ACTUSÉCU 27 - XMCO

Transcription

ACTUSÉCU 27

STUXNET: ANALYSIS, MYTHS AND REALITIES

Photo: David Helan

CONTENTS

Stuxnet: complete two-part article on THE virus of 2010
Keyboard Layout: analysis of the MS10-073 vulnerability used by Stuxnet
Current news: Top 10 hacking techniques, zero-day IE, GS Days 2010, ProFTPD
Blogs, software and our favorite Tweets

This document is the property of XMCO Partners. Any reproduction is strictly prohibited.

Are you concerned by IT security in your company?

XMCO Partners is a consultancy whose business is IT security audits.

Services:

Intrusion tests: our experts in intrusion can test your networks, systems and web applications. Use of OWASP, OSSTMM and CCWAPSS technologies.

Security audit: technical and organizational audit of the security of your Information System. Best practices: ISO 27001, PCI DSS, Sarbanes-Oxley.

PCI DSS support: consulting and auditing for environments requiring PCI DSS Level 1 and 2 certification.

CERT-XMCO, vulnerability monitoring: personalized monitoring of vulnerabilities and the fixes affecting your Information System.

CERT-XMCO, response to intrusion: detection and diagnosis of intrusion, collection of evidence, log examination, malware autopsy.

About XMCO Partners:

Founded in 2002 by experts in security and managed by its founders, we work in the form of fixed-fee projects with a commitment to achieve results. Intrusion tests, security audits and vulnerability monitoring are the major areas in which our firm is developing. At the same time, we work with senior management on assignments providing support to heads of information systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts.

To contact XMCO Partners and discover our services: http://www.xmco.fr

EDITORIAL
Number 27, Feb. 2011

We wish you a happy 2011.

This is the first issue of ActuSécu in 2011. As usual, a very busy year end made us a little late in writing this issue.

The XMCO team is strengthened with the arrival of Florent Hochwelker, a security consultant coming from SkyRecon. The security of the Windows kernel, DEP bypass and other tricks for happily causing memory overflows no longer hold any secrets for him. Florent has also written his first article in this issue.

What will 2011 bring us in terms of attacks and security? Without wishing to gaze into a crystal ball, it is clear, for me, that 2011 will be the year of m-payment: contactless mobile payments (by NFC or GSM). Although these technologies are, a priori, new, they are based on existing and proven frameworks. There will certainly be implementation errors that may be exploited by pirates, especially as these are particularly ingenious concerning hacking means of payment.

We hope that you find this issue interesting and we look forward to seeing you at Black Hat Barcelona, for which XMCO is a partner.

Frédéric Charpentier
Chief Technology Officer

ACTUSECU
Editor in chief: Adrien GUINAULT
Contributors: Charles DAGOUAT, Florent HOCHWELKER, Stéphane JIN, François LEGUE, Frédéric CHARPENTIER, Yannick HAMON

CONTACT XMCO
actu secu@xmco.fr
info@xmco.fr

THE XMCO AGENDA
PCI DSS QSA TRAINING: 7 and 8 March in London
BLACK HAT EUROPE: 16 and 17 March in Barcelona

CONTENTS

Stuxnet Part I: analysis, myths and realities (p. 5)
An examination of THE virus of 2010.

Stuxnet Part II: technical analysis (p. 13)
Propagation, infection and attacks on industrial systems.

Keyboard Layout vulnerability (p. 29)
Analysis of the "elevation of privileges" vulnerability used by Stuxnet (MS10-073).

Current news (p. 38)
Top Ten hacking techniques, zero-day IE, GS Days, ProFTPD.

Blogs, software and extensions (p. 52)
IMA, VMware compliance checker, Twitter and the rn 101 blog.

XMCO 2011

STUXNET PART I: HISTORY, MYTHS AND REALITIES

Stuxnet, elected malware of the year

It would have been inconceivable not to devote an article to THE malware of the year 2010. Although nearly everything has already been said on this subject, we could not resist wanting to write an article on Stuxnet several months after the media buzz has subsided. Much is still obscure concerning this malware, its origins and its developers. However, we will try to give a summary, also taking an objective view in relation to various papers covering the subject.

If there is one thing to remember about 2010, it is surely the case of Stuxnet. This is because this malware, specifically produced to carry out the second highly publicized targeted attack of 2010 (after Aurora), caused comment for more than six months! This article is intended as a summary of this long period, which was punctuated by many new developments. It covers the development of the discoveries and announcements that took place during this period and tries to analyze all the facts in order to draw conclusions. Between reminders on technical matters, genuine rumors and false realities, this article will appraise the situation as completely as possible.

Preliminary reminders

Stuxnet is a complex piece of malware constructed from many items, intended to sabotage the normal functioning of certain critical systems. In contrast to the somewhat indiscreet approach which is used to access these sensitive systems, this sabotage is intended to be very discreet.

To approach its target, Stuxnet exploits at least four zero-day vulnerabilities (currently all corrected by Microsoft) targeting different versions of Windows, as well as the famous MS08-067 vulnerability that was corrected several years ago.

To quickly reach its target, the malware also uses a password defined by default within certain SCADA (Supervisory Control And Data Acquisition) systems. This is based on the Siemens SIMATIC WinCC software.

Thanks to all the work performed by various researchers with an interest in malware, the role of Stuxnet has been clarified. The malicious code acts in several stages: firstly, a removable item of storage media is used to compromise a system on a local network. Once present on a network, the malware replicates, moving towards the discovery of a point of access to its target: a system on which WinCC is installed.

Secondly, when such a target is discovered, the behavior of the various items controlling the target architecture is modified in order to physically impair the integrity of the industrial production system. In the case of Stuxnet, this concerns modifying the normal function of certain critical systems by manipulating their controllers.

History

It is difficult to create a comprehensive history of the events relative to Stuxnet because of the numerous new developments and announcements during this long period. Limiting ourselves to the dates of the discoveries made and publicized by the researchers would not really make sense. It is necessary to consider the period before the media took an interest in this subject, as this attack is so complex. We are therefore going to try, with hindsight, to trace a history that takes into account the dates before the beginning of the media interest in this sabotage campaign. Also, all this takes into account discoveries made after this attack attracted media interest.

From Stuxnet

Everything officially began on 17 June 2010, when the Belarusian company Virusblokada published a report on the virus RootkitTmphider, mentioning the LNK security vulnerability. This vulnerability, which was zero-day in June 2010, allows a pirate to execute code when opening a directory, whether it is shared (SMB, WebDAV), local or on a mass-storage peripheral (external hard disk, USB drive, portable telephone, MP3 player, etc.). The vulnerability gradually began to arouse comment. MITRE dedicated reference CVE-2010-2568 to it the following 30 June, and on 13 July, Symantec added the detection of this virus under the name of W32.Temphid.

The next day, on 14 July, MITRE assigned references CVE-2010-2729 and CVE-2010-2743 to security vulnerabilities present in the print spooler and in the keyboard management. Two days afterwards, on 16 July, Microsoft published a security alert referenced KB2286198. This last concerned the security vulnerability exploited by the malware. The management of LNK files was then clearly identified as problematic by the software publisher. At the same time, VeriSign revoked the certificate belonging to Realtek Semiconductor Corp. This was because it had been used by pirates to sign certain drivers used by their malware. Symantec subsequently revealed that the first malware, which had a driver signed by the certificate and which was identified as coming from the Stuxnet family, went back to January 2010.

On 17 July, the antivirus publisher ESET detected new malware coming from the Stuxnet family. This used a certificate belonging to JMicron Technology Corp. to sign one of its components. On 19 July, a year after ivanlef0u had published a proof of concept, the researcher HD Moore published exploitation code within the Metasploit framework. This allowed control of a system to be taken over remotely by exploiting the security vulnerability through WebDAV sharing. This code allowed a pirate simply to encourage an Internet user to visit a web page with Internet Explorer to take control of the underlying system. The same day Symantec renamed W32.Temphid to W32.Stuxnet, and Siemens reported that the company was in the process of studying reports referring to the compromise of several SCADA systems linked to WinCC.

On 20 July, Symantec announced that it had discovered how the malware communicated with its command and control (C&C) servers, and the meaning of the exchanged messages.

On 21 July, MITRE assigned reference CVE-2010-2772 to the security vulnerability present within the Simatic WinCC and PCS 7 software from Siemens. A password had been hard-coded and could be used to access certain components of Siemens applications with elevated privileges.

Two days afterwards, on 23 July, VeriSign revoked the certificate belonging to JMicron Technology Corp.

Then several days passed, during which the researchers and specialists involved in this study certainly did not stop working. On 2 August, outside its "Patch Tuesday" cycle, Microsoft published its security bulletin MS10-046 proposing several patches for the LNK vulnerability. On 6 August, Symantec presented the method used by Stuxnet to inject and hide code on a PLC (Programmable Logic Controller).

On 14 September, Microsoft published a new security bulletin (MS10-061) and offered a patch for the security vulnerability present within the print spooler that was discovered by Symantec in August. The same day, MITRE assigned reference CVE-2010-3338 to the "elevation of privileges" vulnerability that was identified within the task scheduler.

Just several days afterwards, on 17 September, Joshua J. Drake (jduck1337) published exploitation code within the Metasploit framework. This allowed control to be taken of a system via the security vulnerability present within the Windows print spooler.

Lastly, to end the month of September, the publishers of the antivirus solutions ESET and Symantec published a first version of their report, on 30 September, presenting their almost-complete analyses of the malware. In fact, both publishers did not wish to disclose information on vulnerabilities that had not yet been corrected by Microsoft.

The following month, on 20 November, Joshua J. Drake published new exploitation code within the Metasploit framework to exploit the vulnerability present within the Windows task scheduler.

Finally, to prevent the exploitation of the last security vulnerability exploited by Stuxnet, Microsoft, on its "Patch Tuesday" of 12 October, published its security bulletin MS10-073 that gave a patch for the vulnerability related to the management of the keyboard. Then, after two months of waiting, in its "Patch Tuesday" of 14 December, Microsoft published its security bulletin MS10-092 offering a patch to correct the security vulnerability related to the task scheduler.

The progress made by Ralph Langner

Thanks to the work done by the German researcher Ralph Langner, which began as soon as the media began to take an interest in the malware, it has been possible to identify numerous trails related to the origin of Stuxnet, to its potential targets and to the people who are hiding behind this attack. Of course, all information published by this former psychologist should be treated with caution. Even so, it appears, with hindsight, that many opinions that he gave have been subsequently validated by other researchers (such as Symantec) or by documents coming from third-party sources.

On 16 September, Langner announced that Iran, and particularly the nuclear power station at Bushehr, which was built in cooperation with Russia, was the main target. The researcher was also the first to speak of cyber war. On each following day, he published new hypotheses and new discoveries. The researcher approached numerous entities, such as Congress, the DHS and the INL in the United States, and also appeared on television. On 13 November, Langner announced, just after Symantec, that he had come to the same conclusions concerning the malicious code 315 and the PLCs targeted. He took advantage of this to present the K-1000-60/3000-3 steam turbines manufactured by the Russian manufacturer "Power Machines" which, according to him, equipped the Bushehr nuclear plant. The following day, he presented his analysis concerning the entity that probably ordered this attack: for him, only a government could have been involved in such a scenario. The complexity of the knowledge that was necessary, the human and material resources necessary and lastly, the cost of such an organization make certain countries ideal suspects. Among the list chosen by the researcher were Israel, the United States, Germany and Russia.

On 15 November, Langner presented a technical solution allowing the malicious code 315 to destroy gas centrifuges. He was then supported by the nuclear specialist from ISIS (Institute for Science and International Security), David Albright. On the same day, a second announcement gave the details of the attack performed by the code 417. In the days that followed, numerous details of this second attack were presented and a hypothesis concerning the targets was given: according to the researcher, the code 315 targeted the IR-1 centrifuges present in the Natanz enrichment centre, while module 417 targeted the steam turbines in the electrical power station at Bushehr. A single weapon, malware, which contained two payloads: the code modules 315 and 417, targeting different PLCs.

At the end of November, the former psychologist announced that Iran and Venezuela had concluded an agreement in 2008. This alliance allowed Iran to install ballistic missiles on Venezuelan territory in exchange for the help provided by Iran in setting up a nuclear program in the host country. A situation in which the United States would surely not be delighted to find itself; and therefore, in his opinion, a justification for the establishment of this secret program.

At the end of December, helped by the publication of the report from ISIS, which gave an analysis of the nuclear infrastructure situation reported by the inspectors from the International Atomic Energy Agency (IAEA), Langner announced that he had discovered the precise target of the malware, and more precisely, of block 417. This was the safety system associated with cascades of centrifuges used to enrich uranium. In his opinion, the PLCs targeted were used every two years in the functioning of an enrichment centre such as Natanz.

At the beginning of January, the researcher presented a new hypothesis on the role of blocks 315 and 417. According to him, their main objective was not the destruction of the centrifuges, but rather to make these production systems massively inefficient. By analyzing the data embedded in the code, and theoretical calculations on the yield of uranium production, the researcher discovered that the operations performed by the two blocks of code would drastically reduce the yield of the centrifuges.

To summarize, over the course of these few months, Langner was probably the researcher who communicated most concerning Stuxnet.

The "New York Times" theory

For the first time since the beginning of this scenario, an article published by the New York Times on 16 January described a plausible scenario. Even though this scenario is based more on a correlation between events and facts, rather than on tangible proof, these authors have the distinction of being among the first to officially name the various protagonists. It should therefore be taken with caution and is the responsibility only of the journalists who wrote the New York Times article.

In this scenario, the United States set up a plan to hinder Iran in its quest to produce nuclear weapons. According to the journalists, President Bush gave his agreement, one month before the end of his term of office in January 2009, to the establishment of a secret program aiming to sabotage the electrical and computer systems at the main uranium enrichment centre at Natanz. From the beginning of his term of office, Barack Obama, who had been informed of this before taking office, accelerated this program on the advice of those knowledgeable concerning the case of Iran.

Still according to the New York Times journalists, this program was based on work performed at the Idaho National Laboratory (INL) in partnership with the Department of Homeland Security (DHS) and Siemens. During 2008, they claim that Siemens requested the INL to test the security of its Step7 software used to control a set of industrial systems (tools, probes, etc.), using controllers such as PCS7 (Process Control System 7). The results obtained, including numerous security vulnerabilities, were presented in July at a conference that was held in Chicago.

Several months later, American diplomacy succeeded in establishing an embargo on certain components necessary to the correct functioning of a uranium enrichment centre. According to a diplomatic cable revealed by Wikileaks, in April 2009, 111 Siemens controllers necessary to controlling a uranium enrichment cascade were therefore blocked at the port of Dubai in the United Arab Emirates.

The article presents Israel as a principal ally of the United States in manufacturing and testing this malware. This "small" country, which is highly advanced technologically, and particularly in cyber-warfare, is alleged to have built a replica of the Natanz enrichment centre in its own nuclear research centre: Dimona. The journalists gave two reasons for this alliance. Among the Americans' other allies, none of them would be able to make the IR-1 centrifuges work properly. These were derived from the Pakistani P-1, which themselves were copied from plans of the German G-1 stolen by the doctor of physics Abdul Qadeer Khan (father of the Pakistani nuclear bomb and in charge of a network specialized in the sale of nuclear material that helped to spread sensitive technology to Iran, North Korea and Libya). The second reason was that Israel had long been openly seeking to prevent Iran from obtaining nuclear weapons.

According to the authors of this article, other information revealed the magnitude of this American program. Massoud Ali Mohammadi, an Iranian nuclear specialist, was killed in January 2010 by an explosion caused by a remotely-triggered bomb fixed to a motorbike. On 29 November 2010, when Iran recognized for the first time that Natanz had suffered damage related to Stuxnet, a second physicist, Majid Shahriari, was the victim of a second fatal "accident". On both of these occasions, president Mahmoud Ahmadinejad directly accused the United States and Israel of having ordered these assassinations. After this second suspect event, the Iranians took the decision to "hide" Mohsen Fakrizadeh, the third (and last?) nuclear specialist.

At the end of 2010, the Institute for Science and International Security (ISIS) reported that 984 defective controllers had been replaced at the end of 2009 according to a report by inspectors from the IAEA. Strangely, this figure exactly corresponds to the number of Siemens controllers contained within an enrichment cascade. Nevertheless, what is the relationship between these 984 defective controllers and Stuxnet? These controllers were replaced between the end of 2009 and the beginning of 2010, while Stuxnet made its first public appearance at the beginning of 2010 although it was not yet identified.

Forbes's counter theory

Another article published by journalists at Forbes the following day strongly criticized this analysis. According to them, this was based on no tangible proof. Only gestures made by certain diplomats at press conferences and the content of several diplomatic cables revealed by Wikileaks gave any support to the journalists' article.

The journalists took advantage of trashing this theory to push their own analysis that was published in December. According to them, the "real" powers behind Stuxnet were Finland and China. The reasoning behind this was that Vacon, the Finnish manufacturer of frequency converters (variable frequency drives), had a manufacturing plant in China. This would mean that China would know precisely which PLCs to target. Furthermore, China is suspected to have access to part of the source code of Windows, which could explain the discovery and use of four zero-day vulnerabilities.

Numerous other details relating China and Finland were also revealed by the journalists to support their theory. For example, RealTek Semiconductor, the Taiwanese company whose certificate was stolen to sign the drivers, has an establishment in the industrial zone of Suzhou, in China, not far from Vacon. Finally, China was relatively untouched by the worm.

On 9 July, the Indian satellite INSAT-4B was declared inoperable. This satellite, which was used for transmitting telecommunications, television broadcasting, meteorology and for individual search and rescue, was controlled by a SCADA system based on Siemens S7-400 and SIMATIC WinCC PLCs. This announcement occurred during a complex period in Indo-Chinese relationships, because both countries are fiercely competing with each other in the aerospace sector to be the first Asian country to put a man on the moon.

Although Symantec and other publishers of anti-virus software named Iran as the main victim of Stuxnet, it was not before mid-October that the subject of Stuxnet was publicly mentioned by Iran. During this first speech, the Iranian president simply denied the damage that the worm was supposed to have caused to national infrastructure. A month later, in November, the country recognized for the first time that it had suffered "slight" problems leading to the postponement of the launch of the Bushehr plant. In reaction to this attack, the government arrested some Russian service contractors suspected of being spies. These were subsequently released.

Lastly, very many international experts criticized the quality of the code in the malware. Several commentators criticized the amateurism of certain functionalities of Stuxnet: the very basic component that communicates with the C&C servers (for example, no communications encryption, the lack of robustness of the control servers, etc.), the absence of additional protection (polymorphism, anti-debug and robust encryption), and finally an indiscreet means of proliferation that is unworthy of an attack carried out discreetly by the military. According to these commentators, just these observations are evidence that no government is hiding behind Stuxnet.

The other factors to be remembered

Since the beginning of 2011, numerous other events were added to this story. Symantec, by recovering samples obtained from various publishers of antivirus software in the market, was able to make a statistical study of the attacks.

So, thanks to the 3,280 samples recovered from ESET, F-Secure, Kaspersky, Microsoft, McAfee and Trend Micro, Symantec was able to draw the following conclusions:
- exactly five organizations were targeted; these five organizations are all present in Iran;
- most of the 12,000 infections corresponding to the 3,280 samples can be traced to these various organizations;
- among the victims used as vectors for propagation, three were attacked once, one was targeted twice and the third was attacked three times;
- these attacks took place at very precise dates: in June 2009, one month later in July 2009, then at three further stages in March, April and May 2010;
- lastly, three variants of the malware corresponding to the attacks that took place in June 2009, April 2010 and May 2010 were observed. The existence of a fourth variant is assumed but has not been observed among the samples obtained.

According to Symantec, these five companies are suppliers with links to the Natanz enrichment centre.

From these samples Symantec was able to produce graphs representing the proliferation of the malware. For this, the researchers used the information recorded (date and time, for example) by the malware when it infects a new system. These graphs clearly highlight the five dates corresponding to the attacks and the number of targets initially contaminated during each of these events.

The day after this announcement, several media echoed another announcement that was particularly surprising. During a video shown at a party given in honor of the retirement of general Gabi Ashkenazi, and published by the conservative newspaper Haaretz, it was claimed that the newly-retired general had supervised the creation of Stuxnet. Nevertheless, as no official Israeli source has corroborated this announcement, it must be taken with caution.

The Stuxnet affair began well before 2010. Thus, Symantec was able to find traces of the malware going back to 2008. On 20 November 2008, Symantec observed the exploitation of the LNK vulnerability for the first time. This had not been analyzed at the time and we had to wait until the appearance of Stuxnet to discover that pirates had known about this vulnerability for more than two years. The virus in question was then identified as "Trojan.Zlob" and does not appear to be related to Stuxnet.

In April 2009, the researcher Carsten Kohler published an article in the magazine Hackin9 presenting a security vulnerability within the Windows print spooler. No one reacted, not even Microsoft, which was clearly concerned! Several months later, in June 2009, Symantec detected a new malware that is now identified as the first version of Stuxnet. This was very simple and did not carry all of the payloads that we know today. According to Symantec, it was in January 2010 that the first malware in the Stuxnet family appeared using the certificate from Realtek Semiconductor Corp. to sign one of the components of the malware.

Lastly, it was in March 2010 that the first malware in the Stuxnet family appeared which exploited the LNK vulnerability.

Conclusion

Stuxnet has caused a lot of comment and been highly publicized. The various theories, analyses and hypotheses made until now do not allow any conclusions to be drawn with certainty, either concerning those ordering the attacks or the targets. However, according to the various discoveries made by several researchers and journalists (Symantec, Langner and the New York Times), Iran seems to have been targeted, especially the nuclear enrichment centre at Natanz. Concerning those ordering the attack, and bearing in mind its complexity, the resources used and the different information revealed by the journalists, Israel and the USA appear to have played a role in this affair. We must also bear in mind that all of the information revealed by the various observers is always subjective.
