Flame on: The greatest cyberweapon ever?

posted at 5:21 pm on May 29, 2012 by Allahpundit

Now that you’re done with the NYT piece on Obama’s Al Qaeda “kill list,” take 10 more minutes and dive into Wired’s fascinating read on the greatest spy machine ever invented. Unlike Stuxnet, this one doesn’t mess with industrial equipment; all it does is record virtually everything you’re doing on your computer — or within earshot of your computer — while leaving almost no trace of its existence.

The apparent target is just who you’d think it’d be.

The [Flame] malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware…

Among Flame’s many modules is one that turns on the internal microphone of an infected machine to secretly record conversations that occur either over Skype or in the computer’s near vicinity; a module that turns Bluetooth-enabled computers into a Bluetooth beacon, which scans for other Bluetooth-enabled devices in the vicinity to siphon names and phone numbers from their contacts folder; and a module that grabs and stores frequent screenshots of activity on the machine, such as instant-messaging and email communications, and sends them via a covert SSL channel to the attackers’ command-and-control servers.

The malware also has a sniffer component that can scan all of the traffic on an infected machine’s local network and collect usernames and password hashes that are transmitted across the network. The attackers appear to use this component to hijack administrative accounts and gain high-level privileges to other machines and parts of the network.
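The sniffer in the excerpt is a passive harvester: it sends nothing and simply reads what other hosts on the segment put on the wire, which on a 2012-era Windows LAN meant NTLM challenge-response exchanges and the occasional plaintext login. The Python below is an added example, not Flame's code or anything from the Wired piece, that models that behaviour against a few constructed frames: it lifts an HTTP Basic credential and parses an NTLM AUTHENTICATE (Type 3) message to recover the domain, user and NT response, which is exactly the material an attacker then cracks or relays to "hijack administrative accounts". The addresses, names, NT-response bytes and the "SMB-ish" framing are constructed for the example; the Type 3 layout (signature, message type, six security buffers, negotiate flags, then payload) is the real one, but the builder omits the optional version and MIC fields.

```python
"""Model of a passive LAN credential sniffer.  Every frame here is constructed
for the example; nothing is Flame's code."""
import base64
import re
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3           # Type 3 carries the client's response hash
NTLM_FLAG_UNICODE = 0x00000001  # string fields are UTF-16LE when set


def _field(data, off):
    """Decode an NTLM security buffer (len, maxlen, offset) at byte `off`."""
    length, _maxlen, start = struct.unpack_from("<HHI", data, off)
    return data[start:start + length]


def parse_ntlm_authenticate(msg):
    """Return domain, user, workstation and NT response from a Type 3 message,
    or None if `msg` is not an NTLM AUTHENTICATE message."""
    if not msg.startswith(NTLMSSP_SIG) or len(msg) < 64:
        return None
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != NTLM_AUTHENTICATE:
        return None
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NTLM_FLAG_UNICODE else "latin-1"
    return {
        "kind": "ntlm",
        "nt_response": _field(msg, 20).hex(),   # what gets cracked or relayed
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
    }


BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")


def parse_http_basic(payload):
    """Recover user:password from a plaintext HTTP Basic Authorization header."""
    m = BASIC_RE.search(payload)
    if not m:
        return None
    decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    user, _, password = decoded.partition(":")
    return {"kind": "http-basic", "user": user, "password": password}


def harvest(frames):
    """Scan (src, dst, payload) tuples and return every credential artefact a
    passive listener on the segment could lift."""
    found = []
    for src, dst, payload in frames:
        hit = parse_http_basic(payload)
        idx = payload.find(NTLMSSP_SIG)
        if hit is None and idx >= 0:
            hit = parse_ntlm_authenticate(payload[idx:])
        if hit:
            hit.update(src=src, dst=dst)
            found.append(hit)
    return found


def build_ntlm_authenticate(domain, user, workstation, nt_response):
    """Assemble a minimal Type 3 message; used only to construct sample traffic.
    Buffer order: LM response, NT response, domain, user, workstation, session key."""
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    fields, payload = b"", b""
    for blob in [b"", nt_response] + strings + [b""]:
        fields += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    return (NTLMSSP_SIG + struct.pack("<I", NTLM_AUTHENTICATE) + fields
            + struct.pack("<I", NTLM_FLAG_UNICODE) + payload)


# Constructed sample traffic: one plaintext intranet login, one NTLM auth
# wrapped in fake transport framing, one frame with nothing of interest.
SAMPLE_FRAMES = [
    ("10.0.0.7", "10.0.0.1",
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"jdoe:Winter2012") + b"\r\n\r\n"),
    ("10.0.0.9", "10.0.0.2",
     b"\x00\x00\x00\x80SMB-ish framing"
     + build_ntlm_authenticate("LAB", "Administrator", "WS09",
                               bytes(range(16)) + b"\x01\x01\x00\x00")),
    ("10.0.0.9", "10.0.0.2", b"\xffSMB plain data, no credentials"),
]

if __name__ == "__main__":
    for cred in harvest(SAMPLE_FRAMES):
        print(cred)
```

The exposure the sniffer exploits is legacy authentication on an unsegmented network, so the mitigations are the unglamorous ones: Kerberos instead of NTLM where possible, NTLMv1 and LM disabled, SMB signing required so a captured exchange cannot be relayed, and no Basic auth outside TLS.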

Current estimates are that about 1,000 computers worldwide are infected, a plurality of them in Iran. Interestingly, though, Flame doesn't replicate automatically; it spreads only when its operators tell it to. Stuxnet did spread on its own, so much so that Richard Clarke theorized there must have been a flaw in its programming. Replication not only makes it more likely that the malware will be detected; these are, after all, the cyber equivalents of atomic bombs. The more widely the code circulates, the more likely it is that hackers and/or U.S. enemies will reverse-engineer it and wreak havoc. (Then again, hackers can already access virtually any unsecured U.S. network, in which case who needs Flame?) The braintrust behind Flame evidently took care to limit its exposure, which helps explain why it wasn't discovered as quickly as Stuxnet.

Apparently there are few similarities between Stuxnet and Flame except, per Wired, one possible likeness in an export function and the ability to spread via USB sticks by exploiting software vulnerabilities. Does that mean the two programs came from different sources, or are the differences simply a function of what they're designed to do? Flame is vastly bigger and more complex according to security researchers (one says it's "20 times" more complicated than Stuxnet), but then it's designed to do far more than manipulate the spin of uranium centrifuges. Another clue: the two seem to have emerged at roughly the same time. Stuxnet has been traced to as early as June 2009 but started circulating more widely in early 2010. Flame apparently started circulating around the same time, although it may have existed as early as 2007, says Wired, noting that Stuxnet is believed to have been written in that same period. Indeed, we already know from the NYT that Stuxnet began development during Bush's administration and was, reportedly, accelerated by Obama. Looks like Flame might have been on the task list too.

We also know from the Times that Stuxnet was likely a joint U.S./Israeli project. ABC sees another common thread there:

A top Israeli official hinted today that his country could be behind the most sophisticated cyber espionage program ever developed, known as Flame, which infiltrated and has spied on computer systems throughout the Middle East, including those in Iran, for the past two years.

“Whoever sees the Iranian threat as a serious threat would be likely to take different steps, including these, in order to hurt them,” Israel’s vice prime minister Moshe Yaalon told Israel’s Army Radio today, referring to the cyber attack. “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.”…

So far, researchers in the U.S. and abroad have said Flame appears to only be used for spying purposes, rather than being used to cause physical damage to systems, like Stuxnet. Still, Kaspersky Labs said in a blog post, “such highly flexible malware can be used to deploy specific attack modules” that could target a country’s critical infrastructure and there could also be variations of the code that have yet to be discovered.

In other words, Flame might have some sort of built-in Stuxnet-like capacity to take over industrial machinery if need be. (One of the UN's own cybersecurity experts said, "I think it is a much more serious threat than Stuxnet.") No one knows yet because researchers are only just starting to unpack it; it's like an alien autopsy where you're suddenly looking at an advanced physiology you've never seen and have to figure out what each of the organs does. Two obvious possibilities, then, for what Flame might be designed to do. One: It could pick up Iranian chatter about how far along their nuclear program is, which in turn would tell Israel when time has run out and an attack needs to be launched. Right now they're impatient with the halting negotiations between the west and Iran but willing to tolerate them, maybe because Flame is telling them that Iran hasn't reached nuclear "breakout" capability just yet. Two: It could be a way to disable Iran's air defenses in advance of an attack or, more ambitiously, Iran's enrichment facility at Fordo, which is buried deep inside a mountain and virtually impervious to a conventional attack. If bombs can't take that out, they'll need another way in. Then again, if Israel has already penetrated Fordo well enough to get Flame onto the computers there, they probably already have another way in. Anything else I'm missing here, techies? All theories welcome. Exit quotation: "If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don't know about."


Comments

Spooky…

OmahaConservative on May 29, 2012 at 5:24 PM

“If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about.”

This should scare every freedom/liberty-loving citizen in the world. The technology/process can target you too, and will.

Schadenfreude on May 29, 2012 at 5:25 PM

Wow, LUA. That would be a short list of programmers at that time.

oldroy on May 29, 2012 at 5:29 PM

Call me when Flame can create an explosion 200 feet below ground…

Rixon on May 29, 2012 at 5:30 PM

Call me when Flame can create an explosion 200 feet below ground…

Rixon on May 29, 2012 at 5:30 PM

Well, it might let some folks know where an explosion 200 feet below ground would do some good.

oldroy on May 29, 2012 at 5:33 PM

Imagine what we DON’T KNOW !!!!

jake-the-goose on May 29, 2012 at 5:33 PM

How I Stopped Worrying about Stuxnet,
and Learned to Love the Internet DoomsDay
Device!
———-I’mWearingADinnerJacketInSaneNutJob!!
(snark)

canopfor on May 29, 2012 at 5:33 PM

This should scare every freedom/liberty-loving citizen in the world. The technology/process can target you too, and will.

Schadenfreude on May 29, 2012 at 5:25 PM

Big dogs and nuclear weapons scare me too, but that doesn’t mean I don’t want them available. As long as it is on a leash.

Just make damn sure the leash is strong. In this case, that leash had better mean Fourth Amendment protections that recognize true security in one’s house and papers.

JohnGalt23 on May 29, 2012 at 5:34 PM

Brazilians trying to get free instructions on how to build centrifuges?

oldroy on May 29, 2012 at 5:35 PM

skynet’s self-awareness clock just ticked another minute…..

t8stlikchkn on May 29, 2012 at 5:37 PM

When we charge Iran in the court of public opinion with having violated the Non-Proliferation Treaty, they are gonna be so busted.

J.E. Dyer on May 29, 2012 at 5:38 PM

Another possibility is the possibility of subtle sabotage. Stuxnet was designed to cause problems late in the process, at an unexpected location, and to be difficult to find.

You can stuff incredible amounts of functionality into 20MB of code. If I were designing the ultimate stop-them-from-using-nuclear-weapons virus, I would design something which would subtly subvert their efforts at every step. Stuxnet was designed to sabotage the centrifuges. I wouldn’t be surprised if this did the same. I’d have it mess with the machine tools so that they’d make too-small-to-notice errors in the dimensions of parts. I’d infect their chemical analyzers to show too much, then too little, purity in the uranium. I’d mess with the process control systems to make too much or too little coolant (or other liquids) flow. I’d have it report exactly what software is being used to program the detonation devices, and then infect that software so as to make the detonations misfire by a few milliseconds. I’d mess with missile guidance systems to make them report one set of flight telemetry while using a different set to make actual flight calculations.

That’s just the technical side. There’s also the social engineering side–send a not-so-anonymous email from a key technician or scientist maligning Allah, or offering to cooperate with western intelligence agencies. Change numbers in emails so that it reads “we have 200kg of uranium” instead of “20kg”. Create false alarms in the process control system. Spoof someone pulling a fire alarm. Set off an air-raid siren. Take over a radio station and announce a mandatory week-long holiday. Install a keylogger that occasionally inserts random letters while someone types, so they have to spend more time fixing typos.

In short, do everything possible to make the process of building a nuke so expensive, so time-consuming, and so painful that it becomes not worth the effort.

Mohonri on May 29, 2012 at 5:39 PM

Wow, LUA. That would be a short list of programmers at that time.

oldroy on May 29, 2012 at 5:29 PM

I have dabbled in LUA a little (very little). I guess I should turn myself in.

NotCoach on May 29, 2012 at 5:40 PM

There has been a lot of this going on over there. One little gremlin took over a gig of file space and sent everything home including conversations in the room. I think Israel confessed to this. Not sure.

That Kaspersky.Lab anti-mal is super (got 100% in tests) and comes with a KGB Guarantee.

Latest rumor is that the bombing was a bluff all the time since O didn’t like it. President declined to bomb during his tenure.

IlikedAUH2O on May 29, 2012 at 5:40 PM

JohnGalt23 on May 29, 2012 at 5:34 PM

Watch who holds the leashes.

Schadenfreude on May 29, 2012 at 5:41 PM

When we charge Iran in the court of public opinion with having violated the Non-Proliferation Treaty, they are gonna be so busted.

J.E. Dyer on May 29, 2012 at 5:38 PM

Apparently Non-Proliferation in Persian doesn’t mean what we think it means.

oldroy on May 29, 2012 at 5:41 PM

I meant to write “President Bush declined to bomb way back..”

IlikedAUH2O on May 29, 2012 at 5:41 PM

it’s gonna be one really bored hacker that follows me around on the internet…

DanMan on May 29, 2012 at 5:42 PM

Watch who holds the leashes.

Schadenfreude on May 29, 2012 at 5:41 PM

As carefully as I can, every day of my life.

JohnGalt23 on May 29, 2012 at 5:44 PM

…so what will Britt Kimberlin do with it?

KOOLAID2 on May 29, 2012 at 5:44 PM

Colossus: The Forbin Project

Rixon on May 29, 2012 at 5:44 PM

Apparently Non-Proliferation in Persian doesn’t mean what we think it means.

oldroy on May 29, 2012 at 5:41 PM

Try Persian for “Ninety days notice”.

JohnGalt23 on May 29, 2012 at 5:45 PM

Try Persian for “Ninety days notice”.

JohnGalt23 on May 29, 2012 at 5:45 PM

So, as best as I can tell, almost anything in Persian carries several meanings? One of which is always: “I don’t really mean what I just said.”

oldroy on May 29, 2012 at 5:48 PM

oldroy on May 29, 2012 at 5:48 PM

Except the expression “wipe Israel off the map.” That translates directly from Farsi, Arabic and every dialect in between.

Rixon on May 29, 2012 at 5:51 PM

On a more down to earth note, AP is the consummate chicken little. These pea brained idiots ain’t never gonna reverse engineer any virus to be a threat to us. They don’t write their own software, they buy it. They don’t build their own hardware, they buy it. They also likely need extensive outside help to perform machine integration. Stuxnet and Flame work so well because they are being used against early 19th century technologists with 6th century brains.

NotCoach on May 29, 2012 at 5:51 PM

So, as best as I can tell, almost anything in Persian carries several meanings? One of which is always: “I don’t really mean what I just said.”

oldroy on May 29, 2012 at 5:48 PM

Please, dazzle us with your Persian language skills.

What is Persian for “Ninety days notice”? Because I expect we’ll be hearing it at some point in the not-too-distant future.

JohnGalt23 on May 29, 2012 at 5:51 PM

Wow. I wonder if the Flame developer gets royalties for each computer it is installed on. Could he sue if each copy wasn’t paid for? I wonder if I could find an open-source clone of Flame on github….

oldroy on May 29, 2012 at 5:52 PM

Hmm, why Stuxnet AND Flame? If Flame could do what is listed here I can’t see the need for Stuxnet.

SteveMG on May 29, 2012 at 5:55 PM

90 روز اطلاع (“90 days’ notice”)

oldroy on May 29, 2012 at 5:56 PM

Hmm, why Stuxnet AND Flame? If Flame could do what is listed here I can’t see the need for Stuxnet.

SteveMG on May 29, 2012 at 5:55 PM

Stuxnet to hide Flame?

oldroy on May 29, 2012 at 5:58 PM

Flame probably doesn’t work on iOS. There is no app for that.

oldroy on May 29, 2012 at 5:59 PM

Be quicker to just delete AkhmaDinnerJacket’s iTunes library…

8thAirForce on May 29, 2012 at 6:00 PM

Hmm, why Stuxnet AND Flame? If Flame could do what is listed here I can’t see the need for Stuxnet.

SteveMG on May 29, 2012 at 5:55 PM

Stuxnet preceded Flame. Stuxnet was also specifically designed to screw with known industrial controls and the logic program running inside those controls. I don’t know that Flame has such capability especially since Stuxnet was most likely built with a considerable amount of insider information. Whoever built Stuxnet had access to the exact logic programs the Siemens controllers were running.

NotCoach on May 29, 2012 at 6:01 PM

…what if Britt Kiberlin gets it?

KOOLAID2 on May 29, 2012 at 6:02 PM

Paging Montgomery County Judge James Vaughan! It’s the President of Iran on the phone for Judge Vaughan!

He’s the go-to guy for bad men seeking protection from the truth, after all.

MTF on May 29, 2012 at 6:05 PM

Whoever built Stuxnet had access to the exact logic programs the Siemens controllers were running.

NotCoach on May 29, 2012 at 6:01 PM

Embedded C programs that were available with similar Siemens equipment worldwide?

oldroy on May 29, 2012 at 6:07 PM

Hmm, why Stuxnet AND Flame? If Flame could do what is listed here I can’t see the need for Stuxnet.

SteveMG on May 29, 2012 at 5:55 PM

Espionage and Sabotage are different apps.

dogsoldier on May 29, 2012 at 6:07 PM

Flame (of many things) may have been discovering API’s before stuxnet, and then stuxnet did the damage.

oldroy on May 29, 2012 at 6:09 PM

You can stuff incredible amounts of functionality into 20MB of code. If I were designing the ultimate stop-them-from-using-nuclear-weapons virus, I would design something which would subtly subvert their efforts at every step …

Mohonri on May 29, 2012 at 5:39 PM

Yeah. This app just isn’t … it just isn’t. It sounds like some weird CIA … IrfanView or something. It’s versatile, but it sounds just like a single-minded “spy” program with functionality I could literally code on this machine and compile on gcc, down to the Bluetooth. It’s even structured as a simple program, not a virus (apparently).

But Mohonri, your counter-intelligence measures, on the other hand, are pretty good. If you aren’t NSA, go take a test. And I recommend you call the suite “Gremlin.”

Also, stay the hell away from my network. :) Well, unless you want a job. Basically, sit down or go far away.

Imagine what we DON’T KNOW !!!!

jake-the-goose on May 29, 2012 at 5:33 PM

Hope it’s all as single-minded and psychotic as Mohonri’s thinking.

Axe on May 29, 2012 at 6:09 PM

Embedded C programs that were available with similar Siemens equipment worldwide?

oldroy on May 29, 2012 at 6:07 PM

No. Logic controllers (PLCs, PACs) are not like typical PCs. They don’t come with optional software packages. They are blank slates and the logic program is written by the customer, or a 3rd party engineer.

NotCoach on May 29, 2012 at 6:11 PM

Another possibility is the possibility of subtle sabotage. Stuxnet was designed to cause problems late in the process, at an unexpected location, and to be difficult to find.

You can stuff incredible amounts of functionality into 20MB of code. If I were designing the ultimate stop-them-from-using-nuclear-weapons virus, I would design something which would subtly subvert their efforts at every step. Stuxnet was designed to sabotage the centrifuges. I wouldn’t be surprised if this did the same. I’d have it mess with the machine tools so that they’d make too-small-to-notice errors in the dimensions of parts. I’d infect their chemical analyzers to show too much, then too little, purity in the uranium. I’d mess with the process control systems to make too much or too little coolant (or other liquids) flow. I’d have it report exactly what software is being used to program the detonation devices, and then infect that software so as to make the detonations misfire by a few milliseconds. I’d mess with missile guidance systems to make them report one set of flight telemetry while using a different set to make actual flight calculations.

That’s just the technical side. There’s also the social engineering side–send a not-so-anonymous email from a key technician or scientist maligning Allah, or offering to cooperate with western intelligence agencies. Change numbers in emails so that it reads “we have 200kg of uranium” instead of “20kg”. Create false alarms in the process control system. Spoof someone pulling a fire alarm. Set off an air-raid siren. Take over a radio station and announce a mandatory week-long holiday. Install a keylogger that occasionally inserts random letters while someone types, so they have to spend more time fixing typos.

In short, do everything possible to make the process of building a nuke so expensive, so time-consuming, and so painful that it becomes not worth the effort.

Mohonri on May 29, 2012 at 5:39 PM

The one problem with this is that other vulnerabilities and technical specifications need to be known and exploited. Not saying it can’t be done, but a lot of other pieces need to be managed.

I’d say the most important part of this new exploit does leave open the possibilities you raise, though. The fact that new modules can be downloaded is brilliant. It gives the people who are managing the weapon the option to add new features on an ad hoc basis. Frankly, I don’t know why I haven’t heard of this before. I know how to do this kind of programming, and it’s really not hard. I’m really surprised that it’s not in the wild.

nukemhill on May 29, 2012 at 6:15 PM

“If Flame went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about.”

Are you kidding? If Team Barry had something to crow about, there’d already be a package deal with Hollywood. Expect a film out sometime in mid-October.

Barry will be featured prominently, writing computer code while dressed in a white lab coat.

GarandFan on May 29, 2012 at 6:16 PM

Are you kidding? If Team Barry had something to crow about, there’d already be a package deal with Hollywood. Expect a film out sometime in mid-October.

Barry will be featured prominently, writing computer code while dressed in a white lab coat.

GarandFan on May 29, 2012 at 6:16 PM

No white coat. It would be Obama in shorts, sandals, and a two day beard sitting in the corner of the local starbucks, coding away.

oldroy on May 29, 2012 at 6:22 PM

NotCoach on May 29, 2012 at 6:11 PM

I doubt centrifuges are being run with PLC’s. Can’t say for sure, but I do doubt it.

Charlemagne on May 29, 2012 at 6:24 PM

Espionage and Sabotage are different apps.

Or Flame was intended to monitor/record the effects of Stuxnet?

SteveMG on May 29, 2012 at 6:29 PM

Are you kidding? If Team Barry had something to crow about, there’d already be a package deal with Hollywood. Expect a film out sometime in mid-October.

Barry will be featured prominently, writing computer code while dressed in a white lab coat.

GarandFan on May 29, 2012 at 6:16 PM

No white coat. It would be Obama in shorts, sandals, and a two day beard sitting in the corner of the local starbucks, coding away.

oldroy on May 29, 2012 at 6:22 PM

Coats will be behind him at the press conference. In the movie, he’ll tap a pen against his teeth, look excited, and call the keystone-coats with “I’ve got it!” Then a montage where he’s explaining something from a laptop, a napkin, and a blackboard.

Axe on May 29, 2012 at 6:33 PM

I doubt centrifuges are being run with PLC’s. Can’t say for sure, but I do doubt it.

Charlemagne on May 29, 2012 at 6:24 PM

Stuxnet is old news, and according to that old news they were. And why wouldn’t you control a centrifuge through a PLC? We aren’t talking about single stand alone centrifuges. We are talking about several in a single facility. It is much easier to use a single PLC networked to an HMI for complete control of all of the centrifuges in that circumstance.

Through the HMI, operators would turn them on and off and control their speed. The PLC would be the on/off switch and the speed controller. Stuxnet screwed with data handling, though, through the Siemens controller and falsified the data files the monitoring devices were using to monitor the centrifuges.

NotCoach on May 29, 2012 at 6:35 PM

Coats will be behind him at the press conference. In the movie, he’ll tap a pen against his teeth, look excited, and call the keystone-coats with “I’ve got it!” Then a montage where he’s explaining something from a laptop, a napkin, and a blackboard.

Axe on May 29, 2012 at 6:33 PM

Would there be a scene with him learning to program? Maybe in Indonesia? Outpacing the rest of the class, teaching the teacher? One of his many real-world skills that we didn’t know about?

oldroy on May 29, 2012 at 6:40 PM

If these are our methods and operations, who’s leaking them and why?

Iblis on May 29, 2012 at 6:43 PM

Iran’s Supreme Leader Ayatollah Ali Khamenei has called the Internet a threat to national security and a dangerous double-edged knife that has benefits as well as risks.

Since 2009, Mr. Khamenei has instructed security forces to train and form units to battle cyberattacks to curb the influence of social-media websites.

In March, Mr. Khamenei issued a decree ordering the creation of the Supreme Council of Cyberspace, a committee consisting of high-level military and intelligence officials tasked with supervising cyber activity and warfare.

From WSJ. That bit about “Supreme Council of Cyberspace” is making me laugh. It’s like they are finally returning to the mothership.

… was out looking to see if centrifuges are controlled by PLCs. :) Could be controlled by 6502s and duct-tape for all I know.

Axe on May 29, 2012 at 6:46 PM

One of his many real-world skills that we didn’t know about?

oldroy on May 29, 2012 at 6:40 PM

It’s hard for us to really understand him, cause, he’s like, you know, he’s like, on another level. His smartness is like, you know, he’s like — wow.

*up-twinkles*

Axe on May 29, 2012 at 6:49 PM

Flame on: The greatest cyberweapon ever?

The best ones aren’t detected.

lexhamfox on May 29, 2012 at 6:49 PM

If these are our methods and operations, who’s leaking them and why?

Iblis on May 29, 2012 at 6:43 PM

Russian cyber-security firm that Iran hires to fix their own stupidity.

NotCoach on May 29, 2012 at 6:56 PM

Why does this phrase come to mind…?

“They turned it on…

… and then ran like hell!”

Seven Percent Solution on May 29, 2012 at 6:57 PM

Axe on May 29, 2012 at 6:46 PM

The Wiki writeup on Stuxnet is surprisingly good.

NotCoach on May 29, 2012 at 7:01 PM

Axe on May 29, 2012 at 6:49 PM

PLC infection

The entirety of the Stuxnet code has not yet been disclosed, but its payload targets only those SCADA configurations that meet criteria that it is programmed to identify.[23] Stuxnet requires specific slave variable-frequency drives (frequency converter drives) to be attached to the targeted Siemens S7-300 system and its associated modules. It only attacks those PLC systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran.[40] Furthermore, it monitors the frequency of the attached motors, and only attacks systems that spin between 807 Hz and 1210 Hz. The industrial applications of motors with these parameters are diverse, and may include pumps or gas centrifuges.

Stuxnet installs malware into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system.[34] When certain criteria are met, it periodically modifies the frequency to 1410 Hz and then to 2 Hz and then to 1064 Hz, and thus affects the operation of the connected motors by changing their rotational speed.[40] It also installs a rootkit—the first such documented case on this platform—that hides the malware on the system and masks the changes in rotational speed from monitoring systems.

They had insider info on the Iranian setup coming out their ears. The spy network inside Iran might make for a good movie someday.

NotCoach on May 29, 2012 at 7:07 PM

The Wiki writeup on Stuxnet is surprisingly good.

NotCoach on May 29, 2012 at 7:01 PM

If there’s no politics involved, Wiki can be useful.

slickwillie2001 on May 29, 2012 at 7:08 PM

Ralph Langner: First of all, the programmable logic controller [PLC] is the interface between a program and the actual machines that do something useful in the real world. This is not a computer in the sense that we see a Windows operating system or hard disk, et cetera. But you can think of it as a very small computer system that operates in real time, and in a single-tasking mode. This is where the actual attack routine from Stuxnet takes place. And by the way, Steven, to follow up on your introduction, the very interesting part is it’s an actual surgical strike that you’re seeing here. The Stuxnet program that is downloaded from a Windows PC, where the programmable logic controller first checks the type of PLC. But that’s not all. It then continues to check if a specific program is loaded onto that controller, which is really something freaky, and that explains why from around the 100 000 infections that we see, even those with the automation equipment installed, that even there we don’t have reported damage. The only sites with reported damage are as you mentioned Bushehr and Natanz, and this can be explained easily by this capability of Stuxnet to check if a specific program is running on the PLC. But it even gets better. Once the rogue ladder logic is on the PLC, it checks for specific program conditions. So it doesn’t start right away to do the evil task it’s carrying out. It’s just sitting put and looking for a specific process condition, so for example, a specific drive to accelerate, and when that condition is reached, then the original ladder logic is no longer carried out, and Stuxnet takes over control.

IEEE, from your wiki.

I hate being this dumb in public, but I was tripping over the structure of the network, and Stux wasn’t helping with the fact that it lived half its life in a Windows PC and the other half on a PLC, presumably not running Windows. :)

So, this is a network of workstations, presumably PCs (and friends), connected to centrifuges (and friends) where programmable logic controllers are embedded, and Stux wormed over the network in the usual PC->PC way, but just looked around for the particular links it wanted, and when it found them, … did its thing on the PLC itself?

That even close?

Axe on May 29, 2012 at 7:24 PM
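The Wikipedia excerpt in NotCoach’s comment and the Langner interview quoted above describe the same two-stage design: a gate that keeps the PLC payload dormant unless the plant fingerprint matches (S7-300, a specific loaded program, Vacon or Fararo Paya drives running between 807 and 1210 Hz, a trigger such as a drive accelerating), then a speed sequence of 1410, 2 and 1064 Hz whose effect the rootkit hides from the monitoring layer. The Python below is an added model of that logic written for this page; it is not Stuxnet’s ladder logic and not from Wikipedia, Langner or anyone in the thread. The plant values, the program identifier standing in for the “specific program” check, the 10 Hz sensor tolerance and the out-of-band check at the end are all assumptions made for the example.

```python
"""Toy model of a fingerprint-gated PLC payload with monitoring masked, plus
the defender's independent-measurement check.  Plant values are constructed."""
from dataclasses import dataclass, field

TARGET_PLC_MODEL = "S7-300"
TARGET_DRIVE_VENDORS = {"Vacon", "Fararo Paya"}   # per the quoted text
BAND_LOW_HZ, BAND_HIGH_HZ = 807.0, 1210.0          # attack only inside this band
ATTACK_SEQUENCE_HZ = [1410.0, 2.0, 1064.0]         # the quoted 1410 -> 2 -> 1064 pattern
# Langner: the payload also checks that a specific program is loaded on the
# PLC.  This identifier is an assumption standing in for that fingerprint.
TARGET_PROGRAM_ID = "cascade-ctl-v3"
MISMATCH_TOLERANCE_HZ = 10.0                       # assumed sensor tolerance


@dataclass
class Drive:
    vendor: str
    frequency_hz: float


@dataclass
class Plc:
    model: str
    program_id: str
    drives: list
    reported_hz: dict = field(default_factory=dict)   # what the HMI polls

    def __post_init__(self):
        refresh_monitoring(self)


def refresh_monitoring(plc, masked=None):
    """One monitoring cycle.  Normally the PLC's data block mirrors the drives;
    with the rootkit active it answers with the recorded pre-attack values."""
    if masked is not None:
        plc.reported_hz = dict(masked)
    else:
        plc.reported_hz = {i: d.frequency_hz for i, d in enumerate(plc.drives)}


def is_target(plc):
    """Stage 1 gate: PLC type, loaded program, drive vendors and speed band must
    all match, which is why most infected sites saw no damage."""
    if plc.model != TARGET_PLC_MODEL or plc.program_id != TARGET_PROGRAM_ID:
        return False
    return bool(plc.drives) and all(
        d.vendor in TARGET_DRIVE_VENDORS and BAND_LOW_HZ <= d.frequency_hz <= BAND_HIGH_HZ
        for d in plc.drives)


def accelerating(previous_hz, current_hz):
    """Langner's process-condition trigger: fire only when a drive speeds up."""
    return any(cur > prev for prev, cur in zip(previous_hz, current_hz))


def run_attack(plc, previous_hz):
    """Stage 2: if gate and trigger pass, drive every motor through the sequence
    while the monitoring view stays frozen.  Returns the frequencies actually
    commanded (empty when the payload stays dormant)."""
    current_hz = [d.frequency_hz for d in plc.drives]
    if not is_target(plc) or not accelerating(previous_hz, current_hz):
        return []
    frozen = dict(plc.reported_hz)
    commanded = []
    for hz in ATTACK_SEQUENCE_HZ:
        for d in plc.drives:
            d.frequency_hz = hz
        refresh_monitoring(plc, masked=frozen)    # rootkit hides the change
        commanded.append(hz)
    return commanded


def out_of_band_check(plc, measured_hz):
    """Defender's counter (an assumption, not from the page): compare the
    PLC-reported speeds with a measurement that does not pass through the PLC,
    e.g. a vibration or power sensor.  Returns {drive: (reported, measured)}."""
    return {i: (plc.reported_hz[i], m)
            for i, m in enumerate(measured_hz)
            if abs(plc.reported_hz[i] - m) > MISMATCH_TOLERANCE_HZ}


if __name__ == "__main__":
    cascade = Plc(TARGET_PLC_MODEL, TARGET_PROGRAM_ID,
                  [Drive("Vacon", 1007.0), Drive("Fararo Paya", 1100.0)])
    print("commanded:", run_attack(cascade, previous_hz=[1000.0, 1090.0]))
    print("HMI still shows:", cascade.reported_hz)
    print("independent sensor flags:",
          out_of_band_check(cascade, [d.frequency_hz for d in cascade.drives]))
```

The point of the last function is the one the thread circles around: once the PLC itself lies, nothing that reads through the PLC (HMI, historian, the engineering workstation) can be trusted, so detection has to come from a measurement path the controller does not own.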

Axe on May 29, 2012 at 7:24 PM

Sounds about right. All PLCs today are interfaced with using Windows based software. The programming software is used to write the program on your PC and you network your PC to the PLC to upload the program. That is how Stuxnet attached itself to the PLCs. PCs though are likely not connected to the centrifuges directly. PCs may have been used to monitor the centrifuges, but it was through HMIs or PC based monitoring software networked to the PLCs which just read data files on the PLC.

NotCoach on May 29, 2012 at 7:31 PM

NotCoach on May 29, 2012 at 7:31 PM

Ok. I’ve written for hardware, and I can program a microcontroller; but I’ve never programmed for an industrial process before. I can see it now. Thanks for babysitting for a bit. :) I think I’m up to speed.

They had insider info on the Iranian setup coming out their ears. The spy network inside Iran might make for a good movie someday.

It knew exactly what it was looking for, and it was designed such that it could circulate indefinitely before it found it. That explains that whole “lay low” activity profile it had. It never had to be introduced at any particular point.

Geez. Maybe I should have paid more attention when the story was the story, instead of just making myself a quick “virus messed up centrifuges” bumper sticker and skipping by. Stux kinda rocked.

Axe on May 29, 2012 at 7:51 PM

*they found it.

Axe on May 29, 2012 at 7:53 PM

Axe on May 29, 2012 at 7:51 PM

No problemo. This stuff is right in my wheelhouse. It’s what I do for a living. Although I’ve never screwed with PLC drivers or firmware beyond updating them.

NotCoach on May 29, 2012 at 7:59 PM

LUA is an excellent choice for this sort of thing. Ordinarily, TCL would be an even better choice, but for a stealth app like this you would really need the smaller footprint, and a GUI would be just bloat.

tom on May 29, 2012 at 8:36 PM

code that is written in the LUA programming language

RUN FOR TEH HIIIIIILLLLLLLLLLLLS!!!!!!

Kenosha Kid on May 29, 2012 at 11:43 PM

LUA is an excellent choice for this sort of thing. Ordinarily, TCL would be an even better choice, but for a stealth app like this you would really need the smaller footprint, and a GUI would be just bloat.

tom on May 29, 2012 at 8:36 PM

FWIW guys, it’s not “LUA”, it’s “Lua”, as in the Portuguese word for “the Moon”.

platapapin on May 30, 2012 at 12:59 AM

Methinks somebody is having a little fun with the gullible journalistic types at Wired. Read that blockquote description of the “greatest spy weapon ever” a couple of times, and tell me it doesn’t start to sound faintly ridiculous.

platapapin on May 30, 2012 at 1:07 AM

Good stuff.
But you know, all this is is a delay. Flame’s discovery was only a matter of time, just as the other yet-undiscovered viruses and activities are.

What really will make this program stop is if the Iranians decide to. Either that, or a bombing campaign every 2-3 years to blow up Iranian nuke plants. Actually, that too will not stop the program, since the Iranians will adapt.

Gotta convince them to change course somehow.

AlexB on May 30, 2012 at 1:37 AM

Purpose leak. Similar to the Special Forces parachuting into North Korea story. The stuff that goes on involving this crap, we will NEVER know. Unless it’s trying to get the 2008 Nobel Peace Prize winner another trophy. Expect Putin to put the screws to prez milquetoast.

Of course, never expect O to denounce Pakistan for protecting Bin Laden, since O visited there as a younger guy. I’m not a birther, but how did O travel to Pakistan when he did, with restrictions on Americans traveling there?

Gedge on May 30, 2012 at 5:48 AM

Holy Batman, there is more breaking news that scares me about cyber mischief/warfare. Read about this and the new Boeing 787:

Cyber-attack concerns raised over Boeing 787 chip’s ‘back door’

Researchers claim chip used in military systems and civilian aircraft has built-in function that could let in hackers

http://www.guardian.co.uk/technology/2012/may/29/cyber-attack-concerns-boeing-chip

SC.Charlie on May 30, 2012 at 5:49 AM

Chinese hackers have probably already installed their own version of FLAME onto all our defense and State Department computers. Smile, you’re on Candid Camera.

MaiDee on May 30, 2012 at 6:40 AM

Wow, LUA. That would be a short list of programmers at that time.

oldroy on May 29, 2012 at 5:29 PM

Except for the fact that it’s the language base for plugins in a certain 10 million subscriber video game and there’s a helluva lot of people that know it. Including me.

Kanyin on May 30, 2012 at 9:59 AM

Yes. But this would’ve been built in 2006 or 2007. Was WOW plugin development already being done in LUA at that time?

oldroy on May 30, 2012 at 11:03 AM

Yes. But this would’ve been built in 2006 or 2007. Was WOW plugin development already being done in LUA at that time?

oldroy on May 30, 2012 at 11:03 AM

WoW was released in late 2004 and it was plugin friendly from the start. To answer your question, yes.

I actually thought you were being sarcastic in the post Kanyin quoted. You weren’t? Lua is open source, first version released in 1993, and millions of people around the world can program in it.

NotCoach on May 30, 2012 at 12:01 PM

No white coat. It would be Obama in shorts, sandals, and a two-day beard sitting in the corner of the local Starbucks, coding and chooming away.

oldroy on May 29, 2012 at 6:22 PM

Sorry. That was too easy.

BillH on May 30, 2012 at 12:32 PM

NotCoach on May 30, 2012 at 12:01 PM

Nope... didn’t know... had no use to keep up with WoW or Lua. But a Lua plugin for WoW isn’t exactly just a step away from writing something like “Flame”.

oldroy on May 30, 2012 at 12:48 PM

Unless Iran’s Supreme Council of Cyberspace and Nuclear Security made the nuke program plugin friendly. :)

oldroy on May 30, 2012 at 12:51 PM

Sounds about right. All PLCs today are interfaced with using Windows-based software. The programming software is used to write the program on your PC, and you network your PC to the PLC to upload the program. That is how Stuxnet attached itself to the PLCs. PCs, though, are likely not connected to the centrifuges directly. PCs may have been used to monitor the centrifuges, but it was through HMIs or PC-based monitoring software networked to the PLCs, which just read data files on the PLC.

My last job was working with process controls, and I did a presentation on Stuxnet. Stuxnet worked its way through the networks to the Windows PCs which were running the code development software (I forget the exact name of the software). From there, it infected the firmware which was then loaded on the PLCs. Once on the PLCs, it did its business messing with the speed on the VFDs, but it went further than that. It acted as a rootkit on a PLC, which at the time was rather novel. If a user attempted to download a clean, uninfected firmware to the PLC, the infected firmware on the PLC would infect the new firmware as it was downloaded. So you could try and update the PLC with clean firmware all day long without success. This also has the side effect of making it look like the PLC isn’t the problem: typically when debugging, if you update the firmware and the behavior doesn’t change, the problem is most likely elsewhere.

Mohonri on May 30, 2012 at 1:59 PM
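Reading the last comment from a defender's side: the re-infection Mohonri describes is only caught if you check what the controller actually holds after an update, rather than trusting that the upload "worked". This is an added example, not code from the comment or from any PLC vendor; `SimulatedPLC`, its tamper-on-write behaviour and the firmware bytes are constructed stand-ins for the real thing.

```python
"""Firmware read-back verification for a PLC update (added example).
The PLC, its update channel and the 'infection' are simulations."""
import hashlib


class SimulatedPLC:
    """Toy controller holding one firmware image.

    When `compromised` is True, every image written to it is altered on the
    way in, standing in for the resident rootkit that re-infects a clean
    firmware as it is downloaded (the behaviour described in the comment).
    """

    def __init__(self, compromised: bool) -> None:
        self.compromised = compromised
        self.firmware = b""

    def write_firmware(self, image: bytes) -> None:
        # A compromised controller silently tampers with the incoming image.
        self.firmware = image + b"<tampered>" if self.compromised else image

    def read_firmware(self) -> bytes:
        return self.firmware


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def update_and_verify(plc: SimulatedPLC, clean_image: bytes) -> dict:
    """Push an image, read it back and compare digests.

    The expected digest is taken from the clean image *before* it touches the
    controller. The check assumes the read-back path is honest; if a rootkit
    also filters read-back, the digest must be confirmed out-of-band instead.
    """
    expected = sha256(clean_image)
    plc.write_firmware(clean_image)
    observed = sha256(plc.read_firmware())
    return {"expected": expected, "observed": observed,
            "verified": expected == observed}


# Constructed sample image; real PLC firmware is vendor-specific.
CLEAN_IMAGE = b"\x7fPLC-FW-v1.0" + bytes(range(32))


def demo() -> tuple:
    """Returns (clean PLC verified?, compromised PLC verified?)."""
    clean = update_and_verify(SimulatedPLC(compromised=False), CLEAN_IMAGE)
    infected = update_and_verify(SimulatedPLC(compromised=True), CLEAN_IMAGE)
    return clean["verified"], infected["verified"]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A mismatch after the update is the signal that the "clean firmware changed nothing" symptom is the controller lying, not a bug elsewhere.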