person:ralph langner

  • #stuxnet files

    W32.Stuxnet Dossier
    v1.4, February 2011, Symantec

    https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
    (Nicolas Falliere, Liam O Murchu, and Eric Chien)

    In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes 4 zero-day exploits, a Windows rootkit, the first ever PLC [Programmable Logic Controller] rootkit, [compromise 2 digital certificates] antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface. We take a look at each of the different components of Stuxnet to understand how the threat works in detail while keeping in mind that the ultimate goal of the threat is the most interesting and relevant part of the threat.

    [...]

    Stuxnet contains many features such as:
    • Self-replicates through removable drives exploiting a vulnerability allowing auto-execution. "Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732) CVE-2010-2568"
    • Spreads in a LAN through a vulnerability in the Windows Print Spooler. "Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073) CVE-2010-2729"
    • Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), CVE-2008-4250
    • Copies and executes itself on remote computers through network shares.
    • Copies and executes itself on remote computers running a WinCC database server.
    • Copies itself into Step 7 projects [ Siemens SIMATIC Step 7 industrial control software] in such a way that it automatically executes when the Step 7 project is loaded.
    • Updates itself through a peer-to-peer mechanism within a LAN.
    • Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
    • Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
    • Contains a Windows rootkit that hide its binaries.
    • Attempts to bypass security products.
    • Fingerprints a specific industrial control system (ICS) and modifies code on the Siemens PLCs to potentially sabotage the system.
    • Hides modified code on PLCs, essentially a rootkit for PLCs.

    Stuxnet Malware and Natanz: Update of ISIS December 22, 2010 Report - update Feb 15, 2011

    http://isis-online.org/uploads/isis-reports/documents/stuxnet_update_15Feb2011.pdf
    (David Albright, Paul Brannan, and Christina Walrond)

    In the December 22, 2010 ISIS [Institute for Science and International Security] report on Stuxnet, ISIS found that this malware contained important evidence indicating that its target was the IR-1 centrifuges at the Fuel Enrichment Plant (FEP) at Natanz. ISIS focused on the attack sequences generated by a Siemens S7-315 programmable logic controller (PLC) connected to frequency converters of a particular type. The ISIS analysis centered on the rotational frequencies listed in these detailed attack sequences. These frequencies matched, in two cases identically, key frequencies characteristic of the IR-1 centrifuge at the FEP.

    A further analysis of another attack sequence has revealed that this code contains a description of what appears to be an exact copy of the IR-1 cascade at the FEP. The attack is titled “Sequence C” by Symantec, the computer security company that has conducted the most thorough and reliable open analysis of the malware’s code, or “417 code” after the advanced Siemens S7-417 programmable logic controller that Stuxnet targets. However, the 417 code is not activated and thus unable to launch an attack. Moreover, key data is missing from the code available to Symantec that would define exactly what is affected or sabotaged. Symantec has assessed that the 417 code is likely unfinished, perhaps a work in progress.

    Additional analysis also lends more support to the conclusion that the Stuxnet malware is aimed principally at centrifuges, not manipulating parameters of the centrifuge cascades so as to lower the production low enriched uranium (LEU) on a sustained basis. To date, Stuxnet is known to have had at least one attack. It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site. The effect of this attack was significant. It rattled the Iranians, who were unlikely to know what caused the breakage, delayed the expected expansion of the plant, and further consumed a limited supply of centrifuges to replace those destroyed. Nonetheless, Iran took steps in the aftermath of the attack that likely reduced further damage by Stuxnet, principally shutting down many centrifuge cascades for months. The shutdown lasted long enough for the malware to be discovered publicly, which time Iran could have found Stuxnet on the Natanz control systems.

    [...]

    New Finding: Evidence of Targeting Natanz in Sequence C or 417 Code
    Soon after the publication of the ISIS December 22 report, Ralph Langner, a German security expert, contacted ISIS after noticing that each of the Natanz centrifuge cascades contained 164 centrifuges. He said that the 417 code, or sequence C, is grouped in six arrays of 164 units each, perhaps representing six cascades, each with 164 centrifuges.
    Based on Symantec’s analysis of this array, ISIS discovered that this array is identical to an IR-1 centrifuge cascade at the FEP. This evidence is perhaps the strongest evidence that Stuxnet is aimed at Natanz.

    [...]
    But with key data missing, one can only speculate about what the 417 code aims to sabotage. According to Symantec, the data sent to the cascades appear more aimed at flipping a series of on/off values rather than sending a packet of commands like the 315 code sends to frequency converters.

  • Stuxnet’s Secret Twin - By Ralph Langner | Foreign Policy
    http://www.foreignpolicy.com/articles/2013/11/19/stuxnets_secret_twin_iran_nukes_cyber_attack
    http://www.nettavisen.no/imagecache/parameter/?upsizable=true&action=resize&width=980&height=-1&url=http://pub.nettavisen.no/multimedia/na/archive/00755/Natanz__Natanz___75588116x9.jpg

    What I’ve found is that the full picture, which includes the first and lesser-known Stuxnet variant, invites a re-evaluation of the attack. It turns out that it was far more dangerous than the cyberweapon that is now lodged in the public’s imagination.

    ...

    Once multiple centrifuges are shut off within the same stage, operating pressure — the most sensitive parameter in uranium enrichment using centrifuges — will increase, which can and will lead to all kinds of problems.

    The Iranians found a creative solution for this problem.

    ...

    The system might have keep Natanz’s centrifuges spinning, but it also opened them up to a cyberattack that is so far-out, it leads one to wonder whether its creators might have been on drugs.

    ...

    One of the first things this Stuxnet variant does is take steps to hide its tracks, using a trick straight out of Hollywood. Stuxnet records the cascade protection system’s sensor values for a period of 21 seconds. Then it replays those 21 seconds in a constant loop during the execution of the attack. In the control room, all appears to be normal, both to human operators and any software-implemented alarm routines.

    Then Stuxnet begins its malicious work.

    ...

    Nevertheless, the attackers faced the risk that the attack would not work at all because the attack code is so overengineered that even the slightest oversight or any configuration change would have resulted in zero impact or, worse, in a program crash that would have been detected by Iranian engineers quickly.

    The results of the overpressure attack are unknown. Whatever they were, the attackers decided to try something different in 2009.

    ...

    The new version self-replicated, spreading within trusted networks and via USB drive to all sorts of computers, not just to those that had the Siemens configuration software for controllers installed.

    ...

    If Stuxnet is American-built — and, according to published reports, it most certainly is — then there is only one logical location for this center of gravity: Fort Meade, Maryland, the home of the National Security Agency.

    ...

    Stuxnet is a low-yield weapon with the overall intention of reducing the lifetime of Iran’s centrifuges and making the Iranians’ fancy control systems appear beyond their understanding.

    Reasons for such tactics are not difficult to identify. When Stuxnet was first deployed, Iran had already mastered the production of IR-1 centrifuges at industrial scale. During the summer of 2010, when the Stuxnet attack was in full swing, Iran operated about 4,000 centrifuges, but kept another 5,000 in stock, ready to be commissioned. A one-time destruction of the Iranians’ operational equipment would not have jeopardized that strategy, just like the catastrophic destruction of 4,000 centrifuges by an earthquake back in 1981 did not stop Pakistan on its way to getting the bomb. By my estimates, Stuxnet set back the Iranian nuclear program by two years; a simultaneous catastrophic destruction of all operating centrifuges wouldn’t have caused nearly as big a delay.

    ...

    Pakistan basically managed to go from zero to successful low-enriched uranium production within just two years during shaky economic times, without the latest in digital control technology. The same effort took Iran over 10 years, despite the jump-start from Pakistan’s A.Q. Khan network and abundant money from sales of crude oil. If Iran’s engineers didn’t look incompetent before, they certainly did during the time when Stuxnet was infiltrating their systems.

    ...

    Legend has it that in the summer of 2010, while inflicting its damage on Natanz, Stuxnet “escaped” from the nuclear facility due to a software bug that came with a version update. While that is a good story, it cannot be true. Stuxnet propagated only between computers that were attached to the same local network or that exchanged files though USB drives.

    ...

    Given that Stuxnet reported Internet protocol addresses and hostnames of infected systems back to its command-and-control servers, it appears that the attackers were clearly anticipating (and accepting) a spread to noncombatant systems and were quite eager to monitor that spread closely. This monitoring would eventually deliver information on contractors working at Natanz, their other clients, and maybe even clandestine nuclear facilities in Iran.

    ...

    Stuxnet-inspired attackers will not necessarily place the same emphasis on disguise; they may want victims to know that they are under cyberattack and perhaps even want to publicly claim credit for it.

    And unlike the Stuxnet attackers, these adversaries are also much more likely to go after civilian critical infrastructure.

    ...

    In fact, all modern plants operate with standard industrial control system architectures and products from just a handful of vendors per industry, using similar or even identical configurations. In other words, if you get control of one industrial control system, you can infiltrate dozens or even hundreds of the same breed more.

    ...

    Along the road, one result became clear: Digital weapons work. And different from their analog counterparts, they don’t put military forces in harm’s way, they produce less collateral damage, they can be deployed stealthily, and they are dirt cheap. The contents of this Pandora’s box have implications much beyond Iran; they have made analog warfare look low-tech, brutal, and so 20th century.

  • A New and Frightening #Stuxnet | isssource.com
    http://www.isssource.com/a-new-and-frightening-stuxnet

    ISSSource has learned leaders of the three major software companies, Sergey Brin at Google, Steve Ballmer at Microsoft and Larry Ellison at Oracle have been working with Israel’s top cyber warriors and have now come up with new version of a Stuxnet-like worm that can bring down Iran’s entire software networks if the Iranian regime gets too close to a breakout, according to U.S. intelligence sources.

    Cet article est-il crédible ? il est très flou sur ses sources et références, ce qui est d’ailleurs fortement reproché par Dale Peterson à la plupart des papiers sur Stuxnet

    Stuxnet Reporting Needs Facts and Attribution
    http://www.digitalbond.com/2011/10/13/stuxnet-reporting-needs-facts-and-attribution
    (lire aussi sous cet article le commentaire de Ralph Langner lui-même)

    #iran #cyberguerre #psyops

  • #Stuxnet Worm Used Against #Iran Was Tested in #Israel - NYTimes.com
    http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&pagewanted=print

    “It’s like a playbook,” said Ralph Langner, an independent computer security expert in Hamburg, Germany, who was among the first to decode Stuxnet. “Anyone who looks at it carefully can build something like it.” Mr. Langner is among the experts who expressed fear that the attack had legitimized a new form of industrial warfare, one to which the United States is also highly vulnerable.

    #usa #cyberwar