Cyber security experts say they have identified the world's first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.
The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.
At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran's Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.
The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.
Unlike most malware, Stuxnet is not intended to help someone make money or steal proprietary data. Industrial control systems experts now have concluded, after nearly four months spent reverse engineering Stuxnet, that the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide. Internet link not required.
"Until a few days ago, people did not believe a directed attack like this was possible," Ralph Langner, a German cyber-security researcher, told the Monitor in an interview. He was slated to present his findings at a conference of industrial control system security experts Tuesday in Rockville, Md. "What Stuxnet represents is a future in which people with the funds will be able to buy an attack like this on the black market. This is now a valid concern."
A gradual dawning of Stuxnet's purpose
It is a realization that has emerged only gradually.
Stuxnet surfaced in June and, by July, was identified as a hypersophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away.
But what was the motive of the people who created it? Was Stuxnet intended to steal industrial secrets – pressure, temperature, valve, or other settings – and communicate that proprietary data over the Internet to cyber thieves?
By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous.
But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.
"Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."
A guided cyber missile
On his website, Langner lays out the Stuxnet code he has dissected. He shows step by step how Stuxnet operates as a guided cyber missile. Three top US industrial control system security experts, each of whom has also independently reverse-engineered portions of Stuxnet, confirmed his findings to the Monitor.
"His technical analysis is good," says a senior US researcher who has analyzed Stuxnet, who asked for anonymity because he is not allowed to speak to the press. "We're also tearing [Stuxnet] apart and are seeing some of the same things."
Other experts who have not themselves reverse-engineered Stuxnet but are familiar with the findings of those who have concur with Langner's analysis.
"What we're seeing with Stuxnet is the first view of something new that doesn't need outside guidance by a human – but can still take control of your infrastructure," says Michael Assante, former chief of industrial control systems cyber security research at the US Department of Energy's Idaho National Laboratory. "This is the first direct example of weaponized software, highly customized and designed to find a particular target."
"I'd agree with the classification of this as a weapon," Jonathan Pollet, CEO of Red Tiger Security and an industrial control system security expert, says in an e-mail.
One researcher's findings
Langner's research, outlined on his website Monday, reveals a key step in the Stuxnet attack that other researchers agree illustrates its destructive purpose. That step, which Langner calls "fingerprinting," qualifies Stuxnet as a targeted weapon, he says.
Langner zeroes in on Stuxnet's ability to "fingerprint" the computer system it infiltrates to determine whether it is the precise machine the attack-ware is looking to destroy. If not, it leaves the industrial computer alone. It is this digital fingerprinting of the control systems that shows Stuxnet to be not spyware, but rather attackware meant to destroy, Langner says.
Stuxnet's ability to autonomously and without human assistance discriminate among industrial computer systems is telling. It means, says Langner, that it is looking for one specific place and time to attack one specific factory or power plant in the entire world.
"Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open," Langner says in an interview. "The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process."
So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems, Eric Byres, a Canadian expert, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.
Langner's analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.
"After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon," Langner writes in his analysis. "Something big."
For those worried about a future cyber attack that takes control of critical computerized infrastructure – in a nuclear power plant, for instance – Stuxnet is a big, loud warning shot across the bow, especially for the utility industry and government overseers of the US power grid.
"The implications of Stuxnet are very large, a lot larger than some thought at first," says Mr. Assante, who until recently was security chief for the North American Electric Reliability Corp. "Stuxnet is a directed attack. It's the type of threat we've been worried about for a long time. It means we have to move more quickly with our defenses – much more quickly."
Has Stuxnet already hit its target?
It might be too late for Stuxnet's target, Langner says. He suggests it has already been hit – and destroyed or heavily damaged. But Stuxnet reveals no overt clues within its code to what it is after.
A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.
Could Stuxnet's target be Iran's Bushehr nuclear power plant, a facility much of the world condemns as a nuclear weapons threat?
Langner is quick to note that his views on Stuxnet's target are speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr's expected startup in late August has been delayed, he notes, for unknown reasons. (One Iranian official blamed the delay on hot weather.)
But if Stuxnet is so targeted, why did it spread to all those countries? Stuxnet might have been spread by the USB memory sticks used by a Russian contractor while building the Bushehr nuclear plant, Langner offers. The same contractor has jobs in several countries where the attackware has been uncovered.
"This will all eventually come out and Stuxnet's target will be known," Langner says. "If Bushehr wasn't the target and it starts up in a few months, well, I was wrong. But somewhere out there, Stuxnet has found its target. We can be fairly certain of that."
Stuxnet 'weapon' out to destroy Iran's nuclear program?
- PGT
Stuxnet 'weapon' out to destroy Iran's nuclear program?
http://news.yahoo.com/s/csm/327178
- PGT
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
no replies????? WHAT?
You guys are slacking
- complacent
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
if the rumors are true, it's going to be very awkward for the US and Germany. Here's hoping not.
PGT wrote: no replies????? WHAT? You guys are slacking
Oh, and
- captainslow
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
this is what keeps me up at night. 

- PGT
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
complacent wrote: if the rumors are true, it's going to be very awkward for the US and Germany. Here's hoping not.
PGT wrote: no replies????? WHAT? You guys are slacking
Oh, and
http://www.dailytech.com/Israel+Suspect ... e19726.htm
Attack has since spread to plants and computers in the U.S. and elsewhere, posing serious threat
It's been only a month since the activation of Iran's first nuclear power plant and there's already a major crisis concerning proliferation. But this crisis has nothing to do with nuclear arms proliferation. Rather, the scare has to do with the proliferation of the Stuxnet worm, a malicious computer program that has invaded the plant's computers and since spread to computers worldwide.
- complacent
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
i read an article earlier today claiming the US and Germany had built it.
Now there's one saying Israel did it? I'm glad to see that disinfo is in full swing here.
Oh, I found a new avatar from that article, thanks
- drwrx
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
What fascinates me is the delivery method, a USB thumb drive with the malware installed on it (supposedly) without the user knowing it isn't shocking. But to get it to the specific target, that has to be the tricky part. How do you get someone to unknowingly take a USB drive to the right place? I guess that is where the real espionage takes place. I am aware of USB's inherent security issues and that a program can be loaded and run off it w/o detection but still, how does that conversation work?
Agent: "Hi, do you work for the Iranian Nuclear Development Program?"
Mark: "Why yes I do!"
Agent: "Well, congratulations we'd like you to have this free 64 gig USB Flash drive."
Mark: "Wow, thanks, I can't wait to use this at work!"
Or do you install the malware on millions of USB devices and hope it finds its target? The fact that they have found it in the US, Germany, Canada, Iran, Pakistan, India, and Indonesia really makes me wonder how this thing is being dispersed.
- PGT
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
- complacent
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
PGT wrote:perhaps this is a piece to the puzzle
http://www.spacedaily.com/reports/Abduc ... n_999.html
- drwrx
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
I am familiar with that news item and all the bizarre twists involved, but I'm not certain I would make that kind of linear leap.
I'm not saying that isn't the case, I'd just need some more convincing evidence.
- PGT
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
it's not a linear leap. that said, the effectiveness of stuxnet was based on insider knowledge of the systems. just posted that to indicate a data point in the pattern of publicly available info.
there's more info I have that I'm not posting, just, well, because its out there easy enough to find and no point to collate it here.
- Sabre
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
Sounds like the guy defected and then changed his mind... and then had to make up a cover story so that he wasn't killed immediately by going back
- PGT
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
http://www.nytimes.com/2010/09/27/techn ... virus.html
A Silent Attack, but Not a Subtle One
By JOHN MARKOFF
SAN FRANCISCO
As in real warfare, even the most carefully aimed weapon in computer warfare leaves collateral damage.
The Stuxnet worm was no different.
The most striking aspect of the fast-spreading malicious computer program — which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear project — may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe.
The malware was so skillfully designed that computer security specialists who have examined it were almost certain it had been created by a government and is a prime example of clandestine digital warfare. While there have been suspicions of other government uses of computer worms and viruses, Stuxnet is the first to go after industrial systems. But unlike those other attacks, this bit of malware did not stay invisible.
If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings. The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment. Computer security specialists are also puzzled by why it was created to spread so widely.
Global alarm over the deadly computer worm has come many months after the program was suspected of stealthily entering an Iranian nuclear enrichment plant, perhaps carried on a U.S.B. memory drive containing the malware.
Computer security specialists have speculated that once inside the factory and within the software that controls equipment, the worm reprogrammed centrifuges made by a specific company, Siemens, to make them fail in a way that would be virtually undetectable. Whether the program achieved its goal is not known.
Much speculation about the target has focused on the Iran nuclear plant at Natanz. In mid-July the Wikileaks Web site reported that it had learned of a serious nuclear accident at the plant. But international nuclear inspectors say no evidence of one exists.
The timing is intriguing because a time stamp found in the Stuxnet program says it was created in January, suggesting that any digital attack took place long before it was identified and began to attract global attention.
The head of the Bushehr nuclear plant in Iran said Sunday that the worm had affected only the personal computers of staff members, Reuters reported. Western nations say they do not believe Bushehr is being used to develop nuclear weapons. Citing the state-run newspaper Iran Daily, Reuters reported that Iran’s telecommunications minister, Reza Taghipour, said the worm had not penetrated or caused “serious damage to government systems.”
Siemens has said that the worm was found in only 15 plants around the world using its equipment and that no factory’s operations were affected. But now the malware not only is detectable, but also is continuing to spread through computer systems around the world through the Internet.
It is also raising fear of dangerous proliferation. Stuxnet has laid bare significant vulnerabilities in industrial control systems. The program is being examined for clues not only by the world’s computer security companies, but also by intelligence agencies and countless hackers.
“Proliferation is a real problem, and no country is prepared to deal with it,” said Melissa Hathaway, a former United States national cybersecurity coordinator. The widespread availability of the attack techniques revealed by the software has set off alarms among industrial control specialists, she said: “All of these guys are scared to death. We have about 90 days to fix this before some hacker begins using it.”
The ability of Stuxnet to infiltrate these systems will “require a complete reassessment” of security systems and processes, starting with federal technology standards and nuclear regulations, said Joe Weiss, a specialist in the security of industrial control systems who is managing partner at Applied Control Solutions in Cupertino, Calif.
One big question is why its creators let the software spread widely, giving up many of its secrets in the process.
One possibility is that they simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise.
While much has been made in the news media of the sophistication of Stuxnet, it is likely that there have been many other attacks of similar or even greater sophistication by intelligence agencies from many countries in the past. What sets this one apart is that it became highly visible.
Security specialists contrast Stuxnet with an intrusion discovered in the Greek cellphone network in March 2005. It also displayed a level of skill that only the intelligence agency of some foreign power would have.
A two-year investigation by the Greek government found an extremely sophisticated Trojan horse program that had been hidden by someone who was able to modify and then insert 29 secret programs into each of four telephone switching computers.
The spy system came apart only when a software upgrade provided by the manufacturer led to some text messages, sent from the system of another cellphone operator, being undelivered. The level of skill needed to pull off the operation and the targets strongly indicated that the culprit was a government. An even more remarkable set of events surrounded the 2007 Israeli Air Force attack on what was suspected of being a Syrian nuclear reactor under construction.
Accounts of the event initially indicated that sophisticated jamming technology had been used to blind the radar so Israeli aircraft went unnoticed. Last December, however, a report in an American technical publication, IEEE Spectrum, cited a European industry source as raising the possibility that the Israelis had used a built-in kill switch to shut down the radar.
A former member of the United States intelligence community said that the attack had been the work of Israel’s equivalent of America’s National Security Agency, known as Unit 8200.
But if the attack was based on a worm or a virus, there was never a smoking gun like Stuxnet.
Kevin O’Brien contributed reporting from Berlin
- Mr Kleen
- complacent
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
Here's a Wired article
New clues released this week show a possible link between Israel and sophisticated malware targeting industrial control systems in critical infrastructure systems, such as nuclear plants and oil pipelines.
Late Thursday, security firm Symantec released a detailed paper with analysis of the headline-making code (.pdf), which reveals two clues in the Stuxnet malware that adds to speculation that Israel may have authored the code to target Iran.
Or, they could simply be red herrings planted in the code by programmers to point suspicion at Israel and away from other possible suspects.
The malware, called Stuxnet, appears to be the first to effectively attack critical infrastructure and in a manner that produces physical results, although there’s no proof yet any real-world damage has been done by it. The malware’s sophistication and infection of thousands of machines in Iran has led some to speculate that the U.S. or Israeli government built the code to take out Iran’s nuclear program.
Symantec’s paper adds to that speculation. It also provides intriguing data about an update the authors made to it in March of this year that ultimately led to it being discovered. The update suggests the authors, despite launching their malware as early as June 2009, may not have reached their target by March 2010.
The code has so far infected about 100,000 machines in 155 countries, apparently beginning in Iran and recently hitting computers in China. Researchers still have no idea if the malware reached the targeted system it was designed to sabotage.
Liam O’Murchu, researcher at Symantec Security Response, said in a press call Friday that even though the malware’s command-and-control server has been disabled, the attackers can still communicate with infected machines via peer-to-peer networking. Symantec hopes that experts in industrial control systems who read their paper may help identify the specific environment Stuxnet was targeting.
“We hope someone will look at the values and say this is a configuration you’d only find in an oil refinery or power plant,” said O’Murchu. “It’s very important to find out what the target was. You can’t tell what [Stuxnet] does unless you know what it was connected to. ”
The code targets industrial control software made by Siemens called WinCC/Step 7, but is designed to deliver its malicious payload to only a particular configuration of that system. About 68 percent of infected systems in Iran have the Siemens software installed, but researchers don’t know if any have the targeted configuration. By contrast, only 8 percent of infected hosts in South Korea are running Step 7 software, and only about 5 percent of infected hosts in the U.S. do. An apparent “kill” date in the code indicates that Stuxnet is designed to stop working June 24, 2012.
The first clue that may point to Israel’s involvement in the malware involves two file directory names – myrtus and guava – that appear in the code. When a programmer creates code, the file directory where his work-in-progress is stored on his computer can find its way into the finished program, sometimes offering clues to the programmer’s personality or interests.
In this case, Symantec suggests the name myrtus could refer to the biblical Jewish Queen Esther, also known as Hadassah, who saved Persian Jews from destruction after telling King Ahasuerus of a plot to massacre them. Hadassah means myrtle in Hebrew, and guavas are in the myrtle, or myrtus family of fruit.
A clue to Stuxnet’s possible target lies in a “do not infect” marker in the malware. Stuxnet conducts a number of checks on infected systems to determine if it’s reached its target. If it finds the correct configuration, it executes its payload; if not, it halts the infection. According to Symantec, one marker Stuxnet uses to determine if it should halt has the value 19790509. Researchers suggest this refers to a date — May 9, 1979 — that marks the day Habib Elghanian, a Persian Jew, was executed in Tehran and prompted a mass exodus of Jews from that Islamic country.
This would seem to support claims by others that Stuxnet was targeting a high-value system in Iran, possibly its nuclear enrichment plant at Natanz.
Or, again, both clues could simply be red herrings.
O’Murchu said the authors, who were highly skilled and well-funded, were meticulous about not leaving traces in the code that would track back to them. The existence of apparent clues, then, would belie this precision.
One mystery still surrounding the malware is its wide propagation, suggesting something went wrong and it spread farther than intended. Stuxnet, when installed on any machine via a USB drive, is supposed to spread to only three additional computers, and to do so within 21 days.
“It looks like the attacker really did not want Stuxnet to spread very far and arrive at a specific location and spread just to computers closest to the original infection,” O’Murchu said.
But Stuxnet is also designed to spread via other methods, not just via USB drive. It uses a zero-day vulnerability to spread to other machines on a network. It can also be spread through a database infected via a hardcoded Siemens password it uses to get into the database, expanding its reach.
Symantec estimates it took between 5 and 10 developers with different areas of expertise to produce the code, plus a quality assurance team to test it over many months to make certain it would go undetected and not destroy a target system before the attackers intended to do so.
The WinCC/Step 7 software that Stuxnet targets connects to a Programmable Logic Controller, which controls turbines, pressure valves and other industrial equipment. The Step 7 software allows administrators to monitor the controller and program it to control these functions.
When Stuxnet finds a Step7 computer with the configuration it seeks, it intercepts the communication between the Step 7 software and the controller and injects malicious code to presumably sabotage the system. Researchers don’t know exactly what Stuxnet does to the targeted system, but the code they examined provides a clue.
One value found in Stuxnet – 0xDEADF007 – is used by the code to specify when a process has reached its final state. Symantec suggests it may mean Dead Fool or Dead Foot, a term referring to an airplane engine failure. This suggests failure of the targeted system is a possible aim, though whether Stuxnet aims to simply halt the system or blow it up remains unknown.
Two versions of Stuxnet have been found. The earliest points back to June 2009, and analysis shows it was under continued development as the attackers swapped out modules to replace ones no longer needed with new ones and add encryption and new exploits, apparently adapting to conditions they found on the way to their target. For example, digital certificates the attackers stole to sign their driver files appeared only in Stuxnet in January 2010.
One recent addition to the code is particularly interesting and raises questions about its sudden appearance.
A Microsoft .lnk vulnerability that Stuxnet used to propagate via USB drives appeared only in the code in March this year. It was the .lnk vulnerability that ultimately led researchers in Belarus to discover Stuxnet on systems in Iran in June.
O’Murchu said it’s possible the .lnk vulnerability was added late because the attackers hadn’t discovered it until then. Or it could be they had it in reserve, but refrained from using it until absolutely necessary. The .lnk vulnerability was a zero-day vulnerability — one unknown and unpatched by a vendor that takes a lot of skill and resources for attackers to find.
Stuxnet’s sophistication means that few attackers will be able to reproduce the threat, though Symantec says many will try now that Stuxnet has taken the possibility for spectacular attacks on critical infrastructures out of Hollywood movies and placed them in the real world.
“The real-world implications of Stuxnet are beyond any threat we have seen in the past,” Symantec writes in its report. “Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.”
Read More http://www.wired.com/threatlevel/2010/1 ... z11Q2iAqPh
colin
a tank, a yammie, a spaceship
i <3 teh 00ntz
- Mr Kleen
- DCAWD Founding Member
- Posts: 15034
- Joined: Mon Apr 18, 2005 6:46 pm
- Location: Wiesbaden.DE
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
It was only a matter of time before something like this surfaced. 

- PGT
- DCAWD Groupie
- Posts: 1578
- Joined: Mon Jun 04, 2007 11:06 am
- Location: Loudoun
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
I tend to think red herring but that date code does make it seem like a big F U 

2013 BMW 328i M Sport with 8sp in Estoril Blue II
2012 Chrysler 300C SRT8 - Always bet on black
2012 Jeep Wrangler Unlimited Rubicon Call of Duty: Modern Warfare 3 Edition, otherwise known as the MW3 (and badass)
- Raven
- Mr. Underpowered or something
- Posts: 1221
- Joined: Thu Feb 18, 2010 12:46 pm
- Location: Manasty
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
Never underestimate the Jews! 

All my cars have drum brakes and are sub 200 hp, what am I doing with my life?
2013 Mazda 2
1994 Chevy S10 pickup
1985 Chevy Caprice (no fuel system)
-
- DCAWD Groupie
- Posts: 1316
- Joined: Sun Oct 01, 2006 3:48 pm
- Location: Arlington, VA
- Contact:
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
Two things come to mind: the RTM worm was not supposed to propagate as quickly as it did, and it was a simple typo that caused it to be so prolific and crash Sendmail (and subsequently Unix) decades ago. This could be a similar situation. The second is why on earth would anyone put their nuclear reactor on the internet? Most of us know the lengths the United States government goes through to prevent things like USB memory sticks from getting into secure areas; are we really to believe that the people at Esfahan and Natanz are wantonly putting memory sticks into industrial equipment?
The document seems alarmist and perhaps a little ignorant. Somehow I doubt the virus is capable of "blowing up" the Siemens device. Crippling it, sure. But I also have a hard time believing it's propagating on peer-to-peer networks and on industrial machinery. It would be like me writing a piece of C that ran on i686 but also ran on Wonk378 as well. Machine code is not malleable.
What seems more likely to me is that somebody (and only the US and Israel -- and possibly the FSB have the capability of doing this) created the weapon, put it on a portable device and then used a SOCOM team to get in, deploy it, and get out. Like the article stated, it's not exactly clear whether the damage has already been done. My guess is the damage was done and there was contamination during the forensics period. I don't think the Iranians (and really, we're not targeting German industry here) have the ability to break the code down. Bits and pieces, sure. Everybody has a decompiler. But forensics is very delicate work and they just don't have the expertise.
rocket scientist
- Sabre
- DCAWD Founding Member
- Posts: 21432
- Joined: Wed Aug 11, 2004 8:00 pm
- Location: Springfield, VA
- Contact:
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
avriette wrote: The second is why on earth would anyone put their nuclear reactor on the internet? ...
are we really to believe that the people at Esfahan and Natanz are wantonly putting memory sticks into industrial equipment?
lol, are you really THAT shocked that a reactor was "somehow" put on the Internet? Hell, most of our (US) power grid is! Even if it isn't direct, most places separate by VLAN, not physical separation like they are supposed to.... and we all know how good that really is.
avriette wrote: Machine code is not malleable.
From the analysis above, the shell code was written for the Siemens PLC... so the machine code didn't need to be malleable, the payload just needed to be written for the target. The delivery mechanism could be totally different...
Sabre (Julian)

92.5% Stock 04 STI
Good choice putting $4,000 rims on your 1990 Honda Civic. That's like Betty White going out and getting her tits done.
- complacent
- DCAWD Founding Member
- Posts: 11651
- Joined: Sun Aug 29, 2004 8:00 pm
- Location: near the rockies. very.
- Contact:
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
Sabre wrote: lol, are you really THAT shocked that a reactor was "somehow" put on the Internet? Hell, most of our (US) power grid is! Even if it isn't direct, most places separate by VLAN, not physical separation like they are supposed to.... and we all know how good that really is.
winnAr winnAr, chicken dinnAr.
colin
a tank, a yammie, a spaceship
i <3 teh 00ntz
- drwrx
- DCAWD Founding Member
- Posts: 4382
- Joined: Mon Sep 20, 2004 8:00 pm
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
It just seems odd to me that as secretive and protective as the Iranians have been about their nuclear program that somehow an internet based attack could work.
So, Stuxnet was able to get in because Samir just HAD to update his facebook status? Really?
- PGT
- DCAWD Groupie
- Posts: 1578
- Joined: Mon Jun 04, 2007 11:06 am
- Location: Loudoun
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
drwrx wrote: It just seems odd to me that as secretive and protective as the Iranians have been about their nuclear program that somehow an internet based attack could work.
you mean how they posted screenshots of desktop with expired windows license, for all to see in 2009?
drwrx wrote: So, Stuxnet was able to get in because Samir just HAD to update his facebook status? Really?
the attack vector wasn't over the internet but local.
instead of reposting it all here, take a look and follow Langner's blog...excellent explanation of how this went down. http://www.langner.com/en/index.htm Here it is in layman's terms, from their blog:
Let's try to explain Stuxnet to the average computer user.
If Stuxnet was a conventional piece of malware as everybody knows it, it could have done this. It would have checked if a specific word processor is installed on your machine, let's say Microsoft Word. It would then check if you have a specific printer model installed. Now comes the freaky part. Stuxnet would then check for the presence of one specific document on your hard disk. Not based on the document's file name, but based on the document's content. If no match is found, Stuxnet leaves you alone. If Stuxnet finds the document it is looking for and you print out the document, Stuxnet prints its own stuff rather than the original document content. What Stuxnet prints is not random garbage, but completely well-formed sentences in English language.
2013 BMW 328i M Sport with 8sp in Estoril Blue II
2012 Chrysler 300C SRT8 - Always bet on black
2012 Jeep Wrangler Unlimited Rubicon Call of Duty: Modern Warfare 3 Edition, otherwise known as the MW3 (and badass)
- complacent
- DCAWD Founding Member
- Posts: 11651
- Joined: Sun Aug 29, 2004 8:00 pm
- Location: near the rockies. very.
- Contact:
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
this is, um, ugly.
us & israel created stuxnet, lost control of it
In 2011, the US government rolled out its "International Strategy for Cyberspace," which reminded us that "interconnected networks link nations more closely, so an attack on one nation’s networks may have impact far beyond its borders." An in-depth report today from the New York Times confirms the truth of that statement as it finally lays bare the history and development of the Stuxnet virus—and how it accidentally escaped from the Iranian nuclear facility that was its target.
The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet. The goal of the worm was to break Iranian nuclear centrifuge equipment by issuing specific commands to the industrial control hardware responsible for their spin rate. By doing so, both governments hoped to set back the Iranian research program—and the US hoped to keep Israel from launching a pre-emptive military attack.
The code was only supposed to work within Iran's Natanz refining facility, which was air-gapped from outside networks and thus difficult to penetrate. But computers and memory cards could be carried between the public Internet and the private Natanz network, and a preliminary bit of "beacon" code was used to map out all the network connections within the plant and report them back to the NSA.
That program, first authorized by George W. Bush, worked well enough to provide a digital map of Natanz and its industrial control hardware. Soon, US national labs were testing different bits of the plan to sabotage Natanz (apparently without knowing what the work was for) using similar centrifuges that had come from Libya's Qadaffi regime. When the coders found the right sets of commands to literally shake the centrifuges apart, they knew that Stuxnet could work.
When ready, Stuxnet was introduced to Natanz, perhaps by a double agent.
Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others—both spies and unwitting accomplices—with physical access to the plant. “That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”
In fact, thumb drives turned out to be critical in spreading the first variants of the computer worm; later, more sophisticated methods were developed to deliver the malicious code.
When Barack Obama came to office, he continued the program—called "Olympic Games"—which unpredictably disabled bits of the Natanz plant even as it told controllers that everything was normal. But in 2010, Stuxnet escaped Natanz, probably on someone's laptop; once connected to the outside Internet, it did what it was designed not to do: spread in public. The blame game began about who had slipped up in the coding.
“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”
Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. “It’s got to be the Israelis,” he said. “They went too far.”
Once released more widely, the Stuxnet code was found and then disassembled by security researchers.
Please don't follow our example
As the International Strategy for Cyberspace notes, these sorts of electronic attacks are serious business. The US in fact reserves the right to use even military force to respond to similar attacks. "All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners," says the report. "We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law."
Yet the US had just gone on the cyber-attack, and everyone knew it. Speculation has long swirled around government-backed hackers from nations like China and Russia, especially, who have been suspected of involvement in espionage, industrial trade secret theft, and much else. Would something like Stuxnet damage US credibility when it complained about such attacks? (China has long adopted the "you do it too!" defense on Internet issues, especially when it comes to censoring and filtering of Internet content.)
Obama was at least aware of the likely answer—yes—but pressed ahead, even accelerating the Olympic Games program.
[Obama] repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons—even under the most careful and limited circumstances—could enable other countries, terrorists or hackers to justify their own attacks. “We discussed the irony, more than once,” one of his aides said.
Stuxnet is old news by now. Even the newly discovered "Flame" malware was developed some time ago. While details about these two targeted attack packages are finally emerging, the next generation of attack tools has no doubt been developed and likely deployed.
colin
a tank, a yammie, a spaceship
i <3 teh 00ntz
- PGT
- DCAWD Groupie
- Posts: 1578
- Joined: Mon Jun 04, 2007 11:06 am
- Location: Loudoun
Re: Stuxnet 'weapon' out to destroy Iran's nuclear program?
yep....read that this morning. ugly is right
2013 BMW 328i M Sport with 8sp in Estoril Blue II
2012 Chrysler 300C SRT8 - Always bet on black
2012 Jeep Wrangler Unlimited Rubicon Call of Duty: Modern Warfare 3 Edition, otherwise known as the MW3 (and badass)