US officials confirm Stuxnet was a joint US-Israeli op
06-01-2012, 07:17 PM
Post: #1
US officials confirm Stuxnet was a joint US-Israeli op
Original URL: http://www.theregister.co.uk/2012/06/01/...sraeli_op/
US officials confirm Stuxnet was a joint US-Israeli op

Well, sure ... so why are you telling us, Mr President?

By John Leyden

Posted in Enterprise Security, 1st June 2012 15:14 GMT

Cyberattacks on Iranian nuclear program were a US-Israel effort started under the Bush administration and continued by President Obama, The New York Times reports [1].

The confirmation from Obama-administration officials that Stuxnet was a joint US-operation comes from extracts from a forthcoming book [2], Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, by David Sanger that's due to be published next week.

The NYT teaser piece reports that Operation Olympic Games was devised as a means to throw sand in the works of Iran's controversial nuclear program. It was initially embarked upon in 2006 without much enthusiasm, as a preferable alternative to withdrawing objections against an Israeli air strike against Iran's nuclear facilities. There was little faith that either diplomacy or tougher economic sanctions would work, especially since the international community might be expected to regard warnings about another country developing weapons of mass destruction with extreme scepticism after the Iraq War debacle.

General James E Cartwright, head of a small cyberoperation inside the United States Strategic Command, developed the plan to create Stuxnet. The first stage involved planting code that extracted maps of the air-gapped computer networks that supported nuclear labs and reprocessing plants in Iran.

Development of the payload came next and involved enlisting the help of Unit 8200 – the Israeli Defence Force's Intelligence Corps unit – which had "deep intelligence about operations at Natanz", and the NSA. Bringing the Israelis on board was important not just for their technical skills but as a means to discourage a pre-emptive strike by Israel against Iranian nuclear facilities.

Keeping the Israelis on-side involved persuading them that the electronic sabotage by "the bug", as it was known, stood a good chance of succeeding. This involved destructive testing against P-1 high-speed centrifuges, surrendered by the former Libyan government of General Gaddafi when it abandoned its own nuclear programme back in 2003. Iran also used the same P-1 centrifuges, sourced from a Pakistani black market dealer.

Small scale tests were a great success, prompting a decision to plant the worm in Natanz using spies and unwitting accomplices (from engineers to maintenance workers) with physical access to the plant, around four years ago in 2008.

Operation Olympic Games proved successful at infecting industrial control systems and sabotaging high-speed centrifuges while getting the Iranians to blame themselves or their suppliers for the problems.

Obama allowed the operation to continue even after the Stuxnet code escaped from Iran's Natanz plant back in 2010, via an engineer's computer, allowing the code to begin replicating across the net, something only possible due to a design mistake. Obama gave the go-ahead for the continuation of the scheme, with the development of a fresh version of Stuxnet, after hearing that the malware was still causing destruction.

Sanger's account of the joint US-Israeli effort to develop Stuxnet is based on interviews with current and former US, European and Israeli officials involved in the (still secret) program.

The US government only recently admitted the existence of programs to develop offensive cyberweapons, and has never admitted using them. There was discussion about using electronic attacks against Libyan air defence systems in the run-up to the NATO-led air attack against the Gaddafi regime last year, but that option was rejected.

The US relies more heavily on technology than almost any other country in the world and is much more vulnerable to cyber-weapons than most. Using cyber-weapons, even if they were narrowly targeted and closely controlled, could enable hostile governments or hackers to justify electronic attacks against US interests.

Stuxnet is back in the news because of this week's publicity about the Flame worm, a cyber espionage toolkit that infected computers in Iran and elsewhere in the Middle East. US officials told Sanger that Flame was not part of Olympic Games, while declining to say whether or not the US was behind the headline-grabbing attack.

Industry experts had long speculated that Stuxnet, which involved the use of zero-day exploits and knowledge of industrial control systems, was a state-sponsored project highly unlikely to have been the work of criminal hackers. A US-Israeli joint project was widely rumoured to have led to the creation of Stuxnet.

Sanger's research is more evidence in support of this theory and the only real question is why officials have begun talking about the secret spy op.

The reasons could be political, security experts speculate.

"Obama wanted to get credit for Stuxnet, as that makes him look tough against Iran," said [3] Mikko Hypponen, chief research officer at F-Secure. "And he needs that as Presidential elections are coming." ®
Links

http://www.nytimes.com/2012/06/01/world/...ted=1&_r=2
http://www.amazon.com/Confront-Conceal-S...B006LTIS7G
http://twitter.com/mikko/status/208526748017631233

Related stories

'Super-powerful' Flame worm actually boring BLOATWARE (31 May 2012)

http://www.theregister.co.uk/2012/05/31/..._analysis/
Super-powerful Flame worm could take YEARS to dissect (29 May 2012)

http://www.theregister.co.uk/2012/05/29/..._analysis/
Complex cyberwar tool 'Flame' found ALL OVER Middle East (28 May 2012)

http://www.theregister.co.uk/2012/05/28/...lame_worm/
Stuxnet ≠ cyberwar, says US Army Cyber Command officer (16 May 2012)

http://www.theregister.co.uk/2012/05/16/..._cyberwar/
Iran wrestles Duqu malware infestation (14 November 2011)

http://www.theregister.co.uk/2011/11/14/...festation/

09-18-2012, 09:53 PM
Post: #2
RE: US officials confirm Stuxnet was a joint US-Israeli op
Original URL: http://www.theregister.co.uk/2012/09/17/flame_analysis/
Flame espionage weapon linked to MORE mystery malware
Command systems weren't just directing data-raiding worm
By John Leyden
Posted in Security, 17th September 2012 16:26 GMT

Forensic analysis of two command-and-control servers for the Flame espionage worm has revealed that the infamous malware has been around for longer than suspected - and has links to other mystery software nasties.

Flame was built by a group of at least four developers as early as December 2006, according to freshly published joint research by Symantec, Kaspersky Lab and the United Nations' International Telecommunication Union.

The malware, which infected Microsoft Windows computers [1] across the Middle East, came to light in May when the Iranian authorities found it siphoning off data to foreign handlers.

Over the past six years, the team behind Flame used the command servers to communicate with the malware on the compromised machines and order them to launch attacks, using multiple encryption techniques and periodically wiping data from the PCs to hide its activities.

Despite these efforts, the well-funded Flame handlers left behind a number of clues. "The C&C servers were disguised to look like a common content management system to hide the true nature of the project from hosting providers or random investigations," a statement by Kaspersky Labs explained. "The servers were able to receive data from infected machines using four different protocols; only one [was used by] computers to attack with Flame.

"The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created. Their nature is currently unknown."

The command-and-control infrastructure associated with Flame has since been dismantled.

"They [the command servers] are all dead," Costin Raiu, senior security researcher at Kaspersky Lab told El Reg. "About 35 C&C servers were active during the past two to three years, I believe five or six were active in May 2012."

Flame's control systems went offline immediately after Kaspersky Lab first unearthed the malware. All the command servers ran the 64-bit flavour of the Debian GNU/Linux operating system, virtualised using OpenVZ containers and disguised to look like an ordinary web publishing system. Only the team behind the malware would have been able to read the heavily encrypted data uploaded to the systems.

"It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its command-and-control servers," said Alexander Gostev, chief security expert at Kaspersky Lab. "Flame’s creators are good at covering their tracks. But one mistake by the attackers helped us to discover more data that one server intended to keep.

"Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale."

There's no evidence to suggest that Flame's command servers were used to control other known cyber-weapons - such as Stuxnet or Gauss - but they were used to operate a mystery malware strain, codenamed "SPE" by its authors. Kaspersky set up a sinkhole to capture internet traffic generated by SPE, establishing that the malware was in the wild and attempting to communicate with the wider world. By contrast, the two other unidentified Flame-related malicious programs (SP and IP) were not generating traffic and generally inactive at the time of the May 2012 takedown.

A complete run-down of the main findings from the Kaspersky-Symantec analysis can be found here [2].

Eternal Flame

The Flame espionage campaign was unearthed in May 2012 by Kaspersky Lab during an investigation initiated by the International Communication Union. Flame stealthily takes screenshots and snoops on network traffic and keystrokes, and even records audio conversations, before uploading this sensitive data to servers. The malware spread across the Middle East, but most of the victims were located in Iran.

Flame weighs in at a monster 20MB - 40 times larger than Stuxnet, a lightweight itself by malware standards. This led to accusations that the spying toolkit was nothing more than boring bloatware until it emerged that the malware used a clever MD5 hash collision attack to create counterfeit Microsoft security certificates, allowing malicious software posing as legitimate Windows Update downloads to be installed.

Unnamed US officials told the Washington Post that Flame was created as part of the same covert programme that spawned cyber-weapon Stuxnet, codenamed Olympic Games. Flame was described as a reconnaissance tool that was used to map networks associated with Iran's controversial nuclear enrichment programme. This information was used by Stuxnet to target the country's nuke centrifuge cyber-sabotage mission.

The joint Symantec and Kaspersky research shows Flame has been around for years, consistent with this theory although hardly proving it. The security research boffins would only say data suggests Flame was created by an advanced nation-sponsored group with plenty of cash. A component in an early build of Stuxnet appears in Flame as a plugin. Despite this link Stuxnet and Flame are not regarded as close relatives. ®
Links

http://www.theregister.co.uk/2012/05/31/..._analysis/
http://www.securelist.com/en/blog/750/Fu...ol_servers

Related stories

Iran: Our nuke facilities still under attack by US, Israelis 'and MI6' (22 June 2012)

http://www.theregister.co.uk/2012/06/22/...complaint/
Flame was scout ahead of Stuxnet attack on Iran nukes - US spooks (20 June 2012)

http://www.theregister.co.uk/2012/06/20/...ael_flame/
Source code smoking gun links Stuxnet AND Flame (12 June 2012)

http://www.theregister.co.uk/2012/06/12/...searchers/

09-19-2012, 09:03 PM
Post: #3
RE: US officials confirm Stuxnet was a joint US-Israeli op
Wowzers, an admission, but what of the Chinese involvement? Was that just to throw us off the scent?

This all amounts to more egg on the face of the US and Israel, by design?

Related Threads:

Flame and STuxNet Developed by Israel and U.S, unleashed on Middle east
http://concen.org/forum/showthread.php?tid=46052

although 2 teams worked on Stuxnet and Flame, programmers "cooperated at least once"
http://concen.org/forum/showthread.php?tid=46065

Stuxnet: Anatomy of a Computer Virus
http://concen.org/forum/showthread.php?tid=46114

Stuxnet (BIG thread)
http://concen.org/forum/showthread.php?tid=35110

Stuxnet Attack on Fukushima - TheUglyTruth - 2011.03.15
http://concen.org/forum/showthread.php?tid=38768

09-19-2012, 09:59 PM (This post was last modified: 09-19-2012 10:06 PM by h3rm35.)
Post: #4
RE: US officials confirm Stuxnet was a joint US-Israeli op
As far as China is concerned, I think that was just the only viable boogeyman they could come up with to create fear around cyberwar so they could pull off things like SOPA/PIPA/CISPA, TIA, Perfect Citizen, and all the other stuff in the threads "U.S. Cyber Command: Waging War In World's Fifth Battlespace", "Pentagon's Cyber Command: Civilian Infrastructure a 'Legitimate' Target", and "Cyberwar, the Internet and the Militarization of Civil Society".

On an administrative note, this thread as well as http://concen.org/forumshowthread.php?tid=46065 can probably be merged with the larger Stuxnet thread. The first two Cyber Command threads can be merged as well.
