A Finnish-Chinese Connection For Stuxnet?
Lingenfelter writes "I recently wrote a white paper entitled 'Dragons, Tigers, Pearls, and Yellowcake' in which I proposed four alternative scenarios for the Stuxnet worm other than the commonly held assumption that it was Israel or the US targeting Iran's Bushehr or Natanz facilities."
Overthinking it (Score:5, Insightful)
Israel is (by far) the most nervous about Iran's nuclear program, and already had one pre-emptive attack on a nuclear plant under its belt that (in their worldview) was a resounding success and is a point of national pride.
So one of the drives targeted by stuxnet is manufactured in China...I hate to state the obvious, but what isn't?
Re:It's about oil and coal (Score:5, Insightful)
Now that is a tempting hypothesis.
But I'm going with Occam's razor on this one.
Who has the most to lose should Iran get nukes? Israel. Who has the most interest in the region? Israel. Who has the cash and the tech know-how? Who has a close relationship with a more powerful country with a _big_ interest in stopping Iran? Israel.
Re:Rather basic question (Score:3, Insightful)
Stuxnet is quite the nasty piece of malware. There isn't anything simple about it.
This is Symantec's summary:
Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.
Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. Stuxnet contains many features such as:
Self-replicates through removable drives exploiting a vulnerability allowing auto-execution.
Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732)
Spreads in a LAN through a vulnerability in the Windows Print Spooler.
Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073)
Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
Copies and executes itself on remote computers through network shares.
Copies and executes itself on remote computers running a WinCC database server.
Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
Updates itself through a peer-to-peer mechanism within a LAN.
Exploits a total of four unpatched Microsoft vulnerabilities, two of which are the previously mentioned vulnerabilities used for self-replication; the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
Contains a Windows rootkit that hides its binaries.
Attempts to bypass security products.
Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
Hides modified code on PLCs, essentially a rootkit for PLCs.
The full Stuxnet dossier for interesting reading:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
The FSM did it. (Score:3, Insightful)
You leave a dog alone with a steak. When you later come back, the steak is eaten.
Who ate the steak? It could of course be anyone or anything. It could even be the FSM.
In all recent Stuxnet stories I've read on Slashdot I've found a lot of comments (modded +5) beginning like this:
I don't know why everyone is so quick to assume it's {USA,Israel} behind this. It could be {Random country, the Yeti}...
Which is of course true. If you don't know who did it, you don't know who did it. BUT! That doesn't mean every possibility has the same probability.