Ralph Langner

Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon

When it was first discovered in 2010, the Stuxnet worm was a puzzle. Beyond its unusual sophistication loomed one more worrying mystery: its purpose.


Ralph Langner and his team helped crack the code of Stuxnet and revealed its ultimate target. In a fascinating look inside cyber-forensics, he explains how, and makes a guess (which appears to be quite right) about where Stuxnet came from.
The talk was presented at TED.

Watch the video; the translated subtitles are below.

The idea behind the Stuxnet worm is basically very simple. We do not want Iran to get the Bomb. Their main asset for developing nuclear weapons is the uranium enrichment plant in Natanz. The gray boxes you see are real-time control systems. Now, if we can get access to these systems that control the speeds and the valves, we can actually cause a lot of problems with the centrifuges. These gray boxes do not run Windows; it's a totally different technology. But if we manage to place a good Windows virus on a laptop that a maintenance engineer uses to configure this gray box, then we're in business. This is the plan behind Stuxnet.

1:08 So we start with a Windows dropper. The payload goes into the gray box, damages the centrifuge, and the Iranian nuclear program is delayed. Mission accomplished. Easy, eh? I want to tell you how we discovered this. When we started our research on Stuxnet six months ago, its purpose was completely unknown to us. The only thing that was known was the very complex Windows part, the dropper part, which used multiple vulnerabilities for zero-day attacks. And it seemed to be trying to do something with these gray boxes, the real-time control systems. So that caught our attention and we started a lab project, where we infected our lab environment with Stuxnet and began to watch it. And then some very strange things happened. Stuxnet behaved like a lab rat that didn't like our cheese: it sniffed at it, but didn't want to eat it. I couldn't understand it. And after we experimented with different flavors of cheese, I realized that this was a directed attack. It is completely directed. The dropper actively probes the gray box for a specific configuration, and even checks whether the very program it is trying to infect is actually running on the target. If not, Stuxnet does nothing.

2:34 That really piqued my curiosity and we started working on it almost around the clock because, I thought, we don't know what the target is. It could be, for example, a power plant in the US or a chemical plant in Germany. So it would be better to find out soon what the target is. So we extracted and decompiled the attack code and discovered that it is structured as two digital bombs: a smaller one and a larger one. We also saw that they are professionally designed by people who obviously had inside information. They knew all the details they had to attack. They probably even know the operator's shoe size. So they know everything.

3:19 And if you've heard that Stuxnet's dropper is complicated and high-tech, let me just tell you this: its payload is rocket science. It is far superior to anything we have ever seen. Here is a sample of the actual code. We are talking about roughly 15,000 lines of code. It looks very much like old-style assembly language code. And I want to tell you how we managed to understand this code. So what we were looking for first were the system call functions, because we know what they do.

3:53 And then we were looking for timers and data structures and we were trying to relate them to the real world, to potential real-world targets. So we need target theories that we can prove or disprove. To develop target theories, we keep in mind that it is definitely serious sabotage, that it must be a high-value target, and that it is most likely located in Iran, because most infections were reported there. There are not thousands of targets in that area. Basically, we end up with the Bushehr nuclear power plant and the Natanz fuel enrichment plant.

4:31 So I said to my assistant, "I want a list of all the power plant and centrifuge experts from our database." And I called them and asked for their input, in an effort to combine their expertise with what we found in the code and in the data. And that worked pretty well. So we were able to associate the small digital bomb with the rotor control. The rotor is the moving part inside the centrifuge, the black object you see. And if you manipulate the speed of this rotor, you can actually break it and even cause the centrifuge to explode. What we also saw was that the attack was intended to be slow and stealthy: obviously an effort to drive maintenance engineers crazy, because they wouldn't be able to quickly figure out what was going on.

5:20 The big digital bomb: we were lucky to get a very close look at its data and structures. So, for example, the number 164 really stands out in the code; you cannot overlook it. I started researching the scientific literature on how these centrifuges are built in Natanz and found that they are arranged in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense; we had a match.

5:49 And it got even better. These centrifuges in Iran are subdivided into 15, as they call them, stages. And guess what we found in the attack code? An almost identical structure. So again, this was a very good match. And that gave us a lot of confidence about what we were looking at. Now, do not misunderstand me, it does not go like that. These results were obtained after many weeks of really hard work. And we often reached a dead end and had to start from the beginning.

6:21 Nevertheless, we found that both digital bombs were actually aimed at a single target, but with different approaches. The small bomb takes over one cascade and increases or decreases the rotation speed of the rotors, and the large bomb talks to six cascades and manipulates the valves. So, we are very confident that we have actually identified what the target is. It is Natanz and only Natanz. So we do not have to worry that other targets could be hit by Stuxnet.

6:54 Here are some very interesting things we saw that really made me jump out of my seat. Down there is the gray box and above it you see the centrifuges. Now, what it does is intercept the input values from sensors, for example from pressure sensors and vibration sensors, and feed the legitimate code, which still runs during the attack, with false input data. And as a matter of fact, these false inputs are actually pre-recorded by Stuxnet. So it's like the Hollywood movies where, during the heist, the surveillance camera is fed a pre-recorded video. Cool, eh?

7:35 The idea here is obviously not just to fool the operators in the control room. It is actually much more dangerous and aggressive. The idea is to circumvent a digital safety system. We need digital safety systems where the human operator cannot react quickly enough. For example, in a power plant, when the huge steam turbine runs too fast, the relief valves must open within milliseconds. Obviously, this cannot be done by a human operator. This is where we need digital safety systems. And when these are compromised, then many bad things can happen. The plant could explode. And neither the operators nor the safety system will notice anything. This is scary.

8:20 But it gets even worse. And what I'm going to say is very important. Think about this: the attack is generic. It has nothing to do specifically with centrifuges or with uranium enrichment. So it would work just as well, for example, in a power plant or in an automobile factory. It is very generic. And as an attacker, you do not have to deliver the payload through a USB stick, as we saw in Stuxnet's case. You could also use conventional worm technology to spread it, simply spreading it as widely as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That is the consequence we have to deal with. So, unfortunately, the largest number of targets for such attacks is not in the Middle East. It's in the US, Europe and Japan. So all the green areas are potential targets. We have to deal with the consequences, and we had better prepare right now.

9:41 Thank you.

9:43 (Applause)

9:49 Chris Anderson: I have a question. Ralph, it has been widely reported that people believe that Mossad is the main entity behind it. Is that your view?

10:02 Ralph Langner: Well, do you really want to hear that? Yes. Okay. My opinion is that Mossad is involved in Stuxnet, but the leading force is not Israel. The driving force behind this is the cyber superpower. There is only one, and that is the United States; fortunately, fortunately. Otherwise, our problems would be even bigger.

10:28 Chris Anderson: Thank you for scaring us to death. Thank you, Ralph.

10:32 (Applause)

iGuRu.gr


Written by giorgos
