Case is that you?
September 22, 2010 12:06 AM   Subscribe

Have we figured out who the real terrorists are yet? Must be an enemy of Iran.
posted by CautionToTheWind at 1:00 AM on September 22, 2010 [5 favorites]

With so much Siemens-specific knowledge, and planting the Trojan horse through a Russian company, my bets would be on Germany's technology-obsessed and often eccentric Bundesnachrichtendienst. Especially since the Germans have been particularly anxious to defuse the Iranian nuclear crisis.
And, quite frankly, if in this way they've prevented, or at least delayed the moment when the Israelis will launch a military strike, whoever wrote that piece of malware deserves the Nobel Peace Prize.
posted by Skeptic at 1:15 AM on September 22, 2010 [4 favorites]

What could possibly go wrong
posted by freebird at 1:21 AM on September 22, 2010 [1 favorite]

With so much Siemens-specific knowledge, and planting the Trojan horse through a Russian company, my bets would be on Germany's technology-obsessed and often eccentric Bundesnachrichtendienst. Especially since the Germans have been particularly anxious to defuse the Iranian nuclear crisis.

Or it could be the Mossad. Israel and Russia are probably more tightly connected than Germany and Russia these days.
posted by acb at 1:56 AM on September 22, 2010

C'mon. The Russian contractors were just ogling porn on the Windows-based control system after mistyping 'Siemens'. Could have happened to anyone.
posted by benzenedream at 1:57 AM on September 22, 2010 [3 favorites]

So a little googling revealed that the initial infection of these machines came from USB flash drives that exploited the Autorun feature as well as a Windows shortcut 0day vuln. Why in the fuck does a system that monitors critical operations of nuclear refinery not have its USB ports disabled or filled with epoxy?!? And assuming there's a justification for needing that, WHY IN THE FUCK DID THEY NOT DISABLE AUTORUN? Autorun is, quite simply, pure evil, and it's simply infuriating that anyone would not secure a system by taking the 10 seconds to disable it.
posted by Rhomboid at 3:06 AM on September 22, 2010 [5 favorites]

Amazing story, thanks for the post. That said, these days, even Gibson believes the future is here:

"Say it’s midway through the final year of the first decade of the 21st Century. Say that, last week, two things happened: scientists in China announced successful quantum teleportation over a distance of ten miles, while other scientists, in Maryland, announced the creation of an artificial, self-replicating genome. In this particular version of the 21st Century, which happens to be the one you’re living in, neither of these stories attracted a very great deal of attention."

(That's from a talk he gave; there's also a good interview in the Atlantic which covers similar ground.
posted by Sifter at 3:11 AM on September 22, 2010 [2 favorites]

Something tells me this is revenge for banning the mullet.
posted by Joe Chip at 3:12 AM on September 22, 2010 [1 favorite]

You can't disable AutoRun. Its very tricky to disable it completely, and then there is an exploit to autorun stuff anyway.

The only real question is "Windows?"
posted by CautionToTheWind at 4:05 AM on September 22, 2010 [3 favorites]

The only real question is "Windows?" -- So, you really want to reignite this holy war again, do you?
posted by crunchland at 4:50 AM on September 22, 2010

The only real question is "Windows?" -- So, you really want to reignite this holy war again, do you?

I'm pretty sure a nuclear meltdown would do more than ignite it.
posted by Netzapper at 4:56 AM on September 22, 2010 [2 favorites]

Wouldn't selling Windows-based control systems (i.e., ones containing US intellectual property) to Iran be technically a violation of arms control treaties?
posted by acb at 5:03 AM on September 22, 2010 [2 favorites]

This is one of those things about which people in Congressional hearings will eventually say, "It seemed like a good idea at the time."
posted by empath at 5:28 AM on September 22, 2010

Far from me to reignite anything. Another poster suggested that 10 seconds of work would have prevented this situation, and it just isn't so.
posted by CautionToTheWind at 5:29 AM on September 22, 2010

So, what, Gibson will be Obama's Clancy?
posted by b1tr0t at 6:23 AM on September 22, 2010 [2 favorites]

Wouldn't selling Windows-based control systems (i.e., ones containing US intellectual property) to Iran be technically a violation of arms control treaties?

So will Obama invade them for copyright infringement and murder a few hundred thousand civilians in order to change the regime and take away their WMCs (weapons of mass computing)?
posted by three blind mice at 6:26 AM on September 22, 2010

Wouldn't selling Windows-based control systems (i.e., ones containing US intellectual property) to Iran be technically a violation of arms control treaties?

Because companies in Russia suddenly care about US Export restrictions?
posted by delmoi at 6:34 AM on September 22, 2010

One of the things that Langner discovered is that when Stuxnet finally identifies its target, it makes changes to a piece of Siemens code called Organizational Block 35. This Siemens component monitors critical factory operations -- things that need a response within 100 milliseconds. By messing with Operational Block 35, Stuxnet could easily cause a refinery's centrifuge to malfunction, but it could be used to hit other targets too, Byres said. "The only thing I can say is that it is something designed to go bang," he said.

That's terrifying.

I'd have to confirm this on a map, but it's less than 1000 miles from Israel to the Bushehr reactor. The Israelis would have to be out of their freakin' minds to cause a possibly uncontrolled meltdown so close to their country. That doesn't rule them out as suspects, of course.
posted by zarq at 6:59 AM on September 22, 2010

Meanwhile:

WASHINGTON - A blustering President Mahmoud Ahmadinejad vowed "war without end" and terrorism unchained Tuesday if anybody messes with Iran. But Israel and the U.S. wouldn't dare go after mighty Iran's nuclear sites, Ahmadinejad said in a hectic round of appearances and sitdowns with Western reporters around Manhattan.

Israel is a pipsqueak nation and the U.S. too worn out by wars in Afghanistan and Iraq to get serious about Iran, he added.

"The Zionist regime is a very small entity on the map, even to the point that it doesn't really factor into our equation," Ahmadinejad said. The U.S. also is not a threat, he said, since the U.S. "doesn't understand what war looks like. When a war starts it knows no limits," he said.

posted by zarq at 7:04 AM on September 22, 2010

The only real question is "Windows?" -- So, you really want to reignite this holy war again, do you?

It does seem that Windows might not be the greatest choice for the industrial control system of A NUCLEAR REACTOR.
posted by thsmchnekllsfascists at 7:23 AM on September 22, 2010 [3 favorites]

The Israelis would have to be out of their freakin' minds to cause a possibly uncontrolled meltdown so close to their country.

What about a carefully controlled meltdown? Just enough to melt some of the mechanisms in the core. When they built it the reactor hadn't been used yet, so they could work on non-radioactive equipment. After a month or two of operation, even a minor meltdown might put the reactor out of commission for years while they repair it.
posted by atrazine at 7:59 AM on September 22, 2010

The only real question is "Windows?"

This was a targeted exploit engineered for the particular installation and hardware at the facility.

The PLC's and controllers for the hardware all run custom software that could only barely be called an OS. They generally expose some capabilities to client PCs but applications built to talk on them usually only run on windows because windows is everywhere and a well understood target platform these days.

This stuff isn't the most robustly designed stuff ever.

I once worked at a mill that had a (then) 6 year old IBM 386 running Windows 3.11 and a custom ISA card to talk to a PLC in the smokestack evaporator unit. This machine was also wired to the DECNET network and would upload reporting data to our VAX machine where the data was used to generate EPA reports on what and how much went up the stack. It worked well enough - when it choked, just reboot it and move on. Then came the plan to upgrade the machine to windows NT for security reasons. But the ISA Card didnt have NT drivers, but the new PCI model did. But it didn't work with the PLC. And a new PLC had have to a different evaporator.

So, pretty soon, you're looking at replacing an entire smokestack just to upgrade a PC from Windows 3.11 to Windows NT. We'll leave aside how the EPA felt about it. So you end up with a lot of institutionalized cruft because the cost to do simple things is so high.

But that being said, it wouldn't matter if it was Linux. Or OSX. As if. I've got a 15 million dollar GE 3T MRI sitting 45 feet from me, and damned if that thing doesn't need constant caressing to just SCP some data to a server somewhere. And it runs Linux as it host OS.

And given the amount of fiddling that my OSX servers require (really? You lost the ACLs again?) I'm not real confident that Apple would be a better solution either.
posted by Pogo_Fuzzybutt at 8:09 AM on September 22, 2010 [10 favorites]

Fascinating article. One point glossed over; how was the payload targeted specifically at the Bushehr reactor? How do they know it wouldn't damage every other installation of that Siemens controller? I think the answer is "they don't".

I did some more historical delving, it looks like the news about Stuxnet targeting SCADA systems broke in July. For the unintended consequences angle, some people are asking if Deepwater runs SCADA. And here's a July 2010 article speculating about the damage Stuxnet could have done to the US power grid. Also this bit is fascinating: "the malicious code was digitally signed using valid digital certificates, which allows Stuxnet to evade security software."

This article linked here seems to just the speculation it was built to target this specific facility. The analysis is pretty thorough, and gains credibility from coming from a German researcher instead of some American contractor looking for cyberwarfare funding. But the only evidence it offers for being targeted to Iran is "It is hard to ignore the fact that the highest number of infections seems to be in Iran". I don't know enough about how Stuxnet spreads to know if that's significant or just an accident.
posted by Nelson at 8:15 AM on September 22, 2010 [2 favorites]

Your software license has expired!
Please obtain a valid license.

I can't think of a more chilling message to receive on your nuclear power plant control monitor. Well, I guess I can think of one.
posted by gwint at 8:46 AM on September 22, 2010

Stuxnet used four zero-day exploits AND compromised certificates for installation. That's no junior-grade hacker. I think the claims that this is national-level sabotage are probably accurate.

For nations trying to develop nuclear weapons, I gotta say, the pain of using OpenBSD must have just gotten a lot more interesting.
posted by Malor at 8:47 AM on September 22, 2010

At this level of investment, it would be trivial to have drivers developed for whatever hardware and whatever OS you feel like using. If the manufacturers are blocking this, then they need some squeezing, which is also trivial at this level.
posted by CautionToTheWind at 8:56 AM on September 22, 2010

The Israelis would have to be out of their freakin' minds to cause a possibly uncontrolled meltdown so close to their country. That doesn't rule them out as suspects, of course.

I'm no expert, but I don't think that blowing the centrifuges could cause a meltdown, since they're used in enrichment, which is to say separating the U-235 and U-238 isotopes from one another, and not in the actual reactor itself.
posted by strangely stunted trees at 8:58 AM on September 22, 2010

I'm no expert, but I don't think that blowing the centrifuges could cause a meltdown, since they're used in enrichment, which is to say separating the U-235 and U-238 isotopes from one another, and not in the actual reactor itself.

To repeat myself:

The exact quote was (emphasis mine), "By messing with Operational Block 35, Stuxnet could easily cause a refinery's centrifuge to malfunction, but it could be used to hit other targets too, Byres said. "The only thing I can say is that it is something designed to go bang," he said."
posted by zarq at 9:07 AM on September 22, 2010

What about a carefully controlled meltdown?

Does the phrase "carefully controlled" fit when we're talking about a virus designed to attack the control mechanisms of a nuclear reactor? It's not as if the virus is being remotely operated, and even if it was, those mechanisms need to have millisecond response times.

Just enough to melt some of the mechanisms in the core. When they built it the reactor hadn't been used yet, so they could work on non-radioactive equipment. After a month or two of operation, even a minor meltdown might put the reactor out of commission for years while they repair it.

Perhaps. But the small but potentially catastrophic concern of cascading failures as well as Byzantine Fault Tolerance issues make me extremely wary of the eventual outcome of "minor meltdowns."
posted by zarq at 9:16 AM on September 22, 2010

Well, it's interesting to speculate, but it seems to be little more than a Tom Clancy-esque wank fantasy without much real evidence at the moment.
posted by Artw at 9:47 AM on September 22, 2010

You can't disable AutoRun.

Sure you can. It's a single registry key setting, and can be done through group policy editor or Tweak UI.
posted by Rhomboid at 10:02 AM on September 22, 2010

...it's less than 1000 miles from Israel to the Bushehr reactor. The Israelis would have to be out of their freakin' minds to cause a possibly uncontrolled meltdown so close to their country. That doesn't rule them out as suspects, of course.

Well... on page 88 of this document it starts listing fallout contours for different levels of Nuclear blasts (in this case in the case of nuclear war). A 100 KT fallout seems to plume away from Israel and mainly has effects 80-100 KM away, scanning nuclear meltdown info seems to indicate that while wind plays a large role in contamination area people generally talk in the (low) hundreds of miles affected, not 1000's.

From a sociopathic POV causing Iranian meltdowns may not be that bad of an idea for Israel, it would create tremendous unrest and cause a lot of casualties putting great strain on the Iranian regime, perhaps even breaking it.

From a sane human POV it is indeed fucking nuts, and anyone intentionally doing this would be guilty of massive crimes against humanity.
posted by edgeways at 10:16 AM on September 22, 2010

Keep in mind that security researchers sometimes adopt more bravado then is nessisary. I remember an article about how conflickr or something used some encryption that could only be done "By a few hundred high-level people" when in fact there was an open source implementation (which turned out to actually be flawed in some way)

There's no reason to think the software was designed to target this particular reactor, it could be a 'general' attack against Iranian infrastructure.
posted by delmoi at 10:18 AM on September 22, 2010

I would imagine the main value of the worm (now that the presumed target knows about it) would be in slowing Iran's nuclear program as they shut everything down and try to get rid of the thing. If it's spread throughout the country that could be quite a job.
posted by Kevin Street at 10:19 AM on September 22, 2010

Well, especially as the thing is being built by Russian contractors. Russians are not exactly people you associate with computer security.
posted by Artw at 10:20 AM on September 22, 2010

This week on NPR they are exploring the concept of "cyberwar"

Techdirt thinks there is no evidence to support the concept.

I have to say, the descriptions I heard on NPR this morning seemed terribly stilted - as if they came from people who've read a lot about computers, but are not really all that familiar with them or how they interact on the internet.

The Stuxnet virus came to mind because it exists in the victim's computer

In other words, how do you fight a cyber war using the accepted "rules of engagement" when your supposed attacker has (quite likely, anonymously) just dropped off a package?

A package that may be doing great harm to your network.

It's not like the enemy's computers are all lined up outside the US' data center, lobbing flash drives.
posted by mmrtnt at 10:22 AM on September 22, 2010 [1 favorite]

The PLC's and controllers for the hardware all run custom software that could only barely be called an OS. They generally expose some capabilities to client PCs but applications built to talk on them usually only run on windows because windows is everywhere and a well understood target platform these days.

Absolutely true that what's in the PLC is nothing like an OS and unique to a particular chip and application. However, I wouldn't say they generally run on windows.

The PLC and it's brethren: FPGA's are so prolific in industrial control, they can and do interface with any and all operating systems.

Furthermore, I'd say you'd be hard pressed to find any electronic device these days that doesn't contain PLC's.
posted by sicjoy at 10:23 AM on September 22, 2010

zarq: "but it could be used to hit other targets too, Byres said. "The only thing I can say is that it is something designed to go bang," he said." "

Ever heard a centrafuge fail? Or seen one? It's one of those I'm glad I wasn't in the room at the time things. Bangs will be involved.
posted by pwnguin at 2:03 PM on September 22, 2010

Ever heard a centrafuge fail? Or seen one? It's one of those I'm glad I wasn't in the room at the time things. Bangs will be involved.

Yes. I was outside a lab room where one failed. It was quite destructive.

You do see that the phrase "...it could be used to hit other targets too..." is part of the quote, yes?

He is clearly referring to a virus that can affect more than just a centrifuge.

Not for nothing, but this is the third time I have quoted that part of what Byres said in this thread.
posted by zarq at 2:18 PM on September 22, 2010

I would imagine the main value of the worm (now that the presumed target knows about it) would be in slowing Iran's nuclear program as they shut everything down and try to get rid of the thing. If it's spread throughout the country that could be quite a job.

Though this sort of exercise is one of the places in which totalitarian regimes have an advantage.
It wouldn't surprise me if, within a few months, Iran announces that all computers in the country will be installed with Green Dam-style security software which auto-updates the system from a central (government) server and also provides enhanced surveillance capabilities and distributed computing facilities.
posted by acb at 2:42 AM on September 23, 2010

Or it could be the Mossad. Israel and Russia are probably more tightly connected than Germany and Russia these days.

Mossad is of course an obvious suspect (almost too obvious), but the German BND spooks are almost next-door neighbours to Siemens HQ and main R&D center in Munich, and there have long been substantial allegations (in German) of collusion between them. Add to that the fact that the BND has made nuclear proliferation its main concern since the end of the Cold War, and that Siemens is one of the mainstays of the nuclear industry, and the connection becomes quite apparent.
posted by Skeptic at 5:32 AM on September 23, 2010 [1 favorite]

Though this sort of exercise is one of the places in which totalitarian regimes have an advantage. It wouldn't surprise me if, within a few months, Iran announces that all computers in the country will be installed with...

I think you're grossly overestimating the capacity of totalitarian regimes. Totalitarian regimes are really good at deploying human security assets, that is boots on the ground, which is why Iran was able to so effectively raise the stakes and neutralize last year's pro-democracy move/moment. They're much less effective and (because of embargoes, etc.) are fairly path-dependent in deploying technological assets. And then in the case of Iran, you have a political regime that is as much about its oligarchical but at least ostensibly open economic foundations as it is about the religion. Economic freedom does not respond well to the sort of impossible-to-fulfill technical decrees you're musing about, and I haven't seen evidence that Tehran actively engages in this sort of policymaking/commandment. Can they implement better information security within their nuclear industry? Sure, though at a sizeable price premium and inflicting significant delays if they're serious about it. Can they just do so by decree for the whole country? Not a chance, Iran is a reasonably wired society, not another DPRK.
posted by kowalski at 9:00 AM on September 23, 2010

kowalski I think that a truly totalitarian regime like North Korea or Burma could do that sort of thing, but Iran isn't a totalitarian regime, "merely" an authoritarian one. The difference is often overlooked, but can be substantial: even the Chinese government came into trouble when it tried to mandate spyware.
posted by Skeptic at 9:26 AM on September 23, 2010

Iran isn't a totalitarian regime, "merely" an authoritarian one.

Agreed, it's too easy to get caught in other people's narrative frames!
posted by kowalski at 11:03 AM on September 23, 2010

Update

Worm hits computers of staff at Iran nuclear plant
By NASSER KARIMI (AP) –
TEHRAN, Iran — A complex computer worm capable of seizing control of industrial plants has affected the personal computers of staff working at Iran's first nuclear power station weeks before the facility is to go online, the official news agency reported Sunday.
The project manager at the Bushehr nuclear plant, Mahmoud Jafari, said a team is trying to remove the malware from several affected computers, though it "has not caused any damage to major systems of the plant," the IRNA news agency reported.
It was the first sign that the malicious computer code, dubbed Stuxnet, which has spread to many industries in Iran, has also affected equipment linked to the country's nuclear program, which is at the core of the dispute between Tehran and Western powers like the United States.
posted by chavenet at 3:14 PM on September 26, 2010

(Rereading NEUROMANCER)

I'm sorry, why does everyone assume this was the work of a human?
posted by newdaddy at 11:33 PM on September 26, 2010 [1 favorite]

I found this short Q&A on stuxnet pretty informative (via a Slate article on the dangers of USB drives).
posted by exogenous at 8:04 AM on October 6, 2010