A group of legal experts invited to study at NATO’s Cyber Defense Center of Excellence released a report over the weekend that names 2010 Stuxnet cyberattack on Iran’s nuclear power plants as an illegal “act of force.”

The study is called The Tallinn Manual on the International Law Applicable to Cyber Warfare and is supposed to act as a “textbook,” as one of its writers Michael Schmitt explained to the Washington Times. It shows how traditional international law and cyberwar can be interpreted together.

It outlines an act of force as anything that kills or injures humans or otherwise destroys or damages objects. The Stuxnet virus, which infects SCADA systems, or the computers that control industrial infrastructure, infected Iran’s Natanz nuclear power plants. Specifically, it critically damaged the section of the plant that released an important gas into its centrifuges.

The malware is suspected to be a joint effort between the governments of the U.S. and Israel, though neither have accepted responsibility.

As Schmitt noted, however, the U.N. states that acts of force can be used by countries in self-defense, whether that’s in response to an act of force or a preemptive strike against anticipated danger. Though the manual states this attack is probably considered illegal under traditional law, the U.S. and Israel fear nuclear attacks from Iran, making it plausible that the “act of force” was in self-defense. That is, if these two countries are behind the attacks as is suspected.

How other countries should react, however, is up to them. The manual is not intended to be law or an outline of rules. Rather, it is a proposed way of putting existing law into action around cyber attacks. However, some say that the current laws aren’t good enough for cyberwar given the lack of experience we’ve had with real, war-time cyberattacks.

hat tip Wired; Iran nuclear plant image via President.ir

SAN FRANCISCO — Symantec uncovered a new, earlier version of Stuxnet today, the malware that attacked Iran’s nuclear systems in 2010. This version, Stuxnet 0.5, predated the Stuxnet we all know, and it was created four years earlier than we expected.

Stuxnet 0.5 was active between 2007 and 2009, though Symantec researchers were able to trace its origins back to 2005. The Stuxnet we are familiar with was first created in 2009.

“We are now entering close to the end of the first decade of weaponized malware,” said Francis deSouza, Symantec’s president of products and services, who spoke at the RSA conference in San Francisco today.

The malware that later attacked Siemens SCADA systems controlling the motors in the Natanz nuclear facility originally attacked the valves that controlled a certain type of gas released into the centrifuges.

The earlier version was disseminated through infected USBs and sought out Siemens Step 7 project files. The malware was officially taken offline January 2009 when it stopped communicating with its command-and-control servers, but traces of it can still be found within Step 7 files on computers around the world.

It was built in part on the Flamer platform, the same one built, of course, Flame. The Russian security firm Kaspersky Lab discovered Flame last year and quickly called it one of the most sophisticated cyber-espionage tools ever.

The later version of Stuxnet was moved to the Tilded platform, relating it to Duqu.

Further differentiating itself, this Stuxnet 0.5 was slightly less sophisticated in that it didn’t move from system to system exploiting a vulnerability in Windows.

Nuclear plant image via Shutterstock

The United States has been watching Iran for cyber activity for some time now with a fear that cyber espionage and war tactics are getting even stronger. One Air Force commander is jumping on board with this concern, saying Iran in particular is a “force to be reckoned with.”

U.S. Air Force Space Command General William Shelton told Reuters he believes Iran was provoked by the Stuxnet attacks in 2010, and has been building up its cyber war tactics ever since. In order to prevent future attacks, Shelton explained that the Defense Department plans on expanding the number of civilian Air Force employees working on network security by 1,000. This adds to its current 6,000 employees, as Ars Technica notes.

Stuxnet, the virus that Shelton says may have caused Iran to increase its cyber warfare development, attacked the country’s Natanz nuclear plants in 2010. The virus attacks SCADA systems, or the computers that control industrial, physical equipment such as nuclear fueling infrastructure, all the way down to prison doors. The attacks did just that, and reportedly damaged the fueling equipment used in this nuclear facility.

It was later uncovered that Stuxnet was a joint effort between the United States and Israel.

Defense Secretary Leon Panetta warned of more of these attacks in a recent speech saying we can expect a “cyber Pearl Harbor” on our hands. He pointed out how connected devices, water supplies, and electrical grids can all be tampered with and that we need to prepare for cyber war in the future.

Air Force image via Shutterstock

Iran is claiming that Stuxnet, the powerful virus that infected its nuclear power facilities in 2010 is back on the attack, targeting other power and governmental systems in the past few months.

The reports come out of Iranian news organization ISNA, according to the Associated Press, which quoted Iran’s provincial civil defense chief Ali Akbar Akhavan as confirming the events. Akhavan reportedly went on to say that the attacks were focused on Iran’s province of Hormozgan, including a power plant located there. The issue was supposedly mitigated by Iran, and suspected to be of U.S. and Israeli origin given that the virus Stuxnet is the suspected culprit.

Iran’s Culture Ministry may have also been a target, according to the New York Times.

Stuxnet is a computer virus that attacked Iran’s nuclear power plants systems in 2010, specifically the computers that controlled the fueling of its nuclear power plants. The attack was later believed to be a joint U.S. and Israel project as a result of growing fears that Iran was building nuclear weapons.

The virus attacks “SCADA” systems, or supervisory control and data acquisition. These systems control major physical infrastructure such as power plants, prison door systems, and electrical grids more. Stuxnet attacks SCADA specifically, shutting down the processes they control. SCADA systems are a scary target, as they control very important entities. For example, one researcher discovered that by hacking a SCADA system, he could open all the prison doors on a maximum security prison.

It is not uncommon to see malware reappear in the wild with slight tweaks that help it fool barriers put up against it. It has not been confirmed, however, whether the Stuxnet virus was behind these attacks.

Power plant image via Shutterstock

U.S. Defense Secretary Leon Panetta is freaked out, and for good reason. He advised America today that the country is in danger of a cyber attack that could end in civilian death.

According to the New York Times, Panetta aired his concern during a speech in New York City saying we may experience a “cyber-Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”

Specifically, he referenced the growing potential for hacks on critical infrastructure, energy grids, and other smart devices. He mentioned derailing trains and contaminating water supplies. There’s evidence to support his concerns, starting with the Stuxnet attacks in Iran in 2010. Stuxnet infected the fueling systems of Iran’s nuclear power plants, causing them to malfunction. The malware attacked “SCADA” systems used to control infrastructure used in all different kinds of businesses including oil facilities to prisons. Indeed, researchers already believe the prison doors to maximum security prisons could be opened due to a similar attack.

Other than to warn the American public about it’s future doom, Panetta was also there to pull support for a cybersecurity bill. Panetta wants a new kind of communication between private businesses and the government sector, so that law enforcement can find out about and assess new viruses quickly.

“Attackers only need to find one weak point in any target, and every major target that Secretary Panetta is concerned about has a truly massive attack surface to check. The need for automation has gone from high to extreme – every critical organization must automate their assessment of whether their attack posture is weak,” said RedSeal Networks chief technology officer Dr. Mike Lloyd in an email to VentureBeat. “However, the Federal Government cannot defend all the private infrastructure we depend on – the banks, the power companies, the transportation infrastructure. These companies have to appreciate the threat to their shareholders and the general public, and this is why Secretary Panetta is making clear how serious the situation is.”

The U.S., according to Panetta, should be watching countries such as Russia, China, and Iran as well. This week the United States Congress Intelligence Committee issued its own warning against Chinese telecommunications vendors Huawei and ZTE stating that they couldn’t be trusted to be out of the influence of the Chinese government. The committee also urged any U.S. companies working with the two should find new partners.

Leon Panetta image via Official U.S. Navy Imagery/Flickr

Flame, the malware related to the infamous Stuxnet that hit Iranian nuclear systems in 2010, may have three sisters in the wild, according to new research by Russian security firm Kaspersky Lab.

Kaspersky Lab first announced the existence of Flame in May, saying it was deployed around two years prior in 2010, and had already affected thousands of computers. Work may have even started on the malware as early as 2007. It targeted a number of countries in the Middle East, and was called one of the most advanced cyber espionage tools to date.

Since May, Kaspersky Lab has been studying Flame’s command and control servers, or the server that receives any data Flame steals and regularly communicates with the malware. When researchers first accessed the command and control server’s dashboard, they immediately assumed it was created by “script kiddies,” or young, inexperienced hackers. The writers also avoided using what Kaspersky calls “professional terms,” including bot, botnet, infection, or malware-command. Instead, they used words like backup, blog, and download. Kaspersky realized that the simplicity of the C&C home as well as the verbiage used was meant to trick anyone who might have audited the server.

In addition to learning about how the malware writers configured their “home base,” Kaspersky also found logs that displayed the nickname of the hacker, along with when the hacker did work on the C&C. Researches hid the nicknames in its analysis report, but provided the initials O, D, H, and R, indicating that there were four separate developers. Each had a different job and accessed a different amount of files within the system .

The four hackers also built four protocols, which communicated with different “clients,” or pieces of malware.

“A close look at these protocol handlers revealed four different types of clients codenamed SP, SPE, FL and IP,” said Kaspersky in its analysis. “We can confirm that the Flame malware was identified as client type FL. Obviously, this means there are at least three other undiscovered cyber-espionage or cyber-sabotage tools created by the same authors: SP, SPE and IP.”

What these three do and whether they are currently active is unknown.

The Flame virus, however, is enough to indicate what the sisters could do. While active, Flame unpacked 20 different modules that spied on the infected computer in different ways. It could tell when you had a communication app open, such as GMail or instant message, and take periodical screen shots to record your conversations. Flame could also turn on the computer’s microphone to record audio happening in the vicinity.

hat tip Wired; Fire equipment image via Shutterstock

Researchers at security firms Kaspersky Lab and Crysys Lab released tools today to detect if your computer is infected by the Gauss virus, a piece of malware that focuses on stealing bank account login credentials.

Gauss was discovered yesterday by Kaspersky Lab, and its function is to steal access credentials to Lebanese banks. These include the Bank of Beirut, BlomBank, EBLF, ByblosBank, Credit Libanais, and FransaBank. It also steals information for Citibank and PayPal. On top of that, the malware grabs browser history, cookies, passwords, system configurations, and more. Researchers have not been able to get much information about the builders themselves, as the command and control servers were shut down, leaving the malware in limbo.

Gauss is related to a number of high-profile viruses including Stuxnet, which became famous after attacking nuclear plants in Iran in 2010, and its sister malware, Duqu. It is also related to the recently infamous Flame, which has been referred to as a major advancement in cyberespionage.

Gauss and Flame are closer together in relation. Kaspersky says the two share nearly identical features and were built off of the same code base. The firm says Stuxnet’s creators probably worked closely with those of Gauss and may have even shared source code.

Find the Kaspersky detector here and the Crysys detector here.

via The New York Times; Image via Shutterstock

---

Big Data and Predictive/Real-time Analytics startups: Are you looking to jumpstart development & accelerate market traction? Sign up for the SAP Startup Focus program to receive technology, support, resources and community to help you develop new applications on SAP HANA, a cutting edge database platform. Get started here, and enter promo code “VB2013″ on the form.

---

A purported Iran scientist working for the Atomic Energy Organization of Iran e-mailed an SOS to F-Secure Chief Research Officer Mikko Hypponen this weekend, saying the AEOI was under a cyber attack.

Hypponen, who is well-regarded in the security community, published a blog post this morning saying he can’t confirm the details, or even existence of the attack, but he can confirm that the e-mails were being sent from within the AEOI.

It sounds like the AEOI may have been hit with an infrastructure-targeting malware attack, similar to those that have plagued the Middle East since 2010 starting with Stuxnet. However, there’s no independent confirmation of this attack’s existence.

According to the e-mail, the malware shut down the AEOI “automation network” in its Natanz and Fordo facilities. The “scientist” specifically mentions Siemens hardware, which could be a reference to SCADA systems, or control systems that electronically monitor and power various pieces of industrial infrastructure. These systems were targeted by the Stuxnet virus that brought down part of Iran’s nuclear fuel systems in 2010. He also mentions that the malware turned on computer’s volumes to high and blasted what appeared to be ‘Thunderstruck’ by AC/DC. Cyber criminals have to have a little humor too.

Iran has been the target of quite a few new pieces of malware this year, including the latest Flame malware that many describe as one of the biggest advancements in cyber espionage to date. The virus comes with 20 different modules that, when unpacked, spy on the infected computer, sending data back to its command and control servers. It detects when you’re using a communications app such as IM or Gmail, and takes screenshots to record your conversation. It can also turn on the computer’s microphone and record audio in the vicinity, sniff network traffic, log your keystrokes, and more.

Some say the U.S. and Israel came together to create Flame — the same is said of Stuxnet.

A similar piece of malware called Madi was also uncovered recently. Madi enters the system through phishing e-mails. When an attachment in the e-mail is opened and installed, Madi opens up a decoy Word Document or PowerPoint presentation, while quietly downloading the malware in the background. Like Flame, the trojan knows when a communications app is open and takes screenshots, as well as records audio, and logs keystrokes.

Both Flame and Madi attack critical infrastructure firms and government entities.

Whether or not this new attack is real, whether it is associated with either malware, and whether this is a new strain, are all still unknown. See the full e-mail below:

I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.

According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am scientist not a computer expert.

There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing ‘Thunderstruck’ by AC/DC.

We have reached out to Hypponen and F-Secure and will update with more information upon hearing back.

Image via Shutterstock

While security researchers have uncovered many things about the Flame malware, one big question has remained unresolved: Who created it?

They might not be surprised by the answer. According to anonymous Western officials, Flame was the work of the governments of the United States and Israel, reports The Washington Post.

The goal of Flame was just as researchers had initially suspected: Espionage. The US and Israeli governments wanted to thwart the nuclear efforts of Iran, and to do that they needed as much information as they could get their hands on. The CIA, NSA, and Israeli military were all involved in the creation of the malware, sources say.

This confirmation follows a story from The New York Times that reported the U.S. and Israel were also responsible for Stuxnet, which attacked Iran’s nuclear facilities in 2010.

This connection wasn’t lost on researchers, who last week discovered a code-level connection between Stuxnet and Flame. Seeing the strong similarities in certain segments of the workings of both Stuxnet and Flame, researchers concluded that the programs’ creators were working together. The Washington Post‘s sources confirmed this: Both Stuxnet and Flame were developed as a part of a program known as Olympic Games.

According to the report, Iran discovered Flame as a result of a viral strike Israel made on Iran’s Oil Ministry and oil-export facilities in April. The attack, which Israel carried out without warning the U.S., allowed Iran to uncover Flame’s infiltration.

Not that the discovery of Flame and Stuxnet have deterred the NSA and CIA: Both agencies are still hard at work on follow ups.

Recent stories have come out showing how the Flame and Stuxnet viruses are connected, that they are some of most sophisticated malware ever found, and that they could be adapted by other hackers for future attacks.

Now CNet is reporting that senior security specialists are worried about the digital signatures that protect vital systems in key U.S. power plants. Digital signatures are encrypted codes that can be used to verify that messages — or commands — are accurate and sent from approved, authenticated sources. They’re currently used to guard vital infrastructure control computers against unauthorized access.

Stuxnet used faked, or illegally obtained digital signatures to avoid detection by anti-virus security software when it was introduced into computers that controlled how Iran was refining uranium. Once in, Stuxnet then subtly introduced errors into those processes, damaging the refining equipment, and slowing Iran’s bomb-building project.

Source: Wikipedia

US nuclear power stations

What if other nations used code based on Stuxnet, and either cracked or stolen digital signatures to do similar things to the United States? An extreme nightmare scenario could be a rogue nation that shuts down cooling pumps at a power generating station, or mis-reports temperature and pressure conditions in a reactor core.

This is unlikely, but security specialists are worried enough to be complaining to the North American Energy Standards Board, which develops standards for the energy production industry in the U.S. and Canada. The problem they see is that the digital signatures that are currently in use to protect access to American power plants’ computers, provided by Oati and GlobalSign, have too long a lifespan: 30 years.

30 years is an eon in computer time, and codes that are uncrackable now may very well be crackable in the future.

Other cryptographic algorithms have been shown to have security issues, such as MD5. It seems rational to assume that future decryption technologies will be able to decode present-day digital signature technologies — particularly if we ever get a practical, working quantum computer.

The proposed solution is to only issue certificates with a shorter life-span, perhaps five years. At the very least, this would ensure a security upgrade twice a decade.

Of course, this is not the only attack vector. The continental electrical grid has already been penetrated by rogue or state-sponsored hackers. A dedicated and massive security effort is urgently needed to ensure that cyber-warfare doesn’t turn out to be the double-edged weapon it certainly resembles now.

Image credit: ShutterStock

The Flame backstory keeps getting fleshed out. And the latest development is a doozy.

Researchers at security company Kaspersky Labs have discovered that portions of the Flame malware are nearly identical to parts of the famed Stuxnet worm discovered in 2010, and which was recently revealed to be part of a U.S. cyberwar effort against Iran.

The similarities of Flame to Stuxnet haven’t gone unnoticed, but it’s only today that the extent to similarities is finally being realized.

Calling the evidence “conclusive”, Kaspersky researcher Roel Schowenberg found similiaries all across the code of both operations.

For researchers, this could only mean one thing: the writers of Flame and Stuxnet were working together. And this wasn’t just a casual collaboration — the developers actually shared source code. This, Schowenberg said, is a major revelation.

“With these kind of operations, your source code is your ultimate possession — and this was shared,” Schowenberg said in an online press conference on Monday. “You don’t share your source of income.”

“This confirms our beliefs that the projects were developed in parallel, and commissioned by the same entities,” he said.

One of the links comes in the form of  Resource “207″, a module used to automatically infect removable USB drives. A major component of early versions of Stuxnet, portions of the file were also discovered in Flame.

With the newest findings, Kaspersky Lab researchers have concluded that Flame predates Stuxnet, and that Flame itself was used as a platform for the Stuxnet effort. The efforts of the two teams working on the projects split in 2009, Kaspersky believes.

Schowenberg has some theories on the connection, and said that it’s possibile that Stuxnet was meant to be primarily a sabotage operation. Flame, on the other hand, was built for espionage and information acquisition.

“[It's possible that the developers] didn’t want to mix the tools any longer than was strictly necessary,” Schowenberg said.

With every new discovery, researchers are getting not just a clearer picture of Flame, but of something much larger as well.

“If we discover something in Flame, it can tell us something about the whole organization,” Kaspersky lab researcher Vitaly Kamluk said.

All of which underscores the importance of previous findings that the Flame writers were attempting to erase the malware from infected computers. Perhaps this connection is one that the creators of both programs wanted to keep secret.

It’s been rumored for some time that the Stuxnet virus, which attacked Iran’s nuclear facilities in 2010 before escaping and wreaking havoc on the public Web, was a joint effort between the U.S. and Israel. But, aside from security firm reports, their connection was mostly speculation — until today.

A lengthy New York Times report this morning confirms that Stuxnet was indeed an American and Israeli project, and it also reveals some fascinating details about the first major cyberwar effort in the world.

According to the NYT, the cyberwar campaign, dubbed “Olympic Games,” began under President Bush in 2006 as a way to stall Iran’s nuclear ambitions. After virtually mapping Iran’s Natanz plant, the U.S. worked with an Israeli team to create an early variant of Stuxnet, which was programmed to target Siemens equipment and destroy centrifuges being used to purify uranium.

Given that the U.S. was in the middle of several ground efforts in the Middle East, it was tough to rally international support for a physical strike against Iran as well. A cyber-strike made more sense at the time, and it seems President Obama agreed, as he accelerated the cyberwar effort during his first few years in the White House.

“From his first days in office, he was deep into every step in slowing the Iranian program — the diplomacy, the sanctions, every major decision,” a senior administration official told the NYT. “And it’s safe to say that whatever other activity might have been under way was no exception to that rule.”

All was going well until an updated version of the virus made its way out of the Natanz plant. The new version of the virus had an error in its code that allowed it to spread to an Iranian engineer’s laptop, and it spread to the Internet when he left the plant.  White House officials blamed Israel for the mistake, according to the NYT.

Once the virus began replicating itself on the Web and attacking Siemens equipment worldwide, security companies ended up calling it Stuxnet.

Flame, the most recent virus targeting computers in the Middle East, wasn’t a part of Olympic Games, American officials told the NYT. They didn’t comment on whether the U.S. was behind Flame.

There are plenty of advantages to cyberwarfare: it involves practically no human casualties and lengthy ground campaigns, to name just a few. But it’s not a panacea, as relying too much on cyberwar efforts will inevitably make the U.S. a bigger target for cyber-strikes. That’s something that President Obama kept in mind as he accelerated the Olympic Games effort, the NYT reports.

Photo via President.ir

Update: The United Nations is sending out a warning to member countries about cyberwar tool Flame.

Iran has confirmed the presence of a new and highly complex piece of malware targeted at Middle Eastern countries. The virus, called Flame, is said to be as worrisome as Stuxnet, which plagued Iranian nuclear systems in 2010.

“This malware is a platform which is capable of receiving and installing various modules for different goals,” Iran’s CERTCC said in a blog post. “The research on these samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat.”

Iran says that it has created an anti-virus tool that can detect Flame, as well as a removal tool, which is being distributed.

The New York Times is reporting that this virus has hit high-ranking Iranian officials. Russian security company Kaspersky Lab first unveiled the virus yesterday, saying it was one of the most complex cyberwar tools it has ever seen. It may have been running unchecked for at least two years, and was attacking a number of household computers around the Middle East. The firm found Flame while researching another virus called Viper, which was deleting hard drives in the Middle East and recently caused Iran to shut down Internet access to its oil infrastructure.

The United Nations is sending out a warning about Flame to its member countries agreeing that it may be a state-sponsored attack, according to news site Aljazeera.

“This is the most serious [cyber] warning we have ever put out,” said UN cyber security coordinator Marco Obiso, cyber security told Aljazeera.

Flame has the ability to turn on a computer’s microphone and record audio of conversations happening around the computer. It can listen for when you open up “interesting” communications programs, such as an instant message box, and take screenshots to record the conversation. It can also watch for your keystrokes, and listen in on your network, all the while sending this information back to its many command and control servers.

Both Iran’s CERT and Kaspersky note that it is similar to Stuxnet, a state-sponsored virus that was used to attack infrastructure that provided fuel to Iran’s nuclear program. Flame does not attack these types of systems, or SCADA systems. However, Kaspersky believes that like Stuxnet, Flame is a state-sponsored attack, and according to the New York Times, Israel may be hinting its involvement.

“Anyone who sees the Iranian threat as a significant threat, it’s reasonable that he will take various steps, including these, to harm it,” said Moshe Yaalon, Israel’s vice prime minister and strategic affairs minister, on Army Radio Tuesday. “Israel was blessed as being a country rich with high-tech, these tools that we take pride in open up all kinds of opportunities for us.”

via The New York Times; Flame image via Shutterstock

An extremely complex virus infecting computers in the Middle East called Flame was made public today. It’s being likened to the Stuxnet virus, which attacked Iranian nuclear systems in 2010.

“Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated,” said Alexander Gostev, Kaspersky Lab’s head of global research and analysis in a blog post. “It pretty much redefines the notion of cyberwar and cyberespionage.”

Kaspersky Lab, a Russian security research team, made light of the extensive virus today, saying it may have run unchecked since 2010 and continues to be developed today. Flame is a Trojan, but it’s point of entry is unknown for the time being. Once in, the virus unpacks 20 modules, each with a different tool. Types of tools include a screen capturing tool, which listens for when an “interesting” app is opened — such as an instant message box — and then takes a screen shot to record your conversation. Another turns on your computer’s microphone and records conversations happening in the room, within the mic’s audio reach. It can also watch and record what your type, sniff network traffic and more, sending all the information to the virus creator’s several command and control servers.

Flame is compared to Stuxnet because of its ties to the Middle East — some of the top countries it is targeting are Iran, Lebanon, Syria, and Israel — its complexity, and because researchers believe this is a state-sponsored attack. Researchers also note that Flame “is not designed to steal money from bank accounts,” and is too complex to be developed by hacktivists, who usually use less intensive attacks such as distributed denial of service attacks.

“It looks like the creators of Flame are simply looking for any kind of intelligence — e-mails, documents, messages, discussions inside sensitive locations, pretty much everything,” said Gostev in the blog post. “We have not seen any specific signs indicating a particular target such as the energy industry — making us believe it’s a complete attack toolkit designed for general cyber-espionage purposes.”

Stuxnet, which attacked Iran’s nuclear power infrastructure in 2010 was believed to be a government project, aimed at damaging infrastructure that may have been related to a nuclear weapons program. It does not look like Flame is attacking these systems, called SCADA systems, though it has the capacity to. The virus is also around 20 times larger than Stuxnet, installing at 20 megabytes, and was probably created by different parties.

Stuxnet and its recently discovered sister Duqu were built on the Tilded platform and are said to have three other siblings in the wild. Flame was not, however, built on this platform, according to Kaspersky, and is thus not a sibling.

Kaspersky Lab found the worm while digging around for more information about the Wiper virus — another piece of malware aimed at the Middle East. In this case, Wiper, also known as Viper, would infect a system and delete any number of files from it, wiping out anything that came in its path. At the time, Wiper infected Iran’s Oil Ministry, deleted whole hard drives within the ministry, and eventually caused it to shut down Internet access to all of its oil facilities and rigs.

Flame image via Shutterstock

Iran shut down Internet access to its oil terminals today following a cyber attack that is said to have begun on Sunday afternoon.

The Oil Ministry shut down Internet access to all of its oil facilities, operations, and rigs soon after finding the virus, dubbed “wiper”, according to an anonymous Oil Ministry employee who spoke with The New York Times. According to this individual, Iran’s oil production and exports were not affected.

The virus was responsible for some wiped hard drives within the ministry, appropriately earning its name. Related websites such as the National Iranian Oil Company and the National Iranian Gas Company were also shut down, according to the Times, though whether they were shut down by the virus or the Ministry remains unclear.

This virus isn’t the first of its kind to hit Iranian infrastructure. In 2010, a virus called Stuxnet affected Iran’s nuclear program by attacking its control system called SCADA or supervisory control and data acquisition. The SCADA system controls various processes (both hardware and software oriented) within the nuclear program, including those responsible for creating fuel for potential nuclear weapons.

“Attacks on critical infrastructure are more common than many think,” said McAfee security director Brian Contos in an e-mail to VentureBeat, “Because of a lack of disclosure in these industries, many incidents ranging from sabotage and intellectual property theft to extortion go unreported.”

Other SCADA systems, including those on U.S. soil are flagged as being vulnerable to cyber attack. John Strauchs, who owns a security consulting firm, flagged prison doors controlled by SCADA systems as a potential target. He came to the conclusion soon after receiving a call about a prison’s death-row doors popping open. In that case, the doors were triggered by a faulty wire.

via The New York Times; Oil pump image via Shutterstock

In 2010, Stuxnet infiltrated Iran’s nuclear program. The highly capable malware targets an industrial control system called SCADA, which operates as a management tool for commercial grade software and hardware. It shut down the equipment responsible for creating fuel for nuclear weapons, which Iranian president Mahmoud Ahmadinejad later admitted. In 2011, the Duqu virus was discovered and named as part of the Stuxnet family of malware, bringing the count up to two highly sophisticated worms.

According to a report by Reuters, Russian security company Kaspersky Labs has identified three others. When originally found, Kaspersky said Stuxnet was so mature it could have been made by an intelligence agency. Later, the United States and Israel were both blamed for its creation and eventual dispersal. Neither country has taken responsibility.

Though we don’t know what lab the worms originated from, the same one gave birth to both Stuxnet and Duqu as well as the three siblings. Kaspersky discovered this after observing the two virus’ attempt to find the other three. Costin Raiu, the firm’s director of global research and analysis, explained that when the two are deployed, they search for registry keys that allow them to fully install their malware. When searching for those keys, however, Kaspersky found Stuxnet and Duqu were both searching for three other keys. This means that the worms have siblings that work in tandem with it, strengthening its damaging power.

“It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,” Raiu told Reuters.

Stuxnet specifically attacks equipment running on the Windows operating system. It can erase its tracks, pose as certificate-baring legitimate software and multiply on its own. Duqu, on the other hand, acts as a Trojan, stealing data, potentially acting in the planning stages of an attack.

It’s not yet clear what the siblings can do, but it seems the existing sisters want a reunion.

via Reuters, Malware image via Shutterstock

One Christmas Eve, security consultant John Strauchs received a call about a new maximum security system he’d installed in a US prison. “All the doors popped open on death row,” said the person on the other end.

Strauchs’ (pictured below, right), who owns a security consulting company, thankfully didn’t have his own prison doors hacked into that night. Rather a part of his security system was leaking enough voltage to trip the electronic locks keeping the prisoners safe in their cells. The close call was too close for Strauchs, who knew if this sort of event can happen by accident, there has to be a way to exploit it.

“[I asked myself] what could you do if you [tripped the doors] deliberately? The answer is: we can do anything,” said Strauchs in an interview with VentureBeat.

Soon thereafter, the media started reporting about the Stuxnet virus affecting programmable logic controllers (PLC), or computers that control electronic devices programmed to perform automatically, and Strauchs had an “epiphany.” According to him, most security systems don’t use PLCs, but maximum security prisons are an exception, leading him to believe a similar vulnerability could be exploited.

So, Strauchs and his team went to work poking at the hole in the system, and it didn’t take long to break into a prison system. The team created malicious code, only 30 lines, using legitimate software, which only racked up a $2,500 price tag. Not too much if you’ve got a little extra saved and feel like opening some prison doors on a Saturday, but the price tag gets even lower if you don’t buy the software outright.

“We went totally legimate,” explained Strauchs, “But if we were not scrupulous and got the software off the internet, it would have cost $500.”

Executing the code can be done in one of two ways; you can “social engineer,” or in essence talk your way, into the physical location of the targeted prison and install a USB drive with the malicious code, or you can find internet access and surf your way in. The latter, in theory, should be very hard to execute, as prison central control systems aren’t supposed to have any access to the internet. There’s no reason to have it. But Sean P. McGurk, former director of the National Cybersecurity and Communications Integration Center for the Department of Homeland Security, told the Washington Times that his team always found internet connections in the 400 plus prison control systems he visited.

“I’ve designed 114 justice design systems and I can’t imagine why central control ever needs internet access, or for that matter a USB drive,” said Strauchs, who went on to say he saw a prison guard checking his Facebook account in a control center he once toured.

The more dangerous part is that central control may never know doors have been opened. In fact, the code can cloak its activity, making it seem as if everything is fine. But just because doors have been opened doesn’t mean prisoners can immediately escape. There are a few hurdles to pass before reaching the outside, which is why Strauchs believes an attack like this is more geared toward internal initiatives. Indeed, the malware can be rigged to keep doors closed as well.

“If you are a [gang member], you prevent a door from opening, and you start a prison fire,” Strauchs gave as a possible use case other than freeing convicts.

Before bringing the vulnerability to the masses, Strauchs’ team set up multiple presentations for federal agencies, and in the end promised not to release the code itself, though Strauchs believes it so easy to duplicate that withholding it isn’t protecting people for very long.

Currently, a few agencies have started to look into the issues, despite the one main one which may simply be lack of education.

“I think a lot of it is telling people that there is a vulnerability. Most people in America aren’t computer savvy and don’t want to be,” said Strauchs, “But once they understand this a serious vulnerability … they will comply.”

[Prison doors via Shutterstock]

[via Washington Times]

If you want to buy a million email addresses from criminal hackers, the going rate is $25, according to a second quarter report from antivirus firm McAfee.

The new McAfee Q2 2011 Threats Report also shows that mobile malware is on the rise, with malware targeted at Android devices up 76 percent from the previous quarter. Google’s Android is not only the most popular mobile operating system in terms of adoption rates; it’s also the most-attacked mobile operating system. New forms of malware are appearing as often as 55,000 times a day.

“We are seeing continued growth in the total number of malware samples, just as we did last quarter,” said Toralv Dirro, security strategist at McAfee Labs, in an interview. “There are more tools to create malware in the underground market.”

McAfee estimates that its collection of malware, or “zoo,” will reach a record 75 million samples by the end of the year, based on the first half results.

The quarter also saw some new developments such as the first-ever appearance of a fake antivirus attack for Apple’s Macintosh operating system. That’s a byproduct of the resurgence of the Mac among users, making Apple a bigger target for malware authors.

Overall attacks are becoming more stealthy and sophisticated. That’s one of the outcomes of the launch of Stuxnet last year, a mysterious piece of malware that targeted Iran’s nuclear centrifuges and other industrial equipment. Stealth malware is up 38 percent from a year ago.

High-profile “hacktivist” groups such as Anonymous and LulzSec have changed the landscape by drawing a fine line between attacks for personal gain and attacks meant to send a message. There were roughly 20 major hacktivist attacks in the second quarter alone, mostly due to the alleged activity of LulzSec.

The report also logs important details on the cybercrime underground, such as “price books” that determine the going rate for the purchase of large email address lists, acts of hacktivism, and cyberwar. In the U.S., a batch of 1 million email addresses costs $25. In England, 1.5 million addresses sell for $100.

The cyber war attacks included an attack on the United States’ Oak Ridge National Laboratory and an attack on South Korea’s National Agricultural Cooperative Federation.

McAfee said it discovered 12 million unique samples of malware in the first half of 2011, up 22 percent from a year earlier. That makes this period the business half-year in malware history. McAfee now has more than 65 million samples in its zoo.

Android surpassed Symbian in the second quarter as the most-targeted mobile operating system. The malware is contained in everything from calendar apps to comedy apps to text messages and fake Angry Birds updates.

“It used to be hacking for bragging rights on mobile,” Dirro said. “Now it’s for commercial gain.”

Malware apps often secretly send text messages from a compromised phone to premium text message numbers.

Perhaps the only good news is that spam is at historic lows due to the takedown of the Rustock bot net. A bot net is a group of compromised computers that have been hijacked in order to launch group attacks, such as spam broadsides. McAfee expects a sharp rise in the coming months as cybercriminals recover from the Rustock takedown.

Stuxnet

The New York Times delved into that topic today in a long story that examines the evidence and reveals new details about the computer worm, which is among the most sophisticated ever created. The story includes some interesting technology details that show just how clever it was and how much damage it may have done to Iran’s centrifuges, the critical equipment that is used to make fuel for the nuclear facilities in Natanz, Iran. Iranian officials acknowledged that the start-up of the country’s Bushehr Nuclear Power Plant has been delayed in part because of Stuxnet.

While it may have done damage to Iran’s nuclear program, Stuxnet is also like a genie out of the bottle. Now that it exists, other cybercriminals will seek to take advantage of its techniques in attacking other targets.

Stuxnet is a Windows-based computer worm first described by security researchers in Belarus in June 2010. It was unusual in that it targeted industrial systems that use Siemens’ software. Russian security firm Kaspersky Labs said that Stuxnet is a “prototype of a cyber weapon that will lead to the creation of a new arms race in the world.” Kaspersky believes that the worm could only have been created with “nation-state support.”

One of the purposes of Stuxnet was to send Iran’s nuclear centrifuges “spinning wildly out of control,” causing irreparable damage. Another clever feature was to record what normal operations at the plant sounded like and then to play the readings back to the plant operators, like a pre-recorded security tape in a bank robbery, so that it would appear “that everything was operating normally while the centrifuges were actually tearing themselves apart.” The ruse prevented a safety system from shutting down the machines.

The attacks were only partially successful, but it is possible the worm contains the seeds for more attacks. Stuxnet also faked digital security certificates, something that suggested a sophisticated creator. Digital signatures are certificates for web sites that verify that they are who they say they are and are malware free. Antivirus software tends to give a free pass to any software that shows it has a digital signature certificate

The worm was also evidently transmitted through shared universal serial bus (USB) memory modules, since the centrifuge machines are not connected to the internet.

The story suggests that the U.S. government had a hand in identifying the weaknesses of the Siemens software. In 2008, the German company worked with the U.S. Idaho National Library, part of the Energy Department, to identify the holes in Siemens systems. Those holes were exploited by Stuxnet. American and Israeli officials have declined comment on whether they collaborated in creating Stuxnet.

The Department of Homeland Security teamed up with the Idaho National Laboratory to study a widely used Siemens industrial controller, known as Process Control System 7, which can control lots of instruments, machines and sensors at the same time. The lab acknowledges it created a report on the cyber-vulnerabilities but did not detail specific flaws.

According to WikiLeaks disclosures, the State Department described urgent efforts in April 2009 to stop a shipment of Siemens controllers, contained in 111 boxes at the port of Dubai, from getting to Iran. The United Arab Emirates blocked the transfer of the Siemens computers. Shortly after that, Stuxnet struck. Symantec found it did a lot of damage in Iran but also struck in countries such as India and Indonesia. Symantec’s Kevin Hogan, a security expert, said that 60 percent of computers infected by Stuxnet at one point were in Iran.

A German security researcher, Ralph Langner, discovered that the worm kicked into gear when it detected the presence of a specific configuration of controllers, running a set of processes that appear to exist only in a centrifuge plant. One piece of the code sent commands to 984 linked machines, Langner found. And nuclear inspectors visiting Natanz in late 2009 found that the Iranians had taken out of service exactly 984 machines that were running the previous summer.

The New York Times said that Israel likely tested Stuxnet on rows of centrifuge machines running at the secret Dimona complex where Israel makes its fuel for nuclear weapons, in the midst of the Negev desert. In November, Iranian president Mahmoud Ahmadinejad said a cyberattack had “caused minor problems with some of our centrifuges.” Two Iranian scientists believed to be part of the nuclear program were hit with car bombs in Iran in late November, which killed one of them and seriously injured the other.

The whole point of the Stuxnet worm was to disrupt the Iranian program, setting it back a few years, without triggering a war between Israel and Iran. But McAfee said that “Stuxnet has infected thousands of computers of unintended victims from all over the globe.”

[stuxnet map: UMBC ebiquity]

The Stuxnet computer worm was discovered in June by a Belarus-based security firm. The worm spies on and reprograms industrial control SCADA (Supervisory Control And Data Acquisition) computers made by German conglomerate Siemens.

Transmitted through shared universal serial bus (USB) memory modules, the worm can reprogram computers and hide its changes. The worm uses the USB transmission technique because many industrial computers are not connected to the web. The original target of Stuxnet wasn’t clear, as it appeared it could attack any device. But news reports suggest that the particular target was Iran’s nuclear facilities in Natanz and its Bushehr nuclear power plant.

“They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts,” said Ahmadinejad. “But the problem has been resolved.”

Russian security company Kaspersky Labs said that the worm was one of the most sophisticated ever created, suggesting that it might have been created by an intelligence agency with cyber know-how. Stuxnet exploited multiple unpatched vulnerabilities in Windows, relied on stolen digital certificates to disguise the malware, and hid its code by using software known as a rootkit. Microsoft hasn’t fully fixed the vulnerabilities.

At one point in September, some 60 percent of infected computers worldwide were in Iran, suggesting that the intended target was in Iran. The problem with creating a virus to attack one particular target is that it can be modified to attack any target. With Stuxnet, the genie is out of the bottle. Now the worm can be modified to attack any sort of industrial equipment.

In its own bulletin today, antivirus firm Symantec said, “This specialized malware written to exploit physical infrastructures will continue in 2011 driven by the huge sums of money available to criminal enterprises at low risk of prosecution. These attacks will range from the obvious targets like smartphones, to any number of less obvious yet critical systems like power grid controls or electronic voting systems.”

Meanwhile, antivirus vendor McAfee has said, “More detailed analysis found that Stuxnet is more than just a spy worm, but a weapon written to sabotage critical infrastructure. Stuxnet has infected thousands of computers of unintended victims from all over the globe.”

The worm attacks industrial control systems. Because of that, officials have wondered whether Iran was targeted because hackers wanted to take down its controversial nuclear reactor, which is feared to be making high-grade plutonium for nuclear weapons. The Stuxnet worm, first discovered in June by Belarus-based security firm VirusBlokAda, might have been an attempt to disable the Bushehr reactor from afar.

Experts from Iran’s Atomic Energy Organization reportedly met this week to discuss how to remove the malware. The worm targets control systems that use Siemens’ SCADA software (supervisory control and data acquisition), which operates all sorts of factories from power plants to military installations. Symantec reported that Iran was hit hardest by Stuxnet, which was spread through universal serial bus (USB) flash memory drives that were left in areas where unsuspecting employees could pick them up and plug them into their computers.

Roughly 60 percent of all incidents related to Stuxnet have been reported in Iran. The question arises as to who created the Stuxnet worm and whether it was a state that doesn’t want Iran to have nuclear weapons.

Stuxnet exploited multiple unpatched vulnerabilities in Windows, relied on stolen digital certificates to disguise the malware, and hid its code by using software known as a rootkit. Microsoft hasn’t fully fixed the vulnerabilities. U.S. cybersecurity officials told the Associated Press they didn’t know who created the worm or what its purpose is. Certainly, it can disable more SCADA-based machines than just those in Iran.