The American Bear


Iranian cyber warfare commander shot dead in suspected assassination | Telegraph

Mojtaba Ahmadi, who served as commander of the Cyber War Headquarters, was found dead in a wooded area near the town of Karaj, north-west of the capital, Tehran. Five Iranian nuclear scientists and the head of the country’s ballistic missile programme have been killed since 2007. The regime has accused Israel’s external intelligence agency, the Mossad, of carrying out these assassinations.

Ahmadi was last seen leaving his home for work on Saturday. He was later found with two bullets in the heart, according to Alborz, a website linked to the Revolutionary Guard Corps. “I could see two bullet wounds on his body and the extent of his injuries indicated that he had been assassinated from a close range with a pistol,” an eyewitness told the website.

The commander of the local police said that two people on a motorbike had been involved in the assassination.

[…] Subsequently, a statement from the Imam Hassan Mojtaba division of the Revolutionary Guard Corps said that Ahmadi’s death was being investigated. It warned against speculating “prematurely about the identity of those responsible for the killing”.

Western officials said the information was still being assessed, but previous deaths have been serious blows to Iran’s security forces. Tighter security measures around leading commanders and nuclear scientists have instilled a culture of fear in some of the most sensitive parts of the security establishment.

The last victim of a known assassination was Mostafa Ahmadi Roshan, a chemist who worked in the uranium enrichment plant at Natanz, who died when an explosive device blew up on his car in January last year.

After Profits, Defense Contractor Faces the Pitfalls of Cybersecurity | NYTimes.com

… [F]ew top officials in the intelligence world have become greater authorities on cyberconflict than the 69-year-old [Michael] McConnell … . He began his career as a Navy intelligence officer on a small boat in the backwaters of the Mekong Delta during the Vietnam War. Years later he helped the American intelligence apparatus make the leap from an analog world of electronic eavesdropping to the new age of cyberweaponry.

President Bill Clinton relied on Mr. McConnell as director of the N.S.A., a post he held from 1992 to 1996. He then moved to Booz Allen as a senior vice president, building its first cyberunits. But with the intelligence community in disarray after its failure to prevent the terrorist attacks of Sept. 11, 2001, the fiasco of nonexistent weapons of mass destruction in Iraq and the toll of constant reorganization, President George W. Bush asked him to be the second director of national intelligence from 2007 to 2009.

That was when he made his biggest mark, forcing a reluctant bureaucracy to invest heavily in cybercapability and overseeing “Olympic Games,” the development of America’s first truly sophisticated cyberweapon, which was used against Iran’s nuclear enrichment program. When Mr. Bush needed someone to bring President-elect Barack Obama up to speed on every major intelligence program he was about to inherit, including drones and defenses against electronic intrusions from China, he handed the task to Mr. McConnell.

But Mr. Obama was not interested in keeping the previous team, and Mr. McConnell returned to Booz Allen in 2009. He earned more than $4.1 million his first year back, and $2.3 million last year. He is now vice chairman, and the company describes him as the leader of its “rapidly expanding cyberbusiness.”

But Mr. Obama was interested in Olympic Games (NYT, 6/1/2012):

From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

Oops!

(And don’t forget about Flame and the other “Games” like Gauss, Duqu, and mini-Flame).

Obama orders US to draw up overseas target list for cyber-attacks

Barack Obama has ordered his senior national security and intelligence officials to draw up a list of potential overseas targets for US cyber-attacks, a top secret presidential directive obtained by the Guardian reveals.

The 18-page Presidential Policy Directive 20, issued in October last year but never published, states that what it calls Offensive Cyber Effects Operations (OCEO) “can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging”.

It says the government will “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power”.

The directive also contemplates the possible use of cyber actions inside the US, though it specifies that no such domestic operations can be conducted without the prior order of the president, except in cases of emergency.

The aim of the document was “to put in place tools and a framework to enable government to make decisions” on cyber actions, a senior administration official told the Guardian.

The administration published some declassified talking points from the directive in January 2013, but those did not mention the stepping up of America’s offensive capability and the drawing up of a target list.

World’s largest oil producer falls victim to 30K workstation attack | Ars Technica

It’s nearly a plot line from the movies: World’s largest oil producer gets hit by a cyber-attack that threatens to wipe away all data from its internal computers. But largely, this is the situation Saudi Aramco described today.

The Saudi Arabia-based industry leader released a statement confirming that roughly 30,000 workstations were affected by a cyber attack in mid-August. Details beyond that were scarce—Saudi Aramco said the virus “originated from external sources” and that its investigation into the matter was ongoing. There was no mention of whether this was related to this month’s Shamoon attacks.

The company said it cleansed its workstations and resumed operations for its internal network today. They also added that oil exploration and production operations were unaffected because those networks were separate systems. Reuters attempted to reach out to the company further but saw its e-mails bounce back. The news outlet also noticed one of the company’s sites taken down by attacks remained non-operational (aramco.com).

[…] The mid-August attack on Saudi Aramco came during the same week when security researchers identified the Shamoon attacks mentioned above. Researchers saw those as a copycat of a malware known as Wiper, which reportedly attacked Iran’s oil ministry in April. Researchers were reluctant to name targets of the Shamoon attacks at that time, however.

Stuxnet Will Come Back to Haunt Us | Misha Glenny

"Once the logic of cyberwarfare takes hold, it is worryingly pre-emptive …"

THE decision by the United States and Israel to develop and then deploy the Stuxnet computer worm against an Iranian nuclear facility late in George W. Bush’s presidency marked a significant and dangerous turning point in the gradual militarization of the Internet. Washington has begun to cross the Rubicon. If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory.

It is one thing to write viruses and lock them away safely for future use should circumstances dictate it. It is quite another to deploy them in peacetime. Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet. Unlike nuclear or chemical weapons, however, countries are developing cyberweapons outside any regulatory framework.

There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country’s critical telecommunications or banking infrastructure. It is in the United States’ interest to push for one before the monster it has unleashed comes home to roost.

Stuxnet was originally deployed with the specific aim of infecting the Natanz uranium enrichment facility in Iran. This required sneaking a memory stick into the plant to introduce the virus to its private and secure “offline” network. But despite Natanz’s isolation, Stuxnet somehow escaped into the cyberwild, eventually affecting hundreds of thousands of systems worldwide.

This is one of the frightening dangers of an uncontrolled arms race in cyberspace; once released, virus developers generally lose control of their inventions, which will inevitably seek out and attack the networks of innocent parties. Moreover, all countries that possess an offensive cyber capability will be tempted to use it now that the first shot has been fired.


U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, "officials say" | The Washington Post

The United States and Israel jointly developed a sophisticated computer virus nicknamed Flame that collected intelligence in preparation for cyber-sabotage aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.

The massive piece of malware secretly mapped and monitored Iran’s computer networks, sending back a steady stream of intelligence to prepare for a cyberwarfare campaign, according to the officials.

The effort, involving the National Security Agency, the CIA and Israel’s military, has included the use of destructive software such as the Stuxnet virus to cause malfunctions in Iran’s nuclear-enrichment equipment.

The emerging details about Flame provide new clues to what is thought to be the first sustained campaign of cyber-sabotage against an adversary of the United States.

“This is about preparing the battlefield for another type of covert action,” said one former high-ranking U.S. intelligence official, who added that Flame and Stuxnet were elements of a broader assault that continues today. “Cyber-collection against the Iranian program is way further down the road than this.”

Flame came to light last month after Iran detected a series of cyberattacks on its oil industry. The disruption was directed by Israel in a unilateral operation that apparently caught its American partners off guard, according to several U.S. and Western officials who spoke on the condition of anonymity.

There has been speculation that Washington had a role in developing Flame, but the collaboration on the virus between the United States and Israel has not been previously confirmed. Commercial security researchers reported last week that Flame contained some of the same code as Stuxnet. Experts described the overlap as DNA-like evidence that the two sets of malware were parallel projects run by the same entity.

Some Flame code found in Stuxnet virus: expert | Reuters

A leading computer security firm has linked some of the software code in the powerful Flame virus to the Stuxnet cyber weapon, which is believed to have been used by the United States and Israel to attack Iran’s nuclear program.

Eugene Kaspersky, chief executive of Moscow-based Kaspersky Lab, which uncovered Flame last month, said his researchers have since found that part of the Flame program code is nearly identical to code found in a 2009 version of Stuxnet.

The new research could bolster the belief of many security experts that Stuxnet was part of a massive U.S.-led cyber program that is still active in the Middle East and perhaps other parts of the world.

Although Kaspersky did not say who he thought built Flame, news organizations including Reuters and the New York Times have previously reported that the United States and Israel were behind Stuxnet, which was uncovered in 2010 after it damaged centrifuges used to enrich uranium at a facility in Natanz, Iran.

Instead of issuing denials, authorities in Washington recently launched investigations into the leaks about the highly classified project.

On Stuxnet and Flame, “there were two different teams working in collaboration,” Kaspersky said at the Reuters Global Media and Technology Summit in London on Monday.

Leaks and Transparency | Bernard Finel

Well, Washington is up in arms about “leaks.” Very Serious People across the political spectrum are calling for investigations and a crack down on leaks. All very predictable.

But what is interesting to me is that no one seems to be asking whether this leaked information should ever have been kept secret.

I mean, don’t we have a right to know details about how the President chooses to kill individuals? Indeed, I’d argue that while using drones may be a defensible policy [no, ed.], I see no reason to do so in secret [yes, ed.].

In a similar fashion, why should our involvement in cyber attacks be kept secret? Look, this is potentially an act of war. The public has a right to know what we are doing, since there are major potential consequences to those decisions.

The default should be transparency. We shouldn’t even be talking about leaks, because everything that was “leaked” recently should have been public in the first place.

Crypto breakthrough shows Flame was designed by world-class scientists | Ars Technica

Quick background: Flame is the third of three cyberattacks launched against Iran. Stuxnet, the first, was unleashed under Bush and accelerated under the Obama administration to trip up industrial controllers (PLCs), making the centrifuges used for uranium enrichment go batshit, thus slowing down Iran’s program. Duqu was the second. It was based on Stuxnet, but apparently was only used to record information (logins, keystrokes, etc.). Duqu and Flame have not yet been claimed by anyone, although Israel and/or the United States are considered the likely culprits.

Dan Goodin from Ars describes how the malware enters a machine and speculates that only a wealthy state could have funded the research required for such a sophisticated bit of code:

The Flame espionage malware that infected computers in Iran achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers, two of the world’s foremost cryptography experts said.

“We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack,” Marc Stevens and B.M.M. de Weger wrote in an e-mail posted to a cryptography discussion group earlier this week. “The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications.”

“Collision” attacks, in which two different sources of plaintext generate identical cryptographic hashes, have long been theorized. But it wasn’t until late 2008 that a team of researchers made one truly practical. By using a bank of 200 PlayStation 3 consoles to find collisions in the MD5 algorithm—and exploiting weaknesses in the way secure sockets layer certificates were issued—they constructed a rogue certificate authority that was trusted by all major browsers and operating systems. Stevens, from the Centrum Wiskunde & Informatica in Amsterdam, and de Weger, of the Technische Universiteit Eindhoven, were two of the driving forces behind the research that made it possible.

Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.

According to Stevens and de Weger, the collision attack was unlike any that cryptographers have seen before. They arrived at that conclusion after using a custom-designed forensic tool to analyze Flame components.

“More interestingly, the results have shown that not our published chosen-prefix collision attack was used, but an entirely new and unknown variant,” Stevens wrote in a statement distributed on Thursday. “This has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis. Further research will be conducted to reconstruct the entire chosen-prefix collision attack devised for Flame.”

The analysis reinforces theories that researchers from Kaspersky Lab, CrySyS Lab, and Symantec published almost two weeks ago. Namely, Flame could only have been developed with the backing of a wealthy nation-state. Stevens’ and de Weger’s conclusion means that, in addition to a team of engineers who developed a global malware platform that escaped detection for at least two years, Flame also required world-class cryptographers who have broken new ground in their field.

“It’s not a garden-variety collision attack, or just an implementation of previous MD5 collisions papers—which would be difficult enough,” Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. “There were mathematicians doing new science to make Flame work.”
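An added illustration, not part of the Ars piece or of Stevens and de Weger’s work: the script below takes the long-published Wang et al. (2004) MD5 colliding pair and shows why a signature issued over an MD5 digest of one input also validates the colliding input, which is the property a fraudulent code-signing certificate exploits, and then the digest allowlist a verifier should enforce. The CA key and the HMAC standing in for the CA’s signature are constructed simplifications; only the hash step matters for the argument.

```python
import hashlib
import hmac

# Two distinct 128-byte inputs from the published Wang et al. (2004) MD5
# collision (the pair reproduced on Wikipedia's MD5 page). They differ in
# six bytes yet produce the same MD5 digest.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed stand-in for a certificate authority's private key. HMAC over
# the digest plays the role of the CA's RSA signature; the signing primitive
# is deliberately simplified because the hash is the only part that matters.
CA_KEY = b"constructed-demo-ca-key"


def digest_hex(data: bytes, hash_name: str) -> str:
    """Hex digest of data under the named hash ('md5', 'sha256', ...)."""
    return hashlib.new(hash_name, data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def md5_collides(a: bytes, b: bytes) -> bool:
    """True if the inputs differ but share one MD5 digest."""
    return a != b and digest_hex(a, "md5") == digest_hex(b, "md5")


def ca_sign(to_be_signed: bytes, hash_name: str) -> bytes:
    """Simulated CA: the signature covers the digest, never the raw bytes."""
    digest = hashlib.new(hash_name, to_be_signed).digest()
    return hmac.new(CA_KEY, digest, "sha256").digest()


def ca_verify(obj: bytes, signature: bytes, hash_name: str) -> bool:
    """Recompute the digest of the presented object and check the signature."""
    return hmac.compare_digest(ca_sign(obj, hash_name), signature)


def forgery_transfers(hash_name: str) -> bool:
    """Sign the benign block, then ask whether that signature also validates
    the colliding block. True means one legitimately issued signature has
    become a valid signature over bytes the CA never saw."""
    sig_over_benign = ca_sign(BLOCK_A, hash_name)
    return ca_verify(BLOCK_B, sig_over_benign, hash_name)


# Mitigation: refuse any signature whose digest algorithm is collision-prone,
# even if the signature itself checks out.
ACCEPTED_DIGESTS = frozenset({"sha256", "sha384", "sha512"})


def accept_signed_object(obj: bytes, signature: bytes, hash_name: str) -> bool:
    """Policy gate in front of signature verification."""
    if hash_name not in ACCEPTED_DIGESTS:
        return False
    return ca_verify(obj, signature, hash_name)


if __name__ == "__main__":
    print("MD5 collides:", md5_collides(BLOCK_A, BLOCK_B))
    print("differ at byte offsets:", differing_offsets(BLOCK_A, BLOCK_B))
    for h in ("md5", "sha256"):
        print(f"signature over A accepted for B under {h}: {forgery_transfers(h)}")
    sig = ca_sign(BLOCK_A, "md5")
    print("policy accepts MD5-signed object:", accept_signed_object(BLOCK_A, sig, "md5"))
```

Finding this pair took a research team; Flame’s chosen-prefix variant let the attacker pick both prefixes, which is what makes a certificate-shaped collision possible.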

And, this just in:
Microsoft contains Flame with Windows Update revamp

In the past four years alone, Iran has been directly attacked by three cyber-weapons, each designed to cause havoc and siphon off data in their own unique ways. Stuxnet, Duqu, and Flame, the latest of the three, have astonished the cyber-security industry. For experts, the coding and function of these viruses have signified the beginnings of an ‘early age of cyber-warfare’, one that could become ‘a common trend in everyday life’ in the near future.

Flame: Opening a New Weapons Cache

You should read this whole piece. This, like the normalization of drone warfare as foreign policy, is happening way too fast.

[One] must ask why Obama would commit the serious tort of cyber-warfare and sabotage in Iran when his own intelligence community is on record that Iran’s nuclear program has been peaceful since 2003? And, indeed, what explains the peculiar timing of this public disclosure only a couple of weeks before the crucial Iran talk in Moscow scheduled for June 18 and 19? Certainly, this is not intended to convince Iran that it can trust Obama and vest any hope for a better treatment than his predecessors. Kaveh L. Afrasiabi

Iranophobia and Obama the cyber-warrior | Kaveh L. Afrasiabi

The cyber-attack and other technologies of sabotage and control used with such facility by Obama may be cutting edge but the underlying discourse is purely pre-modern and even medievalist, ie Machiavellian through and through. As such, Obama is hostage to the past with no prospect for real evolution, pinned to an ideology of Western domination pure and simple.

In this asymmetrical, technologically savvy contestation of power, the US’s combination of soft and hard power is insatiably geared to the satisfaction of a modern totalitarian system nicely cloaked as “the world’s greatest democracy” and legitimated by a whole array of “state apparatus” including the think-tanks and universities routinely dishing out legitimating discourses.

Unlike past totalitarian systems, written about by Hannah Arendt and others, the new American totalitarianism sustains its military adventurisms abroad in the name of a global “higher good”, thus appearing as the custodian of ethics and morality, with deafening declarations of righteousness on the right to intervene in other countries in the name of combating genocide and countering nuclear weapons proliferation. Lacking from these endeavors is the slightest concern about the cognitive dissonance of simultaneously backing authoritarian and rights-abusive regimes, propped up to safeguard America’s “vital interests”.

Indeed, in analyzing the mindset of Obama the drone and cyber warrior, in the rogue behavior of transgressing other nations’ sovereign rights one must take into account the modern history of America’s “imperial presidency,” the hegemonic temptations to dominate and cajole into line the recalcitrant lesser powers, the obsessive neurosis of targeting the “hostile other”, the infections of Israel’s expansionism, the pathological non-disarmament entwined with flagship of counter-proliferation and instrumentalization of world institutions, and the like. Taken altogether, these speak of a major global malady that cannot be remedied until and unless there are new and effective barriers to unipolar American hegemony, which nowadays is basking in the ramifications of a weakened Europe forced to sheepishly toe Washington’s line on all major international issues.

In this context, it would be nearly impossible for Washington to bring to a closure its addictive Iranophobia, to take appropriate steps to end the Iran nuclear standoff, and to discontinue its exploitation of the Iran nuclear crisis for the sake of its vast military-industrial complex. The red line of capitalist profitability would be much maligned if the Iran nuclear talks somehow were to succeed and culminate in a normalization of US-Iran relations, thus depriving US defense contractors of billions of dollars of arms sales to regional allies in the Middle East who need the American protectorate power. It is better to keep throwing monkey wrenches in the wheels of negotiation to set it back and thus keep the crisis going rather indefinitely.

How Obama Was Dangerously Naive About STUXNET and Cyberwarfare | Technology Review

If the New York Times’ comprehensive account of the birth of the STUXNET worm that slowed Iran’s efforts to enrich uranium tells us anything, it’s that the Obama administration was remarkably naive about the potential for the proliferation of the cyberweapons it was developing.

Indeed, while discussions of the new territory the US was entering apparently took place in the White House, ultimately, an aide told the Times, the administration didn’t want to “develop a grand theory for a weapon whose possibilities they were still discovering.”

Then, in Summer 2010, an event the administration should have anticipated occurred: The STUXNET worm got loose and started replicating outside the Iranian enrichment plant that had been its target. In the wild, on the Internet, its source code was exposed for everyone to see.

And that, apparently, is when opportunistic [curious] hackers started to learn from it.

As outlined at Data Center Pro, STUXNET taught hackers that the “Industrial Control Systems” used in industrial production (think high-tech factories) and data centers were vulnerable to attack.

Just How Many Cyberattacks Will Iran Take Sitting Down? | FPIF

At the New York Times, Thomas Erdbrink reported on the latest cyberattack on Iran via a virus known as Flame. “Iran’s Computer Emergency Response Team Coordination Centre,” he writes, “fears that it’s potentially more harmful than the 2010 Stuxnet virus. … In contrast … the newly identified virus is designed not to do damage but to secretly collect information from a wide variety of sources.”