(Chris Wood filling in for David Galland)
About a month ago, in this missive we talked about a new war that is being waged across the globe – a war that’s not fought with guns on the ground but with computer code in cyberspace. Well, thanks to a newly discovered, hyper-sophisticated piece of malware known as the Stuxnet worm, this war just got a whole lot more intense and a whole lot scarier. Although the study of Stuxnet is ongoing, more and more cyber-security experts throughout the world are coming to the conclusion that the worm represents something entirely new: “a cyber weapon created to cross from the digital realm to the physical world – to destroy something.”
When Stuxnet was discovered in June, cyber-security experts could tell immediately, from its sophistication and complexity, that the worm must have been created by an extremely well-funded and probably government-backed group. It was also immediately apparent that this was the first malware known to seek out and infiltrate industrial control systems of real-world targets like factories and power plants. What wasn’t known at the time was who created it and what the motive was behind it. Was Stuxnet intended to steal proprietary industrial data, or something more sinister?
By August the answer became apparent. Not only could Stuxnet infiltrate industrial control systems and steal data, it was able to take control of the systems it had infected and reprogram them to sabotage operations without being detected by the monitoring systems.
Here’s a slightly technical explanation of what Stuxnet does from Symantec (published on August 6, 2010):
As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.
Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
… By writing code to the PLC, Stuxnet can potentially control or alter how the system operates.
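The defensive consequence of the passage above is that an engineering workstation cannot be trusted to audit the controller it may have infected: the block listing has to be cross-checked against a read taken by a separately provisioned tool and against the signed-off project archive. The script below is an added example (not Symantec’s or Stuxnet’s code); the block names and bytes are constructed sample data, and the "independent read" is assumed to come from a clean tool the workstation never touched.

```python
import hashlib
from typing import Dict, List

def fingerprint(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """Map each PLC block name to the SHA-256 of its code bytes."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}

def audit_plc(workstation: Dict[str, bytes],
              independent: Dict[str, bytes],
              approved: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare three views of one PLC's program.

    workstation: blocks as listed by the engineering PC (may be rootkit-filtered)
    independent: blocks read by a separately provisioned tool the PC never touched
    approved:    name -> SHA-256 taken from the signed-off project archive
    """
    ws, ind = fingerprint(workstation), fingerprint(independent)
    return {
        # on the controller, but not shown by the engineering PC at all
        "hidden": sorted(set(ind) - set(ws)),
        # listed by both, but the PC shows different bytes than the PLC holds
        "masked": sorted(n for n in ind if n in ws and ws[n] != ind[n]),
        # on the controller, but never part of the approved project
        "unapproved": sorted(set(ind) - set(approved)),
        # approved block whose running code no longer matches the archive
        "drifted": sorted(n for n in ind if n in approved and ind[n] != approved[n]),
    }

# Constructed sample data (hypothetical block names, not real PLC code).
APPROVED_SRC = {"OB1": b"call FC1", "FC1": b"read sensors", "DB1": b"setpoints"}
APPROVED = fingerprint(APPROVED_SRC)
# What the possibly compromised engineering PC reports: looks pristine.
WORKSTATION_VIEW = dict(APPROVED_SRC)
# What the independent read returns: OB1 altered and an extra block present.
INDEPENDENT_VIEW = {**APPROVED_SRC, "OB1": b"call FC999; call FC1", "FC999": b"injected"}

def demo() -> Dict[str, List[str]]:
    """Run the audit over the constructed views."""
    return audit_plc(WORKSTATION_VIEW, INDEPENDENT_VIEW, APPROVED)

if __name__ == "__main__":
    for finding, names in demo().items():
        print(f"{finding:>10}: {names or '-'}")
```

Any non-empty "hidden" or "masked" finding means the workstation's view and the controller disagree, which is exactly the condition the rootkit described above is built to produce.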
As September rolled around, what was known about the Stuxnet worm could be summed up by the following quote:
“It is not speculation that this is the first directed cyber-weapon,” or one aimed at a specific real-world process, said Joe Weiss, a U.S. expert who has testified to Congress on technological security threats to the electric grid and other physical operations. “The only speculation is what it is being used against, and by whom.”
But now, after months of study, the purpose of the Stuxnet worm may be coming to light.
German security researcher Ralph Langner has developed a well-supported and rather shocking theory – the Stuxnet worm is targeted at a single location, which it seeks to sabotage or destroy. At a closed-door conference last week in Maryland, Langner said Stuxnet might be targeting not a sector but perhaps only one plant, and he speculated that it could be a controversial nuclear facility in Iran.
Langner stumbled onto the idea that the Stuxnet worm could be a weapon targeted at a single facility by noticing that the worm lies dormant in most of the systems it infects. After more research, he concluded that the worm is basically “fingerprinting” the systems it infiltrates and looking for very specific traits, remaining dormant if it doesn’t find them. All of this suggests Stuxnet is indeed a specifically targeted weapon.
Furthermore, based on the forensic analysis being conducted, Langner assumed that this targeted attack had already taken place and was successful; i.e., that the Stuxnet worm had already fulfilled its singular purpose. So, he said, “let’s check where something blew up recently.”
Here’s Langner’s theory in his own words:
It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange -- they are presently having some technical difficulties down there in Bushehr. There also seem to be indications that the people in Bushehr don't seem to be overly concerned about cyber security. When I saw this screenshot last year, I thought, these guys seem to be begging to be attacked. If the picture is authentic, which I have no means of verifying, it suggests that approximately one and a half years before a nuke plant is scheduled to go operational they're playing around with software that is not properly licensed and configured. I have never seen anything like that even in the smallest cookie plant. The pure fact that the relevant authorities did not seem to make efforts to get this off the web suggests to me that they don't understand (and therefore don't worry about) the deeper message that this tells.
Now you may ask, what about the many other infections in India, Indonesia, Pakistan, etc.? Strange for such a directed attack. Then, on the other hand, probably not. Check who commissions the Bushehr plant. It's a Russian integrator that also has business in some of the countries where we see high infection rates. What we also see is that this company, too, doesn't seem to be overly concerned about IT security. As I am writing this, they're having a compromised web site (http://www.atomstroyexport.com/index-e.htm) that tries to download stuff from a malware site that had been shut down more than two years ago (www.bubamubaches.info). So we're talking about a company in nukes that seems to be running a compromised web presence for over two years? Strange.
I could give some other hints that have a smell for me, but I think other researchers may be able to do a much better job on checking the validity of all this completely non-technical stuff. The one last bit of information that makes some sense for me is the clue that the attackers left in the code, as the fellows from Symantec pointed out -- use your own imagination because you will think I'm completely nuts when I tell you my idea.
Welcome to cyberwar.
So while Langner is admittedly reticent about his theory, it is a possibility. And if that’s the case, security experts speculate that the worm originated in the U.S. or Israel. But we might not know for some time.
Regardless of specific theories, Stuxnet represents a new breed of threat to all nations’ industrial infrastructure – a guided cyber-missile capable of the same level of destruction as a conventional physical warhead.
By Vedran Vuk
In 2008, a lot of educated individuals justified the bailouts by warning of riots and social upheaval. Hence, the bailouts were absolutely necessary. If the unemployment rate rose, people would take to the streets. They’ll elect a new Hitler. Society will come to a halt.
Even conservatives and libertarians sometimes make the same argument against their own proposals. If the government lowers welfare benefits, there will be Molotov cocktails flying through the air. I call BS. First of all, economic hardship around the world is nothing new. In fact, it’s the norm. And unfortunately, the average person has an extremely high tolerance for unemployment, scarcity, and tyranny.
Look at the fall of the Berlin Wall. Can you believe that it took so long? I certainly can, because the average person in any society is a whipped dog. As soon as the master takes out the rolled-up newspaper or even hints at it, the dog whimpers and goes back to his corner. Or just look at the travesty during the Great Depression. Unemployment rates were at 25%. And despite years of failed policies, riots outside organized labor were rare.
Threats of social unrest are always presented as one-way streets. We’re always told, “If we don’t bail out the banks, people will riot.” But why not another version, “If we bail out the banks, people will riot.”
Just think of how many abuses the average citizen suffers, yet still does not riot. The government already regulates every aspect of your life and confiscates nearly half of your income. Or what about the porno scanners in airports alone? Overpaid perverts strip search your wife and kids every time that you fly. No rioting still. Why, there’s not even an angry whisper from the Christian Right. I guess they’re too busy protecting the sanctity of marriage from homosexuals. If you ask me, they should be protecting the sanctity of marriage from the perverts and pedophiles at the TSA instead.
We live in a society of whipped dogs. But it’s not just us. It’s true for most societies around the world. Few people will riot over a bit of unemployment.
Even the bailout supporters proved themselves wrong. We were warned that without the stimulus and bailouts, there would be 10% unemployment. And from there, the streets would fill with anarchy. Well, we’re here at 10% unemployment. Seen any burning cars lately? No, I didn’t think so. Oh wait. I did see some soccer moms holding signs and “Don’t Tread on Me” banners in front of the Washington Monument. Oh my. I’m shivering from fright.
In history, mass riots seem to arrive from two events. Well-organized movements created by special interests – especially labor unions like in Greece. Without the unions, I doubt much hullabaloo would be heard at all. Or, after decades and decades of oppression, an unpredictable spark will set people off. Think Berlin Wall, Romania’s mass protests, MLK riots, etc.
For the most part, individuals in society do not stand up for themselves. That’s far more frightening than riots. I bet that if the United States started to place Middle Easterners and anti-government types into concentration camps, there wouldn’t be a single riot in this country. We’ve seen this happen throughout history time and time again.
Sure, there’s some chance of riots and anarchy breaking loose. But the chances are much higher that others will do nothing while your tax rate skyrockets to 90%, your rights are stripped, and the economy continues to tank. Your fellow citizens will watch injustice after injustice unfold and will not lift a finger to stop it. Fear not riots. Instead, fear the complicity of the masses.
Chris again. Thanks, Vedran. And thank you, dear reader, for spending some time with us today. A quick glance at the screens before I sign off, and I see stocks are down slightly, while crude is up to just under $80/bbl and gold is just several dollars off record highs at $1,307/oz. Now I must run, but first I’d like to thank you for reading this Daily Dispatch and for subscribing to a Casey Research service. See you tomorrow.
Casey Research, LLC