Stuxnet is embarrassing, not amazing (2011) (root.org)
117 points by rdpintqogeogsaa on June 12, 2022 | hide | past | favorite | 91 comments



Hm. Stuxnet feels less like a normal software project, and more like a NASA mission.

Something like a botnet can run updates and patches, and you have a much easier time to iterate, optimize and also to fail in less than catastrophic ways. Sure, you lose some nodes, but you infect some nodes, so be it.

Something like Stuxnet is more like the mars rover. You eventually fire it off, and then it has to work correctly autonomously. Once the boosters are going, you cannot fix it anymore. Once Stuxnet is in that facility, there are no more patches. It has to work. And if it's discovered, you've probably blown your only chance.

In such a setup, simplicity and options with known and explored failure modes are good.


I liken the Stuxnet op to targeting Osama bin Laden with a sophisticated custom-made virus transmitted through his children. It delivers its payload once, and does very little collateral damage to others.

The virus itself was sophisticated in the way obfuscation was incorporated, using 4 zero-days.


They did in fact target Osama bin Laden with mandated vaccines for boys for some very very important ailment to which there could be no religious objections...to get DNA material they could track down to him. That's how I heard it.


Slightly different from what the parent is describing. Especially the "little collateral damage" part.

https://www.thelancet.com/journals/lancet/article/PIIS0140-6...


Also these techniques can be a double edged sword. Like the author mentions techniques known to Bulgarian hackers in the 90's. Well that's the problem, everyone knows about it already so you should assume there's a good chance the enterprise security software you're up against knows about it too. Plus I'm sure if this was created by US intel they already had a pretty good idea what the Iranians would have been running on their networks and tested Stuxnet against it before it was launched.


> In such a setup, simplicity and options with known and explored failure modes are good.

The comments on the submitted article itself also point that out. They are worth reading.


No, it is amazing, and the author is missing out on understanding why - it does not need to have passed an architectural and design review if it manages to accomplish its goal(s).

Ironically, the author focuses on 'hiding the payload' as the thing that makes it embarrassing, as though that is self evident.


It's yet another case of "I know/do X in my context, therefore anyone who doesn't know/do X even in another context is an idiot". (And yet, somehow, X is also an amazingly hard-to-acquire skill that should bring immense rewards to those like the speaker/writer who claim to have mastered it.) Such fare is neither curious nor newsworthy, but seems common.


Hiding and obfuscating the payload is pointless in this case. The author doesn’t seem to understand the reasons why a group would go through the trouble of obfuscation or other similar techniques.

Stuxnet was a one-time operation with a very limited opportunity window. Target systems were airgapped. A large part of the success of the operation relied on a human penetrating that air gap. A successful operation would be attributed to either Israel or USA immediately. What is the benefit of obfuscation?


Yeah, the author definitely doesn't really have a clue what the requirements are for various forms of intelligence operation.

It should be noted, however, that there apparently was a significant amount of animosity from the NSA towards unit 8200 for "turning up the volume" on the payload. Usually NSA really really really doesn't like catching attribution for stuff, and Mossad is more known for trying to send a message with obvious attributions (motorcycle assassinations etc). It was supposedly delivered from TAO to 8200 as a very covert weapon, and 8200 stripped off a bunch of the limitations in order to increase the odds of successfully completing the mission.

I'm not actually referencing the Wikipedia article, so I don't know if what I'm saying is reflected in there, but it's a good read either way: https://en.wikipedia.org/wiki/Operation_Olympic_Games


Stuxnet was assembled from a standard implant framework that is shared across "Five Eyes" countries. Everyone writes modules of various types that implement a standard API and share them across teams. For example, if the Australians need to compromise a diplomatic machine in Singapore, the UK may already have a keylogger module written that hooks Pinyin (software for typing in Mandarin).

When the Israelis pushed it to 11 they brought down a ton of scrutiny on the framework as a whole. Which is why people started discovering links to other sophisticated malware families - like Kaspersky's discovery that Stuxnet and Flame used the same LNK vulnerability which was not known to the public at the time. The "QWERTY" keylogger in the Snowden leaks was identified as part of the Regin malware family.

They effectively gave every nation on the planet a trail of breadcrumbs to either find western espionage tools, or strongly attribute tools they had previously found.

This also refutes most of the article's points: they _could_ have done all these things, but SOP is to do the least amount of shady shit to get the job done. Being extra cool guy just makes it more likely to trigger an anti-virus system that detects a specific trick.


I wonder if the "Olympic Games" name is in reference to a USB-stick jumping the airgap by being handed off like the Olympic Torch Relay.


That's a smart thought. I've always wondered why they called it that.

Snowden mentioned that they have some kind of a random operation name generator that they have to use, but people keep using it over and over to find a suitable name. I don't recall the specifics but it was in his book.


> That's a smart thought. I've always wondered why they called it that.

That's a smart-ass thought, and for that very reason would make it a horrible code name for such a project.

You want your code names to be totally arbitrary and have nothing to do with the project.

In WW2, the Brits managed to correctly guess quite a bit about the German anti-aircraft and anti-anti-aircraft systems from the 'clever' code names the Germans picked. See eg https://www.reddit.com/r/todayilearned/comments/bnkzdq/til_d...


Yes I know, but people take pride in their work and they want a cool name for their project.

Like I said Snowden did mention that NSA mandated the use of this code name generator in his book, and it was indeed random for this reason. But he also describes people used to game the system for a cool code name by simply running the generator over and over until they got one they liked :)

I would imagine that a cool name would also make it easier to sell a proposal to the brass. Prudence or not, people are easily influenced this way. It's why marketing works.


Yeah, the author of the article sounds like a teenager/young adult who seems unable to evaluate objects along multiple dimensions.


Exactly. All that matters is that the scoreboard reads "Stuxnet - 1; Iran - 0 (Final)"


Considering that Iran went on to develop uranium enrichment capabilities it hardly seems like Stuxnet was a final win, though it certainly delayed them.


In World War 2 the British developed "exploding rats." The idea was to pack rats with explosives and leave them near boilers. The person shoveling fuel would eventually find the rat and shovel it in to the furnace to dispose of it - where a relatively small explosion would cause the pressure vessel to rupture and take out an entire train or industrial facility.

A single shipment of 100 explosive rats was sent across the border and was intercepted. What resulted was a massive amount of German energy spent on trying to detect rat shipments and having to consider exploding rats in their threat model for every further operation.

Stuxnet not only delayed the Iranian nuclear efforts, it made everything a hundred times more complex going forward because they realized not even air gapped computers were safe. Not to mention they no longer trust any of their monitoring or instrumentation, which Stuxnet made a point of faking... imagine trying to debug even the smallest issue when you don't trust a single piece of data.


Long term effects of Stuxnet are unclear. In the short term, it was a huge win in delaying the programme and sending a message that even air gapped systems are at risk. In the long term, Stuxnet put the programme and every adversary on notice that they should increase focus on security practices.


All the sweeter when they get it.

The list of countries America tells other countries to treat poorly is getting kinda long.

So I could actually rattle them off the top of my head once:

Myanmar

Sudan

Iran

North Korea

Cuba

That last one is a funny one, the original pariah. But like you can't go to these countries for contests, or accept prize money there, so for instance the Rubik's Cube championship can't be in Cuba, because Americans who are damned good at it can't win.

And it wasn't a very large amount of land. Sudan yeah, that was the biggest country in Africa before it split. But it was remote from where I was in Chile, much more than half the world away. Never met a Sudanese, nothing.

Now it's like Belarus, Russia, China soon, North Korea, Cuba always always, South Sudan, uh, Yemen, there's more...Libya for a while, like EVERYONE EVERYONE IS SANCTIONED.

When everybody's sanctioned, nobody's sanctioned. America is sanctioned.


This is a pretty ironic view. What you're regretting losing only ever existed during the unipolar moment anyway. The era preceding it was literally called the Cold War. Emphasis on War. Now that the unipolar moment is ending you're blaming America for sticking to its guns and refusing to do business with countries that agitate for its downfall or destruction?


And yet we leave our own infrastructure connected to the internet. It’s like we want our power grid to fail, our dams to release a flood, our water supply to be over-fluoridated.


Didn't we just talk about how Stuxnet showed that even airgaps aren't 100% secure?

The benefits of being connected to the Internet are the same as before; but the benefits of the airgap are smaller than we expected them to be. Hence we would expect our preferred trade-off to swing in favour of more connections?


And the lock on your house isn’t particularly effective either, yet we don’t see you going on vacation whilst leaving the door fully open.


If there was a high chance I would come home to my house being devastated whether I lock up or not, I would probably not bother locking up.


I live in Chile. In practice you would lock up (and even set up your lights with an endemic light timer so it looks like you're home) and the alternative is homelessness. Actual homelessness, not eviction. You still pay rent, only there's no roof over your head. You'd be homeless, not evicted. The ruins of your former house are a better home than the street. Shit in the corner, rebuild, that sort of thing. In practice you would not leave for vacations and for sure exercise right to bear arms, that's what's up. The police will ALWAYS tell you you're in safe hands with them don't get a gun in urban areas. They'll say it'll be used against you. I guess it could if you're a wimp. Yeah I'm such a wimp, the thug will walk right up while I do nothing but hold the gun, suck the bullets out of the barrel with his powerful lungs, and spit them out back at me!


Dude they should diminish fluoride by a factor of ten.


Delaying has always been the point, whether it's Stuxnet or technology export bans or assassinating 4 scientists in the streets working on the program.


The damage goes way beyond delaying them one time, it also makes it way harder to use COTS hardware in the future. It's going to be a lot harder to get work done when you can't just buy a computer off Amazon.


They already had enrichment capabilities. What Stuxnet targeted was, and I believe is, an active enrichment plant.

I don't think it did more than delay production and destroy some really expensive centrifuges but it could have been a message like "we'll get you no matter what" in order to bring them to the table or something.


Yeah, effective trumps every possible hindsight criticism.


Exactly. Nothing wrong with going for a bunch of low hanging fruit in an attack. If the simple stuff doesn’t work you need to do obfuscation and have good OPSEC.


Exactly. The cost of failure was deemed greater than the cost of success with attribution. It's just the way covert ops works.

If you asked the leaders of this op, in retrospect, if they were starting off from scratch, would they accept the result we saw where Iran's nuclear enrichment capabilities were delayed long enough for more information about their secret work to be known with more certainty. . . all of them would take it in a heartbeat.


I'm not in the field, so it is definitely possible that my way of looking at it is just completely wrong-headed, but -- what about repeating the attack? If the program had remained hidden, maybe they could re-use some parts? Also, is it possible that other parties (badguys) gained some capability by analyzing the program?


How could it remain hidden? The programme heads would think it was an accident? This was a devastating setback to the entire programme. There would surely be an investigation to ensure a repeat could not happen.


They could have used it on somebody else. Iran is not going to brag about having been hacked.


My impression at the time was that the code was developed by separate teams who did not necessarily know what they were working on, and then integrated by someone cleared for at least part of the real operation. I speculated that the people responsible for deploying it would have been in the tactical area of a humint agency that was more indexed on direct outcomes than on using techniques any more sophisticated than were strictly necessary to accomplish their specific objective, as why risk or waste the advantage of shipping something with additional tradecraft baked into it?

I remember thinking they could have at least used hashes of registry entries to detect the modules they were looking for if they wanted to protect the identity of target, but then again, the processor load of the hashing operations would have been a significant IoC. Stuxnet was a straight tactical hack to solve a specific problem, which was to delay that nuclear program. It was not just a threat or demonstration of capability to serve as a deterrent.

An example of a demonstration of capability was the silk road arrest, where the FBI mainly used it as a signal to create uncertainty about the absolute security of Tor hidden services, so that people understood they did not have impunity. They didn't break tor, but they showed tor wouldn't protect you if they wanted you. Stuxnet wasn't about demonstrating that they could get at you, it was to delay the nuclear program to give time to negotiations and potential outcomes other than iran achieving a weapons program.

What we call 'cyber' now is in support of variously tactical and strategic objectives, and while the criticisms of the code are valid, it's worth evaluating the tools in that higher level more abstract context as well.


As far as I recall from Kim Zetter’s book Countdown to Zero Day, the development work was indeed likely split into several individual sections: the actual payload targeting specific models of programmable controllers was made with extreme care and attention, and the worm portion didn’t need to be.

So to offer an imperfect analogy, the author of this article is addressing how lame Google’s UI is, discounting the algorithm underpinning the search engine.

(I actually wouldn’t recommend Zetter’s book. It’s fairly dull, with several chapters enumerating every software failure of U.S. critical infrastructure she found during research. For once, the movie was better.)


That part of the book stuck with me because she said the NSA (and friends?) gave the most important tasks to the A team and the rest to the B team just like a software company would. Ever since I’ve been conscious about what “team” I am assigned to at my own private sector job.

I didn’t know there was a movie, but I found the book mostly boring too. She dived deep(ish) technically in three areas: malware, nuclear centrifuges, and policy.

Who exactly is that for? I enjoyed the long description of the program itself but I doubt most non-tech people would. The scientific background on centrifuges was painfully dry to me. By far the best part of the book was the human interest stories about the security researchers who found and reverse-engineered Stuxnet.


"Who exactly is that for?" is the fitting question separating an average from a good writer. Average writers often deliver "look how much work I did", resulting in a lot of unnecessary fillers and boredom. Good writers contemplated who they are writing for and edit accordingly. As a reader I appreciate it when my time is respected. Of course YMMV, so not an easy problem to solve as a writer.


That’s a heuristic I would buy.

The charitable interpretation is that she wanted to write “The Book” on Stuxnet. But it seems like a weird thing for a journalist to attempt. It’s like if Carreyrou spent 100 pages describing micro-fluid physics in Bad Blood.


Yeah, the A-team/B-team split is how I remember it, and it definitely made sense for this particular project (and other projects most of us are involved with on a daily basis).

Alex Gibney did the adaptation, and while it’s necessarily far more superficial than the book, it’s much more engaging. It’s also nice to put faces to some of the names.

https://m.imdb.com/title/tt5446858/


What does "IoC" mean?



Indicator of Compromise.


This is a whole thread of people taking a blog post from a decade ago out of context. Nate Lawson's blog had two major beats, cryptography and content protection (Lawson, an old-school vuln researcher, co-created the Blu-Ray BD+ content protection system at Cryptography Research).

It's probably hard for people today to remember this, but in the heyday of "the blogosphere", blogs bounced stories back and forth between them the way you would Twitter threads today. Stuxnet was a topic like that. Lawson was just tying it to the stuff he wrote about.

We've all read Kim Zetter's book by now. Instead of bouncing thoughts she's already written about off the post --- thoughts the author probably by now agrees with? --- you'd do better to actually follow the links in the post back to Lawson's earlier posts about obfuscation, reversing, and content protection. They're still extremely interesting.

Regardless: saying that you have a better take on Stuxnet in 2022 than Nate Lawson did in 2011 is kind of an embarrassing flex.


I think it's stupid it got reposted, but even in 2011 this was a poor take.

You don't use more capability than necessary to achieve a goal.


The "take" isn't even the point of the post. It was barely about Stuxnet, and had a lot more to do with content protection and RE.

I'm not agreeing with you about the quality of the take; I don't think we even reach that question.


This article seems like a lot of "Stuxnet didn't do enough to hide", but the author misses the fact that it didn't need to hide, judging from the fact that it worked.

If it's stupid but it works, it's not stupid. The author is missing the point by lambasting Stuxnet for not having a feature it didn't need.


>The author is missing the point by lambasting Stuxnet for not having a feature it didn't need.

Indeed. It's my understanding that to this day we don't officially know who built/launched it. Mission accomplished?


It's not official but it's irrelevant - no one is going to take the US to court over it, which means the only thing that matters is that everyone knows who did it, and they do.


Stuxnet was a reckless operation concocted by a small group of American and Israeli spies and hackers who thought the whole thing would remain secret forever. The recklessness involved setting a precedent by targeting industrial control systems for physical destruction, and also the release of the package to spread over the internet with no external controls. See (May 2021):

https://verveindustrial.com/resources/blog/what-is-stuxnet/

> "This second Stuxnet variant likely did not propagate from an initial infection on a susceptible PLC or controller, but rather gained access to one commodity Windows system through the use of zero-day exploits. From that one infected commodity Windows host, the malware moved laterally from one Windows box to another across the unsegmented network."

Once it had been done once, similar attacks followed by other nation-states:

> "From a historical perspective, the Stuxnet worm signaled that well-equipped, nation-state-sponsored actors possessed advanced capabilities that would set the stage for more serious cyber-physical attacks such as those in Ukraine, Estonia, and Saudi Arabia."

I suppose one positive effect has been the upgrading of security for everything relying on industrial controls systems and PLCs, from nuclear reactors to railways to water supply systems.


I don't think it's likely that they believed it would remain secret forever. Reckless perhaps, but nation states tend to understand that the window of covert action is relatively brief and that lots of external parties are interested in investigating the aftermath.

(That's also why the "there was no special obfuscation" commentary is silly -- they just don't care. Obfuscation is pointless window dressing in these scenarios.)


I’m surprised this article is still making its rounds. Two points have always stood out to me:

1) you never empty the barn on a nation state attack. If you know the systems you’re targeting are primitive, you don’t go in with the F-35 of initial compromise schemas. Aim for +10 over the enemy's ability to counter, not +1000.

2) the level of overestimation of federal cyber weapons is too damn high. Is it impressive? Absolutely. Is it the best? No. Check in with your private Israeli intel firms for that kind of James Bond stuff. What sets nation states apart are their ability to acquire and perform highly redundant and critically targeted attacks. The NSA would be hamstrung without the cooperation of the CIA and so on. It’s not technical prowess, it’s money and coordination.


It comes up regularly in part because there's a lot of pop-sci reading for people to do on Stuxnet, and so people in 2022 generally feel like they know a lot about it, which makes it easy and fun to dunk on a 2011 take. What's embarrassing about the whole scene is that actual analysis of Stuxnet is almost beside the point of this blog post; it's pretty clear that some of the most strident takes on this thread are from people that haven't read any of it before.


The idea of “secure triggers” seems like it wouldn’t work here. Your options are:

- have a large enough set of input parameters that it’s infeasible to guess-attack them, but risk even just a single parameter not being correct in your target system and therefore your payload never executed (completely undermining the entire operation)

- your key space has enough variability input to prevent the above, making it easy to guess or brute-force, and revealing the payload trivially.

Also, it would either way be easy for your target to reverse because they have full access to the target parameters.


What you're describing is the Gauss payload: https://securelist.com/gauss-abnormal-distribution/36620/


It is not just that it was unnecessary to do more, it would have been harmful. Stuxnet was always going to be dissected after the attack; why give away all your best techniques.


Something new here?

Lots of other Stuxnet articles/revelations.

Here's some previous discussions:

11 years ago https://news.ycombinator.com/item?id=2112919

3 years ago https://news.ycombinator.com/item?id=21432467


What did Bulgarian teenagers do back in the early 90’s? The link is dead.



So imagine the scenario if Iran made Stuxnet against Israeli nuclear facilities, let alone American ones.

Imagine the outrage: "how dare you" and "attack on the constitution and national integrity of the country" and "casus belli" among other things. But it's being made out as an achievement. Isn't this American propaganda?


Yea no foreign states ever attack/hack American facilities. /s


No. Everyone attacks everyone else. It's just when America/Israel does this, it's seen as an achievement, while if someone else attacks these two, it's seen as an act of war and all hell breaks loose.


Of course. From a point of view sympathetic to Iran's self-defense and militarization interests, stuxnet is an attack on national sovereignty.

That having been said, if Iranian agents were able to conduct a similar operation in the US on a US weapons-grade enrichment program, my personal opinion, as somebody categorically in favor of nuclear non-proliferation and long-term disarmament, would be "Well done, point to your team."


this ain't as bad as how many scientists Israel assassinates in Iran, if Iran tried doing the same ....


Iran tries to do the same at least once a week. For example:

https://www.i24news.tv/en/news/middle-east/levant-turkey/165...

Of course you know this.


For anyone else unfamiliar with that website:

>i24NEWS is an Israeli-based international 24-hour news and current affairs television channel located in Jaffa Port, Tel Aviv, Israel.


opened that link......... how is a response the same?

"imminent" threat after the killing of a senior Islamic Revolutionary Guards Corps (IRGC) officer attributed to Israel's national intelligence agency, Mossad.


It still got a job done. Embarrassing that people found out because the Israeli side screwed up. But this is how cyber attacks will be... They make some impact. Then everyone learns the tech used. Then everyone secures the vector they used. Rinse and repeat. Used too often, and all attack vectors will be closed.


> It does not use virtual machine-based obfuscation, novel techniques for anti-debugging, or anything else to make it different from the hundreds of malware samples found every day.

Being just like hundreds of other malware seems to be a pretty good idea. Blending in is a big part of spy tradecraft.


Low effort article here. Author clearly lacks a grasp on the point/woes of obfuscating payloads


This reads like someone trying to provoke a reaction from the authors of Stuxnet, to try to get a clue as to who they were.


The context of this article makes more sense when you realize the author is an Iranian sympathizer.


What does that even mean?


Agreed.


If Stuxnet was made to stop Iran from getting nuclear weapons, here's a headline from today (which may btw be the reason why articles on Stuxnet are reappearing now):

"Iran is closer than ever to a nuclear weapon as Biden runs out of options".



You could read that as "Stuxnet set Iran back approximately 10 years".


It also helped in negotiations; if we hadn't withdrawn from the JCPOA that headline wouldn't be the same.


I would also read something into U.N. monitoring which they recently ejected.


Maybe the USA should have stayed in the deal that prevented this from happening?


> It does not use virtual machine-based obfuscation, novel techniques for anti-debugging, or anything else to make it different from the hundreds of malware samples found every day.

Okay? … simplicity is a virtue.

They also addressed that, to where we don’t know what most of their malware even does:

>> The name originated from the group's extensive use of encryption. By 2015, Kaspersky documented 500 malware infections by the group in at least 42 countries, while acknowledging that the actual number could be in the tens of thousands due to its self-terminating protocol.

> The longer they remained undetected, the more systems that could be attacked and the longer Stuxnet could continue evolving as a deployment platform for follow-on worms.

Stuxnet wasn’t meant as a long term penetration: they hit a specific target with a one-time cyber weapon.

For reference, when their tools leaked in 2016, exploits from 2013 were still zero-days.

>> In August 2016, a hacking group calling itself "The Shadow Brokers" announced that it had stolen malware code from the Equation Group. […] The most recent dates of the stolen files are from June 2013, thus prompting Edward Snowden to speculate that a likely lockdown resulting from his leak of the NSA's global and domestic surveillance efforts stopped The Shadow Brokers' breach of the Equation Group.

Source:

https://en.wikipedia.org/wiki/Equation_Group


Unfortunately this sounds like fairly typical armchair commentary from someone who doesn't understand the decisions around building and deploying something like this at this scale...

Sometimes, yeah, you need to rush things because your window of opportunity is now or never.


The blog author Nate Lawson [0] runs a small cybersecurity consulting company [1].

It’s not surprising that a small independent consultant would bikeshed over trivial imperfections in something like Stuxnet while ignoring the much bigger picture of the operation. I bet the vast majority of security holes he finds in his line of work are relatively minor exploits (e.g. poor key handling, unpatched software, etc.) that would be devastating to his small business client if exploited but totally irrelevant to an operation like Stuxnet. It is akin to a custom gunsmith criticizing an ICBM for its ugly paint job.

As Pauli would say, Lawson’s argument is not only not right, it is not even wrong.

[0] https://www.linkedin.com/in/natelawson

[1] http://www.rootlabs.com/ (yes, his own site ironically is not HTTPS)


It is also a concern when developing these "weapons" that after using them, they could potentially be reverse engineered. In that context a successful payload that appears poorly constructed could be intentional.

Either way, for the mission goals it was a success.


When you're on the defense side (I am) you often read a lot of research and watch conference talks about cutting edge stuff. It makes you wonder - why don't attackers do these things?

I actually asked a criminal I was in contact with once why he didn't attempt to perform an attack a certain way that I thought would be very lucrative and significant. His answer was that there was no point, he made thousands of dollars a month with very little effort, and he was more interested in refining his existing work through improved C2 communications as opposed to what I had been suggesting (academically, I never supported that work).

The title's a bit clickbaity too of course. The end is more reasoned:

> However, I think the final explanation is most likely. Whoever developed the code was probably in a hurry and decided using more advanced hiding techniques wasn’t worth the development/testing cost.

Yes, naturally that is exactly what happened. There is no question at all that the NSA has people capable of doing more advanced work, they just really don't have to.

https://www.youtube.com/watch?v=bDJb8WOJYdA

Rob Joyce gives a great talk about his work on TAO. The short version is that TAO doesn't have to do anything crazy, they just have to know who their target is and spend the time figuring out the environment they'll be working in - then they meet the bar that's beyond what that environment is capable of handling.

Homomorphic encryption is gonna be pretty overkill. Then again, the NSA also leveraged the first publicly known attack that used an MD5 collision, which probably cost quite a bit of money, so they can flex when they decide it's worth it.


> It’s not surprising that a small independent consultant

He also co-developed the content protection system for Blu-ray and was a FreeBSD committer.

Judge the words, not the person.


I agree, if something worked, then it was exactly as sophisticated / obfuscated as it needed to be.


Well, I thought it was pretty impressive. Maybe I’m just a rube though.

Also, with this encryption based approach, at some point the code needs to run on the systems it targets. So if someone is affected by your payload, by definition they can observe a key that unlocks the payload.
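The "secure trigger" comment above lists two failure modes (a single wrong parameter means the payload never runs; a small parameter space means an analyst can brute-force it), and the comment just above adds a third: whoever is actually hit can read the unlocking parameters off their own machine. The following is an added example, not code from the original post, the blog, or Stuxnet itself, showing what such an environmentally keyed payload looks like and why all three observations hold. The parameter names and values (`plc_vendor_id`, `frequency_converter_hz`, `step7_project_name`) and the payload bytes are constructed for the demonstration and are not Stuxnet's real target checks. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen to keep the example dependency-free; it is not the construction Gauss or any real implant used.

```python
import hashlib
import hmac

# Constructed target fingerprint: hypothetical parameter names and values an
# implant might read from its host. These are NOT Stuxnet's real checks.
TARGET_ENV = {
    "plc_vendor_id": "0x002A",
    "frequency_converter_hz": "1064",
    "step7_project_name": "CASCADE_A26",
}

# Constructed stand-in for the payload that should only decrypt on the target.
PAYLOAD = b"<constructed PLC payload bytes>"

TAG_LEN = 16


def derive_key(env, salt=b"trigger-v1"):
    """Hash the host's parameters, in canonical order, into a 32-byte key.

    The implant ships only this derivation, never the key, so an analyst
    without the exact parameter values cannot decrypt the payload.
    """
    canonical = "|".join(f"{k}={env[k]}" for k in sorted(env)).encode()
    return hashlib.pbkdf2_hmac("sha256", canonical, salt, 1000)


def _subkey(key, label):
    """Separate encryption and MAC keys derived from the trigger key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, n):
    """HMAC-SHA256 in counter mode: n bytes to XOR against the message."""
    blocks = (hmac.new(key, c.to_bytes(8, "big"), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(payload, env):
    """Encrypt-then-MAC the payload under the key derived from env."""
    key = derive_key(env)
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, len(payload))))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def try_open(blob, env):
    """Return the payload if this host's parameters unlock it, else None.

    A wrong value for even one parameter fails the MAC check: this is the
    'single parameter not correct, payload never executed' failure mode.
    Conversely, the real target always has the right values, so the victim
    (or a defender imaging the victim's machine) can always open it too.
    """
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    key = derive_key(env)
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def brute_force(blob, known_env, unknown_param, candidates):
    """Analyst's side: every parameter is known except one low-entropy one.

    Tries each candidate value and returns (value, payload) on the first hit,
    or None. This is the second failure mode: a parameter space small enough
    to be reliable on the target is also small enough to search offline.
    """
    for value in candidates:
        guess = dict(known_env, **{unknown_param: value})
        payload = try_open(blob, guess)
        if payload is not None:
            return value, payload
    return None


# The blob an implant would carry: ciphertext plus tag, no key.
SEALED = seal(PAYLOAD, TARGET_ENV)

if __name__ == "__main__":
    print("on target:", try_open(SEALED, TARGET_ENV))
    off_by_one = dict(TARGET_ENV, frequency_converter_hz="1065")
    print("one parameter off:", try_open(SEALED, off_by_one))
    hit = brute_force(SEALED, TARGET_ENV, "frequency_converter_hz",
                      (str(hz) for hz in range(900, 1200)))
    print("analyst brute-forcing the frequency:", hit)
```

Running it shows the tension the comment describes: the payload opens only on the exact fingerprint, a one-unit change in any parameter yields `None`, and an analyst who knows the other parameters recovers both the missing value and the plaintext by trying a few hundred candidates. Widening the parameter set raises the brute-force cost but also raises the odds that the real target differs in some detail from the assumed fingerprint, in which case the operation silently does nothing.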



