Thursday, July 5, 2012

Stuxnet and Flame – Gaining Time for an Attack Against Iran?


Cyber attacks target Iran’s nuclear programme.


Is the Cyber War Against Iran a Preliminary Stage to Further Military Action?


Threats from malware on the Internet, such as computer viruses, worms and complex spyware, are omnipresent. Each day new malware is introduced into the Internet, with the potential to cause significant economic damage over the course of a year. Users who want to protect their computers against such attacks currently rely on anti-virus programs, which update themselves autonomously so as to ward off even the latest threats automatically. Unfortunately, many users take this protection technology for granted, to the extent that they no longer worry about the danger of attacks from the Web. Awareness of computer security issues is usually not sharpened until a virus attack occurs on one's own computer. By then it is generally too late, and considerable damage to the computer (or, worse, to an entire computer network) can no longer be prevented. 

By the same token, the public is apparently not aware that even intelligence services and, ultimately, the military use self-developed spyware and malware within the framework of cyber warfare, in order to harm enemy infrastructures and achieve information dominance. Only when it becomes known that malware such as Stuxnet and Flame (also known as Flamer or Skywiper) is being used by governmental organisations in targeted cyber attacks against another country's IT infrastructures does the public prick up its ears. However, considering that the Internet was originally a military invention for transmitting information and can still be used for military purposes, such use is hardly surprising. 

TARGETING IRAN’S NUCLEAR PROGRAMME

The possible scope of military action via the Internet against an IT-based infrastructure becomes apparent from the successful attack against Iran's Natanz uranium enrichment facility. The attack, which is understood to have been carried out by Israeli as well as US intelligence services using the Stuxnet malware, affected the computer-controlled centrifuges to such an extent that they became partly or entirely inoperable. Stuxnet had been specifically designed to disrupt the monitoring and control system of the centrifuges (Simatic S7), built by the German company Siemens. Stuxnet manipulated the speed of the centrifuges, which must sustain exactly 1064 revolutions per second to work properly. While Stuxnet prevented the centrifuges from operating at the required speed, the worm also masked this problem in the system's software. The purpose of these sabotage operations was to significantly delay the Iranian nuclear programme and so prevent the country from possibly producing a nuclear weapon. The attack also relied on the human element. 
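The paragraph above describes the two halves of the Stuxnet effect: the centrifuges were driven off their required speed, and the control software was made to display normal values. The following is an added example, not code from the article or from any Siemens or plant system, showing the defender-side counter-measure that this combination suggests: compare the speed the control software reports against an independent measurement that does not pass through the same controller, and flag samples where the displayed value looks nominal while the physical process deviates. The 1064 rev/s figure comes from the article; the tolerance, the replay-window heuristic, the sample telemetry and all function names are constructed assumptions for illustration.

```python
# Added example (not from the article or any real ICS product):
# cross-check reported vs. independently measured centrifuge speed so that
# masking of an off-nominal speed in the control software becomes visible.
from dataclasses import dataclass
from typing import Dict, List

NOMINAL_HZ = 1064.0   # required speed stated in the article (rev/s)
TOLERANCE_HZ = 5.0    # assumed acceptable deviation (constructed value)
FROZEN_WINDOW = 4     # assumed: this many identical reported values in a row looks replayed


@dataclass(frozen=True)
class Sample:
    t: int               # sample index (constructed, e.g. seconds)
    reported_hz: float   # value displayed by the control/monitoring software
    measured_hz: float   # value from an independent sensor channel


def classify(sample: Sample, nominal: float = NOMINAL_HZ, tol: float = TOLERANCE_HZ) -> List[str]:
    """Return findings for one sample; an empty list means consistent and in band."""
    findings: List[str] = []
    reported_ok = abs(sample.reported_hz - nominal) <= tol
    measured_ok = abs(sample.measured_hz - nominal) <= tol
    if not reported_ok:
        findings.append("reported_out_of_band")
    if not measured_ok:
        findings.append("measured_out_of_band")
    # The case the article describes: software shows nominal while the process deviates.
    if reported_ok and not measured_ok:
        findings.append("masking_suspected")
    return findings


def frozen_runs(samples: List[Sample], window: int = FROZEN_WINDOW) -> List[int]:
    """Sample indices at which the reported value has been identical for `window`
    consecutive samples while the independent measurement kept changing.
    A crude heuristic for a display that is being fed a static or replayed value."""
    flagged: List[int] = []
    for i in range(window - 1, len(samples)):
        chunk = samples[i - window + 1 : i + 1]
        reported_same = len({s.reported_hz for s in chunk}) == 1
        measured_varies = len({s.measured_hz for s in chunk}) > 1
        if reported_same and measured_varies:
            flagged.append(samples[i].t)
    return flagged


def analyse(samples: List[Sample]) -> Dict[str, object]:
    """Summarise findings over a run of samples."""
    counts: Dict[str, int] = {}
    masked_at: List[int] = []
    for s in samples:
        for f in classify(s):
            counts[f] = counts.get(f, 0) + 1
            if f == "masking_suspected":
                masked_at.append(s.t)
    return {"counts": counts, "masked_at": masked_at, "frozen_at": frozen_runs(samples)}


# Constructed telemetry: nominal operation, then a masked deviation in which the
# displayed value stays at 1064.0 while the independent sensor drifts downward.
SAMPLES = [
    Sample(0, 1064.2, 1063.9),
    Sample(1, 1063.8, 1064.1),
    Sample(2, 1064.0, 1064.0),
    Sample(3, 1064.0, 1060.5),   # independent sensor begins to deviate, still within tolerance
    Sample(4, 1064.0, 1052.0),   # masked: reported value still nominal
    Sample(5, 1064.0, 1043.7),
    Sample(6, 1064.0, 1041.0),
]

if __name__ == "__main__":
    print(analyse(SAMPLES))
```

The point of the design is that the independent channel must not share the controller, its firmware or its reporting path with the displayed value; if both readings come from the same PLC, a compromise of that PLC can falsify both and the comparison proves nothing.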

The computers used at Natanz to control the centrifuges are not connected to the Internet and, therefore, could only be infected with a computer worm through some form of human intervention. After the worm had successfully infected the Natanz facility and the Bushehr nuclear power plant, serious disruption was caused to the procedures for producing enriched uranium. 

To verify the worm's function, tests were allegedly carried out at the Israeli nuclear facility of Dimona in the Negev desert where, according to unofficial reports, Israeli nuclear weapons are being developed and built. The Dimona facility has been equipped with the same centrifuges for uranium enrichment as Natanz. Experts assume that this is one of the reasons why the Stuxnet attack was so effective. 

It is certain that considerable technical problems in the Iranian nuclear industry and delays in the nuclear programme have been caused. Not until November 2010 did the Iranian President Mahmoud Ahmadinejad publicly announce that technical problems with the uranium enrichment centrifuges were being experienced, which could have been caused by a computer worm. According to an Iranian intelligence official, approximately 16,000 computers were infected. However, this information has not yet been confirmed independently. 

Nevertheless, the Stuxnet computer worm could not achieve a long-term and sustained effect, as it was discovered in June 2010 and first identified under the name "RootkitTmphider". Furthermore, it found its way into the Internet very quickly through unanticipated channels and thereby began spreading around the world. According to various computer experts, this was not originally intended. 

Former Chief of General Staff of the Israel Defense Forces and serving Vice Prime Minister and Minister of Strategic Affairs, Moshe Ya'alon, emphasised that a series of "technological obstacles and difficulties" which occurred have led to the assessment that Teheran is still three years away from successfully developing a nuclear weapon. This is attributed to Stuxnet, which provided the Israeli military with additional time for further consideration of how to prevent Iran from developing a nuclear weapon. 

As US- and European-led political negotiations as well as the attempts of UN representatives failed to convince the Iranian government to abandon its nuclear programme, the adopted path of a cyber attack was the most effective and safest one, gaining time for possible future military solutions. The Stuxnet attack was a masterpiece of technological sabotage, and it carried the clear signal to the Iranian leadership that conventional military means are not the only way of arguing an opponent out of his plans. 

What many IT security companies have feared – a cyber attack against security-critical infrastructures such as power plants, energy providers, stock markets or banks, possibly paralysing the economic system – has already happened with the Stuxnet attack. The worm was developed as a military weapon and was successfully used on a very limited field. There was not even any collateral damage until the malware accidentally reached the Internet and, thus, the public domain. Its particular programming and operating mode are almost perfectly tailored to its specific task. Its discovery had to be expected sooner or later, as such a worm cannot be concealed forever. 

A NEW CYBER WEAPON OR JUST A COPY+PASTE VIRUS?

Therefore, IT and cyber war experts believe that there are other cyber weapons like Stuxnet, which can be used in a variety of cyber attacks against private-sector companies and computer-based infrastructures. 

This was confirmed in late May, when a new cyber weapon, dubbed "Flame", was discovered and made public by a Russian anti-virus expert at Kaspersky Lab. Prima facie, the virus appeared to be capable of doing everything that the hacker scene could wish for. Experts fear that analysing and decoding its functionality will take years, as the malware is very complex, powerful and, in particular, highly effective. This complexity has kept the rumour mill buzzing about the possible involvement of intelligence services in the development of Flame, wanting to collect information globally about everything and everyone. 

The virus first emerged in Iran, Egypt, Sudan, Saudi Arabia, Israel and the Palestinian territories, as well as Syria and Lebanon. Furthermore, there are different versions of the malware, which has apparently been infecting computers for quite a while. According to computer experts, the overall effects of this malware remain completely unclear. The cyber defence centres of Western industrial nations also assume that the virus might have been developed and launched by intelligence services. Reportedly, Flame, which is believed to have been active for about three years, contains programme elements that are similar to Stuxnet. 

While Russian IT experts excitedly speak of a very dangerous piece of malware, German security authorities play down the problem. "Flame is no super weapon for a cyber war but, rather, a malware programme that has been pieced together from different elements," IT expert Dirk Häger of the Federal Agency for Security in Information Technology (BSI) told the dpa news agency. The BSI is also convinced that Stuxnet is something special, while the Flame virus is not, since the programmers reportedly made little effort to protect the virus from being decoded. In addition, the code contains debugging information that helps programmers to find and remove software errors more quickly. 

To date, 189 infected computers have been discovered in Iran, 98 in Israel/Palestine, 32 in Sudan, 18 in Lebanon and 10 in Saudi Arabia. The spread of the virus, apparently, is still quite sparse. 

Affecting the Middle East Security Situation? 

The use of Stuxnet and Flame possibly represents government-ordered cyber attacks that are currently causing considerable unrest in the Middle East. On the one hand, it is certain that the Iranian nuclear industry has become the target of cyber attacks that did not fail to have an effect. In addition, the country's oil industry was subject to hacker attacks in April 2012 that achieved considerable effect and contributed to sales losses throughout the Iranian economy. A virus dubbed Wiper was used for this purpose, reportedly involving double agents assigned by Israel's Mossad intelligence agency. Furthermore, agents of the People's Mujahedin of Iran (PMOI or MEK), a militant Iranian opposition movement, are believed to have been involved in introducing the virus into the oil industry's computer networks.

All of this could be part of a major plan aimed at destabilising the Iranian economy and permanently damaging or disrupting existing infrastructures. The concept of these cyber attacks has proved successful and might provide Israel with the time necessary to prepare an actual military strike against the Iranian nuclear facilities and carry it out at a later stage. Israel is visibly supported by the United States, which shares a strong interest in the non-proliferation of nuclear weapons. 

However, cyber attacks alone will not be enough to disable well-protected nuclear research facilities that lie up to ninety metres beneath the surface. For this purpose, an attack variant must be chosen that represents a seamless continuation of the present cyber war. This includes a number of options that may range from an air strike to a multi-level commando operation, in order to destroy the key fortified installations. Such a military action would require long-term planning and would need to be carried out with the utmost precision. All engaged targets would need to be destroyed effectively enough to be rendered unusable for years. The fact that the Israeli armed forces, with the help of their allies, are possibly preparing for such a military operation is reflected in the focus of the Army and Navy commando units (Deep Corps), which are trained for operations deep in enemy territory and can be deployed by air or sea. 


----
By Kai Eberhardt, Defence Analyst


Read more at: http://www.defpro.com/


