The Sophistication of Stuxnet

March 15, 2012 Updated: October 1, 2015
The Bushehr nuclear power plant in southern Iran. The plant was infected by the Stuxnet computer virus, the first cyber weapon, which infected the IP addresses of more than 30,000 computer systems inside the plant. (Atta Kenare/Getty Images)

Two years ago, according to Iranian military figures, a worm penetrated the control system of a uranium enrichment site in Natanz, Iran. The worm, "Stuxnet," was a sophisticated and highly destructive piece of software that sabotaged the nuclear centrifuges at the plant.

Expert reports suspected the worm was developed by "a capable entity" such as the Mossad (Israeli secret service), Intelligence Unit 8200, or some U.S. intelligence agency. No organization has admitted responsibility yet.

“I’ll first state that I do not know who did it and I have nothing to do with it,” says Shaharabani, a senior expert for data security at IBM, “nevertheless I have some interesting things to say about Stuxnet.”

“First of all, in order to spread itself like any worm, it needs two components: one is the reproducing component, and the other is the component responsible for the actual action of the worm.”

To reproduce, Shaharabani explains, the worm needs to exploit a vulnerability in some system, and such vulnerabilities may be publicly known or unknown. "If a hacker has found a vulnerability in Windows, for example, he can use it to spread a worm that exploits it, or sell the knowledge about the vulnerability to some organization. Both known and unknown vulnerabilities are commonly used. The unknown is relatively hard to get."

Yet it turns out that "Stuxnet" was built on four previously unknown vulnerabilities at once, which was unprecedented.

"Four unknown vulnerabilities are not at all something obvious. Apparently, the worm has no interest in utilizing all four. It had better use only one, and when the organization in charge of the system repairs this one, another worm would be sent to use another. A worm that utilizes all those vulnerabilities is one that wants to keep going even if one of them is repaired," he says.

As we are told, however, for the worm to spread effectively and to carry out what it was designed to do, its designer must have stolen a code-signing "private key," used to produce a "signature," which is a closely guarded security element. Private keys allow a firm to "sign" the software components it develops so that a computer will know the software is OK to use. A valid signature ensured the computer did not activate its warning or alarm systems, such as red lights or requests for confirmation.

“There are only two known companies in the world that produce hardware components along with software and drivers that come with the hardware: JMicron and Realtek. When you install the driver in your computer it operates smoothly because it recognizes that this software has the signature of JMicron or Realtek,” he says.

Whoever developed the Stuxnet worm used the signatures of these two companies to infiltrate the worm without triggering an alarm. The only obstacle was that private keys are normally kept offline: there is no cable connecting them to the Internet, and they sit on a disc-on-key (USB flash drive) inside a safe.
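To make concrete why a stolen signing key defeats the check described above, here is a toy code-signing model, added as an example and not taken from the article or from any real vendor's or operating system's implementation. An RSA key pair built from tiny, trial-division-generated primes stands in for a vendor's signing key, `check_driver` stands in for an OS loader's policy, and the vendor name, payloads and revocation list are all constructed. It shows that a signature made with a copied private key verifies exactly like a genuine one, so the control that actually catches it is revoking the compromised key.

```python
import hashlib
import math
from dataclasses import dataclass

# Toy RSA code-signing model (added example). The primes are tiny so the
# numbers stay readable; real code signing uses keys of 2048 bits or more.

def _is_prime(n):
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True

def _next_prime(n):
    while not _is_prime(n):
        n += 1
    return n

@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int  # private exponent: the "private key" that lives in the safe

def make_keypair(seed_p=1_000_000, seed_q=1_000_030):
    """Deterministic toy key pair; seeds are constructed, not real parameters."""
    p, q = _next_prime(seed_p), _next_prime(seed_q)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return KeyPair(n, e, d)

def _digest(data, n):
    # Hash the image and reduce it into the RSA modulus range.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, kp):
    return pow(_digest(data, kp.n), kp.d, kp.n)

def verify(data, sig, n, e):
    return pow(sig, e, n) == _digest(data, n)

def build_trust_store(vendors):
    """Vendor name -> public key, as an OS would ship trusted signer certificates."""
    return {name: (kp.n, kp.e) for name, kp in vendors.items()}

def check_driver(data, sig, signer, trust_store, revoked):
    """Verdict a loader should reach for a signed driver image."""
    if signer not in trust_store:
        return "unknown signer"
    n, e = trust_store[signer]
    if not verify(data, sig, n, e):
        return "invalid signature"
    if signer in revoked:
        # The signature is mathematically valid; only the revocation list
        # carries the knowledge that this key has been stolen.
        return "revoked key"
    return "trusted"

def demo():
    vendor_key = make_keypair()
    trust_store = build_trust_store({"VendorA": vendor_key})  # constructed vendor
    driver = b"constructed driver image"
    genuine_sig = sign(driver, vendor_key)
    # Anyone holding a copy of the private key signs other payloads just as validly.
    other = b"constructed unrelated payload"
    stolen_sig = sign(other, vendor_key)
    return {
        "genuine": check_driver(driver, genuine_sig, "VendorA", trust_store, set()),
        "stolen_key_before_revocation": check_driver(other, stolen_sig, "VendorA", trust_store, set()),
        "stolen_key_after_revocation": check_driver(other, stolen_sig, "VendorA", trust_store, {"VendorA"}),
        "tampered_image": check_driver(driver + b"x", genuine_sig, "VendorA", trust_store, set()),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The verdict table is the point: verification distinguishes a tampered image from an untouched one, but it cannot distinguish the vendor from whoever copied the vendor's key. That is why a loader's policy has to consult revocation data, and why a vendor that loses a key must get it revoked rather than rely on the signature check.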

"I can tell you that the offices of these two companies, JMicron and Realtek, both of whose signatures were stolen, reside on the same industrial park in Taiwan, and are relatively near one another. It means that whoever developed Stuxnet was an organization with the power to bring people to break into those offices and steal these signatures."

One of the challenges for the worm was entering the nuclear facilities. Anyone who knows a bit about secret services knows that computers in secret organizations are usually "rigid": they are not connected to the Internet by cables, and it is very difficult to attach any external device to them, such as a disc-on-key (USB flash drive).

"In organizations where the computers are very 'rigid' and nothing can be installed, one must use the 'installation procedure' that the organization runs to install the things it needs on the computers," such as updating the operating system, Outlook, or new software for the centrifuges, he says.

Shaharabani explains that while such an update is being done, one can use the moment to plant the worm in the organization's computers. Another possibility is that a staff member inside the organization, mistakenly or deliberately, used a memory card in the organization's computers.

Once the worm infiltrated the nuclear facilities, it did something very similar to what we see in action movies. Shaharabani says: "First of all, the software component regularly recorded all the activities of the centrifuges. After recording the proper activity in the controlling systems, it did two things: it sent an order to the centrifuges to rotate as fast as they could without paying any consideration to the heat check-up control. As a result they got burned. At the same time it sent the recorded proper activity to the control systems."

"It's like you see in the movies, where the security camera footage is recorded and replayed and the security guy sees it and thinks that everything is OK. It was really, really impressive," Shaharabani says.
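The replay Shaharabani describes is detectable when the plant has a measurement the control system cannot overwrite. The detector below is an added example, not from the article and not any real monitoring product: it takes constructed rotor-speed telemetry as shown on the operator display (the HMI) alongside an assumed independent channel, imagined here as a power meter that is not reachable from the controller network, and flags two signatures of a replay. The first is a multi-sample window that repeats exactly, which genuinely noisy sensors almost never produce; the second is a window where the displayed value and the independent channel disagree by more than a tolerance.

```python
from statistics import mean

# Constructed telemetry (not real plant data): rotor speed in rpm, one sample per
# second. HMI_RPM is what the display shows; INDEPENDENT_RPM is the same quantity
# estimated from an assumed out-of-band channel the controller cannot rewrite.
HMI_RPM = [998, 1001, 1000, 999, 1002, 1000,   # genuine readings, as recorded
           998, 1001, 1000, 999, 1002, 1000,   # the same readings replayed...
           998, 1001, 1000, 999, 1002, 1000]   # ...while the rotors actually speed up
INDEPENDENT_RPM = [997, 1002, 1000, 998, 1003, 1001,
                   1150, 1260, 1340, 1390, 1410, 1420,
                   1425, 1430, 1430, 1435, 1440, 1440]

def replayed_windows(series, window):
    """Start indices of non-overlapping windows that exactly repeat an earlier window.

    Returns (start, first_seen_start) pairs. Real sensors carry noise, so an
    exact repeat of several consecutive samples is itself worth an alert.
    """
    seen = {}
    hits = []
    for start in range(0, len(series) - window + 1, window):
        key = tuple(series[start:start + window])
        if key in seen:
            hits.append((start, seen[key]))
        else:
            seen[key] = start
    return hits

def diverging_windows(hmi, independent, window, max_rel_error):
    """Start indices of windows where the HMI mean and the independent mean
    differ by more than max_rel_error (relative to the independent channel)."""
    flagged = []
    limit = min(len(hmi), len(independent)) - window + 1
    for start in range(0, limit, window):
        shown = mean(hmi[start:start + window])
        measured = mean(independent[start:start + window])
        if abs(shown - measured) / measured > max_rel_error:
            flagged.append(start)
    return flagged

def analyze(hmi, independent, window=6, max_rel_error=0.05):
    """Run both checks and return the windows each one flags."""
    return {
        "replayed_windows": replayed_windows(hmi, window),
        "diverging_windows": diverging_windows(hmi, independent, window, max_rel_error),
    }

if __name__ == "__main__":
    for check, windows in analyze(HMI_RPM, INDEPENDENT_RPM).items():
        print(f"{check}: {windows}")
```

On the constructed data the first window is clean on both checks, and the second and third windows are flagged by both: they repeat the first window sample for sample, and their displayed mean of 1000 rpm sits far from the independent channel's means of roughly 1328 and 1433 rpm. The two checks are deliberately independent: the exact-repeat check needs no second sensor and catches a naive replay, while the divergence check still works against a replay that adds fresh noise, as long as the second channel really is out of the controller's reach.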