Ever since Flame, a gigantic piece of malware that lifts data from infected computers, was uncovered by security researchers three weeks ago, people have been wondering who could have built such a thing. Its powers, and the fact that it had apparently been operating in secret for years, shocked experts, who called it “one of the most complex threats ever discovered.”
More revelations followed: World-class mathematicians had worked on it, doing new science to develop its attacks. At first it was thought that Flame had nothing in common with Stuxnet, the US and Israeli-built virus that targeted Iran’s nuclear program and has become synonymous with the new age of cyberwarfare. Closer analysis, however, revealed that an early module of Flame had identified and exploited a then-unknown weakness in Microsoft Windows. The same capability showed up later in Stuxnet. The two pieces of malware had apparently communicated at least once, with Flame, which primarily gathers information, passing data to Stuxnet, which used that data to inflict damage.
When the piece of malware given the name “Flame” was found last month, initial analysis indicated that it did not share code with Stuxnet and Duqu, two previously discovered programs also directed at Iran and other nations in the Middle East. However, researchers at the Kaspersky Lab have found that a chunk of early Stuxnet code called “resource 207” is also found in Flame, which indicates a connection between the authors of both programs.
An early version of Stuxnet from 2009 included the resource 207 module, which helped spread the virus to new machines via USB drives by exploiting a then-unknown security flaw in the Microsoft Windows operating system. The later incarnation of Stuxnet could accomplish the same task with different sections of code, and resource 207 was discarded. But when Kaspersky Lab researchers began studying an early module of Flame, they found its code bore a strong resemblance to Stuxnet’s resource 207. They believe that Flame was created first (which means it must date back to at least 2009), and its module lent a hand to the early stages of Stuxnet until the younger malware had been developed enough to stand on its own.
A massive piece of malware, nicknamed “Flame” by security researchers at Kaspersky Lab, has been discovered attacking computers in Iran and the rest of the Middle East. The scale and sophistication of the malware suggest that it was commissioned by a nation-state, perhaps by the same parties that built Stuxnet, which destroyed Iranian uranium centrifuges several years ago, and Duqu, a related Trojan that culled information from infected computers.
Flame doesn’t share any code with Stuxnet or Duqu. But it is much larger—Duqu, for instance, was just 500 kilobytes, while Flame is 20 megabytes—and it impressed the Kaspersky researchers with its array of functions, which make it a kind of giant Swiss Army knife of malware.
Stuxnet seems to become scarier every time you hear about it. The sophisticated piece of malware came to the world’s attention in September; shortly thereafter we heard that it was perfectly designed to attack nuclear centrifuges, and in fact had disrupted some nuclear research in Iran. Now comes more news about how it works, and who might be using it next.
The security group Symantec has been trying to analyze and understand the waves of Stuxnet attacks against Iran, and now its researchers have found the base of the attacks, according to Symantec’s Orla Cox.
The new research, which analysed 12,000 infections collected by various anti-virus firms, shows that the worm targeted five “industrial processing” organisations in Iran. “These were the seeds of all other infections,” said Ms Cox. The firm was able to identify the targets because Stuxnet collected information about each computer it infected, including its name, location and a time stamp of when it was compromised. [BBC News]
Though Symantec isn’t naming the five targets in Iran, another security expert studying Stuxnet’s code, Ralph Langner, told CNET the likely target of the whole attack was the Natanz nuclear enrichment plant.
While a certain bacterium that can thrive in arsenic has dominated the science press this week, the big story in the world at large is the ongoing WikiLeaks saga. The release of an enormous trove of confidential documents from the U.S. State Department has provoked plenty of fallout: there’s governmental embarrassment and anger, and WikiLeaks founder Julian Assange is now wanted in Sweden on alleged sex crimes. But we’re most interested in how the never-ending story touches several science and tech stories, some of which have unraveled here on 80beats.
Get That DNA
One embarrassing revelation of the leaked diplomatic cables was that American diplomats were supposed to be part spy; they were asked to try to gather genetic material from foreign governmental officials. Once the cables leaked, the State Department couldn’t exactly deny that this happened, but it now says that these suggestions came from intelligence agencies. And relax—the requests were voluntary.
A senior department official said the requests for DNA, iris scans and other biometric data on foreign government and U.N. diplomats came from American “intelligence community managers.” The official said American diplomats were free to ignore the requests and that virtually all do. [Washington Post]
China Source of Google Hack
Early in 2010 we reported on the large cyber-attack against Google. Though rumors swirled, the Chinese government denied its involvement; the country and the search engine giant went through months of tension before arriving at a truce in the summer. According to WikiLeaks, leaders of the Chinese Communist Party were directly connected to the hack.
China’s Politburo directed the intrusion into Google’s computer systems in that country, a Chinese contact told the American Embassy in Beijing in January, one cable reported. The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. [The New York Times]
Between murders and leaked documents, there’s disarray and intrigue all around Iran’s burgeoning nuclear program.
Yesterday, two prominent nuclear scientists in Iran were attacked in car bombings.
According to [Iranian news service] Fars, scientists Majid Shahriari and Fereydoun Abbasi were parking their cars in separate locations near the university campus about 7:45 a.m. local time when they were attacked. Witnesses said each car was approached by a group of men on motorcycles, who attached explosives to the vehicles and detonated them seconds later, the news agency reported. Shahriari was killed instantly. Abbasi was wounded. Both men were with their wives, who were also wounded. [Washington Post]
Unsurprisingly, Iranian President Mahmoud Ahmadinejad quickly pointed the finger of blame at the West and Israel. Both of the targeted scientists are reportedly connected to the Iranian nuclear program, which the government maintains is for the purpose of energy, but the United States and other nations oppose out of fear of an Iranian bomb.
Abbasi-Davani, whose handful of publications on neutron physics are mainly in Iranian journals, is a key figure in Iran’s nuclear programme. He is reported to be a scientist at the country’s defence ministry, and a member of Iran’s revolutionary guards since the 1979 Islamic Revolution. He was also named as being among “Persons involved in nuclear or ballistic missile activities” in the 2007 UN Security Council Resolution 1747, which imposed sanctions on Iran over its refusal to stop enrichment of uranium. [Nature]
It was late September when the world got wind of Stuxnet, the complex piece of malware that appeared to specifically target Iranian nuclear sites. Now, analysis of Stuxnet suggests it was almost perfectly designed to corrupt nuclear centrifuges, according to David Albright of the Institute for Science and International Security.
On Wednesday, Mr. Albright and a colleague, Andrea Stricker, released a report saying that when the worm ramped up the frequency of the electrical current supplying the centrifuges, they would spin faster and faster. The worm eventually makes the current hit 1,410 Hertz, or cycles per second — just enough, they reported, to send the centrifuges flying apart. In a spooky flourish, Mr. Albright said in the interview, the worm ends the attack with a command to restore the current to the perfect operating frequency for the centrifuges — which, by that time, would presumably be destroyed. [The New York Times]
Computer experts don’t know Stuxnet’s origin for sure, though the Times’ story drops a few cryptic hints of Israeli involvement. And further study of the attack shows that although Stuxnet appears calibrated to disrupt centrifuges, it could be easily adapted to seize the reins of other systems.
The widespread interconnection of corporate networks and use of SCADA systems [supervisory control and data acquisition] means that industrial infrastructure is increasingly vulnerable to software attack. Such control systems are used in virtually every industry—food production, vehicle assembly, chemical manufacturing—and are commonly exposed to insecure networks. This leaves them vulnerable to tampering, such as with Stuxnet, as well as intellectual property theft. [Ars Technica]
After decades of development, Iran’s first nuclear power plant is close to operational. This week the country’s TV service announced that engineers have begun loading the fuel rods into the core of the Bushehr plant in southern Iran.
The 1,000-megawatt Bushehr plant has been under construction since before Iran’s 1979 Islamic Revolution. It was first contracted to a company that later became German industrial giant Siemens; more recently work was done with the help of Russia’s state-owned atomic energy company. [Los Angeles Times]
The plant’s 1000-megawatt capacity is comparable to the power put out by many of the nuclear plants scattered across the United States.
A virus has been popping up in industrial plants and personal computers worldwide, and now poses a looming threat to Iran, where more than 60 percent of the computers infected with the virus are located.
Some experts believe that the virus, first discovered in June, was developed by high-level government programmers (possibly from the US, Israel, or Germany), and is directed toward a specific target, most likely Iran’s Bushehr nuclear power plant. It is believed to have been around for over a year.
The virus was written to exploit five security vulnerabilities (four of which were previously unknown, and only two of which have been patched) in a piece of software used in many different industrial systems. The virus is inserted into the system using a thumb drive, then spreads from computer to computer.
The malware was so skillfully designed that computer security specialists who have examined it were almost certain it had been created by a government and is a prime example of clandestine digital warfare. While there have been suspicions of other government uses of computer worms and viruses, Stuxnet is the first to go after industrial systems. [The New York Times]
The software tool called Haystack was supposed to protect dissidents in Iran who wanted to use the Internet free of the government’s censorship. If third-party software testers are correct, though, flaws in the system meant to help those dissidents could have led authorities right to them. The Censorship Research Center, the San Francisco-based organization that created Haystack, has now pulled it back and asked users to destroy the existing copies.
“We have halted ongoing testing of Haystack in Iran pending a security review,” HaystackNetwork.com said in a brief statement. “If you have a copy of the test program, please refrain from using it.” [AFP]
Jacob Appelbaum, a security expert who volunteers with WikiLeaks, sounded the alarm.