Wednesday, February 26, 2014

New thesis on how Stuxnet infiltrated Iran nuclear facility

The Stuxnet worm that attacked Iran's nuclear facility at Natanz came to light nearly four years ago, but how it got there remains a mystery. A possible new explanation, outlined Tuesday, cites the supply chain as the



By Mark Clayton, Staff writer / February 25, 2014


A new thesis about that, to be outlined Tuesday at a security conference in San Francisco, points to a vulnerability in the Iranian facility's supply chain - and may hold lessons for owners of critical infrastructure in the US concerning how to guard their own industrial equipment against cyberattack.


Presented by Critical Intelligence, a cyber security firm based in Idaho Falls, Idaho, the tale of cyber infiltration comes nearly four years after the covert operation was discovered. It's already been fairly well documented that the United States and Israel created the Stuxnet worm, which ultimately infected and destroyed about 1,000 fuel-refining centrifuges at Natanz. The surreptitious attack sowed confusion within Iran's uranium-fuel-enrichment program, which the US suspects is aimed at creating a nuclear bomb, and delayed it for years.




But how did Stuxnet get in there? As early as 2004, US intelligence agencies identified an Iranian company, NEDA Industrial Group, that had oversight of the Natanz facility's computerized industrial control systems, says the Critical Intelligence report, citing documents gleaned from federal court cases, leaked State Department cables, and nuclear proliferation reports.


Documents suggest that the US was monitoring NEDA's efforts to procure components that may be needed for a nuclear weapons program, says Sean McBride, lead author of the report and director of analysis for Critical Intelligence. The report is the first to name NEDA in connection with



The US, he maintains, had identified NEDA as Iran's leading expert in Siemens Step7 software used throughout Iran's nuclear program, including its centrifuge fuel-refining system. Then, probably in 2008, the US targeted industrial control systems equipment that NEDA had ordered from suppliers



Leaked State Department cables posted on the WikiLeaks website show the US at that time to have been seeking to intercept shipments of equipment headed to Iran.


"It's my contention that the evidence shows the US targeted the leading Siemens control systems integrator for Natanz - and that was NEDA," Mr. McBride says in a phone interview. "NEDA would have had all the plans for just how the Natanz system was going to be set up, the proper centrifuge speeds, when they would be turned on and off. The company had all the key information the US needed to write Stuxnet - and then a way to get the worm into Natanz."


Sometime around 2008, computerized industrial control system equipment bound for Iran was intercepted, and Stuxnet or other malware was installed on it before it was sent on its way, McBride posits.


His thesis runs contrary to prevailing theories that a spy used a memory stick, or "thumb drive," to introduce Stuxnet into the network. Rather, NEDA engineers unwittingly installed infected workstations or other equipment, which then proceeded to infect all of Natanz's systems, McBride says.


Among the report's findings are online documents showing that NEDA was involved in industrial control systems work in Iran. They include archived files in which an Iranian control systems engineer, identified only as "Behrooz," asks during an online Siemens support forum for help dealing with an unspecified virus that he says had infected all the machines in his company's network.


Other online documents show that person was probably Mohammad Rez, an engineer with NEDA. By September 2008, the US Department of Commerce had added NEDA to a watch list of companies thought to be assisting Iran's nuclear program. Finally, in December 2012 NEDA and a handful of other companies were placed on a US Treasury Department list of firms banned from doing business with the US because of alleged involvement in Iran's nuclear program. E-mail requests to NEDA seeking comment on the new report were not



McBride says his findings are not conclusive, and he notes that gaps in documentation remain. But they do dovetail with recent media reports based on top-secret National Security Agency documents leaked by Edward Snowden, a former NSA contractor. One such report reveals aggressive NSA efforts to "interdict" computer equipment in transit and to install surveillance software and hardware before the equipment reaches an intended surveillance



Some security experts say McBride's hypothesis makes sense given what is now known about the frequent cyber vulnerability of corporate suppliers - and is a warning shot across the bow of critical infrastructure operators in the US that use them.


"It's certainly a plausible theory," says Jen Weedon, a manager in the threat intelligence division at Mandiant, a firm specializing in mitigating cyber espionage attacks on US corporations. "We've seen a lot of targeting of supply chains and partner companies in the US by the Chinese. For a difficult target like Natanz, infiltrating the supply chain would make a lot of sense - and it could work that way in the US, too, if companies aren't



Worldwide, even large companies with excellent cyber defenses are facing the fact that smaller business partners may have less robust security and may be vulnerable to attacks, she and others note.


"It highlights an infection vector - contractors - that almost definitely would be used against hard targets in the US," writes Ralph Langner, the cyber security expert who first identified Stuxnet as a cyber weapon, in an e-mail interview. "A sophisticated attacker wouldn't bother to try directly attacking a power utility, for example. They would go after the several hundred contractors with access to critical distribution systems [such as] electrical substations."


Did US intelligence agencies score one of their biggest cyber attack victories using clandestine supply-chain infiltration to get Stuxnet into



"I'm not saying other theories about how Stuxnet got into Natanz aren't true," McBride says. "They could be. But there's plenty of evidence that what I'm suggesting happened was what actually did happen."
