August 17, 2019

Search Results for: stuxnet

Four-star General under investigation for leaking details of Stuxnet attack

(LiveHacking.Com) – New reports suggest that the FBI is starting a new investigation into the public leak about the Stuxnet worm. According to NBC, a retired four-star US Marine general, who had a close relationship with President Barack Obama, is under investigation for leaking details of the cyber-attack.

Gen. James Cartwright, the former vice chairman of the Joint Chiefs of Staff, has been told he is under investigation for allegedly disclosing details of the USA’s cyber-attack on Iran’s nuclear facilities. The original FBI investigation looked into possible White House sources; the agency has now turned its investigation towards possible military leaks, including Cartwright.

When the worm first escaped the confines of Iran’s Natanz plant and started infecting computers across the globe, the origin and purpose of the malware was unclear. Over time more and more details of the worm’s activity were analysed and finally, thanks to an internal leak in the US Government, it was confirmed (but not publicly) that the National Security Agency had developed Stuxnet in tandem with the Israelis.

According to the New York Times report on 1 July, 2012, Stuxnet was created under a project known as “Operation Olympic Games” as part of an American and Israeli effort to undermine Iran’s nuclear program.

Stuxnet was designed to destroy the centrifuges used in Iran’s uranium enrichment program and targeted Siemens supervisory control and data acquisition systems (SCADA) which controlled the industrial processes at the Natanz enrichment facilities.

Chevron claimed it also had trouble with Stuxnet once it had gone global, as it too uses SCADA-based systems. However, Chevron says none of its equipment was damaged.

There are likely to be other cases of Stuxnet infections in industrial plants across the U.S. and mainland Europe that have gone unreported for reasons of security or to avoid embarrassment.

Has Iran been fighting off a fresh Stuxnet attack?

(LiveHacking.Com) – There is some confusion about recent malware activity in Iran. A story broke in the last few days saying that a power plant and other industries in southern Iran had been targeted by Stuxnet but that the cyber attack had been successfully rebuffed and prevented from spreading. The story was carried by many of the world’s news agencies, including the BBC and Agence France-Presse.

The original story comes from the Iranian Students News Agency (ISNA), which reported that cyberattackers had struck industrial infrastructure in the southern province of Hormuzgan. In it Ali Akbar Akhavan is quoted as saying that a virus had penetrated some manufacturing industries in Hormuzgan province, but that with the help of skilled hackers it had been repelled. Akhavan is quoted as saying that the malware was “Stuxnet-like”, but he did not expand on what that meant.

Once the story was being reported, Iran issued a correction. “At a press conference we announced readiness to confront cyber attacks against Hormuzgan installations, which was mistakenly reported by the agencies as a cyber attack having been foiled,” Ali Akbar Akhavan said. However, ISNA is sticking with its original story and has published MP3 files which it claims contain Akhavan’s initial remarks.

The state of Iran’s industrial and IT infrastructure has been a topic of much discussion ever since the original Stuxnet worm was allegedly used to hamper Iran’s nuclear enrichment efforts in 2010. Since then Iran has had various malware troubles, including reports of a piece of malware called Narilam which attacked Iranian business databases, and a malware incident in which Iran was forced to disconnect some of the computers at its Kharg Island oil processing terminal.

Chevron was a victim of Stuxnet

(LiveHacking.Com) – Chevron, the US-headquartered international oil and gas company, has admitted that Stuxnet infected its IT network. Speaking to the Wall Street Journal, Mark Koelmel, general manager of the company’s earth sciences department, said that the notorious malware was found on its networks in 2010.

Stuxnet is known for destroying centrifuges used in Iran’s uranium enrichment program. It is thought it was designed by a nation state with the intention of targeting Siemens supervisory control and data acquisition systems (SCADA) which controlled the industrial processes inside the enrichment facilities.

Chevron was not damaged by its encounter with Stuxnet, and it appears that the worm got onto its network by accident. But this is the first time that a U.S. company has admitted that the malware got onto its systems. There are probably many more Stuxnet infections in the U.S. and mainland Europe that went unreported for reasons of security or to avoid embarrassment.

Stuxnet specifically targets industrial equipment that is controlled by devices known as programmable logic controllers, or PLCs. These devices have been sold and used in their millions all over the world, and potentially the Stuxnet malware could have destroyed other equipment across the globe. Just like a real-world virus, once it is out there, it can’t be controlled.

“I don’t think the U.S. government even realized how far it had spread,” Koelmel said. “I think the downside of what they did is going to be far worse than what they actually accomplished.”

The U.S. has almost admitted that it wrote Stuxnet, which makes the U.S. a probable target for any retaliatory cyber attacks. It now seems that the lid is off “Pandora’s box” and worse still the very weapons used to attack others have come back to haunt their creators.

Ultimately private enterprise will have to clean up in the aftermath of Stuxnet without any help from the government. “We’re finding it in our systems and so are other companies,” said Koelmel. “So now we have to deal with this.”

miniFlame: New malware found that is linked with Flame, Stuxnet, Duqu and Gauss

(LiveHacking.Com) – Kaspersky Lab has found a new piece of malware that is linked with the various nation-state cyber-espionage malware families, including Stuxnet, Duqu, Flame and Gauss. Although found all over the world, these malware attacks have specifically targeted the Middle East. Previous analysis of the Flame malware led Kaspersky Lab to conclude that there was some form of collaboration between the groups that developed Flame, Stuxnet and Duqu. Further research prompted the discovery of the previously unknown malware called Gauss, which uses a modular structure resembling that of Flame, has a similar code base and uses the same system for communicating with its C&C servers. That made the whole family: Flame, Stuxnet, Duqu and Gauss.

Now Kaspersky Lab has discovered miniFlame. This new malware is based on the Flame platform and can be operated as part of Flame, but it can also be run independently, without the main Flame modules installed.

“The SPE malware, is a small, fully functional espionage module designed for data theft and direct access to infected systems. If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool,” wrote GReAT, Kaspersky Lab’s Global Research and Analysis Team.

Kaspersky Lab has also discovered that miniFlame can be used together with Gauss. It had been assumed that Flame and Gauss were parallel but separate projects, as they did not share any modules or C&C servers. The fact that miniFlame works with both of these malware projects proves that they come from the same authors.

Like the others in the family, miniFlame is targeting the Middle East. Flame attacks were found mainly in Iran and Sudan, while Gauss was mostly present in Lebanon. miniFlame, however, shows no clear geographical bias, with reports from Lebanon, Palestine, Iran, Kuwait and Qatar.

Kaspersky Lab has published a full technical paper on miniFlame.

Stuxnet Worm was Planted by Double Agent

(LiveHacking.Com) – Industrial Safety and Security Source is reporting that the Stuxnet virus was planted by an Iranian double agent via a memory stick. The Stuxnet malware is widely believed to have caused damage to Iran’s nuclear program by breaking the motors on 1,000 centrifuges at the Natanz uranium enrichment facility.

ISS Source is quoting U.S. intelligence officials who say that the saboteur was probably a member of an Iranian dissident group, as using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. “Iranian double agents would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi, said an unspecified number of “nuclear spies” had been arrested in connection with the Stuxnet virus.

The report says that these agents were probably members of the militant Iranian opposition movement Mujahideen-e Khalq (MEK) which, according to Vince Cannistraro, former head of CIA counterterrorism, is being used by Israel’s Mossad intelligence service, from whom they receive training and finance.

Same Platform Used to Create Stuxnet, Duqu and Other Yet Unknown Malware

(LiveHacking.Com) – Researchers from Kaspersky Labs have discovered that Stuxnet and Duqu were created on the same platform, which may have been developed long before the Stuxnet scandal of 2011. Known as “Tilded”, because of the common use of files whose names start with the tilde symbol (~), it is used by just one team to create modular malware that can be adapted to specific targets.

Kaspersky Labs came to this conclusion by analyzing the drivers used for infecting systems with Duqu and Stuxnet. More worrying is that one of the internal driver files was compiled in January 2008 and that seven types of drivers with similar characteristics exist in the wild.

“The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date. We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab.

This leads to the conclusion that Duqu and Stuxnet are separate projects, but that they were created on a single platform – Tilded. It appears that Tilded was developed around the end of 2007 and the beginning of 2008. In 2010 the platform was developed further to avoid detection by antivirus solutions. There were a number of projects involving programs based on the “Tilded” platform throughout the period 2007-2011. Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown.

The full version of the report of Alexander Gostev and Igor Sumenkov is available at Securelist.

Duqu, Son of Stuxnet, Targets European Industrial Control Systems

(LiveHacking.Com) – Details are emerging about a new worm which seems to be based on Stuxnet, the worm that was allegedly used by either Israel or the USA to attack Iran’s nuclear research.

According to Symantec the new worm, which has been dubbed Duqu because it creates files with the prefix “~DQ”, has parts which are nearly identical to those of Stuxnet, but with a completely different purpose.

Duqu shares a large proportion of its code with Stuxnet, but the payload carried by the worm is not intended to sabotage an industrial control system; instead it gives the attackers general remote access through a command-and-control (C&C) server. What this shows is that the writers of Duqu have access to the Stuxnet source code and not just its binaries.
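The “~DQ” file-name prefix is the one concrete indicator the article gives. As an added example (not code from the article, from Symantec, or from any product), here is a small file-name hunt a defender could run over a host or an exported file listing. The paths, names and directory tree are constructed for the demonstration; the prefix alone is a weak indicator, since plenty of legitimate software drops tilde-prefixed temp files, so a hit marks a file for review rather than delivering a verdict.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Iterable, List

# Prefix the article attributes to Duqu's dropped files. Compared case-insensitively
# because NTFS file names are case-insensitive.
DUQU_PREFIX = "~DQ"


def _basename(path: str) -> str:
    """Final path component, accepting both Windows and POSIX separators so
    a listing exported from a Windows host can be processed on any platform."""
    return re.split(r"[\\/]", path)[-1]


def matches_duqu_prefix(name: str) -> bool:
    """True when a bare file name starts with the ~DQ prefix."""
    return name.upper().startswith(DUQU_PREFIX)


def find_duqu_style_names(paths: Iterable[str]) -> List[str]:
    """Filter an iterable of path strings (e.g. lines of a file listing)
    down to those whose name carries the prefix, preserving input order."""
    return [p for p in paths if matches_duqu_prefix(_basename(p))]


def scan_tree(root: str) -> List[str]:
    """Walk a live directory tree and return matching file paths, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if matches_duqu_prefix(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a throwaway directory populated with constructed file names,
    so scan_tree() can be exercised without touching a real host."""
    root = tempfile.mkdtemp(prefix="duqu_hunt_")
    sub = os.path.join(root, "Temp")
    os.makedirs(sub)
    for name in ("~DQ1A2B.tmp", "~DF3C4D.tmp", "notes.txt"):
        Path(sub, name).write_bytes(b"constructed sample content")
    return root


# Constructed sample listing: hypothetical paths, not real indicators.
SAMPLE_LISTING = [
    r"C:\Windows\Temp\~DQ1A2B.tmp",
    r"C:\Users\alice\AppData\Local\Temp\~DF3C4D.tmp",  # tilde-prefixed but not ~DQ
    r"C:\Users\alice\AppData\Local\Temp\~dq9f.tmp",     # lower case still matches
    r"C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    for hit in find_duqu_style_names(SAMPLE_LISTING):
        print("review:", hit)
    root = build_sample_tree()
    for hit in scan_tree(root):
        print("review:", hit)
```

In practice a hit would be followed by collecting the file's hash and creation time and checking which process wrote it; the name match only decides what gets looked at.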

Although the analysis of the worm shows no code related to industrial control systems, the executables have been found in organizations involved in the manufacturing of industrial control systems.

It is possible that this is a precursor to a future Stuxnet-like attack:

The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

This now calls into question the almost universal belief that Stuxnet was written by either Israel or the USA, as either of these two countries launching some kind of cyber attack on European companies is almost unthinkable given the amount of political damage that would be done.

US Government Warns (Again) that Stuxnet Variants Could Target Critical US Systems

(LiveHacking.Com) – It was this time last year that the world first heard about Stuxnet, the computer worm that launched the first successful cyberattack on infrastructure facilities, namely Iran’s nuclear programme. In a US House of Representatives committee hearing, Roberta Stempfley and Sean P. McGurk from the DHS’s Office of Cyber Security and Communications revealed that the US Government is concerned that cyber-terrorists could use variants of Stuxnet to attack other installations that use programmable control systems.

Their comments echo testimony given in March of this year to a Homeland Security House Subcommittee by Deputy Under Secretary Philip Reitinger.

According to both testimonies (which are word for word the same) “copies of the Stuxnet code, in various different iterations, have been publicly available for some time now.” As a result “the Department is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems.”

ICS-CERT and the NCCIC remain vigilant and continue analysis and mitigation efforts of any derivative malware.

First Stuxnet, Now Stars – New Worm Attacks Iran

Gholam-Reza Jalali, the director of Iran’s Passive Defense Organization has announced that it has detected a new worm called Stars which is designed to spy on Iran’s government systems. Jalali did not reveal what facilities the worm targeted or when it was first detected.

These new revelations come in the wake of Stuxnet, the first ever malware designed to attack industrial equipment. Specifically it targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers). It is reported that such equipment is used by Iran at its Natanz nuclear facility.

Last week Jalali accused Siemens of helping the U.S. and Israel create the Stuxnet worm saying they should “explain why and how it provided the enemies with the information about the codes of the SCADA software and [so] prepared the ground for a cyber attack.”

Could Stars be just an “ordinary” Windows worm which Iran has mistaken for a cyber attack? Every day security experts find thousands of new malware samples, many of which are designed for spying on victims’ computers.

Does Stuxnet Prove That International Cyberwarfare is Real?

According to the New York Times, the Stuxnet worm has been responsible for destroying about a fifth of Iran’s nuclear centrifuges, which could delay Iran’s nuclear program. However, it seems that Tehran isn’t accepting any delays, and The Telegraph is reporting that Russian nuclear scientists, who are providing technical assistance to Iran’s attempts to activate the country’s first nuclear power plant, are warning of another Chernobyl-style nuclear disaster as they are being forced to comply with tight deadlines.

The Stuxnet worm has been the topic of much speculation and theorisation. But one thing is clear: if Stuxnet is an Israeli-American project to thwart Iran’s nuclear program, then cyberwarfare has become a real weapon in a nation-state’s arsenal.

In October of last year William J. Lynn, U.S. Deputy Secretary of Defense, wrote that “as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space.”

The next five to ten years will see an increased amount of nation-state sponsored cyber activity, and it is becoming more important than ever to ensure that our home, business and national information resources are secure, robust and protected.