
Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon - cyphersanctus
http://www.wired.com/threatlevel/2013/02/new-stuxnet-variant-found/
======
WestCoastJustin
Reverse-engineer how something like this was created and it is mind-boggling.
The initial intelligence gathering of the target systems, developing the plan
of attack, recruiting experts on the Siemens hardware and physicists to explain
the things that could go wrong, development and QA must have been grueling,
since the expense of failure is so great! Never mind the deployment and
monitoring to see if it was effective! They probably recreated the entire
environment to test different ways to cause havoc.

 _Stuxnet recorded various data points while the cascades and centrifuges
operated normally, in order to replay this data to operators once the sabotage
began_. They must have had a working system to test this on?! The budget for
something like this is probably in the tens of millions if not more. The HR
requirement must have been pretty large too. Analysts to gather information,
managers, programmers, QA, Siemens hardware experts, physicists, deployment,
monitoring, etc, etc.

~~~
JakeSc
> The budget for something like this is probably in the tens of millions if
> not more.

Absolutely. This was a massive defense spending project by any measure. How
many people do you think worked on it? Assuming the project was highly
compartmentalized, I would estimate that there are at least SIX subteams
currently working on the next Stuxnet.

- 0-Day exploitation of PCs. How big is the team responsible for discovering
/ purchasing 0-day exploits?

- Hardware/firmware-level infection. This would require expert knowledge of
the specific control systems.

- Networking / infrastructure. This requires an intimate knowledge of target
network topology.

- Boots-on-the-ground payload delivery (nontechnical).

- Spear-phishing payload delivery. Perhaps the points of entry were several
levels removed from the actual target facility (e.g., security guards' wives'
laptops).

- Testing / QA.

All of this of course has to be backed up by world-class intelligence support,
which I shan't address further. The technical feats of developing this alone
are astounding and intriguing.

Holy shit.

~~~
daeken
> 0-Day exploitation of PCs. How big is the team responsible for discovering /
> purchasing 0-day exploits?

Given the speculation that it was the US behind Stuxnet, this one is a cheap
and easy one. The US has been buying up ready-made exploits for a good while
now (there's a reason that the likes of Raytheon are hiring exploit devs left
and right) and have nice stockpiles of them just ready and waiting for the
likes of Stuxnet.

~~~
contingencies
This is definitely true.

~~~
tptacek
This is true because you heard it's true, or because you know it's true?
Raytheon definitely has a lot of people on staff who are at least peripherally
involved in vuln dev. That's not the same thing as having a staff full of
exploit developers. You get peripheral involvement in vuln dev just by doing
malware reversing, which is pretty low on the food chain, and something the
government definitely (firsthand) spends money on.

~~~
m0nastic
I can also confirm that Raytheon is building up this capability (although less
so than Northrop and Lockheed).

If you're curious what companies are actually committing to vulnerability dev
you can search any cleared jobs site for "offensive"; the companies that have
listings are who you'd imagine them to be (minus a couple placement firms that
just put people right at the Fort).

~~~
lawnchair_larry
People always forget about SAIC and General Dynamics AIS.

------
JakeSc
We cannot begin to imagine the extent to which world military powers are
currently developing and deploying cyberweapons.

Given the success of Stuxnet, it's nearly certain that such offensive
cyberwarfare programs have gotten increased funding and support from the
highest levels of command. From the article, Stuxnet 0.5 C&C servers first
went online in 2005. 2005! George W. Bush ordered the deployment of Stuxnet!

I personally cannot wait to hear about what the cyberweapons of 2013 look
like.

~~~
cpeterso
Also consider the cyberweapons that haven't been discovered yet. "Only stupid
criminals get caught" and Stuxnet got caught. :)

~~~
OGinparadise
Maybe it was a Mission Impossible / suicide mission for an older but reliable
operative. It did the job but... :)

~~~
mercuryrising
An ex-CIA director did a feature on 60 Minutes talking about Stuxnet:
<https://www.youtube.com/watch?v=oCQqmV1LWDo>

------
mirkules
"The 2007 variant resolves that mystery by making it clear that the 417 attack
code had at one time been fully complete and enabled before the attackers
disabled it in later versions of the weapon."

The thing that struck me most was the use of the word "weapon"[1]. Jeff Moss
warned in his 2011 BlackHat opening speech that blurring the line between
cyberwarfare and actual warfare is inevitable. Wired's use of "weapon" here
signifies that shift, and really reinforces the fact that each one of us who
is writing software may play a part in cyber wars, even if inadvertently.

[1]It may have been an unintentional use of "weapon," as Stuxnet is referred
to as a "cyberweapon" throughout the article, but the point that we are moving
towards describing cyber warfare as actual warfare still stands.

------
j_s
Mentions use of an obscure(?) Windows IPC mechanism: Windows mailslots (circa
Windows 2000).

[http://msdn.microsoft.com/en-us/library/windows/desktop/aa36...](http://msdn.microsoft.com/en-us/library/windows/desktop/aa365130%28v=vs.85%29.aspx)

* a pseudofile that resides in memory
* use standard file functions
* cannot be larger than 424 bytes when sent between computers
* can broadcast messages within a domain

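As an added example (not code from the Wired article, from the thread, or from any Stuxnet analysis), the PowerShell script below exercises a mailslot end to end through P/Invoke so the four points above can be checked on any Windows machine: the slot exists only while the server handle is open, both sides use the ordinary file functions, GetMailslotInfo exposes the queue, and the 424-byte ceiling is the datagram limit for names that cross the network. The mailslot name `demo` and the payload string are assumptions made for the demonstration; the local-only name form `\\.\mailslot\demo` is used so the script runs on a stand-alone machine, while the domain-wide broadcast form `\\*\mailslot\demo` is only mentioned in a comment.

```powershell
# Added example, not from the article or the thread. Mailslot name "demo" and
# the payload text are assumptions chosen for this demonstration.
$src = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class Mailslot
{
    public const uint GENERIC_WRITE         = 0x40000000;
    public const uint FILE_SHARE_READ       = 0x00000001;
    public const uint OPEN_EXISTING         = 3;
    public const uint FILE_ATTRIBUTE_NORMAL = 0x80;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern SafeFileHandle CreateMailslot(string name, uint maxMessageSize,
        uint readTimeoutMs, IntPtr securityAttributes);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern SafeFileHandle CreateFile(string fileName, uint desiredAccess,
        uint shareMode, IntPtr securityAttributes, uint creationDisposition,
        uint flagsAndAttributes, IntPtr templateFile);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetMailslotInfo(SafeFileHandle mailslot, IntPtr maxMessageSize,
        out uint nextSize, out uint messageCount, IntPtr readTimeout);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteFile(SafeFileHandle file, byte[] buffer, uint bytesToWrite,
        out uint bytesWritten, IntPtr overlapped);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadFile(SafeFileHandle file, byte[] buffer, uint bytesToRead,
        out uint bytesRead, IntPtr overlapped);
}
'@
Add-Type -TypeDefinition $src

# Local-only name. '\\*\mailslot\demo' on the client side would instead broadcast
# the message to every server of that name in the domain.
$name = '\\.\mailslot\demo'

# Server side: the in-memory pseudofile exists only while this handle is open.
# maxMessageSize 0 = any size for local writers; readTimeout 0 = ReadFile does not block.
$server = [Mailslot]::CreateMailslot($name, 0, 0, [IntPtr]::Zero)
if ($server.IsInvalid) {
    throw "CreateMailslot failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# Client side: any process that can open the name may write; there is no sender authentication.
$client = [Mailslot]::CreateFile($name, [Mailslot]::GENERIC_WRITE, [Mailslot]::FILE_SHARE_READ,
    [IntPtr]::Zero, [Mailslot]::OPEN_EXISTING, [Mailslot]::FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
if ($client.IsInvalid) {
    throw "CreateFile failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# Constructed sample message. The 424-byte check is the datagram limit that applies
# once a name crosses the network; it is enforced here so the same script works
# unchanged with the broadcast name form.
$payload = [Text.Encoding]::UTF8.GetBytes('hello from an unauthenticated peer')
if ($payload.Length -gt 424) { throw 'messages over 424 bytes cannot be sent between computers' }
$written = [uint32]0
[void][Mailslot]::WriteFile($client, $payload, [uint32]$payload.Length, [ref]$written, [IntPtr]::Zero)
$client.Dispose()

# Server: inspect the queue, then drain each message as a unit (mailslots are message-oriented).
$next = [uint32]0; $count = [uint32]0
[void][Mailslot]::GetMailslotInfo($server, [IntPtr]::Zero, [ref]$next, [ref]$count, [IntPtr]::Zero)
"queued messages: $count, next message size: $next"
while ($count -gt 0 -and $next -ne 0xFFFFFFFF) {   # MAILSLOT_NO_MESSAGE = 0xFFFFFFFF
    $buf  = New-Object byte[] ([int]$next)
    $read = [uint32]0
    [void][Mailslot]::ReadFile($server, $buf, $next, [ref]$read, [IntPtr]::Zero)
    "received ($read bytes): " + [Text.Encoding]::UTF8.GetString($buf, 0, $read)
    [void][Mailslot]::GetMailslotInfo($server, [IntPtr]::Zero, [ref]$next, [ref]$count, [IntPtr]::Zero)
}
$server.Dispose()
```

Run it in an ordinary Windows PowerShell session; nothing in it needs administrative rights. The point worth noticing is what the receiving side does not get: ReadFile hands back the bytes and nothing else, so a mailslot server has no sender identity to check, which is what makes a mailslot a convenient one-way, fire-and-forget channel on a LAN and why anything listening on one has to treat every message as untrusted input.
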
~~~
drivingmenuts
I don't know the ins and outs of Windows to a great degree, but that reads
like an exploit waiting to happen.

Is this sort of functionality still present in Windows? If so, are they idiots
or what?

~~~
jbigelow76
I'm wondering if government agencies like the CIA, NSA and their counterparts
in other countries look for vulnerabilities in programs but never report them
to the vendors for fixing but instead catalog them for possible use in future
exploits.

(actually, I'm not really wondering, it's probably naive to assume they
wouldn't)

~~~
Spooky23
It's beyond that -- they actually have created a market for the trading of
0-days, and bid against each other using various proxies.

~~~
contingencies
My own experience, meeting some of these people, suggests this is certainly
correct.

------
Scramblejams
Single page version here:

[http://www.wired.com/threatlevel/2013/02/new-stuxnet-variant...](http://www.wired.com/threatlevel/2013/02/new-stuxnet-variant-found/all/)

------
throwaway29912
On the third page of the article, there's a screenshot of the fake company
website where the command and control servers resided, set up by the
CIA/whoever back in 2006.

Today, if you search for the specific phrases used in the navigation bar,
Google returns only 3 websites:

[https://encrypted.google.com/search?hl=en&output=search&...](https://encrypted.google.com/search?hl=en&output=search&sclient=psy-ab&q=%22media+planning%22+philosophy+%22creative+services%22+%22search+solutions%22+ecrm+%22ad+serving%22&gbv=1&sei=PxUtUbzfBsWa2AXYkoCQAw)

The terms are: "media planning" philosophy "creative services" "search
solutions" ecrm "ad serving"

Sadly, these sites just look spammy rather than fake sites set up by the CIA
(and Alexa shows some SEO work has been done.... but that could be part of the
facade).

Still, fishing for CIA CNC servers sounds like a fun game, they must be out
there today. Anyone have any ideas how to find them?

~~~
ChuckMcM
_"Anyone have any ideas how to find them?"_

Follow the malware. Dan Danchev [1] used to be quite forthcoming with his
analysis until he wasn't anymore. If you set up a malware aquarium [2] you can
see the C&C servers these things use. Although not all malware reproduces in
captivity.

[1] [http://ddanchev.blogspot.com/2013/02/dissecting-nbcs-exploit...](http://ddanchev.blogspot.com/2013/02/dissecting-nbcs-exploits-and-malware.html)

[2] <https://www.xkcd.com/350/>

------
islon
The most amazing thing about Stuxnet is that if Hollywood were to make a movie
about it we would find it too unrealistic, even if it was less fantastic than
the real facts.

~~~
nitrogen
We would find it unrealistic because Hollywood would get the details wrong.
Encryption would be portrayed as wiggly squares on a screen. "Port scanning"
would be confused with "hacking."

The example I gave to a politically minded friend: Imagine a political drama
with dialog like this:

"We've found a bug in the parliamentary procedure! Call the senator!"

"Oh no! Quick, we've got to omnibus the filibuster before the cloture
overflows and the whole bill crashes!"

~~~
kps
Common law is an iterative and incremental development process.

… that sorely needs to incorporate refactoring.

------
stcredzero
I wonder if such weapons have already been directed against our advanced
fighters, ships, and submarines.

I remember reading about the COTS (Commercial Off the Shelf) program in the
late '90s and the use of Windows NT 4 on AEGIS vessels. Supposedly, there was
a protocol for rebooting everything, every two weeks. Hopefully, nothing
critical would be down the moment there was an attack. (To be fair, the NT4
kernel is rock solid, so long as you leave it unmolested, which Microsoft
didn't.)

~~~
mpyne
Well nothing works forever on a warship anyways, and the Navy is already very
big on Preventative Maintenance (i.e. "fix it until it's broke"). So any plan
assuming that a system will stay up for an entire deployment is negligent from
the start; you might as well practice having to reboot the system from that
perspective.

~~~
stcredzero
My understanding, and my experience from working with NT4 machines back then,
is that you _had_ to reboot them every so often. It wasn't just a matter of
practicing rebooting.

~~~
mpyne
Sure, I'm just saying that was (and is) par for the course already for the
Navy. It would be like complaining that the software comes in an ugly box...
even if it came in a nice box, the Navy would just throw the box away and
stuff it in an ugly box anyways.

~~~
stcredzero
And I'm saying that the boxes wouldn't insist on getting ugly or most of the
equipment wouldn't insist on preventive maintenance in the middle of an
attack. The NT4 boxes might well have insisted on being rebooted at an
inopportune moment.

~~~
mpyne
> The NT4 boxes might well have insisted on being rebooted at an inopportune
> moment.

Well I've been on a boat that used NT4 for stupid office tasks and HP-UX
somewhere in the actual Combat Control System.

Guess which one shit the bed in the middle of our graded inspection when we
were supposed to be tracking a simulated enemy in a life-or-death situation?
(Hint: MS didn't write the OS).

To rephrase it a bit, there are vanishingly few pieces of gear that the Navy
assumes that _must_ work in the middle of an attack, and most of the pieces
that do fall under that assumption have manual overrides/backups/inherent
redundancy/etc. In our situation, we switched over to paper-based methods and
managed to keep the contact situation until the system could be rebooted.

So if the Navy builds a ship that is single-point-of-failure on any commodity-
OS-driven computer they deserve what they get. We've known since before WWII
that survivability in combat requires redundancy.

~~~
stcredzero
_> To rephrase it a bit, there are vanishingly few pieces of gear that the
Navy assumes that must work in the middle of an attack_

That's reassuring to know. What are the "must work" bits?

~~~
mpyne
Honestly on a surface ship I can't think of very many 1-hit-kill components.
Even in WWII tiny little Destroyer Escorts were able to withstand multiple
shell hits from Japanese Heavy Cruisers and even the _Yamato_. (The Battle off
Samar, if you want to wiki it).

With the move toward computerization and long-range missile-based combat
there's probably a lot of risk with the Fire Control System, Radars (e.g.
AEGIS), stuff like that. But even blind you can at least run away, and the
CIWS has an independent fire-control radar for last-resort self-defense.

Submarines are more problematic. There's only the one pressure hull, only the
one reactor, only the one main propulsion train, and watertight
compartmentalization only exists for the reactor compartment.

This makes everything about subs more expensive since all work that affects
these things has to be formally controlled and QA'ed, re-tested, etc. to avoid
losing more subs like we lost _Thresher_ and _Scorpion_.

------
jmcqk6
Am I missing something or had Stuxnet started development before any of the
centrifuges were installed? Was there perhaps an even larger game afoot which
led Iran to choose certain hardware in the first place?

I suppose development of the software could have started without knowing which
PLCs it would target eventually, but that seems doubtful to me. Of course,
the easiest explanation is that I'm missing something in the timeline.

------
squozzer
Huh. And I thought for sure the missing link was classes12.zip or maybe
vbrun300.dll.

------
martinced
I remember when the "NSA" variable name was found in Windows source code that
accidentally leaked out. Some people claimed that the NSA had backdoors into
Windows and nearly everybody sang happily: _"Conspiracy theorists"_.

I'm not so sure that nowadays with all this Stuxnet insight people would be so
hard-pressed to label these people conspiracy theorists.

Also, no more Windows source code has leaked out with all the comments and
variable names in the clear, etc.

One has to wonder how "open" Windows actually is to the NSA and if all these
0-days so commonly found are really honest mistakes or not...

