Ralph Langner

Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon

When it was first discovered in 2010, the Stuxnet worm was a puzzle. Beyond its unusual sophistication, there was one more worrying mystery: its purpose.

Stuxnet Ralph Langner

Ralph Langner and his team helped crack the code of Stuxnet and revealed what its ultimate target was. This is a fascinating look inside cyber-crime, in which he explains, and guesses (as it seems, quite rightly), the origin of Stuxnet.
The talk was given at TED.

Watch the video; the translated subtitles follow below.

The idea behind the Stuxnet worm is basically very simple. We don't want Iran to get the Bomb. Their main facility for developing nuclear weapons is the uranium enrichment facility at Natanz. The gray boxes you see are real-time control systems. Now, if we can get access to those systems that control speeds and valves, we can really cause a lot of trouble in the centrifuge. The gray boxes do not "run" functionally; they are a completely different technology. But if we manage to put a good Windows virus on a laptop used by a maintenance engineer to set up this gray box, then something happens. This is the plan behind Stuxnet.

1:08 So we start with a "dropper" for Windows. "Stuxnet" is inserted into the gray box, it damages the centrifuge, and the Iranian nuclear program is delayed: mission accomplished. Easy, eh? I want to tell you how we discovered this. When we started our research on Stuxnet six months ago, its purpose was completely unknown to us. All that was known was the very complicated Windows piece, the "dropper" (virus) piece, which used multiple "zero-day" vulnerabilities for the attack. And it seemed that it was trying to do something with these gray boxes, the real-time control systems. So this caught our attention and we started a lab project where we infected our network with Stuxnet and started to watch it. And then some very strange things happened. Stuxnet behaved like a lab mouse that did not like our cheese: it smelled it, but did not want to eat it. I could not figure it out. And after experimenting with various cheeses, I realized it was doing a directed attack. It is fully directed. The dropper actively lurks on the gray box if a specific configuration is found, even if the program itself that it is trying to infect runs on the target itself. If not, Stuxnet does nothing.

2:34 That really piqued my curiosity and we started working on it almost around the clock because, I thought, we don't know what the target is. It could be, for example, a power plant in the US or a chemical plant in Germany. So it would be better to find out soon what the target is. So we extracted and decompiled the attack code and discovered that it is structured around two digital bombs: a smaller one and a larger one. We also saw that they were professionally designed by people who apparently had insider information. They knew all the data they needed to attack. They probably also know the operator's shoe size. So they know everything.

3:19 And if you've heard that Stuxnet's "dropper" is complicated and high-tech, let me just tell you this: its "payload" is rocket science. It is far superior to anything we have ever seen. Here is a sample of the actual code. We are talking about some 15,000 lines of code. It looks very much like old-style assembly language code. And I want to tell you how we managed to understand this code. So what we were looking for was all the system-call functions, because we know what they do.

3:53 And then we were looking at timers and data structures and trying to relate them to the real world, to potential real-world targets. So we need target theories that we can prove or disprove. To develop target theories, we keep in mind that this is definitely high-profile sabotage, that it must be a high-profile target, and that it is very likely to be in Iran, because that is where most of the infections have been reported. There are not thousands of targets in this area. Basically, we end up with the Bushehr Nuclear Power Plant and the Natanz Fuel Enrichment Plant.

4:31 So I told my assistant, "I want a list of all the power plant and centrifuge experts from our database." And I called them and asked for their opinion, in an effort to combine their experience with what we found in the code and the data. And that worked quite well. So we were able to associate the small digital bomb with the rotor control. The rotor is the moving part inside the centrifuge, the black object you see. And if you can manipulate the speed of the rotor, you can actually break it and even cause an explosion in the centrifuge. What we also saw was that the attack was intended to be done slowly and stealthily, obviously an effort that would drive maintenance engineers crazy, because they wouldn't be able to quickly figure out what was going on.

5:20 The big digital bomb: we were lucky, because we looked very carefully at its data and structures. So, for example, the number 164 really stands out in the code; you cannot overlook it. I started researching the scientific literature on how these centrifuges are set up in Natanz and found that they are structured in what is called a cascade layout, and each such cascade has 164 centrifuges. So that made sense; we had a match.

5:49 And it got even better. These centrifuges in Iran are subdivided into what they call 15 stages. And guess what we found in the attack code? An almost identical structure. So again, this was a very good match. And that gave us a lot of confidence about what we were looking at. Now, do not misunderstand me, it did not go that way. These results were obtained after many weeks of really hard work. And we often reached a dead end and had to start from the beginning.

6:21 Nevertheless, we found that both digital bombs were actually aimed at a single target, but with different approaches. The small bomb takes over one cascade and increases or decreases the rotation speed of the rotors, and the large bomb communicates with six cascades and handles the valves. So we are very confident that we have actually identified what the target is. It is Natanz and only Natanz. So we do not have to worry that other targets can be hit by Stuxnet.

6:54 Here are some really interesting things that we saw that really made me jump out of my seat. Down there is the gray box and above it you see the centrifuges. Now, what it does is monitor the input values from sensors, for example from pressure sensors and vibration sensors, and feed the legitimate code, which still runs during the attack, with fake input data. And to be precise, these fake inputs are actually pre-recorded by Stuxnet. So it's like the Hollywood movies, where during the robbery the surveillance camera is fed with pre-recorded video. Pretty good, huh?

7:35 The idea here is obviously not just to trick the control-room operators. It is actually much more dangerous and aggressive. The idea is to bypass a digital safety system. We need digital safety systems where the human operator cannot react quickly enough. For example, in a power plant, when the huge steam turbine runs too fast, the relief valves must open within milliseconds. Obviously, this cannot be done by a human operator. This is where we need digital safety systems. And when these are compromised, many bad things can happen. The plant can explode. And neither the operators nor the safety system will notice anything. This is scary.

8:20 But it gets even worse. And what I'm going to say is very important. Think about this: the attack is generic. It does nothing specific to centrifuges or to uranium enrichment. Thus, it would also work, for example, in a power plant or in a car factory. It is very generic. And as an attacker, you do not have to deliver the "payload" of the virus via a USB storage device, as we saw in Stuxnet's case. You could also use conventional "worm" technology to spread it. Simply spread it as far as possible. And if you do that, you end up with a cyber-weapon of mass destruction. This is the consequence that we have to deal with. So, unfortunately, the largest number of targets for such attacks is not in the Middle East. It is in the US, Europe and Japan. So all the green areas are potential targets. We have to deal with the consequences, and we should be prepared by now.

9:41 Thank you.

9:43 (Applause)

9:49 Chris Anderson: I have a question. Ralph, it has been widely reported that people believe that Mossad is the main entity behind it. Is that your view?

10:02 Ralph Langner: Well, do you really want to hear that? Yes. Okay. My point is that Mossad is involved in Stuxnet, but the leading force is not Israel. The driving force behind this is the cyber-superpower. There is only one, and it is the USA; luckily, fortunately. Otherwise, our problems would be even bigger.

10:28 Chris Anderson: Thank you for scaring us to death. Thank you, Ralph.

10:32 (Applause)

iGuRu.gr

Written by giorgos
