[FoRK] SANS NewsBites Vol. 14 Num. 44 : FLASH: President Obama (and predecessor) ordered Stuxnet and campaign of cyber attacks against Iran's nuclear program
Stephen D. Williams
sdw at lig.net
Fri Jun 1 13:13:39 PDT 2012
-----BEGIN PGP SIGNED MESSAGE-----
FLASH: The New York Times reported this morning that President Obama
(and his predecessor) ordered a sophisticated campaign of cyberattacks
against Iran's nuclear program, and has either attacked or considered
attacking networks in China, Syria, and North Korea as well. Because
the publication of this story is likely to herald substantive and
far-ranging changes in the way cybersecurity is managed in the US and
in many other countries, we have included an analysis by Gautham Nagesh.
Under normal circumstances, his thoughtful, in-depth analyses are
available only to paid subscribers to CQ Roll Call "Executive Briefing
on Technology." This is an abnormal circumstance. There is great value
in the security community understanding that the game has changed, and
what it means.
PS Another very valuable piece of cybersecurity reporting will appear
on the front page of the Washington Post on Sunday or Monday and then
be discussed on National Public Radio (the Diane Rehm show) on Monday
TOP OF THE NEWS
--President Obama Ordered Stuxnet and More Attacks on Iran
(June 1, 2012)
(By Gautham Nagesh, CQ Executive Briefing on Technology)
The New York Times has a bombshell this morning: President Obama began
ordering cyberattacks on Iran within days of taking office. The story,
which is a must-read, finally confirms what many cybersecurity experts
have suspected: the Stuxnet worm, which disabled industrial equipment
in Iran and Europe, was originally designed by Israel and the U.S. to
slow down Iran's nuclear enrichment plant. The virus' escape from Iran's
Natanz plant and subsequent discovery in Germany in 2010 was a mistake
that U.S. authorities blamed on Israel. Former CIA chief Michael Hayden
also acknowledged to the Times that Stuxnet is the first major
cyberattack intended to cause physical destruction (to Iranian
centrifuges). "Somebody crossed the Rubicon," he said.
The article includes a history of the classified cyberweapons program,
dubbed "Olympic Games," which began under President Bush, and includes
details of how President Obama decided that digital attacks were
preferable to a potential military conflict between Iran and Israel. But
the bottom line is that President Obama (and his predecessor) ordered a
sophisticated campaign of cyberattacks against Iran's nuclear program,
and has either attacked or considered attacking networks in China,
Syria, and North Korea as well. The Obama administration previously
acknowledged that it might respond to cyberattacks with physical force,
but the report makes it clear that even as the U.S. was making those
threats, it was perpetrating cyberattacks on the very nations it accuses
of targeting its networks.
In doing so, the White House has seemingly opened a Pandora's box.
Administration officials have placed a greater emphasis on cybersecurity
and the threat to our nation's networks that any previous
administration, doubtless because they had first-hand knowledge of just
how much damage sophisticated cyberattacks are capable of causing. Those
officials might have also feared reprisals from nations that were
targeted by Stuxnet and other digital attacks from the U.S. The
revelation also sheds some light on the Pentagon's reluctance to outline
its cyberwarfare policies in detail, since doing so might have involved
disclosing to Congress that the U.S. already was fully engaged in online
Having taken such an aggressive stance on deploying Stuxnet, it will be
very difficult for the U.S. to keep casting itself as the innocent
victim of unprovoked attacks by countries looking to steal our economic
and military secrets. Today's report makes it clear that the White House
long ago decided to embrace digital warfare, and puts the onus squarely
back on the administration to clearly explain its rules of engagement
online. But the greatest impact may be internationally, where hostile
nations now have confirmation the U.S. could be targeting their
networks. If hackers in those countries weren't already attempting to
take down U.S. critical infrastructure, they probably are now.
> Then the N.S.A. and a secret Israeli unit respected by American intelligence officials for its cyberskills set to work developing
> the enormously complex computer worm that would become the attacker from within.
> The unusually tight collaboration with Israel was driven by two imperatives. Israel’s Unit 8200, a part of its military, had
> technical expertise that rivaled the N.S.A.’s, and the Israelis had deep intelligence about operations at Natanz that would be
> vital to making the cyberattack a success. But American officials had another interest, to dissuade the Israelis from carrying out
> their own pre-emptive strike against the Iranian nuclear facilities. To do that, the Israelis would have to be convinced that the
> new line of attack was working. The only way to convince them, several officials said in interviews, was to have them deeply
> involved in every aspect of the program.
> Soon the two countries had developed a complex worm that the Americans called “the bug.” But the bug needed to be tested. So,
> under enormous secrecy, the United States began building replicas of Iran’s P-1 centrifuges, an aging, unreliable design that Iran
> purchased from Abdul Qadeer Khan, the Pakistani nuclear chief who had begun selling fuel-making technology on the black market.
> Fortunately for the United States, it already owned some P-1s, thanks to the Libyan dictator, Col. Muammar el-Qaddafi.
> When Colonel Qaddafi gave up his nuclear weapons program in 2003, he turned over the centrifuges he had bought from the Pakistani
> nuclear ring, and they were placed in storage at a weapons laboratory in Tennessee. The military and intelligence officials
> overseeing Olympic Games borrowed some for what they termed “destructive testing,” essentially building a virtual replica of
> Natanz, but spreading the test over several of the Energy Department’s national laboratories to keep even the most trusted nuclear
> workers from figuring out what was afoot.
> Those first small-scale tests were surprisingly successful: the bug invaded the computers, lurking for days or weeks, before
> sending instructions to speed them up or slow them down so suddenly that their delicate parts, spinning at supersonic speeds,
> self-destructed. After several false starts, it worked. One day, toward the end of Mr. Bush’s term, the rubble of a centrifuge was
> spread out on the conference table in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared
> ready to test against the real target: Iran’s underground enrichment plant.
> “Previous cyberattacks had effects limited to other computers,” Michael V. Hayden, the former chief of the C.I.A., said, declining
> to describe what he knew of these attacks when he was in office. “This is the first attack of a major nature in which a
> cyberattack was used to effect physical destruction,” rather than just slow another computer, or hack into it to steal data.
> “Somebody crossed the Rubicon,” he said.
> Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers,
> maintenance workers and others — both spies and unwitting accomplices — with physical access to the plant. “That was our holy
> grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the
> thumb drive in their hand.”
> But by the time Mr. Bush left office, no wholesale destruction had been accomplished. Meeting with Mr. Obama in the White House
> days before his inauguration, Mr. Bush urged him to preserve two classified programs, Olympic Games and the drone program in
> Pakistan. Mr. Obama took Mr. Bush’s advice.
> *The Stuxnet Surprise*
> Mr. Obama came to office with an interest in cyberissues, but he had discussed them during the campaign mostly in terms of threats
> to personal privacy and the risks to infrastructure like the electrical grid and the air traffic control system. He commissioned a
> major study on how to improve America’s defenses and announced it with great fanfare in the East Room.
> What he did not say then was that he was also learning the arts of cyberwar
> <http://topics.nytimes.com/top/reference/timestopics/subjects/c/cyberwarfare/index.html?inline=nyt-classifier>. The architects of
> Olympic Games would meet him in the Situation Room, often with what they called the “horse blanket,” a giant foldout schematic
> diagram of Iran’s nuclear production facilities. Mr. Obama authorized the attacks to continue, and every few weeks — certainly
> after a major attack — he would get updates and authorize the next step. Sometimes it was a strike riskier and bolder than what
> had been tried previously.
> “From his first days in office, he was deep into every step in slowing the Iranian program — the diplomacy, the sanctions, every
> major decision,” a senior administration official said. “And it’s safe to say that whatever other activity might have been under
> way was no exception to that rule.”
--Pentagon's Plan X Aims to Develop Robust Cyberwarfare Capabilities
(May 30, 2012)
The Pentagon's Defense Advanced Research Projects Agency (DARPA) is
launching a five-year, US $110 million research program dubbed Plan X.
DARPA is seeking input from private sector organizations, universities,
and computer game companies in its effort to develop improved
cyberwarfare capabilities. Goals include creating a comprehensive map
of cyberspace that is updated continuously, developing an operating
system strong enough to launch cyber attacks and withstand
counterattacks, and creating systems that allow commanders to launch
--US Legislators Poised to Reauthorize FISA Amendments Act
(May 31, 2012)
US legislators appear to be ready to reauthorize the FISA Amendments
Act, which grants the government authority to conduct warrantless
surveillance on American citizens. The law allows the government to
eavesdrop on phone calls and email correspondence of Americans as long
as one of the parties in the conversation is outside the US. The FISA
Amendments Act requires the Foreign Intelligence Surveillance Act Court
to give blanket approval to electronic surveillance requests. The target
of the surveillance does not have to be identified, and the surveillance
can begin up to a week before the request is made. The FISA Court
rulings are not public. Some US legislators did say that intelligence
agencies need to be more accountable for how they are using the
--Backdoor in Privacy Tool Sparks Concern Over Cyber Surveillance in Iran
(May 30, 2012)
Versions of a privacy tool called Simurgh that contain backdoor
components have been detected on filesharing sites in Iran, leading to
speculation that the government could be using the software to spy on
its citizens. Simurgh, a proxy tool, is widely used in Iran to evade
censorship technology that the government has put in place. Simurgh in
its original form is standalone software that can be run from a USB
stick. The version with the backdoor must be installed on PCs. It has
the capacity to log users' keystrokes and gather information about which
sites they visit. The harvested data are sent to US-based servers that
are registered to a Saudi Arabian organization. Because both versions
of the software connect with a page that confirms the use of a proxy,
the developers are using the opportunity to warn users whose versions
appear to be infected.
[Editor's Note (Ullrich): Hashes are good. Even better to have the
software digitally signed. If you are publishing software, and you are
not offering signatures, you are putting your customers (and with that
your reputation) at risk.]
--White House Anti-Botnet Effort
(May 29 & 30, 2012)
The US government is planning to take a number of steps in an effort to
fight botnets. The coordinated efforts will be undertaken by the
Departments of Commerce and Homeland Security, the White House
Cybersecurity Office, and the Industry Botnet group, a coalition of
private organizations. Plans include increased sharing of information
about botnets among government agencies and private organizations and a
campaign to educate consumers about botnets.
[Editor's Note (Ullrich): The US Govt. might consider just declaring
Wednesday "Botnet Day". Appears these efforts spring up about once a
--Pentagon to Issue New Social Media Policy for DoD Employees
(May 25 & 29, 2012)
A new policy to be used by the Pentagon will require troops to hide
certain identifying information on social media sites. There have been
reports that hackers could gather sensitive information, including
military unit location, from some social media posts. The new policy
comes in the wake of an attack on a dating site that compromised the
personal information of military users. The new policy will require that
DoD employees "use non-mission related contact information ... to
establish personal accounts."
[Editor's Note (Murray): We call this "operational security," OPSEC for
short. OPSEC policy must be implemented with training.
More information about the FoRK