

Stuxnet may have destroyed 1,000 centrifuges at Natanz - yuvadam
http://www.jpost.com/Defense/Article.aspx?id=200843

======
ratsbane
There is another possible explanation, though it sounds even more like an
airport novel than the Stuxnet story does.

Consider that a lot of people, including the US, Israel, and just about
everyone else on the planet would like to do anything possible to derail the
Iranian nuclear activities. Making the centrifuges self-destruct by
introducing Stuxnet would do that - but making the Iranians _think_ that a
virus was the problem would have the same effect. I'm sure that the Iranians
spent a lot of effort trying to remove the malware from the computers
controlling the centrifuges and they probably even took them off-line until
they were sure that the controllers were clean. Why would you risk the very
valuable remaining centrifuges until you were sure the problem was fixed? They
might have even tried to replace the Windows controllers with something
running Linux or Solaris or something. It's quite likely that the clean-up
from Stuxnet delayed the enrichment process even more than the original
damage.

Malware is a convenient excuse for computer problems. "I don't have my
homework because the computer crashed" certainly sounds valid but it's also an
excuse that people immediately understand and have a hard time disputing. The
Iranians may have internally blamed Stuxnet for the problems but isn't it
possible that someone at Natanz might be using that to off-load blame for some
other problem?

It's also a convenient story for Israeli and Western Intelligence. Perhaps the
Israelis really did do something to destroy the centrifuges - perhaps they had
a mole on the inside who unbalanced the centrifuges with sweaty fingerprints
or grains of sand. It's reasonably likely, especially this close to the time
of the event, that the story they would want the Iranians to believe isn't the
actual story. Put out a false account and watch the Iranians running around
reformatting their computers while your man on the inside stays safe and ready
to act again.

If the Stuxnet story is true it shows remarkable technical cleverness by
whoever did it. But if they're _that_ clever they might be even slightly more
cunning - enough to throw off the Iranians as to the _actual_ cause and retain
the ability to bung up the works again.

------
Luyt
These ultra-centrifuges spin at 1000-1500 revolutions _per second_ and can
easily break when not carefully controlled. The Zippe-type centrifuges
(<http://en.wikipedia.org/wiki/Zippe-type_centrifuge>) are probably used in
Natanz for enrichment. During the spinning, a temperature gradient of 300C is
applied to the cylinder which induces a convection inside (filled with
uranium-fluoride gas). The lighter fraction collects at the top and is
captured. These centrifuges operate in a vacuum, and can turn frictionless due
to magnetic bearing.

------
rms
Great hack, or greatest hack of all time? I am inclined to think the latter.

~~~
acqq
I'd say neither: there are 10000 centrifuges and only 1000 were replaced, it's
not certain that that has anything to do with the virus, the virus gained a
lot of press early on which prevented it from staying put and silently
disrupting for any longer period of time (which was the supposed mode of
operation). Not to mention that it was so "overdesigned" that it was too
obvious that it's a too well funded operation etc.

~~~
Swannie
The virus had been in place a relatively long time before its public
disclosure in June. Also the way the virus was designed it wasn't going to
damage all of the rotors anyway.

~~~
acqq
> the way the virus was designed it wasn't going to damage all of the rotors
> anyway

Why not? Why shouldn't it make as much damage as possible, as it attracted too
much attention anyway?

> had been in place a relatively long time

I think the version that became analyzed all over the world (with the last
certificate) was discovered very soon after it was introduced.

It still sounds to me more like something for what somebody got some promotion
than something that did the damage appropriate to the money/time invested.

~~~
Swannie
I'd suggest anyone who has a real interest in this checks out the Symantec
dossier: <http://www.symantec.com/connect/blogs/w32stuxnet-dossier>

The virus was first identified in late 2008, and was in the wild, in various
forms until June 2010 when it was identified and advertised to the world.
Let's assume it went 2 years from release to June. That's a relatively long
time, even if half of that was reconnaissance.

To quote the Symantec document: "Thus, the targeted system is using Profibus
to communicate with at least 33 frequency converter drives from one or both of
the two manufacturers, where sequence A is chosen if more Vacon devices are
present and sequence B is chosen if more Fararo Paya devices are present."

The upshot (to my understanding) is that only one type of frequency converter
drive can be targeted per bus. If the buses are mixed, e.g. 50/50, only half
the drives on that bus will be targeted.

Additionally, if the bus has less than 31 devices on it, then it is not
targeted. We can assume that at least a few of these buses were not hooked up
to a full complement of converter drivers.

~~~
acqq
> The virus was first identified in late 2008

No. According to the document you link, the first known exploit of the vuln
_used later by Stuxnet_ was in Nov 2008, but _by some other trojan_. The
oldest known Stuxnet is from June 2009, one year later it was already
prominent. It had just a little over one year to "quietly do its magic."
Results? Already one month ago:

<http://www.iranlivenews.com/2010/11/20/stuxnet-worm-was-perfect-for-sabotaging-bushehr-centrifuges/>

"Iran has experienced many problems keeping its centrifuges running, with
hundreds removed from active service since summer 2009."

And that, compared to what? How often do you have to remove the centrifuges
during the normal operation if you have 10 thousands of them on one location
and you are just developing the process? Couldn't it be the normal rate of
failure for that situation?

Note also that the latest _brand new certificate_ used in the latest Stuxnet
variant was from July 2010 (at the time it was already known by antivirus
companies) which means that the authors still failed to have it at the target,
otherwise they wouldn't need to make the new variant with the new certs!
Doesn't it seem like they panicked because the goal was not reached at the
time the antivirus companies started to actively detect it?

~~~
Swannie
I stand corrected as to the date. I should have fact checked against the
dossier :-(

Well if you've been successfully exploiting a broken certificate, and it gets
busted, and you have another spare one, are you going to use it or leave it?
Probably use it.

Ahmadinejad is quoted by Reuters as saying "They succeeded in creating
problems for a limited number of our centrifuges with the software they had
installed in electronic parts". Sounds like it got in to me.

~~~
acqq
> Well if you've been successfully exploiting a broken certificate, and it
> gets busted, and you have another spare one, are you going to use it or
> leave it? Probably use it.

No: if you reached the target with your trojan and if your trojan is made to
quietly disrupt then the last thing you want is to raise the awareness of your
target by making a newer version with a newer certificate, which is then
immediately recognized by all antivirus vendors, and which induces your target
to recheck all their configurations and add the protections.

------
dshankar
Prime example of cyberwarfare.

------
varjag
..or it may have not. But it doesn't make such a great headline.

Anyway, if it is true and I had to make a bet about authorship, it would be on
the USA. The USA has been doing that since the 1970s (Siberian pipeline
incident). Mossad is great at machinegunning waiters at Norwegian ski resorts,
but high-tech ops have not been their strength.

------
marze
They've probably switched to homegrown motor drives now, but other weaknesses
are probably waiting to be exploited.

~~~
gregschlom
> They've probably switched to homegrown motor drives now

According to Wikipedia [1]: _it was reported in 2006 that the tiny amount of
material deposited in fingerprints on Iran's prototype centrifuges were enough
to cause the machines to shatter._

It's not like that's the kind of stuff anyone can build at home.

[1] <http://en.wikipedia.org/wiki/Zippe-type_centrifuge>

~~~
marze
If you can build a centrifuge, you'd think you could build a variable speed
motor drive which is about 100 times easier.

------
ohashi
I find that attack awesome in the true sense of the word, I am in awe.

------
pdelgallego
Well, I don't know how smart it is to piss off people with nuclear material,
and not too much to lose. Attacking another nation's territory is considered a
casus belli.

~~~
jhamburger
Nuclear material != nuclear weapons. And I'm not sure why you think they'd
feel they don't have much to lose.

------
iwwr
What are the sources for this news?

~~~
tedunangst
Well, the picture at least is cited as "Photo by: Courtesy", but you can find
a bigger version on Wikipedia.

<http://en.wikipedia.org/wiki/File:Gas_centrifuge_cascade.jpg>

