* Stuxnet: “The world’s first known cyber super weapon designed specifically to destroy a real-world target”. Has it been designed to disable Iran’s Bushehr nuclear plant?
* Pregnant Israeli gives birth last night after she is wounded in Palestinian terror attack
* Many of those Western news outlets that did report on the shooting failed to mention that the “military wing” of Palestinian President Abbas’s Fatah party claimed responsibility for the attack
* Turkish president addresses rally in which Israeli Arabs are told “Al-Aqsa will be redeemed by blood and fire”
* “The prominent American TV personality seated next to me said something cringingly obsequious to Iranian TV about how gracious Ahmadinejad is for making himself available to the media”
CONTENTS
1. Israeli shooting victim gives birth to son
2. New British Labour leader’s mother backs Jewish anti-blockade flotilla
3. We will speak to Hamas “in a very peaceful and friendly way”
4. Turkish President tells Israeli Arabs: We will protect al-Aqsa
5. Ahmadinejad dines in New York with Louis Farrakhan
6. “You stoned my sister!”
7. Yale students get to meet Ahmadinejad
8. Iranian troops cross into Iraq and kill 30 Kurds
9. Hizbullah “successfully tests long range missiles in Iran”
10. An imaginative way to slow down Iran’s nuclear program?
11. “Breakfast with Ahmadinejad” (By Bret Stephens, Wall Street Journal)
12. “The Stuxnet computer worm and the Iranian nuclear program” (Stratfor Global Intelligence)
13. “Stuxnet out to destroy Iran’s Bushehr nuclear plant?” (Christian Science Monitor)
[All notes below by Tom Gross]
ISRAELI SHOOTING VICTIM GIVES BIRTH TO SON
A pregnant Israeli gave birth late last night in an emergency Cesarean section, shortly after she was wounded in a gun attack on two Israeli cars in the southern West Bank.
Doctors at Soroka Medical Center in the nearby Israeli town of Beersheba succeeded in delivering a healthy baby boy after the woman (Netta Zucker, 35) and her husband Sharon, also 35, were shot and injured.
Zucker, who was nine months pregnant with her first child, sustained moderate injuries in the attack. In a statement last night, the al-Aqsa Martyrs’ Brigades, the “military wing” of Palestinian President Abbas’s Fatah party, jointly claimed responsibility for the attack with the Islamic Jihad movement. (Islamic Jihad and Fatah share aims in their rivalry to Hamas, as well as their hatred for Israel.)
After giving birth, Zucker underwent surgery for her wounds. Her husband, who also underwent surgery to remove bullets from his legs, said, “This was not how I planned on bringing my first child into the world.”
Above: Sharon Zucker in hospital this morning with his newborn son
This was the third such terror attack in the area in less than a month. One of the four Israelis shot dead in the same area of the southern West Bank on August 31 was also pregnant. (You can see photos of the victims of that attack, together with several photos of Palestinians celebrating it, near the top of the page here.)
Two other Israelis were shot and wounded in their car in the area on September 1, and in June, two Israelis were killed in an ambush nearby. The two Hamas operatives who were arrested for that attack and proudly confessed to it had been released from an Israeli jail where they had been serving sentences for previous terrorist offenses.
NEW UK LABOUR LEADER’S MOTHER BACKS JEWISH ANTI-BLOCKADE FLOTILLA
The mother of Ed Miliband, the newly elected leader of Britain’s opposition Labour party, has added her name to a far-left British Jewish group that yesterday launched a boat from northern Cyprus to sail for Gaza. The aim of the boat, they said, was to “break the Israeli blockade” and meet with Hamas representatives.
Miliband narrowly beat his older brother, David, in a dramatic vote to win the Labour leadership on Saturday ahead of the party’s annual conference. (David won 49.35%, Ed won 50.65%.)
As foreign secretary, David Miliband took a number of steps which many considered hostile to Israel, such as voting for the Goldstone report and expelling a senior Israeli diplomat from London earlier this year. His brother Ed has positioned himself on the left of David (and has already been dubbed “Red Ed” by sections of the British media) and is thought to be even less sympathetic to Israel than David and may possibly share his mother’s views on the subject.
WE WILL SPEAK TO HAMAS “IN A VERY PEACEFUL AND FRIENDLY WAY”
Naomi Wayne, a co-founder of Jews for Justice for Palestinians UK, of which Ed and David Miliband’s mother Marion Kozak is a signatory, said yesterday that “what we are hoping to do by sending the boat is reach Gaza in a very peaceful and friendly way.” When asked if their group was being rather naïve, she vigorously denied this.
Jews for Justice for Palestinians was founded in 2002, at the height of the second Intifada. Besides Kozak, other well-known signatories include Marxist historian Eric Hobsbawm, actor and comedian Stephen Fry, actress Zoë Wanamaker, sculptor Sir Anthony Caro and former Labour MP and London mayoral candidate Oona King. (As reported on this email list at the time, in 2003 King told a press conference organized by the Christian Aid charity in London that, “speaking as a Jew,” the situation in Gaza is “the same in nature” “as the Warsaw Ghetto”.)
According to recent opinion polls, the group’s views are only shared by a tiny segment of British Jews.
Miliband is the son of the late prominent Marxist sociologist Ralph Miliband, whose Polish-Jewish parents fled Belgium in 1940 as the Nazis arrived. Ralph Miliband is buried in London’s Highgate Cemetery close to Karl Marx. He met Marion Kozak, who was born in Poland, when she was one of his students at the London School of Economics.
***
The organizers don’t seem to have noticed the additional hypocrisy of an anti-“occupation” flotilla sailing from Turkish-occupied northern Cyprus.
***
The Arabic service of Russia Today yesterday became the latest TV station to run a report on the new Gaza mall, whose existence was first revealed on this website.
***
Among dispatches on previous flotillas to Gaza, please see:
* Videos of today’s tragic incident off the coast of Israel
* “Rachel Corrie is on Her Way” – Due to attempt to land shortly in Gaza
* Cartoons on the flotilla incident from the Arab media
TURKISH PRESIDENT TELLS ISRAELI ARABS: WE WILL PROTECT AL-AQSA
Thousands of people attended the (Israeli) Islamic Movement’s annual rally in Umm al-Fahm in northern Israel on Friday, which was addressed by phone by Turkish President Abdullah Gul, who promised to support “efforts to protect the al-Aqsa Mosque in Jerusalem.”
The head of the Islamic Movement, Sheikh Raed Salah, who is currently serving a five-month prison sentence for assaulting a police officer, sent a statement which was read to the crowd, warning of the supposed Jewish danger to the al-Aqsa Mosque.
“This is the most perilous year for al-Aqsa,” he said. “The dangers (from the Jews) know no end. We must redeem Al-Aqsa by blood and fire.”
In his message, read over the phone by the Turkish advisor for Mideast affairs, President Gul assured participants that “Your brothers in Turkey will always lend their support to the protection of the al-Aqsa Mosque and all other holy sites in Jerusalem.”
Israeli-Arab Knesset Member Hanin Zuabi told the crowd that “Turkey’s freedom flotilla represents the profound link between us. Together we will protect the holy sites of Jerusalem.”
Sheikh Kamal Khatib, the deputy chief of the Islamic Movement, made a speech mocking Chief Palestinian Negotiator Saeb Erekat: “Your entire life is about negotiations. You are all just peddling illusions,” he said.
Commenting on Israeli Foreign Minister Avigdor Lieberman’s remarks about the possibility of a territorial swap between Israel and a future Palestinian state in which Palestinian-Israeli towns like Umm al-Fahm might become part of Palestine, Khatib said that “the only population swap we will agree to is for the Jews to go to Russia.”
***
A reader adds: Interestingly, Israeli President Shimon Peres hasn’t addressed any rallies in eastern Turkey saying Kurdistan will be redeemed by blood and fire.
AHMADINEJAD DINES WITH LOUIS FARRAKHAN
As part of his six-day stay in New York last week, Iranian President Mahmoud Ahmadinejad held a “secret” dinner with Louis Farrakhan and members of the New Black Panther Party last Tuesday at the Warwick Hotel on West 54th Street.
The meeting took place in a banquet room, where the leaders exchanged theories on what’s wrong with the world. Both Ahmadinejad and Farrakhan have in the past blamed “the Jews” for many of the world’s problems.
Farrakhan (who was born Louis Walcott) is best known as the bow-tie-wearing leader of The Nation of Islam movement. In 1996, he was awarded the Al-Gaddafi International Prize for Human Rights by Libyan dictator Muammar al-Gaddafi. He has called Jews “satanic” and said “Hitler was a very great man.”
“YOU STONED MY SISTER!”
The New York Post reports that on Thursday night, two well-dressed women sat at the hotel bar of the Hilton Manhattan, on 42nd Street, where Ahmadinejad was staying. One of them caught the attention of the president’s security detail. She was soon surrounded by eight angry Iranians, who ordered her to leave. She refused.
A manager tried to calm things down. Suddenly, the woman stood up and pointed at the Iranians, yelling, “You stoned my sister! You’re murderers!” before she was removed from the hotel.
***
Earlier on Thursday, delegates from the United States, Europe and other countries walked out in the middle of a speech by Ahmadinejad to the UN General Assembly after the Iranian leader reiterated the conspiracy theory that the U.S. government itself orchestrated the 9/11 attacks on America.
YALE STUDENTS GET TO MEET AHMADINEJAD
New York Times op-ed contributor Hillary Mann Leverett – who has long been accused of being an apologist for the Iranian regime – was granted a special seminar with Ahmadinejad for her Yale graduate students last Thursday, shortly after Ahmadinejad’s controversial speech to the UN. Leverett, a senior fellow at Yale’s newly created Jackson Institute, is a proponent of engaging with Iran rather than imposing sanctions.
Her husband, Flynt Leverett, with whom she often co-writes articles, is also a senior fellow at the Jackson Institute and works for the New America Foundation, a leftist think tank based in Washington. Last year the Leveretts wrote an op-ed titled “Ahmadinejad won. Get over it” in Politico, which argued that Ahmadinejad won the 2009 elections fairly.
Hillary Mann Leverett has held various positions related to Middle East policies in the U.S. State Department and National Security Council.
Jim Levinsohn, director of the Jackson Institute, said the Institute’s main aim in hiring fellows is to expose students to a wide range of views.
In the spring semester, Leverett will teach a Yale undergraduate course titled “The United States and the Middle East.”
IRANIAN TROOPS CROSS INTO IRAQ AND KILL 30 KURDS
Troops from Iran’s Revolutionary Guard on Saturday crossed into northern Iraq and killed 30 members of a Kurdish opposition group. Although most Western media have not reported it, the Revolutionary Guard periodically fires artillery across the border into areas where the Kurdish rebels hide out.
HIZBULLAH “SUCCESSFULLY TESTS LONG RANGE MISSILES IN IRAN”
The Kuwaiti newspaper Al-Rai reports that a new Iranian missile, which was displayed with great pride in Tehran recently, has now been successfully tested by the Lebanese Hizbullah militia.
Al-Rai said the test took place in Iran since such an event could not take place in Lebanon. “The test was successful and part of the units which participated returned to their bases in Lebanon,” unidentified officials told Al-Rai. Hizbullah has formulated a “bank of targets” in Israel such as “power stations and sensitive institutions” across the country, the sources added.
The missile has a range of 200 kilometers, which means it is capable of hitting many cities in Israel if it were launched from the Israel-Lebanon border.
According to figures given in August in an Iranian TV broadcast, the missile is 9 meters in length and weighs 3,500 kilograms.
AN IMAGINATIVE WAY TO SLOW DOWN IRAN’S NUCLEAR PROGRAM?
I attach three articles below. In the first, Wall Street Journal columnist Bret Stephens, a subscriber to this list, describes his breakfast with Ahmadinejad last week – and the reactions of the other journalists present.
The second and third articles concern the computer worm proliferating in Iranian targets that may have been sent by an unnamed national intelligence agency to attack Iranian nuclear facilities.
The worm is very advanced, requires specific intelligence on its target, exploits multiple system vulnerabilities and uses two stolen security certificates, suggesting a typical hacker did not create it.
If a national intelligence agency in fact targeted Iranian nuclear facilities, this would be the first deployment of a cyberweapon reported to the public, and the full details of the operation are not likely ever to be known.
Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.
(Among previous dispatches on the Iranian nuclear threat, please see this one)
[All notes above by Tom Gross]
FULL ARTICLES
PAYING COURT TO AHMADINEJAD
Breakfast with Ahmadinejad
Lox, bagels and the “Zionist regime”
By Bret Stephens
The Wall Street Journal
September 23, 2010
New York -- It’s a few minutes before eight in the morning on Tuesday, and the 30 or so journalists who have assembled to meet Mahmoud Ahmadinejad in the conference room of a midtown Manhattan hotel are gorging themselves on lox and bagels and wondering whether the buffet is some kind of sly catering joke. A prominent TV personality seated next to me is approached by an Iranian film crew wanting to know her thoughts about their president. She says something cringingly obsequious about how gracious he is for making himself available to the media.
I suppose she’s simply trying to be polite, and perhaps taking care not to say anything that could cause trouble for her or her colleagues down the road. But it dawns on me that the exchange also captures the central dynamic of the meeting. We get access to Ahmadinejad – and the feeling of self-importance that goes with that. In exchange, we pay him court.
The first question goes to an editor from Fortune magazine, who wants to know how the Iranian economy is doing. Ahmadinejad devotes a good 10 minutes to extolling Iran’s economic strengths – industrial exports have “tripled”; investment in infrastructure is way up; the service sector is thriving; agriculture has experienced “a gradual but consistent pattern of growth.”
All of this is, of course, a lie, which is why the regime no longer allows its Central Bank to publish economic statistics. And yet it is a flawlessly delivered lie, spoken in the kind of modulated tone you would expect from an IMF technocrat. As a matter of performance, it’s masterful. And while none of us in the audience believes a word of Ahmadinejad’s answer, we believe him the way we believe Al Pacino when he inhabits a role. We believe his self-belief. And we wonder whether he believes it, too.
Next question: the nuclear talks. “There is a good chance that talks will resume in the near future.” Suddenly he has slipped back into an objective reality. Sure enough, word comes down the following day that the permanent members of the U.N. Security Council have “reaffirmed our commitment to continued and active engagement” with Iran, in the words of the EU’s Catherine Ashton. The U.S. is a party to that statement.
Somebody asks about the status of opposition leaders Mir Hossein Mousavi and Mehdi Karroubi, both of whose offices were raided this month. Ahmadinejad flatly denies this, and once again we make a seamless transition back to the realm of the perfect lie, perfectly told.
Now CNN’s Fareed Zakaria asks Ahmadinejad whether he would accept whatever deal Palestinians might strike with Israel in the current negotiations.
The question is meant as a trap – if he says no, he is potentially contradicting the Palestinians; if yes, he might have to recognize Israel’s right to exist. Ahmadinejad’s answer showcases his rhetorical gifts. He says he has no trouble deferring to the wishes of Palestinians; he merely wishes they be represented by the people they actually elected, meaning Hamas. In a stroke, he has put himself on the side of democracy and exposed the central fallacy of the current peace process, which is that a majority of Palestinians want to co-exist with a Jewish state called Israel.
A little later, under questioning about Iran’s obstruction of U.N. nuclear inspectors, he points out that the “Zionist regime” operates under no U.N. nuclear strictures. Which makes for a powerful argument the moment you accept the premises of the Nuclear Nonproliferation Treaty.
By this point the questioning has become a little more testy. Ahmadinejad remains unflappable, even bemused. But there’s also an undercurrent of menace in his answers, as if he knows he owes his audience the frisson of danger that is his trademark. In response to a question about a prospective Israeli airstrike, he says “the Zionist regime is a very small entity on the map and doesn’t really factor into our decisions.” As for a U.S. attack, he warns that “war is not just bombing someplace. When the war starts, it knows no limits.”
In the New York Times’s account of the breakfast, reporter Neil MacFarquhar – who asked an opaque question about Cyrus the Great and was roundly mocked for it by Ahmadinejad – described the president’s remarks as “standard talking points” plus “a little fresh bluster.” Perhaps I haven’t achieved the appropriate degree of jadedness, but my own impression of Ahmadinejad was that he was easily the smartest guy in the room. He mocked us in a way we scarcely had the wit to recognize. We belittle him at our peril.
EVIDENCE PINPOINTING WHO CREATED THE WORM IS NOT LIKELY TO EMERGE
The Stuxnet computer worm and the Iranian nuclear program
Stratfor Global Intelligence
September 24, 2010
SUMMARY
A computer worm proliferating in Iran targets automated activity in large industrial facilities. Speculation that the worm represents an effort by a national intelligence agency to attack Iranian nuclear facilities is widespread in the media. The characteristics of the complex worm do in fact suggest a national intelligence agency was involved. If so, the full story is likely to remain shrouded in mystery.
***
ANALYSIS
A computer virus known as a worm that has been spreading on computers primarily in Iran, India and Indonesia could be a cyberattack on Iranian nuclear facilities, according to widespread media speculation.
Creating such a program, which targets a specific Siemens software system controlling automated activity in large industrial facilities, would have required a large team with experience and actionable intelligence. If a national intelligence agency in fact targeted Iranian nuclear facilities, this would be the first deployment of a cyberweapon reported on in the media. It would also mean that the full details of the operation are not likely ever to be known.
The so-called Stuxnet worm first attracted significant attention when Microsoft announced concerns over the situation in a Sept. 13 security bulletin, though various experts in the information technology community had been analyzing it for at least a few months. The worm is very advanced, required specific intelligence on its target, exploits multiple system vulnerabilities and uses two stolen security certificates, suggesting a typical hacker did not create it.
On a technical level, Stuxnet uses four different vulnerabilities to gain access to Windows systems and USB flash drives, identified independently by antivirus software makers Symantec and Kaspersky Lab. Discovering and exploiting all four vulnerabilities, which in this case are errors in code that allow access to the system or program for unintended purposes, would have required a major effort. Three of them were “zero-day” vulnerabilities, meaning they were unknown before now. A Polish security publication, Hakin9, had discovered the fourth, but Microsoft had failed to fix it. Typically, hackers who discover zero-day vulnerabilities exploit them immediately to avoid pre-emption by software companies, which fix them as soon as they learn of them. In another advanced technique, the worm uses two stolen security certificates from Realtek Semiconductor Corp. to access parts of the Windows operating system.
Stuxnet seems to target a specific Siemens software system, the Simatic WinCC SCADA, operating a unique hardware configuration, according to industrial systems security expert Ralph Langner and Symantec, which both dissected the worm. SCADA stands for “supervisory control and data acquisition systems,” which oversee a number of programmable logic controllers (PLCs), which are used to control individual industrial processes. Stuxnet thus targets individual computers that carry out automated activity in large industrial facilities, but only will activate when it finds the right one. Siemens reported that 14 facilities using its software had already been infected, but nothing had happened. When Stuxnet finds the right configuration of industrial processes run by this software, it supposedly will execute certain files that would disrupt or destroy the system and its equipment. Unlike most sophisticated worms or viruses created by criminal or hacker groups, this worm thus does not involve winning wealth or fame for the creator, but rather aims to disrupt one particular facility, shutting down vital systems that run continuously for a few seconds at a time.
VirusBlokAda, a Minsk-based company, announced the discovery of Stuxnet June 17, 2010, on customers’ computers in Iran. Data from Symantec indicates that most of the targeted and infected computers are in Iran, Indonesia and India. Nearly 60 percent of the infected computers were in Iran. Later research found that at least one version of Stuxnet had been around since June 2009. The proliferation of the worm in Iran indicates that country was the target, but where it started and how it has spread to different countries remains unclear.
Few countries have the kind of technology and industrial base and security agencies geared toward computer security and operations required to devise such a worm, which displays a creativity that few intelligence agencies have demonstrated. This list includes, in no particular order, the United States, India, the United Kingdom, Israel, Russia, Germany, France, China and South Korea.
Media speculation has focused on the United States and Israel, both of which are seeking to disrupt the Iranian nuclear program. Though a conventional war against Iran would be difficult, clandestine attempts at disruption can function as temporary solutions. Evidence exists of other sabotage attempts in the covert war between the United States and Israel on one side and Iran on the other over Iranian efforts to build a deliverable nuclear weapon.
U.S. President Barack Obama has launched a major diplomatic initiative to involve other countries in stopping Iran’s nuclear activities, so another country might have decided to contribute this creative solution. Whoever developed the worm had very specific intelligence on their target. Targeting a classified Iranian industrial facility would require reliable intelligence assets, likely of a human nature, able to provide the specific parameters for the target. A number of defectors could have provided this information, as could have the plants’ designers or operators. Assuming Siemens systems were actually used, the plans or data needed could have been in Germany, or elsewhere.
Evidence pinpointing who created the worm is not likely to emerge. All that is known for certain is that it targets a particular industrial system using Siemens’ programming. Whether the worm has found its target also remains unclear. It may have done so months ago, meaning now we are just seeing the remnants spread. Assuming the target was a secret facility – which would make this the first cyberweapon reported in the media – the attack might well never be publicized. The Iranians have yet to comment on the worm. They may still be investigating to see where it has spread, working to prevent further damage and trying to identify the culprit. If a government did launch the worm, like any good intelligence operation, no one is likely to take credit for the attack. But no matter who was responsible for the worm, Stuxnet is a display of serious innovation by its designer.
TARGET: BUSHEHR?
Stuxnet malware is ‘weapon’ out to destroy ... Iran’s Bushehr nuclear plant?
By Mark Clayton
The Christian Science Monitor
September 21, 2010
Cyber security experts say they have identified the world’s first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.
The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose has grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.
At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran’s Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.
The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.
Unlike most malware, Stuxnet is not intended to help someone make money or steal proprietary data. Industrial control systems experts now have concluded, after nearly four months spent reverse engineering Stuxnet, that the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide. Internet link not required.
“Until a few days ago, people did not believe a directed attack like this was possible,” Ralph Langner, a German cyber-security researcher, told the Monitor in an interview. He was slated to present his findings at a conference of industrial control system security experts Tuesday in Rockville, Md. “What Stuxnet represents is a future in which people with the funds will be able to buy an attack like this on the black market. This is now a valid concern.”
A GRADUAL DAWNING OF STUXNET’S PURPOSE
It is a realization that has emerged only gradually.
Stuxnet surfaced in June and, by July, was identified as a hypersophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away.
But what was the motive of the people who created it? Was Stuxnet intended to steal industrial secrets – pressure, temperature, valve, or other settings – and communicate that proprietary data over the Internet to cyber thieves?
By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous.
But it gets worse. Since reverse engineering chunks of Stuxnet’s massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.
“Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world,” says Langner, who last week became the first to publicly detail Stuxnet’s destructive purpose and its authors’ malicious intent. “This is not about espionage, as some have said. This is a 100 percent sabotage attack.”
A GUIDED CYBER MISSILE
On his website, Langner lays out the Stuxnet code he has dissected. He shows step by step how Stuxnet operates as a guided cyber missile. Three top US industrial control system security experts, each of whom has also independently reverse-engineered portions of Stuxnet, confirmed his findings to the Monitor.
“His technical analysis is good,” says a senior US researcher who has analyzed Stuxnet, who asked for anonymity because he is not allowed to speak to the press. “We’re also tearing [Stuxnet] apart and are seeing some of the same things.”
Other experts who have not themselves reverse-engineered Stuxnet but are familiar with the findings of those who have concur with Langner’s analysis.
“What we’re seeing with Stuxnet is the first view of something new that doesn’t need outside guidance by a human – but can still take control of your infrastructure,” says Michael Assante, former chief of industrial control systems cyber security research at the US Department of Energy’s Idaho National Laboratory. “This is the first direct example of weaponized software, highly customized and designed to find a particular target.”
“I’d agree with the classification of this as a weapon,” Jonathan Pollet, CEO of Red Tiger Security and an industrial control system security expert, says in an e-mail.
ONE RESEARCHER’S FINDINGS
Langner’s research, outlined on his website Monday, reveals a key step in the Stuxnet attack that other researchers agree illustrates its destructive purpose. That step, which Langner calls “fingerprinting,” qualifies Stuxnet as a targeted weapon, he says.
Langner zeroes in on Stuxnet’s ability to “fingerprint” the computer system it infiltrates to determine whether it is the precise machine the attack-ware is looking to destroy. If not, it leaves the industrial computer alone. It is this digital fingerprinting of the control systems that shows Stuxnet to be not spyware, but rather attackware meant to destroy, Langner says.
Stuxnet’s ability to autonomously and without human assistance discriminate among industrial computer systems is telling. It means, says Langner, that it is looking for one specific place and time to attack one specific factory or power plant in the entire world.
“Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open,” Langner says in an interview. “The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process.”
So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems, Eric Byres, a Canadian expert, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.
Langner’s analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.
“After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon,” Langner writes in his analysis. “Something big.”
For those worried about a future cyber attack that takes control of critical computerized infrastructure – in a nuclear power plant, for instance – Stuxnet is a big, loud warning shot across the bow, especially for the utility industry and government overseers of the US power grid.
“The implications of Stuxnet are very large, a lot larger than some thought at first,” says Mr. Assante, who until recently was security chief for the North American Electric Reliability Corp. “Stuxnet is a directed attack. It’s the type of threat we’ve been worried about for a long time. It means we have to move more quickly with our defenses – much more quickly.”
HAS STUXNET ALREADY HIT ITS TARGET?
It might be too late for Stuxnet’s target, Langner says. He suggests it has already been hit – and destroyed or heavily damaged. But Stuxnet reveals no overt clues within its code to what it is after.
A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.
Could Stuxnet’s target be Iran’s Bushehr nuclear power plant, a facility much of the world condemns as a nuclear weapons threat?
Langner is quick to note that his views on Stuxnet’s target are speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr’s expected startup in late August has been delayed, he notes, for unknown reasons. (One Iranian official blamed the delay on hot weather.)
But if Stuxnet is so targeted, why did it spread to all those countries? Stuxnet might have been spread by the USB memory sticks used by a Russian contractor while building the Bushehr nuclear plant, Langner offers. The same contractor has jobs in several countries where the attackware has been uncovered.
“This will all eventually come out and Stuxnet’s target will be known,” Langner says. “If Bushehr wasn’t the target and it starts up in a few months, well, I was wrong. But somewhere out there, Stuxnet has found its target. We can be fairly certain of that.”