Stuxnet analysis

I read the Stuxnet portion of David Sanger’s Confront & Conceal. Stuxnet is actually only a small part of the book, but it is the first sensational story in the Prologue, there to capture the reader’s attention, and it takes up most of Chapter 8.

I had called the earlier NY Times article based on the book “a historical fiction”. After reading the relevant sections, that is a bit harsh. Mr. Sanger has direct interviews, still unnamed, with people who were in the room with President Obama at key meetings — very high level people in government. Given human nature, there probably is some shading of the truth to make various people and organizations look good or bad, but the basic fact that Presidents Bush and Obama authorized Stuxnet must be true unless the author fabricated the whole thing.

The technical details and inferences were very interesting. They raised questions and are almost certainly wrong in places. This does not mean the author isn’t reporting the interview information accurately. What it appears to be, and this is pure speculation on my part, is the author talking to the senior level people who did not really understand the technical detail. I’m sure many loyal blog readers have experienced this in their organizations.

Perhaps now that this sizzling information is out in the open we will learn more technical information from some of the authors currently writing books on Stuxnet. Here are the technical issues and questions the book made me consider or reconsider:

Stuxnet Getting Loose

The author claims that Stuxnet got out of Natanz and spread through the world as “a careless error” or “poorly tested new releases” or “it started propagating its code”. If you read Byres’ How Stuxnet Spreads or any of the other quality papers on Stuxnet, it is clear that the version we know as Stuxnet was designed to have multiple methods of propagation between Windows systems: multiple 0days, anti-virus avoidance, P2P and more. It was selective in which S7 PLCs it attacked in order to limit the impact to a specific project – Natanz.

At least one unnamed interviewee and VP Biden blamed the Israelis for the propagation features. This raises the interesting question of whether early versions lacked the variety of ways to spread to Windows PCs that were present in the discovered Stuxnet variant. Maybe a number of early versions were loaded onto a system from a corrupted USB stick and did not try to infect any other Windows systems over the network.

The Windows propagation was not a programming error unless you believe in the infinite monkey theory. It could have been a management error where the risk of propagation was not understood by those running the program.

The book also ties the aggressiveness of the attack logic downloaded to the PLC to the propagation problem. I don’t see how those would be related, but maybe I’m missing something. Perhaps the Stuxnet creators felt that they needed to infect multiple PCs to get the rogue code into all the PLCs. Does Natanz have Area of Responsibility (AoR) separation?

Stuxnet Triggers or Use

This may be nitpicking, but the book talks about “each major use of the cyberweapon”. As Ralph Langner explained in his Stuxnet Deep Dive presentation at S4, the code waited for a certain condition that then triggered an action and replay to avoid detection of the action.

My guess is they modified the trigger and action from time to time, gradually getting more aggressive, and this is what Mr. Sanger’s sources meant by each major use. The book states “with the president’s authorization to proceed with the next step – sometimes a strike riskier and bolder than what had been attempted previously”. The risk was likely that the effect on the process could be so significant that it would cause the operators to doubt the information coming back from the control system.

Isolation, Beacons, and Project Files

I have always assumed that somehow the Stuxnet creator had the target’s project file(s), either through HUMINT or a different cyber attack on perhaps a consultant’s or engineer’s system. The book describes the first step as inserting “a bit of computer code called a ‘beacon’ that could be inserted into the computer systems at Natanz to map their operations and determine how they controlled the centrifuges”.

The project file(s) would explain the entire system, albeit with a sizable effort to understand the project. Perhaps the “beacon” would provide them with performance data that would help the Stuxnet creators select the trigger condition and the malicious action, or variety of malicious actions in the multiple iterations.

The book goes back and forth on the system being isolated and connected to the Internet. Stuxnet had Command and Control servers on the Internet which would lead one to believe it was connected. The book also states that the US remotely changed the action.

It also states that the systems were not connected, that there was an “air gap”, “so the first challenge was to leap the gap”.

Mr. Sanger said the US Government asked, and he agreed, to remove some of the technical details on Stuxnet from the book. I wonder if it is related to how they inserted and communicated with Stuxnet. Maybe the US Government has its own special version of a Pwnie Express.

Should We Shut It Down?

President Obama decided against shutting down Stuxnet after it was discovered outside of Natanz. This was a wise decision because the damage was done. It was out and available to be analyzed. Shutting it down would not have changed this.

Playing Defense

I’m sure loyal blog readers have heard the don’t throw stones in a glass house analogy. The book claims that “it was Obama, more than any president before him, who was raising alarms about the need to harden America’s own infrastructure …”

Maybe President Obama raised alarms and wanted to accomplish this, but his administration failed to make significant progress. It’s hard to think of any significant effort, even a failed effort, that was attempted in the last 3.5 years.

Aurora, CNN and Hell to Pay

According to the book, the US and Israel were working on Stuxnet in 2007. In Sept 2007 a DHS video showing how a cyber attack could destroy a turbine was aired by CNN. It shakes and then smokes. While the subsequent “what are you doing about Aurora” focus was disturbing, it was an effective demo of a cyber attack affecting a physical system.

Rather than get kudos for such an effective demo, heads rolled at DHS. Maybe people briefed on Olympic Games didn’t want this idea out there. Speculation.

Siemens and Natanz

Someone needs to check this. The book claims that Siemens “was maintaining the system every few weeks, updating the software” and they were the carrier of some of the information. I had thought that Siemens pulled out of this project long before Stuxnet. A bit of my searching didn’t find the answer.

Best Line

“As the designers of the attack knew, if they could get inside the controllers, they would likely have free rein to take control of them”.