New thesis on how Stuxnet infiltrated Iran nuclear facility
The Stuxnet worm that attacked Iran's nuclear facility at Natanz came to
light nearly four years ago, but how it got there remains a mystery. A
possible new explanation, outlined Tuesday, cites the supply chain as the
key.
By Mark Clayton, Staff writer / February 25, 2014
A new thesis about that, to be outlined Tuesday at a security conference in
San Francisco, points to a vulnerability in the Iranian facility's supply
chain - and may hold lessons for owners of critical infrastructure in the US
concerning how to guard their own industrial equipment against cyberattack.
Presented by Critical Intelligence, a cyber security firm based in Idaho
Falls, Idaho, the tale of cyber infiltration comes nearly four years after
the covert operation was discovered. It's already been fairly well
documented that the United States and Israel created the Stuxnet worm, which
ultimately infected and destroyed about 1,000 fuel-refining centrifuges at
Natanz. The surreptitious attack sowed confusion within Iran's
uranium-fuel-enrichment program, which the US suspects is aimed at creating
a nuclear bomb, and delayed it for years.
But how did Stuxnet get in there? As early as 2004, US intelligence agencies
identified an Iranian company, NEDA Industrial Group, that had oversight of
the Natanz facility's computerized industrial control systems, says the
Critical Intelligence report, citing documents gleaned from federal court
cases, leaked State Department cables, and nuclear proliferation reports.
Documents suggest that the US was monitoring NEDA's efforts to procure
components that may be needed for a nuclear weapons program, says Sean
McBride, lead author of the report and director of analysis for Critical
Intelligence. The report is the first to name NEDA in connection with
Stuxnet.
The US, he maintains, had identified NEDA as Iran's leading expert in
Siemens Step7 software used throughout Iran's nuclear program, including its
centrifuge fuel-refining system. Then, probably in 2008, the US targeted
industrial control systems equipment that NEDA had ordered from suppliers
overseas.
Leaked State Department cables posted on the WikiLeaks website show the US
at that time to have been seeking to intercept shipments of equipment headed
to Iran.
"It's my contention that the evidence shows the US targeted the leading
Siemens control systems integrator for Natanz - and that was NEDA," Mr.
McBride says in a phone interview. "NEDA would have had all the plans for
just how the Natanz system was going to be set up, the proper centrifuge
speeds, when they would be turned on and off. The company had all the key
information the US needed to write Stuxnet - and then a way to get the worm
into Natanz."
Sometime around 2008, computerized industrial control system equipment bound
for Iran was intercepted, and Stuxnet or other malware was installed on it
before it was sent on its way, McBride posits.
His thesis runs contrary to prevailing theories that a spy used a memory
stick, or "thumb drive," to introduce Stuxnet into the network. Rather, NEDA
engineers unwittingly installed infected workstations or other equipment,
which then proceeded to infect all of Natanz's systems, McBride says.
Among the report's findings are online documents showing that NEDA was
involved in industrial control systems work in Iran. They include archived
files in which an Iranian control systems engineer, identified only as
"Behrooz," asks during an online Siemens support forum for help dealing with
an unspecified virus that he says had infected all the machines in his
company's network.
Other online documents show that person was probably Mohammad Rez, an
engineer with NEDA. By September 2008, the US Department of Commerce had
added NEDA to a watch list of companies thought to be assisting Iran's
nuclear program. Finally, in December 2012 NEDA and a handful of other
companies were placed on a US Treasury Department list of firms banned from
doing business with the US because of alleged involvement in Iran's nuclear
program. E-mail requests to NEDA seeking comment on the new report were not
returned.
McBride says his findings are not conclusive, and he notes that gaps in
documentation remain. But they do dovetail with recent media reports based
on top-secret National Security Agency documents leaked by Edward Snowden, a
former NSA contractor. One such report reveals aggressive NSA efforts to
"interdict" computer equipment in transit and to install surveillance
software and hardware before the equipment reaches an intended surveillance
target.
Some security experts say McBride's hypothesis makes sense given what is now
known about the frequent cyber vulnerability of corporate suppliers - and is
a warning shot across the bow of critical infrastructure operators in the US
that use them.
"It's certainly a plausible theory," says Jen Weedon, a manager in the
threat intelligence division at Mandiant, a firm specializing in mitigating
cyber espionage attacks on US corporations. "We've seen a lot of targeting
of supply chains and partner companies in the US by the Chinese. For a
difficult target like Natanz, infiltrating the supply chain would make a lot
of sense - and it could work that way in the US, too, if companies aren't
careful."
Worldwide, even large companies with excellent cyber defenses are facing the
fact that smaller business partners may have less robust security and may be
vulnerable to attacks, she and others note.
"It highlights an infection vector - contractors - that almost definitely
would be used against hard targets in the US," writes Ralph Langner, the
cyber security expert who first identified Stuxnet as a cyber weapon, in an
e-mail interview. "A sophisticated attacker wouldn't bother to try directly
attacking a power utility, for example. They would go after the several
hundred contractors with access to critical distribution systems [such as]
electrical substations."
Did US intelligence agencies score one of their biggest cyber attack
victories using clandestine supply-chain infiltration to get Stuxnet into
Natanz?
"I'm not saying other theories about how Stuxnet got into Natanz aren't
true," McBride says. "They could be. But there's plenty of evidence that
what I'm suggesting happened was what actually did happen."