Security and Defense: Digital strike

Through incredible technological prowess, anonymous computer experts managed to infiltrate Iranian nuclear systems – and caused utter chaos.

Stuxnet 311 (photo credit: Courtesy)
Eric Byres was shocked. Sitting in his office in Vancouver, Canada a few weeks ago, he began sifting through some of the requests submitted via the Internet to gain access to blocked-off parts of the website of his company, Tofino Security, which provides computer security solutions for large industries.
One of the requests caught his eye. It was the name of a person he knew from one of the large industries Tofino works with.
Byres called his acquaintance to find out why he was signing up on the site again if he already had an account. The friend was shocked and said that someone else must have been impersonating him. That set off an alarm which sent Byres to examine the lists of new requests he had received in recent months. What he found was astounding.
“What caught our attention was that last year we maybe had one or two people from Iran trying to access the secure areas on our site,” Byres said. “Iran was never on the map for us and all of a sudden we are now getting massive numbers of people going to our website and people who we can identify as being from Iran.”
Byres said that some people openly identified themselves as Iranian when asking for permission to log onto his website, while others were impersonating employees of industries that he frequently works with.
“There are a large number of people trying to access the secure areas directly from Iran and other people who are putting together fake identities,” he said. “We are talking about hundreds. It could be people who are curious about what is going on, but we are such a specialized site that it would only make sense that these are people who are involved in control systems.”
BUT WHY visit Tofino’s website to begin with? The answer is called Stuxnet, sometimes referred to as a worm, a virus or malware and suspected of having caused serious damage to Iran’s nuclear facilities, particularly its Natanz uranium enrichment plant.
Some security experts have called Stuxnet a “weapon,” claiming the damage it has caused has been as effective as a military strike, possibly setting back the Iranian nuclear program. One of them, Ralph Langner from Hamburg, was one of the first people to study Stuxnet’s code, which he has described as being as sophisticated as the software written for cruise missiles.
Without access to Iran, however, it is difficult to validate the claims. Outgoing Mossad chief Meir Dagan may have been attempting exactly that in early January when he told reporters that Iran would not be capable of producing a nuclear weapon until 2015, a slight pushback from earlier estimates, which had Iran reaching that stage within the next year or so.
The US is also reportedly working on adjusting its assessments on Iran’s nuclear program and will shortly issue an updated National Intelligence Estimate.
Other experts are more wary of Stuxnet’s impact, claiming that even if it caused damage it has likely been repaired.
WHATEVER THE case, Stuxnet is a sign that a new era of warfare has arrived – the era of the cyber war.
“Fighting in the cyber dimension is as significant as the introduction of fighting in the aerial dimension in the early 20th century,” former head of Military Intelligence Maj.-Gen. (res.) Amos Yadlin said in a policy speech last year. “Preserving the lead in this field is especially important, given the dizzying pace of change...
Like unmanned aircraft, it’s a use of force that can strike without regard for distance or duration, and without endangering fighters’ lives.”
He was not exaggerating. He said that it was a field that Israel had a lot to benefit from as a small country with limited military capabilities. Through cyber warfare, Yadlin said, even small countries could do things once reserved for superpowers.
Stuxnet was first discovered by a computer security company in Belarus, but it only made global headlines after the Iranian media announced that the country had been the target of a coordinated cyber attack. In December, President Mahmoud Ahmadinejad admitted that Stuxnet had infected the Natanz facility, but downplayed the extent of the damage.
“They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts. But the problem has been resolved,” he said.
That might not be so accurate. Byres, who has done some work for Israeli companies, says that the continued Iranian interest in his company’s website is likely an indication that the malware is still raging throughout Natanz’s computers and control systems. “Otherwise, why would they be looking so closely at my site,” he asks.
FOR THE West, it is extremely difficult to measure the extent of the damage Stuxnet caused. In September, the cyber security firm Symantec determined that more than 30,000 computer systems had been infected.
A few days later however, Iran put up a firewall to stop information on its computer systems from reaching the outside world.
It has yet to be removed.
But what Symantec was able to determine is that Stuxnet was designed to target systems that use frequency converter drives, devices that set the speed of a motor by varying the frequency of the current supplied to it, as in the motors that spin centrifuges.
The Stuxnet payload modifies the code running on the programmable logic controllers that command those frequency converter drives. It changes the commanded frequency, first to above 1,400 Hz and then down to 2 Hz, speeding the motors up and then nearly halting them, before settling at just over 1,000 Hz. Iran reportedly runs its centrifuge motors at 1,007 Hz to prevent damage, while Stuxnet set them to 1,064 Hz, a small increase but enough, according to experts, to cause damage.
“If you start changing the speed, there are vibrations and they become so severe that it can break the motor,” said David Albright, a Washington-based expert on nuclear proliferation who studied Stuxnet. “If it is true that it is attacking the IR-1, then it is changing the speed to attack the motor.”
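The speed changes described above are the kind of thing an operator could catch in the drive's own setpoint telemetry, if that telemetry is read through a path the attacker does not control. The following monitor is an added example written for this article, not code from Symantec, Albright or anyone else quoted here. It flags the two gross excursions the text describes (a setpoint above the plausible band and a near-halt) and a sustained run above the nominal operating frequency. The telemetry line format (`seconds,drive_id,setpoint_hz`), the band limits, the sustain count and the sample readings are all assumptions made for the example; only the 1,007 Hz nominal and the 1,064 Hz, 1,400 Hz and 2 Hz figures come from the article.

```python
"""Added example: a setpoint monitor for frequency-converter telemetry.

Not part of the original article. The telemetry format, the band limits
(MAX_SAFE_HZ, MIN_RUN_HZ, OVERSPEED_TOL_HZ), the sustain count and the
sample data are assumptions; the 1,007 / 1,064 / 1,400 / 2 Hz figures
are the ones the article reports.
"""
from dataclasses import dataclass

NOMINAL_HZ = 1007.0       # article: the frequency Iran normally ran the motors at
MAX_SAFE_HZ = 1100.0      # assumption: upper edge of the plausible operating band
MIN_RUN_HZ = 900.0        # assumption: a running drive commanded below this is a near-halt
OVERSPEED_TOL_HZ = 20.0   # assumption: deviation above nominal that counts as overspeed


@dataclass
class Alert:
    t: float      # timestamp (seconds) of the offending sample
    drive: str    # drive identifier from the telemetry line
    kind: str     # OVER_BAND, NEAR_HALT or SUSTAINED_OVERSPEED
    hz: float     # the commanded setpoint that triggered the alert


def parse_line(line):
    """Parse one telemetry record of the assumed form 'seconds,drive_id,setpoint_hz'."""
    t, drive, hz = (field.strip() for field in line.split(","))
    return float(t), drive, float(hz)


def analyse(lines, sustain_samples=3):
    """Return the alerts raised over a sequence of telemetry lines.

    OVER_BAND / NEAR_HALT fire on every sample outside the plausible band.
    SUSTAINED_OVERSPEED fires once per run of `sustain_samples` consecutive
    in-band samples that sit more than OVERSPEED_TOL_HZ above nominal.
    Runs are tracked per drive so interleaved drives do not mask each other.
    """
    alerts = []
    overspeed_run = {}  # drive_id -> consecutive in-band overspeed samples
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        t, drive, hz = parse_line(line)

        if hz > MAX_SAFE_HZ:
            alerts.append(Alert(t, drive, "OVER_BAND", hz))
        elif hz < MIN_RUN_HZ:
            alerts.append(Alert(t, drive, "NEAR_HALT", hz))

        if MIN_RUN_HZ <= hz <= MAX_SAFE_HZ and hz > NOMINAL_HZ + OVERSPEED_TOL_HZ:
            run = overspeed_run.get(drive, 0) + 1
            overspeed_run[drive] = run
            if run == sustain_samples:
                alerts.append(Alert(t, drive, "SUSTAINED_OVERSPEED", hz))
        else:
            overspeed_run[drive] = 0
    return alerts


# Constructed sample telemetry (not real data): normal running, then the
# spike / near-halt / settle-high sequence the article describes.
SAMPLE = """\
# t_s,drive,setpoint_hz
0,drive1,1007
60,drive1,1007
120,drive1,1410
135,drive1,2
150,drive1,1064
210,drive1,1064
270,drive1,1064
330,drive1,1064
"""

if __name__ == "__main__":
    for a in analyse(SAMPLE.splitlines()):
        print(f"t={a.t:>6.0f}s {a.drive} {a.kind:<20} setpoint={a.hz:.0f} Hz")
```

On the constructed sample this raises three alerts: OVER_BAND at the 1,410 Hz command, NEAR_HALT at 2 Hz, and SUSTAINED_OVERSPEED once the drive has sat at 1,064 Hz for three consecutive samples. A monitor like this is only as trustworthy as its data path: read the setpoints from a channel independent of the controller being monitored, since a payload that rewrites controller logic can also shape what that controller reports.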
During his investigation, Albright discovered that early last year, 1,000 centrifuges, a 10th of those at Natanz, were mysteriously decommissioned.
The fact that only 1,000 were damaged could mean that Stuxnet – if it caused the breakage – was meant to be subtle and work slowly, causing small amounts of damage without leading the Iranians to suspect that something foreign had infiltrated their computers.
BUT THE question remains – how did Stuxnet infiltrate the centrifuges to begin with? According to an analysis of Stuxnet, its creators took advantage of specially crafted shortcut files placed on USB drives to execute malware automatically as soon as Windows displayed the folder containing the shortcut, without the user having to open anything.
In simpler terms, once a disk-on-key (USB flash drive) carrying the malware was connected to one of the computers on the Natanz network, the malware ran automatically and began spreading. Another unique feature was the inclusion of a rootkit, software designed to hide the presence of the worm. This part of the worm was called WinNT/Stuxnet.A.
The second phase of the worm, WinNT/Stuxnet.B, injects encrypted files into the infected computer’s memory. Each file has a different purpose – some are meant to be used to spread to other computers and some are drivers, meant to take over control of the centrifuge’s motor.
Whoever wrote the code made sure to cover his tracks. Rather than trying to forge a digital certificate, the creators allegedly stole the code-signing certificate – essentially a piece of software’s calling card – of a Taiwan-based computer chip company and used it to sign the worm’s drivers, so that Windows would load them as legitimately signed software. How it was stolen is unclear, but the company is not suspected of involvement.
In addition, the complexity of the worm has led experts to conclude that there were at least five or six writers working on the code simultaneously, overseen by quality control and project management teams, likely reaching a crew of several dozen over a period of several years. One foreign analyst claimed that the code was of the quality of the type of software you would find in cruise missiles.
According to Langner, the German computer expert, all the attacker had to do was infect the computer of an outside contractor who works at Natanz. “You don’t have to get the infected drive into Natanz; all you need to do is make sure that someone who has access to the facility has his or her computer infected and then connects to the server,” he said.
Some news reports have referred to possible hints left behind in Stuxnet’s 15,000-line code. One possible clue was the use of the word “Myrtus” as the name of one of the files, a possible reference to Hadassah, the birth name of Queen Esther, who is buried in Persia. Another supposed clue was the number 19790509, which also appears in the code and might refer to May 9, 1979, the day a prominent Persian Jew was executed in Teheran.
The chances that these are real clues are low, according to Byres. While there is a tradition in the software industry of leaving calling cards behind inside codes, in cases like Stuxnet, it would make more sense to throw in a red herring to divert attention away from the real creator.
NO ONE has taken responsibility for the attack, but fingers have been pointed mostly at Israel. Langner said that in his opinion at least two countries – possibly Israel and the US – were behind Stuxnet.
While everyone in Israel’s top political and defense echelons believe that Iran’s nuclear program needs to be stopped, many are concerned about retaliation, including Dagan. If Stuxnet can spare Israel that war, there is no question it is worth it.
There are a limited number of agencies that could have been involved in writing such a program. The first is Military Intelligence’s Unit 8200, the equivalent of the US National Security Agency, which is responsible for signals intelligence, eavesdropping on the enemy and code-breaking, and which was entrusted in 2009 with the IDF’s offensive cyber capabilities.
Another possibility is the Mossad, which also has strong technological capabilities but is slightly inferior to Unit 8200, the largest unit within the IDF.
The Mossad has received a major boost in its budget in recent years to help it acquire the resources needed to effectively combat Iran’s nuclear program. Its focus is reportedly on covert operations such as acts of sabotage and assassinations similar to the type that killed a top scientist in Teheran in November, which was attributed to the Mossad, and cyber warfare.
The Iranian announcement that a network of Mossad spies had been caught in Teheran this week – whether the story is true or not – is an indication of how nervous the ayatollahs are.