The code inside code; Cyber attacks against Iran

July 19, 2012, 6:00AMANS Nuclear CafeDan Yurman

The New York Times reveals who did it

In a massive article that took 18 months to complete, New York Times reporter David E. Sanger reveals for the first time the details about sophisticated cyberattacks on computer systems that run Iran's uranium enrichment program.

The attacks, which have been authorized by two U.S. presidents, Bush and Obama, temporarily disabled up to 5,000 uranium centrifuges by sabotaging the software inside the Siemens programmable logic controllers (PLCs) that set the spin rate of the machines. In short, the centrifuges, which operate at over 7,000 rpm, spun themselves to pieces when malware programmed erratic changes in their performance.

According to the New York Times article, the cyber software, known as the Stuxnet work, was developed jointly by the U.S. government working through multiple agencies and their counterparts in Israel. The joint effort also had the political effect of convincing Israel that the stealthy destruction of the centrifuges via software was a preferable option to starting a Middle East war by bombing Iran's uranium enrichment plants.

It isn't clear how successful the cyberattacks have been as tactics. Also, the latest rounds of sanctions against Iran, which include severe reductions on oil sales to Europe, have not resulted in progress at the negotiation table between western powers and Iran.

The country continues to robustly support its nuclear program while the economy takes a dive. Fuel and food prices are rising sharply. The national airline has difficulty getting spare parts for its commercial fleet. In some ways, Iran is becoming more like North Korea where military priorities trump civilian needs.

History of Stuxnet revealed

The New York Times article reveals that Stuxnet and a predecessor worm dubbed "Flame" hid in plain sight on computers in Iran's uranium enrichment plants because they cloaked themselves in "signatures" from Microsoft. The Siemens PLCs that were the targets of the Stuxnet work use the Windows operating system.

The cyberattack had two phases. The first program maps networks for infiltration. The second follows the maps to do the dirty work. Specifically, finding the location of PLCs on computer networks in the uranium enrichment plant was essential.

That was the job for Flame that appears to have been deployed at least five years ago. The Stuxnet attack, which was revealed in 2010, followed the roadmaps provided by Flame and caused the centrifuges to crash by disrupting the operation of the PLCs.

The U.S. effort to develop both pieces of software was undertaken in close collaboration with Israeli developers. Even more interesting is the revelation that the U.S. tested the effect of the software with replicas of the Iranian uranium centrifuges. In a classic case of application of OPSEC (operational security), the testing was divided up among U.S. Department of Energy laboratories to prevent any one of them from seeing the whole picture.

The Wall Street Journal for June 1, 2012, reported that some of the work was done at the Idaho National Laboratory that has a test center for protecting critical infrastructure, such as power substations, from cyberattacks. The newspaper reported that lab scientists identified weaknesses in the PLC's software.

The Stuxnet software was successful and reportedly drove the Iranians crazy because they could not figure out why the centrifuges were breaking down. It reported normal operations of the centrifuge while in fact it was destroying it.

Getting the software into the underground facilities, which were not directly connected to the Internet, turned out to be surprisingly easy. The project relied on transmission of the information via thumb drives, some possibly loaded with popular music or other entertainment and carried into the plant by unsuspecting workers.

Stuxnet was supposed to remain a secret, but it got out when the thumb drives were carried to other nations. Siemens was able to document the flow of the computer virus as it attacked its PLCs installed on other machines in other countries.

Israel goes after Iran's oil plants

The Flame virus showed up in the radar screen of cyber security experts in May 2012 after Iran said through state controlled news media that it had discovered it in computers at the nation's oil refinery operations. It turns out, according to an Associated Press report for June 19, that Israel unilaterally used the virus to attack the oil processing plants.

While the U.S. and Israel have reportedly collaborated on the development of Flame, its use to disrupt oil refining operations appears to be a unilateral operation by Israel.

The New York Times reported May 29 that Iran's Computer Emergency Response Team went public with its identification of the cyberattack on oil facilities. Kamran Napelian, an official with the team, said in a web site posting that Flame was designed to mine data from personal computers and that it had entered Iran's networks through USB sticks.

"This virus copies what you enter on your keyboard; it monitors what you see on your computer screen," Mr. Napelian wrote. That includes collecting passwords, recording sounds if the computer is connected to a microphone, scanning disks for specific files, and monitoring Skype.

"Those controlling the virus can direct it from a distance," Mr. Napelian said. "Flame is no ordinary product. This was designed to monitor selected computers."

Share and share alike

Like Stuxnet, the Flame virus hid in plain sight by appearing to computer firewalls as a certified Microsoft update to the Windows operating system. Cyber security experts say the sophistication of the effort is revealed by the fact that Flame and Stuxnet share some of the same computer code and that they successfully avoided detection from commercial security software.

The AP article quotes Michael V. Hayden, a former NSA director and CIA director who left office in 2009. "It is far more difficult to penetrate a network, learn about it, reside on it forever and extract information from it without being detected than it is to go in and stomp around inside the network causing damage," he said.

The Kaspersky Lab, a Russian security firm, told AP, "We are 100 percent certain Flame and Stuxnet worked together."

Agents of Assassination

A new book published last week by two noted Israeli journalists claims the Mossad, Israel's spy agency, was responsible for at least four deadly bombing attacks inside Iran that killed nuclear scientists. The book is Spies Against Armageddon: Inside Israel's Secret War by authors Dan Raviv and Yossi Melman.

In a July 8 interview with the Associated Press, the two authors said the assassinations had two objectives. The first is that they are Israel's response to threats by Iranian President Mahmoud Ahmadinejad to wipe Israel off the face of the earth. The second is to strike fear in the hearts of Iran's nuclear science community that anyone in a leadership role could be a target.


Dan Yurman publishes Idaho Samizdat, a blog about nuclear energy, and is a frequent contributor to ANS Nuclear Café

Related Articles