Dark Reading is part of the Informa Tech Division of Informa PLC




Stuxnet, Duqu, Flame Targeted Illegal Windows Systems In Iran

Pirated software the norm in the region

An oft-overlooked detail about Stuxnet, Duqu, and Flame is that the attacks all targeted Windows machines in Iran even though Windows isn't allowed to be sold there under U.S. export restriction laws. Software smuggling and pirating are commonplace there, including for Windows.

"Piracy is rampant there -- 99 percent of software in that part of the world is pirated. I know because I spent a lot of time in that part of the world," says Ashar Aziz, CEO of FireEye.

Software piracy and smuggling are a big problem in countries, such as Iran, that are banned from many high technology imports under economic sanctions. Stopping those illegal activities in Iran and other trade-sanctioned countries is difficult and often unrealistic, leaving many U.S. vendors to come to accept that their software is pirated there.

The masterminds behind Stuxnet, Duqu, and Flame -- who Obama administration officials say were government technologists and intelligence officials from the U.S. and Israel, according to reports in The New York Times and The Washington Post -- were apparently confident enough in Iran's reliance on Windows to build their attacks around it. They used zero-day vulnerabilities and other methods to gather intelligence on Iran's nuclear development program with Duqu and Flame, and then sabotaged the operation at the Natanz facility with a Windows worm that ultimately spread to a specific Siemens programmable logic controller that ran the centrifuges. The attack ultimately caused the centrifuges to spin out of control and fail.

Microsoft knows better than any software firm about the perils of pirated software and the difficulty in shutting it down. The software giant, which like other U.S. firms is banned from shipping software to Iran, Cuba, North Korea, Sudan, and Syria, pushes updates to all supported versions of Windows -- even pirated ones -- as a healthy security ecosystem practice. So even pirated Windows machines in Iran theoretically would receive up-to-date versions of Windows if users there apply the patches.

While Microsoft declined to comment on pirated software in Iran, Yunsun Wee, director of Microsoft Trustworthy Computing, did confirm that Microsoft supports all of its software, pirated or not. "Any supported Microsoft operating system has access to security updates, regardless of genuine status, either by manually downloading them from Microsoft's site or by using Automatic or Windows Updates," Wee says.

Security experts say the Flame, Duqu, and Stuxnet attacks should not be perceived as against Microsoft, even if its products were part of the equation. "It's not that they went against Microsoft ... In no way would I say Stuxnet was built to go against Microsoft. It went after vulnerabilities," says Al Kinney, director of defense cybersecurity capability for HP Enterprise Services.

According to a report in The Washington Post today, officials confirmed that Flame was an effort to slow Iran's nuclear program down as well as to buy some time for sanctions and diplomatic efforts.

[ Easy-to-crack encryption likely helped keep Flame alive, as well as its resemblance to conventional software. See How Flame Hid In Plain Sight For Years. ]

Some security experts wonder why the U.S. and Israel bothered to create zero-day exploits and invest in professional software development for the Flame, Duqu, and Stuxnet attacks just to target what was likely pirated software. "It struck me: Do you really need these complex pieces of malware to be that sophisticated if [the target] is using illegal versions of the software?" says Brian Honan of BH Consulting and a member of the Irish CERT.

The operators behind the attacks appear to have covered most of their bases with the quality of the code as well as the assumption that the Iranians were updating their Windows machines, experts say. Even so, antivirus software exports are banned from the U.S. to Iran as well, so AV tools there, if any, were likely weak links. Gunter Ollmann, vice president of research at Damballa, says that was likely a factor. "I'm sure one of the criteria [in an attack] was whether or not there were security products on the targeted device and if it's capable of detecting [Flame's] bag of tricks," Ollmann says.

But what the attackers did not do so well was keep the code under wraps, which has since led to its unraveling by security researchers around the globe.

"The biggest failure was letting [Stuxnet] escape," FireEye's Aziz says. The attackers didn't ensure it didn't spread beyond its target, he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
