Tuesday, November 12, 2013

Did Stuxnet go rogue? Consider these targets...

Remember Stuxnet, the computer worm designed to take out Iran's nuclear plants? It was developed by the United States and Israel -- that is, by the NSA and Unit 8200. Although Stuxnet is in the news again, many of the current stories don't mention the worm's spooky origins. I guess journalists prefer to give the impression that Stuxnet just popped into existence like Mr. Mxyzptlk.

Most articles about this virus neglect to mention something revealed in June of last year: Israel intentionally disabled a "kill switch" built into Stuxnet, thereby allowing its spread into the wild. That's why this state-sponsored malware may now be on any computer, including your own.

Stuxnet (or a related malware) is spreading -- and I'm starting to think that what we're seeing is no accident. Evidence suggests that the targets have been carefully selected.

The worm has invaded the International Space Station via a USB stick carried by a cosmonaut. In this case, I do favor the "accident" theory -- unless there is more going on up there than we've been told.

But I have little doubt that another target -- a Russian nuclear plant -- belongs in the "made it happen on purpose" category. So far, no news stories have identified the specific Russian nuke plant that was hit. (Or did I miss something? If you know which facility was involved, please share your info with the rest of the class.) More frightening still is the claim that any number of other power plants may also be infected.

Stuxnet targets the SCADA industrial control software developed by Siemens. SCADA exists in many variants and is used in facilities all over the world. This one-app-for-all-purposes approach has many advantages -- and one huge problem: Vulnerability. Before SCADA, industrial facilities hired programmers to create individualized proprietary software, an expensive approach which was inherently more secure. ("Security through obscurity," as the geeks say.)

The above-mentioned Russian nuke plant was disconnected from the internet at the time of its infection, according to security expert Eugene Kaspersky. I can't verify whether this claim is true. If it is true, I'd like to know how the system was compromised. It is worth noting that current versions of SCADA rely on cloud computing, and on a new concept (well, new to me) called the "Internet of Things."

If you want a good scare, read the Wiki article at the other end of that last link while keeping in mind this reminder of what Stuxnet can do:
It initially spreads through Microsoft Windows and targets Siemens industrial control systems. It's considered the first malware that both spies and subverts industrial systems. It's even got a programmable logic controller rootkit for the automation of electromechanical processes.

Let that last point sink in for just a second. This thing, with a little bit of coaxing, can actually control the operation of machines and computers it infects.

Here's the part very few people are talking about: Stuxnet is generally thought to be a Windows-only virus. But the International Space Station switched over to Linux some time ago. (Apparently, the ISS made the switch because they've been troubled by Windows-based viruses since 2008, and perhaps earlier.) This changeover includes all of the laptops used in space. Keep in mind that the virus "got in" via a USB stick.

The ISS uses SCADA on Linux computers. Turns out there was a version of SCADA for Linux as early as 2001, and perhaps earlier.

Either Stuxnet is cleverer than we thought, or the current "Stuxnet" worm is actually something new.

Here's the part no-one is talking about: If it is true that the worm has infected nuclear power plants around the world, we have officially entered James Bond territory. A single malefic individual (feel free to visualize a bald man sitting in a leather chair as he strokes a white cat) could set off dozens of nuclear meltdowns. Simultaneously. Worse, that same malefic individual could also control water systems, electrical systems, gas pipelines -- anything that uses SCADA.

Do you find that scenario too paranoid to be credible? Before you smirk and scoff, consider this: Not long ago, anyone suggesting that the NSA or Unit 8200 created malware would have been derided as a wacky conspiracy theorist...


Anonymous said...

Kaspersky and the FSB:

Why Americans or others for that matter would be running software on their computers created by a guy with ties to the FSB (KGB) is a mystery to me... but whatever floats your boat.

Might want to exercise a bit of skepticism here with info coming from Kaspersky.

Anonymous said...

Thanks for the info; it's quite interesting.

Anonymous said...

Unit 2600? C'mon Mr. Cannon. Freudian slip?

Yes, propagation of Stux is a serious concern. ISS and Russian nuclear plants ... wow! What if Japanese nuclear plants were infected some time in the recent past?

Joseph Cannon said...

Anon: I have no idea why I made that typo. Must have been distracted while writing. Fortunately, the name was given correctly in the first instance.

Thanks. I've corrected.

Stephen Morgan said...

There was recently a story about malware spreading between computers acoustically. And just because a computer isn't connected to the internet doesn't mean it can't be connected to a phone which has been on the internet, by wifi or bluetooth. Or through one of those Huawei 3G modems which were made by the Chinese People's Liberation Army.

Linux might be secure by default, but it can have a number of vulnerabilities. With WINE or PlayOnLinux installed it can run Windows programmes, including viruses. It can also be vulnerable if you don't disable USB autorun, or file previews, especially PDFs.

Perhaps we should start hoping Skynet will revere its creators.

Stephen Morgan said...

Have you seen this:

There's a similar relationship in your own house between your computer and wireless router, it can spy on everything you do on the internet quite easily.

b said...

Can some sensible person advise on relatively 'secure' web-based email that I can set up and utilise using Tor? Tormail is down. Lavabit is out. Hushmail doesn't allow Tor. (Bit of a giveaway, that last one?)

I sometimes need to send unencrypted email (routinely - i.e. without going through the palaver of sending anonmail or installing any programs at my end to do so), so that neither the webmail outfit nor the recipient gets to know my IP. (That's unless they ask Uncle, or Uncle's British cousins, of course. I don't fantasise that the NSA doesn't have access to everything on my computer and all the electronics in my house.)


Stephen Morgan said...

There's no such thing as secure web-based e-mail, using Tor or not. If you want an anonymous account just sign up with Gmail or myopera or some other conventional provider but only access it through Tor. Think of it as the e-mail version of a burner.

If you really want some deep-web e-mail account you could try i2pmail.org, although that uses i2p rather than Tor, a similar anonymising protocol which doesn't normally access the normal web.

Of course anonymising e-mail services have been known to be run by the intelligence services.