Interesting read.
I recently wrote a white paper entitled “Dragons, Tigers, Pearls, and Yellowcake” in which I proposed four alternative scenarios for the Stuxnet worm other than the commonly held assumption that it was Israel or the U.S. targeting Iran’s Bushehr or Natanz facilities. During the course of my research for that paper, I uncovered a connection between two of the key players in the Stuxnet drama: Vacon, the Finnish manufacturer of one of two frequency converter drives targeted by this malware; and RealTek, whose digital certificate was stolen and used to smooth the way for the worm to be loaded onto a Windows host without raising any alarms. A third important piece of the puzzle, which I’ll discuss later in this article, directly connects a Chinese antivirus company which writes their own viruses with the Stuxnet worm.
Most people who have followed the Stuxnet investigation know that the international headquarters for Vacon is in Finland, but surprisingly, Finland isn’t where Vacon’s frequency converter drives are manufactured. Vacon’s manufacturing plant is actually located in the People’s Republic of China (PRC) under the name Vacon Suzhou Drives Co. Ltd., located at 11A, Suchun Industrial Square 428# Xinglong Street, SIP Suzhou 215126 China.
Vacon isn’t the only company involved with Stuxnet that has a Chinese connection. The first genuine digital certificate used by Stuxnet developers was from RealTek Semiconductor Corp., a Taiwanese company which has a subsidiary in (of all places) Suzhou under the name Realsil Microelectronics, Inc. (450 Shenhu Road, Suzhou Industrial Park, Suzhou 215021 Jiangsu Province, China).
The question, of course, is what, if anything, does this say about China’s possible role as the source of the Stuxnet worm. There are scenarios under which China would benefit, such as the rare-earths scenario that I presented in my white paper; however, there’s a lack of data on mining failures that can be attributed to Stuxnet. The closest that anyone has come to identifying compromised operations is at Natanz; however, their centrifuge failures go back several years according to this February 2010 report by ISIS, while the earliest Stuxnet sample seen by Symantec’s researchers was June 2009, and that’s before it had signed driver files or exploited the remote code execution vulnerability that appeared in January 2010 and March 2010, respectively. Natanz may very well have been the target of an earlier cyber attack, or even multiple attacks, which had nothing to do with Stuxnet.
Stuxnet’s Finnish-Chinese Connection
- Sabre
- DCAWD Founding Member
- Posts: 21432
- Joined: Wed Aug 11, 2004 8:00 pm
- Location: Springfield, VA
Stuxnet’s Finnish-Chinese Connection
Forbes article
Sabre (Julian)

92.5% Stock 04 STI
Good choice putting $4,000 rims on your 1990 Honda Civic. That's like Betty White going out and getting her tits done.

- PGT
- DCAWD Groupie
- Posts: 1578
- Joined: Mon Jun 04, 2007 11:06 am
- Location: Loudoun
Re: Stuxnet’s Finnish-Chinese Connection
eff me, that's out of left field.


2013 BMW 328i M Sport with 8sp in Estoril Blue II
2012 Chrysler 300C SRT8 - Always bet on black
2012 Jeep Wrangler Unlimited Rubicon Call of Duty: Modern Warfare 3 Edition, otherwise known as the MW3 (and badass)
- complacent
- DCAWD Founding Member
- Posts: 11651
- Joined: Sun Aug 29, 2004 8:00 pm
- Location: near the rockies. very.
Re: Stuxnet’s Finnish-Chinese Connection
some of the strangest articles have been making their way out into "mainstream" media outlets lately.
colin
a tank, a yammie, a spaceship
i <3 teh 00ntz
- Mr Kleen
- DCAWD Founding Member
- Posts: 15034
- Joined: Mon Apr 18, 2005 6:46 pm
- Location: Wiesbaden.DE
Re: Stuxnet’s Finnish-Chinese Connection
wow.
at least China is with us in opposing Iranian nuclear weapon capabilities. that's good, right? right?

- ElZorro
- DCAWD Founding Member
- Posts: 5958
- Joined: Thu Aug 12, 2004 8:00 pm
- Location: USA! USA!
Re: Stuxnet’s Finnish-Chinese Connection
http://www.nytimes.com/2011/01/16/world ... wanted=all
Israeli Test on Worm Called Crucial in Iran Nuclear Delay
By WILLIAM J. BROAD, JOHN MARKOFF and DAVID E. SANGER
This article is by William J. Broad, John Markoff and David E. Sanger.
The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.
Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.
Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.
“To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”
Though American and Israeli officials refuse to talk publicly about what goes on at Dimona, the operations there, as well as related efforts in the United States, are among the newest and strongest clues suggesting that the virus was designed as an American-Israeli project to sabotage the Iranian program.
In recent days, the retiring chief of Israel’s Mossad intelligence agency, Meir Dagan, and Secretary of State Hillary Rodham Clinton separately announced that they believed Iran’s efforts had been set back by several years. Mrs. Clinton cited American-led sanctions, which have hurt Iran’s ability to buy components and do business around the world.
The gruff Mr. Dagan, whose organization has been accused by Iran of being behind the deaths of several Iranian scientists, told the Israeli Knesset in recent days that Iran had run into technological difficulties that could delay a bomb until 2015. That represented a sharp reversal from Israel’s long-held argument that Iran was on the cusp of success.
...
Jason "El Zorro" Fox
'17 Subaru Forester 2.0XT
DCAWD - old coots in fast scoots.
- PGT
- DCAWD Groupie
- Posts: 1578
- Joined: Mon Jun 04, 2007 11:06 am
- Location: Loudoun
Re: Stuxnet’s Finnish-Chinese Connection
I think the first article was disinformation.
in other news, a CIA analyst was arrested on 5 Jan for leaking classified material to the NY Times.
- PGT
- DCAWD Groupie
- Posts: 1578
- Joined: Mon Jun 04, 2007 11:06 am
- Location: Loudoun
Iran says second cyber attack hits country, months after com
http://www.washingtonpost.com/world/ira ... story.html
By Associated Press, Monday, April 25, 8:11 AM
TEHRAN, Iran — Iran has been hit by a second computer virus, a senior military official said Monday, suggesting it was part of a concerted campaign to undermine the country’s disputed nuclear program.
Gholam Reza Jalali, the head of an Iranian military unit in charge of combatting sabotage, said that experts discovered the “espionage virus,” which he called “Stars.”
- sirwilliam
- Resident Poop Expert
- Posts: 7226
- Joined: Mon Aug 01, 2005 1:27 pm
- Location: The Wild Serengeti Suburbs
Re: Stuxnet’s Finnish-Chinese Connection
"My God, it's full of stars..."


2004 SG Model A PearlBlackObsidian (RIP)
2008 SG Model D BlueRallyWorld
"When I get sad, I stop being sad and be awesome instead. True story." -Barney Stinson
"Nothing shuts my pie-hole but pie." -Shawn Spencer
- complacent
- DCAWD Founding Member
- Posts: 11651
- Joined: Sun Aug 29, 2004 8:00 pm
- Location: near the rockies. very.
Re: Iran says second cyber attack hits country, months after
i saw that article this morning... tin foil in the house.
PGT wrote:
http://www.washingtonpost.com/world/ira ... story.html
By Associated Press, Monday, April 25, 8:11 AM
TEHRAN, Iran — Iran has been hit by a second computer virus, a senior military official said Monday, suggesting it was part of a concerted campaign to undermine the country’s disputed nuclear program.
Gholam Reza Jalali, the head of an Iranian military unit in charge of combatting sabotage, said that experts discovered the “espionage virus,” which he called “Stars.”

colin
- PGT
- DCAWD Groupie
- Posts: 1578
- Joined: Mon Jun 04, 2007 11:06 am
- Location: Loudoun
Re: Stuxnet’s Finnish-Chinese Connection
that's one tactic....confuse things so much that the opponent doesn't know who/what to trust
- Sabre
- DCAWD Founding Member
- Posts: 21432
- Joined: Wed Aug 11, 2004 8:00 pm
- Location: Springfield, VA
Re: Stuxnet’s Finnish-Chinese Connection
Some interesting quotes:
I'm sorry, but it sounds an awful lot like "Iran is perfect, these infidels are the only reason anything bad happens!!!"... which is funny, since literally someone of Iranian descent once pretty much said that to me.
The official Iranian Islamic Republic News Agency also reported Monday that a major 56-inch gas pipeline had exploded in the south of the country, a week after officials blamed two similar pipeline explosions on “acts of sabotage.” Authorities said pipe corrosion was apparently the cause of the Monday blast.
...
In addition to the virus problems, there has also been a sharp increase in industrial incidents reported by Iranian media. Often they are blamed on accidents, but also increasingly on acts of sabotage.
In any case, it's interesting that there continue to be new viruses thrown at them considering all the news from the Stuxnet virus. If I were a betting man, I would guess this one came from closer to home.
Sabre (Julian)
