Side by Side: Timeline of NSA’s Communications Collection and Cyber Attacks

In all the reporting and subsequent hubbub about the National Security Agency's ongoing collection of communications, two things stood out as worthy of additional attention:

— Collection may have been focused on corporate metadata;

— The timing of NSA's access to communications/software/social media firms coincided with major cyber assault events, particularly the release of Stuxnet, Flame, and Duqu.

Let's compare the timelines side by side; keep in mind these are not complete.

Date | NSA/Business | Cyber Attacks
--- | --- | ---
11-SEP-2007 | Access to MSFT servers acquired |
15-NOV-2007 | | Stuxnet 0.5 discovered in wild
XX-DEC-2007 | | File name of Flame's main component observed
12-MAR-2008 | Access to Yahoo servers acquired |
All 2008 (into 2009) | | Adobe applications suffer 6+ security incidents throughout the year, including attacks on the Tibetan Government in Exile via Adobe products
11-JAN-2009 | | Stuxnet 0.5 "ends" calls home (command-and-control contact ceases)
14-JAN-2009 | Access to Google servers acquired |
Mid-2009 | | Operation Aurora attacks begin; dozens of large corporations later confirm they were targets
03-JUN-2009 | Access to Facebook servers acquired |
22-JUN-2009 | | Stuxnet version 1.001 compiled
04-JUL-2009 | | Stuxnet 0.5 terminates infection process
07-DEC-2009 | Access to PalTalk servers acquired |
XX-DEC-2009 | | Operation Aurora attacks continue through Dec 2009
12-JAN-2010 | | Google discloses existence of Operation Aurora; says attacks began in mid-December 2009
13-JAN-2010 | | Iranian physicist killed by motorcycle bomb
XX-FEB-2010 | | Flame operating in wild
10-MAR-2010 | | Stuxnet version 1.100 compiled
14-APR-2010 | | Stuxnet version 1.101 compiled
15-JUL-2010 | | Langner first hears about Stuxnet
19-SEP-2010 | | DHS, INL, US congressperson informed about threat posed by "Stuxnet-inspired malware"
24-SEP-2010 | Access to YouTube servers acquired |
29-NOV-2010 | | Iranian scientist killed by car bomb
06-FEB-2011 | Access to Skype servers acquired |
07-FEB-2011 | AOL announces agreement to buy HuffingtonPost |
31-MAR-2011 | Access to AOL servers acquired |
01-SEP-2011 | | Duqu worm discovered
XX-MAY-2012 | | Flame identified
08-JUN-2012 | | On or about this date, "suicide" command issued to Flame-infected machines
24-JUN-2012 | | Stuxnet versions 1.x terminate infection processes
XX-OCT-2012 | Access to Apple servers acquired (exact date NA) |

Again, this is not everything that could be added about Stuxnet, Flame, and Duqu, nor is it everything related to the NSA’s communications collection processes. Feel free to share in comments any observations or additional data points that might be of interest.

Please also note the two deaths in 2010; Stuxnet and its sibling applications were not the only efforts made to halt nuclear proliferation in Iran. These two events cast a different light on the surrounding cyber attacks.

Lastly, file this under “dog not barking”:

Why aren’t any large corporations making a substantive case to their customers that they are offended by the NSA’s breach of their private communications through their communications providers?


DiFi Admits She Okayed Unleashing 21st Century WMD with Inadequate Details

The reason Dianne Feinstein is so torqued about the StuxNet story, according to this SFChron piece, is that she learned things from it that she didn't know as a Gang of Four member.

Feinstein declared, “This has to stop. When people say they don’t want to work with the United States because they can’t trust us to keep a secret, that’s serious.”

A week later, Feinstein is more than halfway through New York Times reporter David E. Sanger’s book, “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.” She told me Wednesday, “You learn more from the book than I did as chairman of the intelligence committee, and that’s very disturbing to me.”

Now, as a threshold matter, I think DiFi and others are underestimating how much our foreign partners are leaking on these stories: not only did foreign sources serve as early confirmation on UndieBomb 2.0, but the Saudis and Yemenis exposed the last infiltrator the Saudis put into AQAP. And as for StuxNet, the Israelis are now complaining that Sanger didn't give them enough credit.

The Israeli officials actually told me a different version. They said that it was Israeli intelligence that began, a few years earlier, a cyberspace campaign to damage and slow down Iran’s nuclear intentions. And only later they managed to convince the USA to consider a joint operation — which, at the time, was unheard of. Even friendly nations are hesitant to share their technological and intelligence resources against a common enemy.

Plus, if and when Israel bombs Iran and has to deal with the retaliation, I can assure you the Israelis will be happy to work with us.

And there’s a far bigger problem here. DiFi was not a Gang of Four member when this program started under Bush (Jay Rockefeller would have been the Democrat from the Senate Intelligence Committee). But she seems to say she got what passed for briefing on StuxNet.

Yet she’s learning new details from Sanger.

StuxNet is, both because it can be reused by non-state actors and because of the ubiquity of the PLCs it affected, the 21st Century version of a WMD. And all that's before we learned Flame was hijacking Microsoft's Windows Update mechanism with a forged Microsoft-signed certificate.

Now from the sounds of things, DiFi never had the opportunity to authorize letting StuxNet free; the Israelis don’t have to brief the Gang of Four. But the possibility StuxNet would break free on its own always existed. One reason we have Congressional overseers is to counterbalance spooks whose enthusiasm for an op might cloud any judgment about the wisdom of pursuing that op.

The US, in partnership with Israel, released a WMD to anyone who could make use of it. And the people in charge of overseeing such activities got fewer details about the WMD than you could put in a long-form newspaper article.

And DiFi thinks there’s too little secrecy?