Kindle Notes & Highlights
by Kim Zetter
Read between August 4 - August 15, 2018
The next year, in fact, a group of teenagers broke into military networks using the same kinds of low-level techniques, in a case dubbed Operation Solar Sunrise. The intruders, who pilfered sensitive data across five hundred systems, turned out to be two California teens on a digital joyride, egged on by an Israeli hacker named Ehud Tenenbaum. At the time, the DoD was prosecuting two military campaigns, in Bosnia and Herzegovina and in Iraq. The intrusion, to military leaders, looked a lot like what enemy attackers would do if they were trying to gain a battlefield advantage.
Teenage hackers who seemed to be behaving like a government mounting a digital attack. Similar to War Games. People got spooked.
The need for a longer lead time is one of the primary drawbacks of digital operations—designing an attack that won’t cascade to nontargeted civilian systems requires advance reconnaissance and planning, making opportunistic attacks difficult.
Good point. Also means that if rushed, could easily have unintended consequences, which seems a likely outcome, no matter the actor.
But he had never heard of Fararo Paya converters before. This was significant: he and his staff closely followed Iran’s procurement and manufacturing activities for the nuclear program and weren’t aware that Iran was making its own converters. If Iran was using such converters at Natanz, then the attackers had knowledge of the enrichment program that even some of its closest watchers didn’t possess.
Attackers had deep inside knowledge, given that they knew to attack the Iranian-made frequency converters as well.
Kaspersky and Symantec had always suspected that prior to Stuxnet’s assault on the centrifuges in Iran, the attackers had used an espionage tool to collect intelligence about the configuration of the Siemens PLCs. The information could have come from a mole, but now it seemed more likely that a digital spy like Duqu had been used.
Malware discovered after Stuxnet (“Duqu”) and very similar to it (even though its zero days had been published) may have been deployed earlier, probably in order to collect the intelligence necessary to craft and launch Stuxnet itself. Perhaps in part as well to steal certs that Stuxnet used.
Gauss also took another precaution with its payload. Unlike Stuxnet, the keys for unlocking this mysterious payload were not stored in the malware. Instead, the warhead could only be decrypted with a key that was dynamically generated from the configuration data on the machine it was targeting.
First it collected very specific configuration data from the targeted machine—information about directories, program files, and other resident data—then combined the names of each file, one by one, with the name of the top directory in the Windows Program Files folder on the machine. To this string of data it added a special value, then ran it through the MD5 hash algorithm 10,000 times, rehashing the resulting hash to produce a new hash each time.25 If, at the end, it generated the correct hash it was seeking, the malware proceeded to the next step.
That’s intense, and seems it could be really prone to false negatives unless they had continuous access to target machines?
Even when Gauss arrived at the hash it was seeking, it didn’t immediately unlock the payload. Instead, it recalculated the 10,000th hash using a different added value. The hash from this operation then became the key that unlocked the warhead.
Intense. All of this was effective. As far as we know, the specific target/target configuration and thus the full function of Gauss hasn’t been discovered by security researchers.
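The two highlights above describe a keying scheme rather than show it, so here it is written out as an added example. This is not code from the page or from Gauss itself: MD5 and the 10,000 iterations come from the text, while the salt values, the directory names, the stand-in payload and the XOR keystream cipher are constructed assumptions (the page does not say which cipher protected the warhead). The point it demonstrates is that the implant carries only a hash and a ciphertext; the key exists only on a machine whose Program Files contents reproduce the expected input.

```python
import hashlib

ROUNDS = 10_000  # the page says the hash was iterated 10,000 times

# Constructed constants for this example only; the real Gauss salts and
# target hash are not on the page and are not reproduced here.
CHECK_SALT = b"check-salt-example"   # the "special value" added before hashing
KEY_SALT = b"key-salt-example"       # the different value used for the key


def iterated_md5(data: bytes, rounds: int = ROUNDS) -> bytes:
    """MD5 the input, then MD5 each resulting digest again, `rounds` times total."""
    digest = data
    for _ in range(rounds):
        digest = hashlib.md5(digest).digest()
    return digest


def fingerprint(entry_name: str, program_files_dir: str, salt: bytes) -> bytes:
    """Combine one directory or file name with the top Program Files folder
    name and a salt, then run the iterated hash over the result."""
    material = entry_name.encode("utf-8") + program_files_dir.encode("utf-8") + salt
    return iterated_md5(material)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the payload cipher (assumption, not Gauss's cipher):
    XOR with an MD5(key || counter) keystream. Symmetric, so one function
    both encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.md5(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# --- attacker side: done once, with prior knowledge of the target machine ---

def build_payload(target_entry: str, target_program_files: str, plaintext: bytes):
    """Return (target_hash, ciphertext). Only these two values ship inside the
    implant; the key is never stored and must be re-derived on the victim."""
    target_hash = fingerprint(target_entry, target_program_files, CHECK_SALT)
    key = fingerprint(target_entry, target_program_files, KEY_SALT)
    return target_hash, keystream_xor(key, plaintext)


# --- victim side: runs on every infected host ------------------------------

def try_unlock(entries, program_files_dir: str, target_hash: bytes, ciphertext: bytes):
    """Walk the host's directory entries one by one. If an entry reproduces
    the target hash, recompute the iterated hash with the second salt and use
    that as the key. On any other host return None and leave the blob opaque."""
    for name in entries:
        if fingerprint(name, program_files_dir, CHECK_SALT) != target_hash:
            continue
        key = fingerprint(name, program_files_dir, KEY_SALT)
        return keystream_xor(key, ciphertext)
    return None


if __name__ == "__main__":
    # Constructed target environment and a stand-in payload.
    target_hash, blob = build_payload("AcmeLedgerClient", "Program Files",
                                      b"stand-in warhead: unlocks only on the intended host")
    victim = ["Common Files", "AcmeLedgerClient", "Internet Explorer"]
    print(try_unlock(victim, "Program Files", target_hash, blob))
    bystander = ["Common Files", "Internet Explorer"]
    print(try_unlock(bystander, "Program Files", target_hash, blob))  # None
    # Same program, but under a localized Program Files folder name: also None
    print(try_unlock(victim, "Programme", target_hash, blob))
```

Two things fall out of running it. First, the false-negative worry in the note above is real: a rename, a localized Program Files folder name, or an install to a different path changes the input and the payload never unlocks, so the attacker needs accurate and stable knowledge of the target before shipping. Second, an analyst who captures the sample gets only the hash and the blob; without the target host the only route to the key is guessing the input material, and the 10,000 rounds make every guess cost 10,000 MD5 calls, which is the reason the check stays cheap for the victim but expensive for a dictionary search.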
Obama decided not only to reauthorize the digital sabotage program but to accelerate it. It was in this environment that he gave the green light for a new, more aggressive, version of Stuxnet to launch—the one that targeted the frequency converters at Natanz.
First attack on the valves was in progress as Bush and Obama began the transition. Obama was quickly convinced to continue the program and also authorized the next generation of Stuxnet that targeted the frequency converters (and was more aggressive in its infection to reach its targets, and thus was more easily detected). It seemed clear that the valve attack was working but not well enough. Iran was slowed but not stalled.
The United States was interested in pursuing constructive ties with Iran that were “honest and grounded in mutual respect,” he said, and was seeking a future in which the Iranian people, their neighbors, and the wider international community could live “in greater security and greater peace.”
But while Obama was extending one metaphorical hand in peace to the Iranian people, other hands were preparing a new round of digital attacks on Natanz.
Why the attackers increased their firing power to reach their target at this point is unclear. Perhaps the two years they’d spent inside Natanz’s computers had merely made them reckless, overconfident. But the most likely explanation is that the earlier versions of Stuxnet had been delivered via an insider or someone with close access to the target machines. If Stuxnet’s creators had subsequently lost this access, they would’ve felt the need to ramp up the spreading power to improve their chances of reaching their target.
Stuxnet had a disinfect feature that allowed the attackers to remove it from an infected machine. As Stuxnet began to spread wildly out of control and the attackers started seeing infected machines reporting in to their server from Indonesia, Australia, and elsewhere, they could have sent out a disinfect command to delete the code from those machines. There were a limited number of possible reasons that they didn’t do this.
It’s possible that subsequent versions of Stuxnet were unleashed but were so much more tightly controlled that they’ve never been found.
There was no telling what it might have accomplished over time as Iran installed more centrifuges and cascades. For this reason Barzashka believed the attackers made a mistake in unleashing Stuxnet too soon. Had it been held in abeyance until more centrifuges were installed and more uranium gas was in play, its effects on the program might have been more detrimental.
They made Stuxnet too aggressive under Obama and decreased its effectiveness? But it did bring Iran to the table for the treaty with the US and Europe.
IF THERE IS one thing to be said in Stuxnet’s favor, it’s that the digital attack, along with other covert operations, did succeed in staving off an ill-advised military attack against Iran. And despite continuing tension and gamesmanship, nobody has been willing to take that step in the wake of Stuxnet—
Stuxnet’s authors had mapped a new frontier that other hackers and nation-state attackers will inevitably follow; and when they do, the target for sabotage will eventually one day be in the United States.
Of all the nations that have a cyberwarfare program, however, the United States and Israel are the only ones known to have unleashed a destructive cyberweapon against another sovereign nation—a nation with whom it was not at war.
Didn’t Russia strike Ukraine and/or Georgia? Or is that speculation as far as the unclassified world is concerned?
The horrors and costs of war encourage countries to choose diplomacy over battle, but when cyberattacks eliminate many of these costs and consequences, and the perpetrators can remain anonymous, it becomes much more tempting to launch a digital attack than engage in rounds of diplomacy that might never produce results.
“My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms,” Symantec’s Kevin Haley wrote of the post-Stuxnet future.8 LoveLetter, the Conficker worm, and even the Zeus banking Trojan would become quaint reminders of the days when attacks were simpler and, by comparison, more innocent.
Stuxnet was a remarkable achievement, given its sophistication and single-minded focus. But it was also remarkably reckless. Because like the atomic bombs detonated over Hiroshima and Nagasaki, it introduced the use of a powerful technology that will have consequences for years to come.
At least cyberweapons have the potential to be far more selective in their damage—though of course they can be just as devastating, if not more so, in their collateral damage. And as demonstrated in this analysis, it takes a lot of extra work to make the weapons specifically targeted and to avoid unintentional damage.
How ironic then, Benedict noted, “that the first acknowledged military use of cyberwarfare is ostensibly to prevent the spread of nuclear weapons. A new age of mass destruction will begin in an effort to close a chapter from the first age of mass destruction.”
The nations, of course, that are most at risk of a destructive digital attack are the ones with the greatest connectivity. Marcus Ranum, one of the early innovators of the computer firewall, called Stuxnet “a stone thrown by people who live in a glass house.”
“The question is, would Microsoft have allowed this?” Lotrionte asks. “That’s what would concern me. The intelligence community will try everything, and I often wonder why companies put themselves at risk. I’m thinking if it was operational use and if they were put on notice, that’s interesting.” Sources knowledgeable about the situation say that Microsoft was not notified and did not provide permission for the operation. “If that happened, it would be the end of the company,” one said. “That’s a gamble nobody [at the company] would take.”
Did Microsoft know about the attack (the portion that allowed Windows Update to be redirected to a local network replacement, with the certificate hash collision)? Seems not, but some argue that the government has an obligation to notify the company in a case like this that tampers with trusted infrastructure.
In 2011, Pentagon officials took at least one step in this direction when they announced that any digital attack against the United States that took out portions of the electric grid or resulted in casualties would be considered an act of war and receive the appropriate response—even a kinetic military response, if the situation called for it, using “all necessary means.”53 In other words, as one military official put it, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
Yes, though the real trick is identifying the actor without the possibility that it was someone else posing as the supposed actor. So much opportunity for framing another nation or group to provoke a conventional warfare response.
policy, unlike the interpretation of the Tallinn experts, doesn’t distinguish between an act of force and an armed attack—the two are considered the same. Under this interpretation, then, Stuxnet was an illegal armed attack, and Iran could have made a case for responding in self-defense.
Martin Libicki, an expert on cyberwarfare with the RAND corporation, questions the wisdom of allowing cyber conflicts to be resolved with kinetic attacks. He wonders if it wouldn’t be wiser to apply “Las Vegas rules” to cyberwarfare so that what happens in cyberspace stays in cyberspace. “Your escalation potential, if you go to the kinetic realm than if you stay in the cyber realm, is much greater,” he says. “So a rule that says you can only match cyber with cyber puts a limit on your topside risk.”