Stuxnet anatomy of a computer virus transcript

The protests continued throughout the week, though, and on June 19, in an attempt to calm the crowds, the Ayatollah Ali Khamenei sanctioned the election results, insisting that the margin of victory—11 million votes—was too large to have been achieved through fraud.

The crowds, however, were not assuaged. Two days later on June 22, a Monday, the Guardian Council, which oversees elections in Iran, officially declared Ahmadinejad the winner, and after nearly two weeks of protests, Tehran became eerily quiet.

Police had used tear gas and live ammunition to disperse the demonstrators, and most of them were now gone from the streets. That afternoon, at around p. While the streets of Tehran had been in turmoil, technicians at Natanz had been experiencing a period of relative calm. Around the first of the year, they had begun installing new centrifuges again, and by the end of February they had about 5, of them in place, close to the 6, that Ahmadinejad had promised the previous year.

Not all of the centrifuges were enriching uranium yet, but at least there was forward movement again, and by June the number had jumped to 7,, with 4, of these enriching gas.

In addition to the eighteen cascades enriching gas in unit A24, there were now twelve cascades in A26 enriching gas. An additional seven cascades had even been installed in A28 and were under vacuum, being prepared to receive gas. The performance of the centrifuges was improving too. Despite the previous problems, Iran had crossed a technical milestone and had succeeded in producing kilograms of low-enriched uranium—enough to achieve nuclear-weapons breakout capability.

If it continued at this rate, Iran would have enough enriched uranium to make two nuclear weapons within a year. This estimate, however, was based on the capacity of the IR-1 centrifuges currently installed at Natanz. But Iran had already installed IR-2 centrifuges in a small cascade in the pilot plant, and once testing on these was complete and technicians began installing them in the underground hall, the estimate would have to be revised.

The more advanced IR-2 centrifuges were more efficient. It took 3, IR-1s to produce enough uranium for a nuclear weapon in one year, but it would take just 1, IR-2 centrifuges to do the same. To get their weapon into the plant, the attackers launched an offensive against computers owned by four companies. All of the companies were involved in industrial control and processing of some sort, either manufacturing products and assembling components or installing industrial control systems.

They were all likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees. To ensure greater success at getting the code where it needed to go, this version of Stuxnet had two more ways to spread than the previous one. Stuxnet 0. Based on the log files in Stuxnet, a company called Foolad Technic was the first victim. It was infected at a.

But then it was almost a week before the next company was hit. The following Monday, about five thousand marchers walked silently through the streets of Tehran to the Qoba Mosque to honor victims killed during the recent election protests. Late that evening, around p. The entire mechanism we have described so far—an infection caused by a USB drive, the spreading through an organizational network, and the hacking of Step 7—was the thruster.

Now that Stuxnet has found its target, it is time to activate the payload, the part of Stuxnet that makes it so unique, unprecedented and frightening; it is this part of the virus that will be the focus of our next part of this episode. In the next section, we will also learn about the damage that Stuxnet caused to the Iranian uranium enrichment facility.

But despite my efforts, I was always worried that I had missed something and would get infected by some malware. Every time my computer acted slightly weird, I immediately wondered whether it had to do with a virus. Slow Internet? It might be a virus! Some software stopped working? A trojan! The hard disk is overactive? You get the picture. I was a digital hypochondriac. But why am I telling you this? Because I believe that right now, a few thousand miles away, perhaps inside an underground bunker somewhere, there are programmers and technicians who are sitting in front of their computers and experiencing the same paranoia.

In the first part of this episode, I introduced you to Stuxnet, a malicious software that flipped the IT security world upside down when it was exposed in Unlike typical viruses, an APT is a targeted threat, sort of like a guided missile aimed at a specific target. One question, however, was not addressed in the previous episode, and it is the topic of this episode. Were they all targets, or just a few of them? He immediately obtained a copy of the malware and started analyzing it.

It turned out that Ralph Langner was the right person in the right place at the right time. In fact, Siemens sometimes sent its employees to him for professional seminars on using their equipment.

Langner and his two colleagues spent weeks decoding the secrets of Stuxnet and were able to paint a clear picture of how it operated. Stuxnet checked whether software called Step7, made by Siemens, was installed on the PC.

If Step7 was on the PC, Stuxnet hacked it using a secret password that was built into the software. If Stuxnet found a PLC, it took over it as well. Once Stuxnet took over the PLC, it checked to see which electrical components were attached to it.

Specifically, it was looking for two microchips that control the rotation speed of engines, made by two specific companies: Vacon from Finland, and Fararo Paya from Iran.

If Stuxnet found the two microchips it continued to look for an even more specific condition—the rotation speed of the engines connected to the microchips, specifically, between and Hertz. A computer on which a specific software made by Siemens was installed, connected to Siemens PLC, itself connected to two microchips made by two specific companies that controlled rotating engines at a very specific speed range.

The convergence of such a precise set of conditions is comparable to searching the phonebook for a Joe Butterworth who lives in Michigan, in the city of Livonia, on Shadyside Street. If you found Joe, he is most likely the person you were looking for, since the chances of there being two people with the same name at the same address are slim.

In other words, Stuxnet was looking for a very specific target. This level of preciseness, atypical for computer viruses, astonished Ralph Langner. Who would invest that much effort in order to harm one specific facility? The answer was almost obvious: It could only be a country that wanted to attack a military facility of some other country. Langner contacted several of his colleagues and clients and asked whether they knew of an industrial facility whose characteristics matched the specific pattern Stuxnet was after.

Soon after he found a match—a gas centrifuge for a uranium enrichment facility in Natanz, Iran. Uranium is the vital material for nuclear fission, the process that takes place in nuclear power plants and nuclear bombs. Only one particular flavor, known as uranium , can support the process of nuclear fission. Luckily, uranium is rare and makes up less than one percent of the uranium found in nature, which is why uranium deposits are not spontaneously exploding on their own.

In order to use uranium in a nuclear power plant or to make a nuclear bomb, it must be enriched. That is, the percentage of uranium in the original material needs to be increased. The most common method for enriching uranium is by using a gas centrifuge. An enrichment centrifuge is a rapidly rotating tube, into which hot uranium gas is injected. In other words, the percent of uranium is higher than it was before the gas was injected to the machine. If five to 10 percent of the Uranium atoms are uranium , then it can be used as fuel in a nuclear power plant.

If the concentration goes up to 20 percent, it can be used in a nuclear bomb. Now only you, I and Wikipedia know it. If all the conditions we talked about were fulfilled (the specific microchips attached to engines rotating at a specific speed), then Stuxnet would interfere and force the engines to change their speed.

Initially, it would speed them up, then slow them down so that they almost stopped, before returning them to their original rotation speed. Stuxnet initiated these weird speed changes in the centrifuges once every 27 days. Well, to understand that, we have to appreciate how sensitive these machines are. A typical centrifuge rotates at tens of thousands of revolutions per minute—the edge of the tube travels almost half a mile each second.

The tremendous speed at which they rotate, combined with the high temperature of the radioactive gas inside them, makes the centrifuges extremely sensitive to any sort of rattling and turbulence. Think of a centrifuge as a motorcycle on a highway running into a rock. If the motorcycle is fast enough, even a small stone could cause great damage. If a spinning centrifuge experiences uncontrolled rattling, the shaking and extra friction can be disastrous.

The best-case scenario is that the centrifuge will be worn out sooner than expected and need to be replaced at huge cost. In the worst-case scenario, the centrifuge will disintegrate and break into pieces.

According to past media reports, the United States and Israel have previously tried to sabotage the Iranian nuclear program by replacing sensitive components with false or failed ones. Ralph Langner suspected that Stuxnet was another such sabotage attempt.

But he needed to learn more about the Iranian nuclear program. Ironically enough, one of his main resources in doing so was the Iranian Public Relations Office. Langner analyzed every image and frame he could get a hold of in order to figure out what equipment the Iranians were using, and was convinced that Iran was the target. His conclusion was bolstered by the fact that about 60 percent of the infected computers were located in Iran. He doubted that anyone would take his ideas seriously, but he was wrong.

The IT security world was enthusiastic about the news—and it was only then that the mainstream media realized what was happening.

The impact of it was immediately clear, and part of that had to do with just the technical aspects of it. Those who were dissecting it, this took time. They were trying to find where it came from, what it was trying to do, what the malicious payload was.

Nowadays, the consensus among experts is that Stuxnet was indeed developed in order to damage the uranium enrichment centrifuges in the nuclear facility in Natanz. What damage did it cause? According to media reports, the Iranian nuclear program was often delayed in , and more than 1, centrifuges were replaced due to severe defects. Leaked documents referred to a possible nuclear accident that took place in the first half of Now you may be asking: How is it possible that no one in the Iranian facility noticed the changes in the rotation speed caused by Stuxnet?

This brings us to what is probably the most brilliant — or perhaps nefariously brilliant — aspect of Stuxnet. That way, when Stuxnet drives the centrifuges crazy—the monitors are still showing the appropriate speed, temperature and more. But upstairs in the control room, All Systems Are Go.

If a hundred centrifuges usually need replacing in a typical month, and all of a sudden they go out of order almost simultaneously, someone will start asking questions. The executives will inquire and the technicians will report that no alarm went off.

Here is where the brilliance of Stuxnet comes into play. Now, put yourselves in the shoes of that Iranian programmer. Expensive centrifuges are being destroyed daily, and upper management is going nuts. The pressure on you, the programmer, is tremendous. Your boss is constantly looking over your shoulder. So how is it possible that centrifuges can disintegrate without any warning?

Which brings us back to the notion of paranoia. Once Stuxnet was exposed in the media we can assume that the Iranians understood what was really going on in their facility. Given the sophisticated level of programming they were dealing with—they would have to become extremely suspicious and paranoid. Every computer failure, every small malfunction, could potentially indicate the existence of a new and advanced malware. According to one report, the Iranians were so suspicious of their equipment that at a certain point they sat people in front of the centrifuges in order to manually monitor the rotation speed of the machines.
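The two passages above describe the problem from the operator's side: the centrifuges are driven up, almost to a stop and back, while the control room keeps seeing normal values, and the only remedy the Iranians found was to put people in front of the machines to watch the speed by hand. The following is an added example, written for this page and not code from the transcript, from Langner's analysis or from anyone quoted here. It assumes the display was fooled by recording a window of normal readings and replaying it (the transcript's sentence explaining the mechanism is missing; the replay is how the published analyses describe it), and every value in it is constructed: the nominal frequency, the length of the replayed window, the compressed time scale and the tolerance are placeholders, not Stuxnet's real parameters. It shows the two checks a defender actually has: comparing the reported value against an independent out-of-band measurement (which is what the hand monitoring amounts to), and looking for an exactly repeating window in the reported stream, which a real, noisy sensor never produces.

```python
# Added example (not from the transcript, not Langner's or any analyst's code):
# a simulation of a replayed sensor stream and two defensive checks against it.
# All data is constructed; NOMINAL_HZ, the window length and the time scale are
# placeholders, not the real centrifuge or Stuxnet parameters.
import random

NOMINAL_HZ = 1000.0   # placeholder nominal rotor frequency
SAMPLES = 600         # one reading per "second" of compressed time


def actual_speed_trace(seed=1):
    """Constructed ground truth: steady, then the up / almost-stop / recover pattern."""
    rnd = random.Random(seed)
    trace = []
    for t in range(SAMPLES):
        if t < 200:
            hz = NOMINAL_HZ            # normal operation
        elif t < 300:
            hz = NOMINAL_HZ * 1.4      # driven well above nominal
        elif t < 400:
            hz = NOMINAL_HZ * 0.02     # slowed almost to a stop
        else:
            hz = NOMINAL_HZ            # returned to nominal
        trace.append(hz + rnd.gauss(0, 0.5))   # real sensors carry noise
    return trace


def reported_speed_trace(actual, attack_start=200, record_len=21):
    """Constructed control-room view: faithful until attack_start, then a recorded
    window of normal readings is replayed in a loop while the real speed deviates."""
    recorded = actual[attack_start - record_len:attack_start]
    reported = list(actual[:attack_start])
    for i in range(attack_start, len(actual)):
        reported.append(recorded[(i - attack_start) % record_len])
    return reported


def independent_measurement(actual, seed=2):
    """Out-of-band reading (hand tachometer, separate sensor path): coarser noise."""
    rnd = random.Random(seed)
    return [hz + rnd.gauss(0, 1.0) for hz in actual]


def divergence_alarms(reported, independent, tolerance_hz=NOMINAL_HZ * 0.01):
    """Check 1: sample indices where the reported value disagrees with the
    independent one by more than the tolerance."""
    return [i for i, (r, m) in enumerate(zip(reported, independent))
            if abs(r - m) > tolerance_hz]


def detect_replay(values, min_period=2, max_period=60):
    """Check 2: find the first point after which the stream is an exact cyclic
    repeat of the preceding `period` samples. A genuine noisy sensor never does
    this. Returns {"replay_starts_at": i, "period": p} or None."""
    n = len(values)
    for start in range(n):
        for period in range(min_period, max_period + 1):
            tail_len = n - start - period
            if tail_len < period:
                break                  # too little data left to confirm a full cycle
            if all(values[start + period + j] == values[start + j % period]
                   for j in range(tail_len)):
                return {"replay_starts_at": start + period, "period": period}
    return None


def run_checks():
    """Run both checks over the constructed traces and return their findings."""
    actual = actual_speed_trace()
    reported = reported_speed_trace(actual)
    independent = independent_measurement(actual)
    return {
        "divergence_alarms": divergence_alarms(reported, independent),
        "replay": detect_replay(reported),
        # what the control room sees after the attack starts: a flat, normal trace
        "reported_looks_normal": max(reported[200:]) - min(reported[200:]) < NOMINAL_HZ * 0.01,
    }


if __name__ == "__main__":
    result = run_checks()
    alarms = result["divergence_alarms"]
    print(f"control room sees a steady speed throughout: {result['reported_looks_normal']}")
    print(f"out-of-band check disagrees at {len(alarms)} samples, t={alarms[0]}..{alarms[-1]}")
    print(f"replay signature: {result['replay']}")
```

Two things the run makes visible. The divergence check fires only while the real speed is away from nominal (samples 200 to 399 here) and goes quiet again once the rotors are back at speed, so an operator who only compares values during calm periods learns nothing; the replay signature, by contrast, persists for as long as the recorded window is being looped. The periodicity check relies on sensor noise: a heavily quantized reading (integer RPM, say) can produce short coincidental repeats, so `min_period` must be set above what quantization alone would yield before this check is trusted on real data.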

Ralph Langner thinks this paranoia—this digital psychological torment—might have been the real intention of whoever was behind Stuxnet. So Stuxnet was a unique piece of malware. Stuxnet in a sense did not invent any kind of new attack. Stuxnet took the most powerful, the most effective and the most advanced of any technique that anyone had ever described—and put them all together, and made them work really well in one package, and this had never been seen before.

This was the big thing. According to Ginter, Stuxnet must have been the result of a huge investment in time, money and expert IT programmers. I wrote software, I managed teams that wrote software—I know how much it costs to produce software. This worm installed cleanly on every machine I tried it on. Everything from Windows NT up to the Windows OS of the day, all of the different variants—it installed clean and it ran clean on all of them. I know how hard it is to produce a legitimate product that works on that wide a variety of equipment.

My estimation is that there were at least millions of dollars spent on the worm. It might have been tens of millions. This last point raises another interesting question. If Stuxnet was so sophisticated and polished, why was it ever exposed? According to the media, earlier versions of Stuxnet successfully meddled with the Iranian facility for five whole years before it was ever discovered.

Something must have gone wrong…. The makers of Stuxnet had reliable intelligence regarding the computers at the facility, so Stuxnet operated without any problems. But at a certain point, Stuxnet began spreading to other places and other computers…a lot of other computers.

The people analyzing the worm have concluded they have discovered what they think is a bug. And so this bug caused the worm to propagate. Instead of there being tens or hundreds of copies of the worm in the world, there grew to be at one point over , copies. As a result, instead of only infecting three new computers at a time — it ended up infecting exponentially more. To produce that much code that is that reliable is extremely costly.

You know, I have a reason to believe that some of the listeners of this podcast—both in the US and in Israel—might have had something to do with the creation of Stuxnet. If I am correct, and you are listening—then hold on tight for the next—and final—installment of this episode, since we will be talking about… you. Could it be that exposing Stuxnet was part of a bigger plan, and not so coincidental?

All that and more in Part III. The last two parts of the episode focused on the technological characteristics of Stuxnet, a computer virus that attacked the uranium enrichment facility in Iran, and was exposed in , almost accidentally, by a small IT company from Belarus. Now it is time to talk about the people who created it. In the computer security business, this question is usually considered to be secondary. In most cases even if we do catch the creators of malicious software and punish them, the software itself still continues to spread.

It is like a man releasing a lion from its cage; we might be able to punish the man, but the priority is catching the lion before it gets downtown. On the contrary: if it is possible to prove that it was created by a government agency, then Stuxnet becomes much more than a computer virus—it becomes a cyber-weapon.

If Stuxnet is indeed a weapon developed by a country, then it might reveal something about this secret world. When IT experts analyzed Stuxnet, they found the software included a communication channel with its operators. When Stuxnet infected a computer, it searched for Internet access. Once online, it sent its current status and other information to servers located at these addresses:.

The physical computers storing the servers for these websites were located in Denmark and Indonesia respectively. But before we suspect the Danish or Indonesian governments, it is important to remember that anyone can launch a Web server from anywhere around the world, regardless of his or her physical location. For instance, the website for this podcast is hosted on servers located in the United States, but it could have just as easily been hosted in Europe.
