Woburn, MA – November 11, 2014 – Kaspersky Lab today announced that, after analyzing more than 2,000 Stuxnet files collected over a two-year period, it can identify the first victims of the Stuxnet worm. Stuxnet was discovered over four years ago and was immediately recognized as one of the most sophisticated and dangerous malicious programs; Kaspersky Lab researchers can now provide insight into the question of what the goals of the Stuxnet operation were.
From the start, security researchers had no doubt that the attack was targeted. The code of the Stuxnet worm looked professional and exclusive, and there was evidence that extremely expensive zero-day vulnerabilities had been used. What was not yet known, however, was which organizations were attacked first and how the malware ultimately made its way to the uranium enrichment centrifuges inside top-secret facilities.
Kaspersky Lab’s analysis sheds light on these questions. All five of the organizations that were initially attacked work in the ICS area in Iran, developing ICS or supplying materials and parts. One of the more intriguing organizations was the one attacked fifth, since, among other products for industrial automation, it produces uranium enrichment centrifuges. This is precisely the kind of equipment that is believed to be the main target of Stuxnet.
Apparently, the attackers expected that these organizations would exchange data with their clients, such as uranium enrichment facilities, and that this would make it possible to get the malware inside the target facilities. The outcome suggests that the plan was indeed successful.
“Analyzing the professional activities of the first organizations to fall victim to Stuxnet gives us a better understanding of how the whole operation was planned. At the end of the day this is an example of a supply-chain attack vector, where the malware is delivered to the target organization indirectly via networks of partners that the target organization may work with,” said Alexander Gostev, chief security expert, Kaspersky Lab.
Kaspersky Lab experts made another interesting discovery: the Stuxnet worm did not spread only via infected USB memory sticks plugged into PCs. That was the initial theory, and it explained how the malware could get into a site with no direct Internet connection. However, data gathered while analyzing the very first attack showed that the first sample of the worm (Stuxnet.a) was compiled just hours before it appeared on a PC in the first attacked organization. This tight timetable makes it hard to imagine that an attacker compiled the sample, put it on a USB memory stick and delivered it to the target organization in just a few hours. It is reasonable to assume that in this particular case the people behind Stuxnet used techniques other than USB infection.
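The build-to-first-seen reasoning in the paragraph above is a standard forensic check: read the linker timestamp out of the PE header and compare it with the time the file was first observed on a victim host. The Python below is an added example, not Kaspersky Lab’s tooling and not Stuxnet data; the minimal PE image and both timestamps are constructed for illustration (Stuxnet’s real timestamps are not reproduced here), and the 24-hour threshold in classify_gap is an assumption. One caveat a practitioner should keep in mind: TimeDateStamp is an untrusted four-byte field that a toolchain or an attacker can set freely, so a negative or implausible gap means the field was tampered with or the clocks disagree, not that the binary travelled backwards in time.

```python
import struct
from datetime import datetime, timezone

# PE layout constants (Microsoft PE/COFF specification)
E_LFANEW_OFFSET = 0x3C        # offset of the 4-byte pointer to the "PE\0\0" signature
COFF_TIMESTAMP_OFFSET = 4     # TimeDateStamp sits 4 bytes into the COFF file header


def build_min_pe(compile_ts: int) -> bytes:
    """Constructed minimal PE image (illustration only, not a real binary):
    a 64-byte DOS header, the PE signature, and a 20-byte COFF file header
    carrying compile_ts as TimeDateStamp."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, len(dos))   # e_lfanew -> right after DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,       # Machine: IMAGE_FILE_MACHINE_I386
        1,            # NumberOfSections
        compile_ts,   # TimeDateStamp: seconds since 1970-01-01 UTC, written by the linker
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        0,            # SizeOfOptionalHeader (none in this stub)
        0x0102,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (epoch seconds) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 4 + COFF_TIMESTAMP_OFFSET)
    return ts


def build_to_seen_hours(data: bytes, first_seen_ts: int) -> float:
    """Hours between the linker timestamp and first observation on a victim host."""
    return (first_seen_ts - pe_compile_timestamp(data)) / 3600.0


def classify_gap(hours: float) -> str:
    """Triage label for the build-to-first-seen gap. The 24 h threshold is an assumption."""
    if hours < 0:
        return "future-dated"   # timestamp forged or clock skew: do not reason from it
    if hours < 24:
        return "hours"          # too fast for a hand-carried USB drop; suspect network delivery
    return "days"               # consistent with slow removable-media spread


if __name__ == "__main__":
    COMPILE_TS = 1_246_000_000              # constructed value, not Stuxnet's real timestamp
    FIRST_SEEN_TS = COMPILE_TS + 5 * 3600   # constructed: observed five hours after linking
    sample = build_min_pe(COMPILE_TS)
    gap = build_to_seen_hours(sample, FIRST_SEEN_TS)
    print("linker timestamp:", datetime.fromtimestamp(pe_compile_timestamp(sample), tz=timezone.utc))
    print(f"build-to-first-seen gap: {gap:.1f} h -> {classify_gap(gap)}")
```

On a real sample, replace build_min_pe with the bytes of the file on disk and first_seen_ts with the earliest trustworthy sighting (an endpoint telemetry record or a file-system creation time you can corroborate); if several hosts report the file, use the earliest, since a later sighting only widens the gap and weakens the argument.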
The latest technical information about some previously unknown aspects of the Stuxnet attack can be read on Securelist and in journalist Kim Zetter’s new book, “Countdown to Zero Day.” The book includes previously undisclosed information about Stuxnet; some of this information is based on interviews with members of the Kaspersky Lab Global Research and Analysis Team.
ICS industrial control systems
September 28, 2010
Is Stuxnet the new Ultra?
Few people realize the importance of Marian Rejewski, Jerzy Rozycki and Henryk Zygalski. These three Polish mathematicians and cryptologists broke the Enigma machine, the main cipher used by the Germans, in 1932, and in 1939 handed their knowledge to the British, who at Bletchley Park, with Alan Turing among the leading figures, went on to penetrate most German communications during WWII.
The history of WWII would have been quite different had it not been for Ultra, as the intelligence obtained by breaking Enigma was called. The anti-submarine war in the Battle of the Atlantic was won almost entirely thanks to Ultra. Many of the major battles of the Second World War (the Battle of Britain, El Alamein, Stalingrad, Kursk, D-Day) were won at least partly because Ultra had broken the German codes. But all of this remained unknown until 30 years after the end of the Second World War.
So what is one to make of articles like this one in Computerworld, “Is Stuxnet the 'best' malware ever?”
The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.
"It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with Symantec's security response team.
"I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google's network and those of dozens of other major companies, were child's play.
The malware, which weighed in at nearly half a megabyte -- an astounding size, said Schouwenberg -- was written in multiple languages, including C, C++ and other object-oriented languages, O Murchu added.
Or this one in The Economist, “A cyber-missile aimed at Iran?”
But the possibility that it might have been aimed at one set of industrial-control systems in particular—those inside Iranian nuclear facilities—has prompted one security expert to describe Stuxnet as a "cyber-missile", designed to seek out and destroy a particular target. Its unusual sophistication, meanwhile, has prompted speculation that it is the work of a well-financed team working for a nation state, rather than a group of rogue hackers trying to steal industrial secrets or cause trouble. This, in turn, has led to suggestions that Israel, known for its high-tech prowess and (ahem) deep suspicion of Iran's nuclear programme, might be behind it. But it is difficult to say how much truth there is in this juicy theory.
Are we witnessing the first visible stages of the war against the Iranian nuclear sites? Although the vulnerabilities the worm exploits can apparently be patched, I can imagine that the level of concern spreading among the Iranians is significant. Will it take 30 years to find out what has happened?
Is Israel involved? Should we be surprised if it were? Not really. One just needs to read the book Start-Up Nation by Dan Senor and Saul Singer to get a sense of the magnitude of Israel’s achievement in computer technology over the last 30 years. The 8088 chip used in the original IBM PC was designed in Haifa, the 386 in Jerusalem. Centrino and Core 2 Duo, and most of Intel’s forty new processors over a one-hundred-day period, were based on designs by Intel’s Israeli team.
Is Stuxnet just the tip of the iceberg? Will computer know-how play the same role Ultra played in the Second World War? Let’s hope so. Is the ingenuity, innovation and chutzpah that made the Israeli computer revolution possible now being used to counter the Iranian threat? Apparently.
There is a difference. The scientific and technological achievements of the two sides during World War II were comparable. Britain had radar and Alan Turing, the Americans the Manhattan Project. The Germans had Konrad Zuse, who built the first electromechanical computer, and Wernher von Braun. Today the difference is between a country (or countries) that virtually invented the technology and one that is still learning how to use it. Let’s hope that this difference will prove crucial.