2/16/2016 03:00 PM
Stuxnet Part Of Widespread Cyber-Intrusion Of Iranian Infrastructure, New Film Claims

A new Stuxnet documentary that debuts tomorrow in Berlin reportedly reveals how Israel blew the operation's cover, and that the worm was just one element of a much larger US-Israeli cyber espionage operation in Iran.

One of the most intriguing mysteries of Stuxnet is why such a super-stealthy operation spread beyond its targets at Iran’s nuclear facility, exposing the malware and, ultimately, the attack campaign itself.

There has been plenty of speculation since Stuxnet was first discovered in 2010: a bug in the code caused it to go awry; Israel launched a splinter attack; the US and Israel simply went for it in their quest to knock out the uranium-enrichment centrifuges at Iran’s Natanz facility. The debate has raged on.

Now a new documentary on the unprecedented cyberattack weapon maintains that Israel acted on its own with a more aggressive version of Stuxnet. According to media outlets that screened the film “Zero Days” -- directed by Alex Gibney and debuting tomorrow at the Berlin International Film Festival -- Israel’s aggressive push to annihilate the centrifuges ended up derailing subsequent attacks the US and Israel had planned to thwart Iranian nuclear weapon development.

According to reports by Buzzfeed and The Jerusalem Post, both of which viewed the film in advance, the so-called Olympic Games operation that included Stuxnet was just one element of a much larger and more comprehensive cyber initiative called Nitro Zeus, in which US (NSA and CIA) and Israeli intelligence agencies had infiltrated key systems supporting Iran’s infrastructure. The film also reveals that Britain’s GCHQ assisted in the operation, but that the US and Israel were the leads.

Stuxnet’s exposure in 2010 appears to have thwarted further plans to disrupt other nuclear operations, including sabotaging systems at Iran’s Fordow nuclear enrichment plant. “We spent millions on this operation to sabotage all of the computers of the Iranian infrastructure in the instance of a war,” The Jerusalem Post quotes a source from the documentary as saying. “We penetrated the government, electricity lines, power stations and most of the infrastructure in Iran.”

Liam O’Murchu, a Symantec researcher who was one of the first to study the Stuxnet worm, says the film’s reported theory of a more aggressive variant of the Stuxnet malware matches what his team witnessed. “We did see the threat get dramatically more aggressive at the end of 2009 and the beginning of 2010, when they added the USB and zero-day” elements to spread it, says O’Murchu, who manages Symantec’s security response operations team for North America.

Symantec in early 2013 revealed that it had discovered an earlier variant of Stuxnet showing that the attacks on Iran’s Natanz nuclear facility dated back as early as 2005 and targeted another piece of uranium-enrichment equipment. That new timeline and malware version revealed how the attackers became increasingly aggressive with the later versions of the malware.

“When we looked at this telemetry, it did strike us as strange that previous versions had been so quiet and [spread] in such a discreet manner. And then this version spread all over the world,” recalls O’Murchu, who says he and his team were interviewed for the documentary and showed the film’s producers samples of Stuxnet code to support the technical details. O’Murchu is currently in Berlin to attend the film at its debut tomorrow.

“When we found those [earlier] versions [of Stuxnet], they were less aggressive in the way they spread,” and their configuration files allowed the malware to spread for a shorter period of three weeks, versus the later version, which spent up to three months infecting machines, he says.

Ralph Langner, a renowned Stuxnet expert who is also interviewed in “Zero Days” but has not yet seen the film, says he’s not convinced of some of the conclusions reported by the media outlets that attended early screenings. For one, he disagrees that the 2009 version of the Stuxnet worm was “hastily” developed, as some reports of the film suggest.

“Code analysis does not show any evidence that the spreading that we have seen in the 2009 version of Stuxnet was unintentional,” says Langner, who is founder of The Langner Group. “I also do not see that the 2009 version of Stuxnet was developed hastily, thereby causing detection that prevented [widening] the whole operation to other targets like Fordow.”

Langner documented his postmortem study on Stuxnet in November of 2013, in a report entitled “To Kill A Centrifuge.”

“Multiple deliberate design elements in the 2009 version of Stuxnet suggest that the developers had anything in mind but to stay under cover and widen the operation for another couple of years,” Langner says. “Deliberate design features -- such as bringing 1,000 centrifuges simultaneously to overspeed and then almost [completely] stop -- rather seem to indicate that the perpetrators were eager to find out how incompetent Iranian engineers really were.”

“I'm more inclined to believe that the film does not accurately account for the hidden plans of the perpetrators, which it, obviously, cannot fully know,” he says.

[Symantec finds 'missing link' in infamous Stuxnet malware that sabotages another piece of equipment in Iranian nuclear facility--attackers became more aggressive as campaign ensued. Read Stuxnet, The Prequel: Earlier Version Of Cyberweapon Discovered.]

The Jerusalem Post quotes an unnamed NSA source interviewed in the film, who says that while US intelligence kept a “low profile,” the Israeli intelligence team “constantly pushed to be more aggressive.”

“Our friends from Israel took a weapon that we developed jointly, among other things in order to defend Israel, and did something crazy with it, and actually blew the operation. We were very furious,” The Jerusalem Post quotes the source as saying.

The two nations had agreed they could act on their own as long as they kept one another in the loop, according to the reports. That’s where the disconnect may have occurred with the louder, more aggressive version of Stuxnet allegedly unleashed by Israel.

Gen. Michael Hayden, who served as the director of the NSA and the CIA, is interviewed in the film, saying US officials worried that “the real goal of an Israeli attack [against the nuclear facilities in Iran], would be to drag us into war” with Iran.

Operation Olympic Games began in 2006 during President George W. Bush’s presidency, and carried over to President Barack Obama’s first term.

Symantec’s O’Murchu says the attacks indeed required heavy reconnaissance to pull off, and that it makes sense they were part of a broader cyber operation against Iran. “We didn’t have any idea it was as large as what’s being described in the articles” about the documentary, he says, such as malware that could control systems other than centrifuges.

“We haven’t seen evidence of that … But it certainly fits with the strategies of what countries are thinking about in cyberwar nowadays,” he says.

Another mystery that remains unsolved is just what the official code name for Stuxnet really was. O’Murchu says he’s interested in seeing if the film reveals any hints there.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments

kwcharlie (User Rank: Apprentice), 2/16/2016 | 4:23:00 PM
Very Good
Thank You