The American Bear

Sunshine/Lollipops

World’s largest oil producer falls victim to 30K workstation attack | Ars Technica

It’s nearly a plot line from the movies: World’s largest oil producer gets hit by a cyber-attack that threatens to wipe away all data from its internal computers. But largely, this is the situation Saudi Aramco described today.

The Saudi Arabia-based industry leader released a statement confirming that roughly 30,000 workstations were affected by a cyber attack in mid-August. Details beyond that were scarce—Saudi Aramco said the virus “originated from external sources” and that its investigation into the matter was ongoing. There was no mention of whether this was related to this month’s Shamoon attacks.

The company said it cleansed its workstations and resumed operations for its internal network today. They also added that oil exploration and production operations were unaffected because those networks were separate systems. Reuters attempted to reach out to the company further but saw its e-mails bounced back. The news outlet also noticed one of the company’s sites taken down by attacks remained non-operational (aramco.com).

[…] The mid-August attack on Saudi Aramco came during the same week when security researchers identified the Shamoon attacks mentioned above. Researchers saw those as a copycat to a malware known as Wiper, which reportedly attacked Iran’s oil ministry in April. Researchers were reluctant to name targets of the Shamoon attacks at that time however.

Stuxnet Will Come Back to Haunt Us | Misha Glenny

“Once the logic of cyberwarfare takes hold, it is worryingly pre-emptive …”

The decision by the United States and Israel to develop and then deploy the Stuxnet computer worm against an Iranian nuclear facility late in George W. Bush’s presidency marked a significant and dangerous turning point in the gradual militarization of the Internet. Washington has begun to cross the Rubicon. If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory.

It is one thing to write viruses and lock them away safely for future use should circumstances dictate it. It is quite another to deploy them in peacetime. Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet. Unlike nuclear or chemical weapons, however, countries are developing cyberweapons outside any regulatory framework.

There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country’s critical telecommunications or banking infrastructure. It is in the United States’ interest to push for one before the monster it has unleashed comes home to roost.

Stuxnet was originally deployed with the specific aim of infecting the Natanz uranium enrichment facility in Iran. This required sneaking a memory stick into the plant to introduce the virus to its private and secure “offline” network. But despite Natanz’s isolation, Stuxnet somehow escaped into the cyberwild, eventually affecting hundreds of thousands of systems worldwide.

This is one of the frightening dangers of an uncontrolled arms race in cyberspace; once released, virus developers generally lose control of their inventions, which will inevitably seek out and attack the networks of innocent parties. Moreover, all countries that possess an offensive cyber capability will be tempted to use it now that the first shot has been fired.

Read the rest

U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, "officials say" | The Washington Post

The United States and Israel jointly developed a sophisticated computer virus nicknamed Flame that collected intelligence in preparation for cyber-sabotage aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.

The massive piece of malware secretly mapped and monitored Iran’s computer networks, sending back a steady stream of intelligence to prepare for a cyber­warfare campaign, according to the officials.

The effort, involving the National Security Agency, the CIA and Israel’s military, has included the use of destructive software such as the Stuxnet virus to cause malfunctions in Iran’s nuclear-enrichment equipment.

The emerging details about Flame provide new clues to what is thought to be the first sustained campaign of cyber-sabotage against an adversary of the United States.

“This is about preparing the battlefield for another type of covert action,” said one former high-ranking U.S. intelligence official, who added that Flame and Stuxnet were elements of a broader assault that continues today. “Cyber-collection against the Iranian program is way further down the road than this.”

Flame came to light last month after Iran detected a series of cyberattacks on its oil industry. The disruption was directed by Israel in a unilateral operation that apparently caught its American partners off guard, according to several U.S. and Western officials who spoke on the condition of anonymity.

There has been speculation that Washington had a role in developing Flame, but the collaboration on the virus between the United States and Israel has not been previously confirmed. Commercial security researchers reported last week that Flame contained some of the same code as Stuxnet. Experts described the overlap as DNA-like evidence that the two sets of malware were parallel projects run by the same entity. [++]

Some Flame code found in Stuxnet virus: expert | Reuters

A leading computer security firm has linked some of the software code in the powerful Flame virus to the Stuxnet cyber weapon, which is believed to have been used by the United States and Israel to attack Iran’s nuclear program.

Eugene Kaspersky, chief executive of Moscow-based Kaspersky Lab, which uncovered Flame last month, said his researchers have since found that part of the Flame program code is nearly identical to code found in a 2009 version of Stuxnet.

The new research could bolster the belief of many security experts that Stuxnet was part of a massive U.S.-led cyber program that is still active in the Middle East and perhaps other parts of the world.

Although Kaspersky did not say who he thought built Flame, news organizations including Reuters and the New York Times have previously reported that the United States and Israel were behind Stuxnet, which was uncovered in 2010 after it damaged centrifuges used to enrich uranium at a facility in Natanz, Iran.

Instead of issuing denials, authorities in Washington recently launched investigations into the leaks about the highly classified project.

On Stuxnet and Flame, “there were two different teams working in collaboration,” Kaspersky said at the Reuters Global Media and Technology Summit in London on Monday.

Leaks and Transparency | Bernard Finel

Well, Washington is up in arms about “leaks.” Very Serious People across the political spectrum are calling for investigations and a crack down on leaks. All very predictable.

But what is interesting to me is that no one seems to be asking whether this leaked information should ever have been kept secret.

I mean, don’t we have a right to know details about how the President chooses to kill individuals? Indeed, I’d argue that while using drones may be a defensible policy [no, ed.], I see no reason to do so in secret [yes, ed.].

In a similar fashion, why should our involvement in cyber attacks be kept secret? Look, this is potentially an act of war. The public has a right to know what we are doing, since there are major potential consequences to those decisions.

The default should be transparency. We shouldn’t even be talking about leaks, because everything that was “leaked” recently should have been public in the first place.

Crypto breakthrough shows Flame was designed by world-class scientists | Ars Technica

Quick background: Flame is the third of three cyberattacks launched against Iran. Stuxnet, the first, was unleashed under Bush and accelerated under the Obama administration to trip up industrial controllers (PLCs), making the centrifuges used for uranium enrichment go batshit, thus slowing down Iran’s program. Duqu was the second. It was based on Stuxnet, but apparently was only used to record information (logins, keystrokes, etc.). Duqu and Flame have not yet been claimed by anyone, although Israel and/or the United States are considered the likely culprits.

Dan Goodin from Ars describes how the malware enters a machine and speculates that only a wealthy state could have funded the research required for such a sophisticated bit of code:

The Flame espionage malware that infected computers in Iran achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers, two of the world’s foremost cryptography experts said.

“We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack,” Marc Stevens and B.M.M. de Weger wrote in an e-mail posted to a cryptography discussion group earlier this week. “The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications.”

“Collision” attacks, in which two different sources of plaintext generate identical cryptographic hashes, have long been theorized. But it wasn’t until late 2008 that a team of researchers made one truly practical. By using a bank of 200 PlayStation 3 consoles to find collisions in the MD5 algorithm—and exploiting weaknesses in the way secure sockets layer certificates were issued—they constructed a rogue certificate authority that was trusted by all major browsers and operating systems. Stevens, from the Centrum Wiskunde & Informatica in Amsterdam, and de Weger, of the Technische Universiteit Eindhoven were two of the driving forces behind the research that made it possible.

Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.

According to Stevens and de Weger, the collision attack was unlike any that cryptographers have seen before. They arrived at that conclusion after using a custom-designed forensic tool to analyze Flame components.

“More interestingly, the results have shown that not our published chosen-prefix collision attack was used, but an entirely new and unknown variant,” Stevens wrote in a statement distributed on Thursday. “This has led to our conclusion that the design of Flame is partly based on world-class cryptanalysis. Further research will be conducted to reconstruct the entire chosen-prefix collision attack devised for Flame.”

The analysis reinforces theories that researchers from Kaspersky Lab, CrySyS Lab, and Symantec published almost two weeks ago. Namely, Flame could only have been developed with the backing of a wealthy nation-state. Stevens’ and de Weger’s conclusion means that, in addition to a team of engineers who developed a global malware platform that escaped detection for at least two years, Flame also required world-class cryptographers who have broken new ground in their field.

“It’s not a garden-variety collision attack, or just an implementation of previous MD5 collisions papers—which would be difficult enough,” Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. “There were mathematicians doing new science to make Flame work.”

And, This just in:
Microsoft contains Flame with Windows Update revamp

In the past four years alone, Iran has been directly attacked by three cyber-weapons, each designed to cause havoc and siphon off data in their own unique ways. Stuxnet, Duqu, and Flame, the latest of the three, have astonished the cyber-security industry. For experts, the coding and function of these viruses have signified the beginnings of an ‘early age of cyber-warfare’, one that could become ‘a common trend in everyday life’ in the near future.
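The Stevens and de Weger passage above describes a collision only as “two inputs, one hash”. What follows is an added example, not code from Ars, from Stevens or de Weger, or from the Flame authors, showing in Python why a collision defeats a signature: with the long-public identical-prefix MD5 colliding pair, any common suffix appended to both halves keeps the digests equal (the Merkle-Damgård property), so a signature a toy CA issues over one input also verifies over the other input it never saw. The toy CA (an HMAC over the MD5 digest, under an invented key) stands in for a real RSA signer and is an assumption of this example. Flame needed the harder chosen-prefix variant, in which the two prefixes are themselves different certificate fields; this pair does not demonstrate that step, only the consequence once a collision exists. The check at the end is the one a verifier should make: refuse the MD5-based signature-algorithm OIDs outright.

```python
"""Added example (not from the Ars article, Stevens/de Weger, or Flame):
why an MD5 collision lets a forged certificate reuse a genuine signature.

M1/M2 are the well-known public identical-prefix MD5 colliding pair.
The 'CA' below is a toy stand-in for a certificate signer and is an
assumption of this example, not a real CA and not the Flame technique."""
import hashlib
import hmac

# Two distinct 128-byte inputs with the same MD5 digest (public example pair).
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list[int]:
    """Byte positions at which the two colliding inputs differ (only six)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def extend_collision(suffix: bytes) -> tuple[str, str]:
    """Merkle-Damgard property: once the internal state has collided, any
    common suffix keeps the digests equal. This is what lets an attacker
    place the 'real' certificate fields after the colliding blocks."""
    return md5_hex(M1 + suffix), md5_hex(M2 + suffix)


# Toy CA: signs the MD5 digest of the to-be-signed bytes with a secret key.
# HMAC stands in for RSA so the example runs on the standard library alone;
# the point is that the signature covers the digest, not the bytes.
CA_KEY = b"toy-ca-key-assumed-for-this-example"


def toy_ca_sign(tbs: bytes) -> bytes:
    return hmac.new(CA_KEY, hashlib.md5(tbs).digest(), "sha256").digest()


def toy_ca_verify(tbs: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(toy_ca_sign(tbs), sig)


def forged_cert_verifies(common_suffix: bytes) -> bool:
    """The CA signs the 'benign' request (M1 + suffix); that same signature
    verifies on the 'rogue' certificate (M2 + suffix) the CA never saw."""
    benign = M1 + common_suffix
    rogue = M2 + common_suffix
    sig = toy_ca_sign(benign)
    return benign != rogue and toy_ca_verify(rogue, sig)


# Defensive check for a verifier: refuse MD5/MD2-based signature algorithms.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}


def signature_oid_acceptable(oid: str) -> bool:
    """False for MD5/MD2 signature OIDs; sha256WithRSAEncryption passes."""
    return oid not in WEAK_SIG_OIDS


if __name__ == "__main__":
    print("collision:", md5_hex(M1) == md5_hex(M2), differing_offsets(M1, M2))
    print("forged cert verifies:", forged_cert_verifies(b"CN=example"))
```

The suffix test is the part worth internalising: a verifier that hashes the whole to-be-signed structure with MD5 cannot tell the benign and rogue inputs apart, so no amount of care in the signing step helps; the only fix is to stop accepting MD5 signatures, which is what the OID check encodes.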

Flame: Opening a New Weapons Cache

You should read this whole piece. This, like the normalization of drone warfare as foreign policy, is happening way too fast.

[One] must ask why Obama would commit the serious tort of cyber-warfare and sabotage in Iran when his own intelligence community is on record that Iran’s nuclear program has been peaceful since 2003? And, indeed, what explains the peculiar timing of this public disclosure only a couple of weeks before the crucial Iran talk in Moscow scheduled for June 18 and 19? Certainly, this is not intended to convince Iran that it can trust Obama and vest any hope for a better treatment than his predecessors. Kaveh L. Afrasiabi

Iranophobia and Obama the cyber-warrior | Kaveh L. Afrasiabi

The cyber-attack and other technologies of sabotage and control used with such facility by Obama may be cutting edge but the underlying discourse is purely pre-modern and even medievalist, ie Machiavellian through and through. As such, Obama is hostage to the past with no prospect for real evolution, pinned to an ideology of Western domination pure and simple.

In this asymmetrical, technologically savvy contestation of power, the US’s combination of soft and hard power is insatiably geared to the satisfaction of a modern totalitarian system nicely cloaked as “the world’s greatest democracy” and legitimated by a whole array of “state apparatus” including the think-tanks and universities routinely dishing out legitimating discourses.

Unlike past totalitarian systems, written about by Hannah Arendt and others, the new American totalitarianism sustains its military adventurisms abroad in the name of a global “higher good”, thus appearing as the custodian of ethics and morality, with deafening declarations of righteousness on the right to intervene in other countries in the name of combating genocide and countering nuclear weapons proliferation. Lacking from these endeavors is the slightest concern about the cognitive dissonance of simultaneously backing authoritarian and rights-abusive regimes, propped up to safeguard America’s “vital interests”.

Indeed, in analyzing the mindset of Obama the drone and cyber warrior, in the rogue behavior of transgressing other nation’s sovereign rights one must take into account the modern history of America’s “imperial presidency,” the hegemonic temptations to dominate and cajole into line the recalcitrant lesser powers, the obsessive neurosis of targeting the ‘“hostile other”, the infections of Israel’s expansionism, the pathological non-disarmament entwined with flagship of counter-proliferation and instrumentalization of world institutions, and the like. Taken altogether, these speak of a major global malady that cannot be remedied until and unless there are new and effective barriers to unipolar American hegemony, which nowadays is basking in the ramifications of a weakened Europe forced to sheepishly toe Washington’s line on all major international issues.

In this context, it would be nearly impossible for Washington to bring to a closure its addictive Iranophobia, to take appropriate steps to end the Iran nuclear standoff, and to discontinue its exploitation of the Iran nuclear crisis for the sake of its vast military-industrial complex. The red line of capitalist profitability would be much maligned if the Iran nuclear talks somehow were to succeed and culminate in a normalization of US-Iran relations, thus depriving US defense contractors of billions of dollars of arms sales to regional allies in the Middle East who need the American protectorate power. It is better to keep throwing monkey wrenches in the wheels of negotiation to set it back and thus keep the crisis going rather indefinitely. [continue →]

How Obama Was Dangerously Naive About STUXNET and Cyberwarfare | Technology Review

If the New York Times’ comprehensive account of the birth of the STUXNET worm that slowed Iran’s efforts to enrich uranium tells us anything, it’s that the Obama administration was remarkably naive about the potential for the proliferation of the cyberweapons it was developing.

Indeed, while discussions of the new territory the US was entering apparently took place in the White House, ultimately, an aide told the Times, the administration didn’t want to “develop a grand theory for a weapon whose possibilities they were still discovering.”

Then, in Summer 2010, an event the administration should have anticipated occurred: The STUXNET worm got loose and started replicating outside the Iranian enrichment plant that had been its target. In the wild, on the Internet, its source code was exposed for everyone to see.

And that, apparently, is when opportunistic [curious] hackers started to learn from it.

As outlined at Data Center Pro, STUXNET taught hackers that the “Industrial Control Systems” used in industrial production (think high-tech factories) and data centers were vulnerable to attack.

Just How Many Cyberattacks Will Iran Take Sitting Down? | FPIF

At the New York Times, Thomas Erdbrink reported on the latest cyberattack on Iran via a virus known as Flame. “Iran’s Computer Emergency Response Team Coordination Centre,” he writes, “fears that it’s potentially more harmful than the 2010 Stuxnet virus. … In contrast … the newly identified virus is designed not to do damage but to secretly collect information from a wide variety of sources.” [++]

Behind the US/Israeli Cyberattacks on Iran | Informed Comment

From Juan Cole:

The Obama administration has long emphasized the importance of domestic cybersecurity, but recent statements show an increasing openness about offensive capabilities. Secretary of State Hillary Clinton acknowledged last month that government hackers had attacked Al Qaeda propaganda sites in Yemen, changing information in ads that talked about killing Americans to show how many Yemenis had died in Al Qaeda attacks.

For years, the Iranians had no idea they were being attacked, blaming their own workers or faults in their facilities, The Times said. But because Stuxnet was inadvertently released, any government— not to mention any hacker with spare time and a malicious streak — can create their own mutation of the weapon.

As the Times points out, “No country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States.” Siemens makes specialized industrial controllers that were targeted by the Olympic Games attacks. As Siemens confirmed to ProPublica, the same hardware and software holes Stuxnet took advantage of in Iran exist in thousands of locations in the U.S. and worldwide. The vulnerable equipment controls everything from natural gas pipelines to refineries and power transmission lines.

American cybersecurity experts have long warned that it’s only a matter of time before someone turns an equally destructive cyberweapon on our own systems. Now that Stuxnet’s origins are clear, the odds of that happening might be even higher.

Read whole

circlingtheroundabout:

U.S. Debated Cyberwarfare in Attack Plan on Libya | The New York Times

The debate about a potential cyberattack against Libya was described by more than a half-dozen officials, who spoke on the condition of anonymity because they were not authorized to discuss the classified planning.

In the days ahead of the American-led airstrikes to take down Libya’s integrated air-defense system, a more serious debate considered the military effectiveness — and potential legal complications — of using cyberattacks to blind Libyan radars and missiles.

“They were seriously considered because they could cripple Libya’s air defense and lower the risk to pilots, but it just didn’t pan out,” said a senior Defense Department official.

After a discussion described as thorough and never vituperative, the cyberwarfare proposals were rejected before they reached the senior political levels of the White House.

Thank goodness it was “never vituperative!”  We wouldn’t want the people in charge of cyber-warfare to get angry or anything.  The NYT article also states that the officials in charge were worried about how the War Powers Resolution would affect this type of new-age war making.  Given how unconcerned the Obama administration was about the WPR concerning real live bombs that seems a bit odd.

From the man who discovered Stuxnet, dire warnings one year later | CSMonitor

One year ago a malicious software program called Stuxnet exploded onto the world stage as the first publicly confirmed cyber superweapon – a digital guided missile that could emerge from cyber space to destroy a physical target in the real world.

It took Ralph Langner about a month to figure that out.

While Symantec, the big antivirus company, and other experts pored over Stuxnet’s inner workings, it was Mr. Langner, an industrial control systems security expert in Hamburg, who deciphered and tested pieces of Stuxnet’s “payload” code in his lab and declared it a military-grade cyberweapon aimed at Iran’s nuclear facilities.

Days later, he and other experts refined that assessment, agreeing Stuxnet was specifically after Iran’s gas centrifuge nuclear fuel-enrichment program at Natanz.

After infiltrating Natanz’s industrial-control systems, Stuxnet automatically ordered subsystems operating the centrifuge motors to spin too fast and make them fly apart, Langner says. At the same time, Stuxnet made it appear random breakdowns were responsible so plant operators would not realize a nasty software weapon was behind it.

In the end, Stuxnet may have set back Iran’s nuclear ambitions by years. But it also could prove a Pyrrhic victory for its still-unknown creator – a sophisticated cyberweapons nation state that Langner argues could be the US or Israel. Like the Hiroshima bomb, Stuxnet demonstrated for the first time a dangerous capability – in this case to hackers, cybercrime gangs, and new cyberweapons states, he says in an interview. […]

CSM: [You] yourself recently decided to demonstrate how simple a Stuxnet attack could be – just four lines of code – to make an industrial system freeze. A time bomb, really. Why did you do that?

LANGNER: I couldn’t stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened. What you still hear today from all kinds of people is how a Stuxnet-type attack requires so much insider knowledge. I finally had to publish this four-line attack just to make sure no smart-guy tells his boss that this is impossible. I left out some key parts of it so it could not be used. […]

CSM: What are the questions that Stuxnet has left behind?

LANGNER: It raises, for one, the question of how to apply cyberwar as a political decision. Is the US really willing to take down the power grid of another nation when that might mainly affect civilians? Could or should military contractors, instead of soldiers, wage cyberwar? What happens when cyberweapons dealers start selling sophisticated cyberweapons to terrorists? There is also the manner in which Stuxnet was used – which could be considered a textbook example of a “just war” approach. It didn’t kill anyone. That’s a good thing. But I am afraid this is only a short term view. In the long run it has opened Pandora’s box.
