
ramriot t1_j4gl0fi wrote

Not off the top of my head & I'm not rewatching & rereading my research paper collection after 20 years. Just know that no documentary can tell the whole story here.

But if you push me, one aspect is, I don't believe they fully describe the original exploit in sufficient detail so a viewer can understand how it was specifically targeted for release inside an air-gapped network. Only later was it altered & indiscriminately released in a way that made it look like a broader infection.

Though had it not been misused after initial targeting we would most probably have never heard of it.

64

abitrolly t1_j4h796y wrote

I worked at the company that originally discovered it. Siemens SCADA software is run on Windows machines that are not connected to the Internet, and hence never patched. So any kind of malware that uses autorun exploits can get there. Knowing that, it is easy to target the machines. What is not that easy is to develop a fuzzer that, once installed, will properly send disruptive commands, instead of just freezing the PC.

35

charleswj t1_j4ht5go wrote

>not connected to the Internet, and hence never patched

These two things are not mutually exclusive, and it is almost criminal in a nuclear facility.

19

80burritospersecond t1_j4imm1t wrote

It's also kinda poor design to have all your emergency stop smash buttons be nothing but PLC inputs when they should be independently cutting power to the prime movers in whatever system is being controlled.

7

Burdekin_Boy t1_j4jv36w wrote

Yeah, E-stops into PLCs should only really be for signal/logging. Stand-alone safety relays should be in use.

3

TheImmortalIronZak t1_j4jvgft wrote

Absolutely is not. Most intelligence departments, Department of Justice, Homeland etc. all have some departments with air-gapped machines for security reasons. They can never be "hacked" or the like due to that. And as for the Iranian government's uranium enrichment center, the air-gapped machines control all aspects of the enrichment process, the centrifuges, etc. for the same reason.

0

charleswj t1_j4k0o72 wrote

>Absolutely is not. Most intelligence departments, Department of Justice, Homeland etc. all have some departments with air-gapped machines for security reasons.

This is actually not true except in some edge cases. Most of the "air gapped" networks are actually only logically separated. For example DOD's NIPR (often referred to as the "low side") is their version of what most companies have, the network most directly connected to the internet, as well as the DREN (for research and development). No classified data is allowed here.

But they also have other networks, sometimes referred to as the "high side" (i.e. SIPR, JWICS), where classified data (Secret and Top Secret, respectively) can be stored. It's a common misconception that these are air gapped, but they're actually more like a VPN on top of NIPR. Additionally, there are various "gateways" (i.e. DOTS, Cross Domain Enterprise Email Service) to allow limited communication and data transfer between low and high sides.

4

mrflib t1_j4hfb34 wrote

Fuzzer?

7

abitrolly t1_j4hk8md wrote

The program that generates bogus parameters for function calls. In that case values for Siemens controllers to set that will cause chaos in controlled hardware.

17

CupResponsible797 t1_j4hm680 wrote

This is really not a context in which you would normally use the term fuzzer. Stuxnet did not "fuzz" these PLCs, it performed a series of specific steps to identify its targets and cause them to break.

26

faux_glove t1_j4k1nxx wrote

What would a fuzzer do, then?

1

CupResponsible797 t1_j4l9cr6 wrote

A fuzzer is a tool which automatically feeds semi-random data to another program in order to discover anomalous behaviours.

2

hamburglin t1_j4jnrce wrote

Thank you. Not sure what this guy has been smoking but he's got some type of imaginary cyber security world built in his head.

0

muerto1964 t1_j4j1omi wrote

The thing was genius. I think it had a total of 9(?) zero-day exploits! Most malware will only have 1 if they are very, very lucky.

3

Why_Did_Bodie_Die t1_j4jpsi7 wrote

I know almost nothing about computers. I remember in the documentary they made this seem pretty significant. Can you tell me a little about what a zero day is and why it is so significant? Are they really hard to do/make/get? Maybe ELI5.

2

tygghb t1_j4k3xcu wrote

Software exploits that are "brand new" (i.e. that the general public did not previously know about). Once an exploit is publicly known about, the companies usually work quickly to patch them. They are therefore rare and highly sought after by bad actors.

The going rate is about $100,000 each on the dark web. When a bad guy writes malware, they typically use one zero-day exploit, maybe even two.... but to have NINE or whatever Stuxnet had, is unheard of and was a tell-tale sign that the software was created by a nation-state since the average bad guy is not going to spend $900,000+ to write their malware.

2

so_futuristic t1_j4jrpzb wrote

Software vulnerabilities that are unknown to all but the people exploiting them.

1

muerto1964 t1_j4kufni wrote

A zero-day exploit is an attack vector that nobody has ever seen before. No one has seen it and therefore we probably have little defense against it. 1 is rare. 9 in the same piece of malware is unheard of.

1

hamburglin t1_j4jmx0p wrote

... autorun... exploits? (I'm going to pretend that's a term in the cyber security and forensics industry that actually makes sense to continue on here). In any context that has anything to do with being relevant about getting into air gapped networks? You sure you know what you're talking about?

You then reference the use of a fuzzer in a highly targeted attack? Wth? You think they're going in there and potentially bluescreening machines and trying "best guesses" at what they need to do to perform command and control operations? That would have already been known before deploying their malware and tools.

Safe to say even if you worked there then you still don't know what you're talking about.

1

ramriot t1_j4hj9kd wrote

I could be wrong but I'm guessing by the date that the development of the exploit predates the availability of modern fuzzing software.

−4

abitrolly t1_j4hkjjs wrote

Fuzzing is a method of putting unexpected stuff into function parameters. You can write a fuzzer yourself, like `for x in random(): call(x)`.

5

charleswj t1_j4hsj4b wrote

That's only part of it. Its purpose is to discover vulnerabilities. That's not what was happening there.

5
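As an added illustration of the definition given above (a fuzzer feeds semi-random data to a program to surface anomalous behaviour, and its purpose is to discover vulnerabilities), here is example code written for this thread, not anything from the discussion or from Stuxnet: a small mutation-based fuzzer run against a constructed buggy record parser and its hardened counterpart. The record format, function names and seed values are all made up for the example.

```python
import random

# Toy record format constructed for this example: [type][len][payload...][checksum].
def parse_record(buf: bytes) -> tuple:
    """Buggy parser: trusts the length byte, so a lying length indexes past the end."""
    if len(buf) < 3:
        raise ValueError("record too short")      # intended, well-defined rejection
    rtype, length = buf[0], buf[1]
    payload = buf[2:2 + length]
    checksum = buf[2 + length]                    # BUG: no bounds check -> IndexError
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return rtype, payload

def parse_record_fixed(buf: bytes) -> tuple:
    """Hardened parser: rejects records whose declared length does not match the data."""
    if len(buf) < 3 or len(buf) != 3 + buf[1]:
        raise ValueError("malformed record")
    payload = buf[2:2 + buf[1]]
    if buf[2 + buf[1]] != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return buf[0], payload

def mutate(rng: random.Random, seed: bytes) -> bytes:
    """One random mutation of a valid input: overwrite a byte, flip a bit, or drop a byte."""
    data = bytearray(seed)
    i, choice = rng.randrange(len(data)), rng.randrange(3)
    if choice == 0:
        data[i] = rng.randrange(256)
    elif choice == 1:
        data[i] ^= 1 << rng.randrange(8)
    elif len(data) > 1:
        del data[i]
    return bytes(data)

def fuzz(target, seed_input: bytes, iterations: int = 2000, rng_seed: int = 1234):
    """Feed semi-random mutations to target; return (input, exception name) on a crash.
    ValueError is the parser's documented rejection path, so it does not count."""
    rng = random.Random(rng_seed)                 # fixed seed keeps the run reproducible
    for _ in range(iterations):
        data = mutate(rng, seed_input)
        try:
            target(data)
        except ValueError:
            continue
        except Exception as exc:                  # crash-class behaviour: a finding
            return data, type(exc).__name__
    return None
# Valid seed record: type 1, three payload bytes, correct checksum (10 + 20 + 30 = 60).
SEED = bytes([1, 3, 10, 20, 30, 60])
```

Running `fuzz(parse_record, SEED)` returns a mutated record that makes the buggy parser raise IndexError, while `fuzz(parse_record_fixed, SEED)` returns None because the bounds check turns every bad length into a clean rejection.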

Optimistic__Elephant t1_j4nvpoj wrote

What does this fuzzing accomplish? Is the idea to find an input that returns an error of some sort?

1

abitrolly t1_j5b6xmw wrote

Find the value that will bypass safety checks and destabilize connected hardware. Just sending random noise might not help, so the fuzzer could try to steadily increase some values or execute another logic that is known to be harmful for typical process control mechanisms. I called it a fuzzer because I assume it doesn't know what the real mechanism on the other end is. If you have the source code and schematic of the plant, you don't need to guess and can directly write targeted destructive code.

2

CupResponsible797 t1_j4gnhkz wrote

>Though had it not been misused after initial targeting we would most probably have never heard of it.

How was Stuxnet “misused” after initial targeting? It was inert outside of the specific systems targeted.

8

OwlBeneficial2743 t1_j4hes8j wrote

I believe that others used one or more of the zero days in subsequent malware; Flame was one. I don’t think it’s been proven Flame wouldn’t exist without Stuxnet, but it’s likely.

5

CupResponsible797 t1_j4hgmur wrote

Flame was developed by people involved in developing Stuxnet, no surprise that they would share elements. There's little indication that Flame is "subsequent malware", everything we know indicates that they were developed at around the same time.

Stuxnet development started around 2005.

Flame development started at least as early as 2006.

In fact, there are strong indicators that the people who developed Flame provided guidance and technical assistance to the less sophisticated Stuxnet developers. It's difficult to imagine that the development of Flame would have hinged on Stuxnet in any way.

>I believe that others used one or more of the zero days in subsequent malware;

Such as?

9

ramriot t1_j4gpbr8 wrote

Specifically, it would need to be, to go unnoticed inside the Iranian facility's air-gapped network.

The supposition from evidence presented is that before it was ever seen in the wild it was introduced, possibly inadvertently, via a single compromised thumb drive containing a required update to the Windows SCADA control programming software, brought into the facility by a third-party engineer.

Later "public" appearances appear to be from proximal but unrelated sources & showed variations in code content that suggest a lower skilled operator had altered the original code.

4

CupResponsible797 t1_j4gqei2 wrote

It seems wholly unsurprising that malware targeting a specific air-gapped network would also spread through other networks through whichever means are used to breach the air gap.

> Later "public" appearances appear to be from proximal but unrelated sources & showed variations in code content that suggest a lower skilled operator had altered the original code.

What modifications are you referring to? This documentary makes a vague claim that Israelis modified the spreading code to be more aggressive, but doesn’t really substantiate it.

The documentary certainly doesn’t claim that the changes made by the Israelis weren’t necessary for the operation to succeed.

10

MagnetsCarlsbrain t1_j4gsrx9 wrote

I haven't seen the doc but I've read Countdown to Zero Day and I'm not sure I agree (or maybe I'm misunderstanding). The worm was designed to spread as aggressively as possible, but to remain imperceptible on any system except for the target system.

While they probably planted it in close proximity to the target, they had to know that it was going to spread throughout the world. I don't think that was the result of taking it a step too far, rather it was a result of the core strategy.

9

duffmanhb t1_j4i5jof wrote

That's interesting. I had no idea that it was recoded and rereleased into the wild. Could it have been Israel? It definitely doesn't sound like something the US would do. Maybe Iran after discovering it tried to repurpose it?

I was always under the impression that it got out because the original attack vector was via a USB with some boss's naked wife on there, incentivizing him to bring it into the office... Then they also brought it out.

1

CupResponsible797 t1_j4l9n0h wrote

>I had no idea that it was recoded and rereleased into the wild. Could it have been Israel? It definitely doesn't sound like something the US would do. Maybe Iran after discovering it tried to repurpose it?

This didn't actually happen. At best there was some disagreement between the responsible nations about how aggressive the spreading functionality should be.

1

qazedctgbujmplm t1_j4iblwj wrote

All of what you said was in the doc. The NSA even blames the Israelis for fucking it up.

5

Admiral_Minell t1_j4ieecf wrote

Yeah agreed, mentioned by the anonymous NSA person, the private firm guys talk about finding version history, and someone even claims to quote Biden.

1

MissionarysDownfall t1_j4jio4f wrote

They absolutely did describe both those things. The weird graphic woman even swore about the Israelis f-ing everything up by being overly aggressive.

3

danderskoff t1_j4jisth wrote

I believe I heard somewhere it got into the facility from USB drives that were dropped in the parking lot near employee cars.

1

ramriot t1_j4jkwt9 wrote

That scenario sounds pretty preposterous. Remember this was a remote secure compound, where one key feature of their security is the air-gapped network.

Does it sound at all possible for someone to first wander onto the Natanz facility, second drop things around people's cars, & then third have those people with access to the centrifuge hall & who know how important the sanctity of the internal network is just insert a random thumb drive?

That said, it was likely a USB drive, but one designed to pass stringent inspection that came from a trusted source & was needed to update internal software.

1

danderskoff t1_j4kocjk wrote

Anything is possible with 3-letter USA agencies. Also, people are pretty stupid sometimes with USB drives. Sometimes they don't understand that you can compromise a system by doing that, and I know there's more to the story than just dumping random USB drives. We talked about this in college, but that's really the only points I remember.

1