Where Are We and Where Are We Going 5: Governmental Attacks and Backstage Stuxnet Facts

Shifting the focus of the talk towards governmental attacks, Mikko Hypponen pays particular attention to the situation around Iran, and provides some really interesting facts about the notorious Stuxnet worm.

Governmental cyber attacks can cause tangible real-world damage

Let’s speak about governmental attacks. Now, like I said in the beginning, it’s quite surprising that it has come to this. Yes, Stuxnet, Flame and Duqu are clear examples of this, but even the cases that we’ve seen elsewhere are pretty remarkable, like the fact that Iran wanted to spy on their own citizens, and they did that on a very large scale through their government-owned ISPs which were monitoring inbound and outbound traffic, which led to the situation that dissidents and revolutionary people inside Iran started using encrypted services and started using email providers outside of Iran so that they couldn’t be monitored: services like Hushmail or services like Gmail, because Gmail is always SSL-encrypted and it’s outside of Iran. And once that happens, Iran can’t monitor the traffic of these dissidents, because they can still intercept the traffic, but it’s SSL encrypted. And they can’t set up a fake copy of Gmail inside Iran or a proxy for Gmail inside Iran to trap the traffic because it’s encrypted and the SSL certificate would fail.

And Iran as a country can’t issue a fake certificate for Gmail. Why? Because Iran doesn’t have a CA. Why doesn’t Iran have a certificate authority? Because we, the rest of the world, haven’t trusted them enough to give them a CA. So what did they do? Well, they hacked a CA in the Netherlands – DigiNotar – and generated 26 rogue certificates, including SSL certificates for gmail.com, hotmail.com, live.com, facebook.com, skype.com, hushmail.com. And now they were able to set up a local proxy or a local copy of these services inside Iran, install a fake certificate there, and now it would look perfect, because these were now trusted certificates issued by DigiNotar which were supported by all the browsers in the world. You really wouldn’t be able to tell that it wasn’t really Gmail. You really would have to go and inspect the certificate chain, which very few people do.

In fact, they were able to do this, we think, for at least 2 months, until one guy looked at the certificate chain and started wondering that it’s kind of weird that Google has gotten their certificate from a company in the Netherlands, and that’s how it started unraveling. And by the way, we actually believe that people died in Iran because of this hack. Think about that.
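The point above is that a rogue certificate from a trusted CA passes the browser's normal chain check, and only an issuer expectation (a pin) for the host would catch it. The following is an added example, not code from the talk or from any of the companies mentioned: certificates are modelled as constructed dicts, and "Example Root CA" is a placeholder, not Google's real issuer.

```python
# Added example: why a trusted-but-unexpected issuer passes ordinary chain
# validation, and why an issuer pin per host catches it. All certificate
# records below are constructed stand-ins, not real X.509 data.

# Constructed trust store: every CA a browser would accept as a root.
TRUST_STORE = {"DigiNotar Root CA", "Example Root CA"}

# Defender-side pin: the root expected to vouch for a given host.
# "Example Root CA" is a placeholder assumption, not Google's real CA.
ISSUER_PINS = {"gmail.com": {"Example Root CA"}}


def chain_is_trusted(host, chain):
    """What a browser checks: leaf name matches the host, each certificate is
    issued by the next one in the chain, and the last one is a trusted root."""
    if not chain or chain[0]["subject"] != host:
        return False
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer_cert["subject"]:
            return False
    return chain[-1]["subject"] in TRUST_STORE


def chain_matches_pin(host, chain):
    """Extra check the talk says almost nobody does: is the root that vouches
    for this host the one we expected, not merely one we trust in general?"""
    expected = ISSUER_PINS.get(host)
    if expected is None:
        return True  # no pin configured for this host; rely on the trust store
    return chain[-1]["subject"] in expected


def evaluate(host, chain):
    if not chain_is_trusted(host, chain):
        return "rejected: untrusted chain"
    if not chain_matches_pin(host, chain):
        return f"rejected: {chain[-1]['subject']} is trusted but not the pinned issuer for {host}"
    return "accepted"


# Constructed chain modelled on the DigiNotar case: a gmail.com certificate
# signed by a CA that browsers trusted but that Google never used.
ROGUE_CHAIN = [
    {"subject": "gmail.com", "issuer": "DigiNotar Root CA"},
    {"subject": "DigiNotar Root CA", "issuer": "DigiNotar Root CA"},
]
LEGIT_CHAIN = [
    {"subject": "gmail.com", "issuer": "Example Root CA"},
    {"subject": "Example Root CA", "issuer": "Example Root CA"},
]

if __name__ == "__main__":
    print(evaluate("gmail.com", ROGUE_CHAIN))  # rejected by the pin only
    print(evaluate("gmail.com", LEGIT_CHAIN))  # accepted
```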

Stuxnet – cyber weapon targeting a specific type of facilities

So when Stuxnet was found in 2010, and then when we later learned that it was already started as an operation called “Operation Olympic” in 2008, it was a real game changer. I just finished reading the book “Confront and Conceal”, which is the book by David E. Sanger, editor for “New York Times”, which is the book that breaks the story where U.S. government takes the responsibility for Stuxnet, which is interesting indeed.

U.S. government is now investigating who leaked this information; they are not denying; they’re not saying that it’s not true; they just want to find out who leaked it. And, of course, it wasn’t leaked by accident, it was leaked on purpose. Why? Well, I don’t know; something probably to do with the fact that it’s election year in United States. Call me cynical, but that’s what I believe.

Cascade structure inside Stuxnet code

But before we had this for a fact, we already knew that Stuxnet was targeting the Natanz nuclear enrichment lab in Iran. We knew it for a fact. How did we know that? Well, it’s an interesting story. This was uncovered mostly by Ralph Langner, who did the analysis of the cascade structure code inside Stuxnet, because Stuxnet only operates if it finds a very specific cascade configuration of high-frequency power converters, and the configuration has to look exactly like this. There have to be 4 high-speed configurators by each other in this very specific structure, sort of like a Fibonacci sequence, but not exactly. And if it doesn’t find the sequence, it does nothing.

And this is very unique. I don’t know much about nuclear enrichment centrifuges, but the experts tell me that this is highly unique. There is probably one place in the world that has a setup like this, and that’s what it was looking for. But the question becomes: does Natanz have a cascade of high-frequency power converters spinning centrifuges, or does it not?

Website of the Iranian President could have been the clue for Stuxnet authors

So how do we find out? How could we possibly find out if Natanz has a configuration of centrifuges which would look like this? Well, one solution is to go to this website (see image). I don’t know if you visit the website of the Iranian President very often, but if you would, you would find out that President Mahmoud Ahmadinejad has a collection of photos on his page, photos of when he goes and visits places. And in 2008 he visited Natanz. There’s a photo from inside Natanz on the President’s website, a photo where he’s walking by the centrifuges – the centrifuges which were targeted by Stuxnet. And if you look closely, you can notice that indeed they are 4 by each other. That’s interesting, but it doesn’t tell us much yet, because there’s no way to calculate how many there are, and you won’t be able to see the actual cascade structure, because that’s just logical structure, there’s nothing physical to see.

Clearly discernible cascade configuration

So close, but not exactly what we need. But if you keep looking, you will find this photo (image to the left). And these photos were taken with a Canon EOS DSLR, which means that they posted the original, full-resolution images on the website, which means you can actually zoom in. And if you change the coloring values here, that’s actually what’s on the screen, and when you compare this sequence, you’ll see that it’s an exact match to what’s inside Stuxnet. Can you believe that? We know it was Natanz based on the photos leaked by the official website of the President of Iran. Quite remarkable. And by the way, the picture is still there, I checked it last week – it’s still there, 4 years later.

Open-source copy of Stuxnet

I actually went and tried finding out how long it would take me to find a copy of Stuxnet from open sources. It took me 3 minutes to find a copy of Stuxnet, just like that. So the risk of somebody going and actually modifying Stuxnet exists as well. It’s not a very easy thing to modify, it’s not trivial, it’s far from trivial, but obviously it would be easier to modify it than to recreate it from scratch, which brings us to Flame.