1 2 3 5

The Curious Case of Stuxnet and North Korea: Why the News-Dumped Confession?

Map, NK's proliferation trading partners (see PBS' Frontline: Kim's Nuclear Gamble)

Map, NK’s proliferation trading partners (see PBS’ Frontline: Kim’s Nuclear Gamble)

In news dump territory — 2:59 p.m. on a Friday afternoon following this last Memorial Day, to be exact — Reuters published an EXCLUSIVE story in which anonymous sources claimed the U.S. launched a cyber attack on North Korea using a modified version of Stuxnet.

This is hardly news. It’s rather a confirmation by an anonymous source, likely a government official, of the Stuxnet program’s wider aims. This was discussed here at emptywheel in 2013.

Far too much of North Korea’s nuclear energy development program looked like Iran’s for Stuxnet not to be a viable counter-proliferation tool if North Korea had succeeded with uranium enrichment.

And far too much information had been shared in tandem between North Korea, Iran, and Syria on nuclear energy and missile development (see image), for Stuxnet not to have a broader range of targets than Iran’s Natanz facility.

Let’s assume folks are savvy enough to know the Stuxnet program had more than Iran in its sights.

Why, dear “people familiar with the covert campaign,” was the confirmation to Reuters now — meaning, years after the likely attempt, and years after Stuxnet was discovered in the wild?

And how convenient this confession, five days before Kaspersky Lab revealed the existence of Duqu 2.0? Did someone “familiar with the covert campaign” believe the admission would be lost in Duqu-related news?

With the confession, though, begins a volley of exchanges:

  • North Korea has now shut down uncensored 3G wireless service to foreigners, likely in response to this confession. While most Americans were still basking in the slow pace of the national holiday week to the exclusion of foreign policy news, North Korea was certainly paying attention.
  • But NK also has a second reason for shutting down wireless. They may be anticipating increased numbers of foreign aid workers delivering foodstuffs, given their remarkable admission that their country is suffering from the worst drought in 100 years.
  • While not absolute proof that NK has halted their nuclear development, recent satellite imagery shows signs of construction but a reactor not in full operation. The publication of such observation hints broadly to NK’s leadership that the U.S. hasn’t given up on counter-proliferation.

It’s anybody’s guess what the next lob will look like, especially after NK’s foreign minister met with China for reasons believed connected to drought aid.

You can bet there will be some effort to exchange nuclear inspection access for trade and aid, as previously negotiated during Bill Clinton’s administration.


Cyber-spawn Duqu 2.0: Was Malware Infection ‘Patient Zero’ Mapped?

Cybersecurity_MerrillCollegeofJournalismKaspersky Lab reported this morning a next-generation version of Duqu malware infected the information security company’s network.

Duqu is a known reconnaissance malware. Its complexity suggests it was written by a nation-state. The malware appears closely affiliated with the cyber weapon malware Stuxnet.

WSJ reported this particular version may have been used to spy on the P5+1 talks with Iran on nuclear development. Dubbed ‘Duqu 2.0,’ the malware may have gathered audio, video, documents and communications from computers used by talk participants.

Ars Technica reported in depth on Kaspersky’s discovery of the malware and its attributes. What’s really remarkable in this iteration is its residence in memory. It only exists as a copy on a drive at the first point of infection in a network, and can be wiped remotely to destroy evidence of its occupation.

The infosec firm killed the malware in their networked devices by mimicking a power outage. They detached from their network suspect devices believed to contain an infecting copy.

Kaspersky’s Patient Zero was a non-technical employee in Asia. Duqu 2.0 wiped traces of its own insertion from the PC’s drive.

Neither WSJ or Ars Technica noted Kaspersky’s network must have been subject to a program like TREASUREMAP.

…Because the rest of the data remained intact on the PC and its security patches were fully up to date, researchers suspect the employee received a highly targeted spear phishing e-mail that led to a website containing a zero-day exploit. … (bold mine – source: Ars Technica)

How was a single non-technical point of contact in Asia identified as a target for an infected email? Continue reading

Why Is the Aramco Hack Considered a Significant NSA Milestone?

Screen Shot 2015-06-06 at 10.04.57 AMI’ve been puzzling over the list of “key SSO cyber milestone dates” released with the upstream 702 story the other day.

For the most part, it lists technical and legal milestones leading to expanded collection targeting cyber targets (which makes sense, given that’s what Special Source Operations does — collect data off switches). There’s the one redacted bullet (which, if it referred to an attack thwarted, might refer to this thwarted attack on a US defense contractor in December 2012).

But what is the August 2012 DDOS attack on Saudi Aramco doing on the list? And, for that matter, why is it referred to as a DDOS attack?

The attack was publicly described as a two-step hack targeted against both Aramco and Qatar’s gas industry which copy-catted an attack associated with the Flame attack on Iran. It is generally now described as Iranian retaliation for StuxNet. Though at the time, potential attribution ranged from hacktivists, a single hacker, or Aramco insiders. The Sony hack used tools related to the Shamoon attack.

Not long after the Aramco hack, the NSA expanded their Third Party SIGINT relationship to include the Saudi Interior Ministry (then led by close US ally Mohammed bin Nayef). The next month the Saudis (again, with MbN in the leader) prematurely renewed their Technical Cooperation Agreement with the US, adding a new cybersecurity component.

So regardless of how serious an attack it was (on that, too, accounts varied) it did have a significant effect on our role in cybersecurity in the Middle East, potentially with implications for SSO.

But unless SSO thwarted the attack — or at least alerted the Saudis in time to pull their computers offline — why would that be a significant milestone for SSO?


NSA’s Plans to Excuse Their Hacker Fuck-Ups: Blame Israel

Wired has a very fascinating interview with Edward Snowden. You should go read the whole thing, among other things, for the swell picture of Snowden posing with Michael Hayden at some black tie event in 2011.

But I wanted to point to this incident.

One day an intelligence officer told him that TAO—a division of NSA hackers—had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead—rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn’t know that the US government was responsible. (This is the first time the claim has been revealed.)

Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.

Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”

I assume — but am not certain — this was the outage in question. If so, the response is instructive. At least 3 US-based Internet security firms reported that Syria had brought down the Internet. Were they making stuff up, unable to determine what really happened, or just repeating something US officials told them?

I’m just as interested that — just 6 months after David Sanger’s reporting on how the Israelis let StuxNet escape…

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.

“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”

NSA’s hackers joked they might hide a major fuck-up by blaming Israel.

I’m sure that’s all just a coinkydink, though.

[UPDATED] Russian GPS-Alternative Satellites Went ‘Illegal/Failure’: Solar Storm Damage or Cyberwar in Space?


[Update at end of article.Rayne 6:45 pm EST]

Between 1030 and 0400 UTC last night or early morning, most of Russia’s GLONASS satellites reported “illegal” or “failure” status. As of this post, they do not appear to be back online.

GLONASS is the equivalent of GPS, an alternative global navigation satellite system (GNSS) launched and operated by Russian Aerospace Defense Forces (RADF). Apart from GPS, it is the only other GNSS with global capability.

It’s possible that the outage is related to either a new M-class solar storm — the start of which was reported about 48 hours ago — or recent X-class solar flare on March 29 at approximately 1700 UTC. The latter event caused a short-term radio blackout about one hour after the flare erupted.

But there is conjecture that GLONASS’ outage is human in origin and possibly deliberate. The absence of any reported outage news regarding GPS and other active satellite systems suggests this is quite possible, given the unlikelihood that technology used in GLONASS differs dramatically from that used in other satellite systems.

At least one observer mentioned that a monitoring system tripped at 21:00 UTC — 00:00 GLONASS system time. The odds of a natural event like a solar storm tripping at exactly top of the hour are ridiculously slim, especially since radiation ejected from the new M-class storm may not reach its peak effect on earth for another 24-48 hours.


It’s not clear whether the new GLONASS-M satellite launched March 24th may factor into this situation. There are no English language reports indicating the new satellite was anything but successful upon its release, making it unlikely its integration into the GLONASS network caused today’s outage.

If the outage is based in human activity, the problem may have been caused by:

— an accidental disabling here on earth, though RADF most likely has redundancies to prevent such a large outage;

— deliberate tampering here on earth, though with RADF as operator this seems quite unlikely; or

— deliberate tampering in space, either through scripts sent from earth, or technology installed with inherent flaws.

The last is most likely, and of either scripts sent from earth or the flawed technology scenarios, the former is more likely to cause a widespread outage.

However, if many or all the core operating systems on board the GLONASS satellites had been updated within the last four years – after the discovery of Stuxnet in the wild – it’s not impossible that both hardware and software were compromised with an infection. Nor is it impossible that the same infection was triggered into aggressive action from earth.

Which begs the question: are we in the middle of a cyberwar in space?


Sources report the GLONASS satellite network was back online noon-ish Russian time (UTC+4); the outage lasted approximately 11 hours. Unnamed source(s) said the outage was due to the upload of bad ephemeris data, the information used by the satellites to locate other satellites in space. An alleged system-wide update with bad data suggests RADF has serious problems with change management, though.

There is speculation the M-class solar storm, summarized at 1452 UTC as an “X-ray Event exceeded M5,” may have impacted GLONASS. However early feedback about radiation ejected by an M-class storm indicated the effects would not reach earth for 24-48 hours after the storm’s eruption.

Minority Report on Ukraine, or What’s Venezuela Got to Do with It?

I freely admit to being the oddest of the quadruplets in the Emptywheel sensory deprivation pool, producing the quirky minority report from time to time.

Which may explain the following graphic with regard to current geopolitical tensions.

[Source: Google Trends and Google Finance]

[Source: Google Trends and Google Finance]

 As you can see, not every trending burp in the news about either Venezuela or Ukraine produced a corresponding bump in the fossil fuel market. Some trend-inducing news may have nothing at all to do with energy. It’s quite possible I may not have captured other key businesses as some of them don’t trade publicly, or are don’t trade in a manner readily captured by Google Finance.

But there are a few interesting relationships between news and price spikes, enough to make one wonder what other values may spike with increased volatility in places like Venezuela (which has the largest oil and natural gas reserves in the western hemisphere), and Ukraine (which lies between the EU and the largest natural gas deposits in the world, and the world’s eighth largest oil reserves).

Of course there’s an additional link between these two disparate countries. Both of them have already seen similar upheavals in which the U.S. played a role — Ukraine’s 2004 Orange Revolution, and the 2002 attempted coup in Venezuela.

When someone made noise about an Afghan Muslim being a key locus of the latest unrest in Ukraine, I couldn’t help but think of the Trans-Afghanistan Pipeline for natural gas which has yet to be realized, primarily for a lack of adequate political will among nation-states with a vested interest in its success.

It also made me think of news reports from this past summer when Turkmenistan, sitting on the fourth largest natural gas reserves in the world, expressed a readiness to export gas to Europe. This would cut into Russia’s sales, but not for a few years, requiring continuation of existing relationships for the next three to five years. Note the pipelines, existing and planned on the following U.S. State Department map (date unclear, believed to be post-2006).*

Continue reading

Mirror, Mirror, on the Wall, Who’s the Hackiest of Them All?

ClapperHere are some excerpts from the Global Threats report pertaining to the cyber threat.

We assess that computer network exploitation and disruption activities such as denial-of-service attacks will continue.


… many countries are creating cyber defense institutions within their national security establishments. We estimate that several of these will likely be responsible for offensive cyber operations as well.


Critical infrastructure, particularly the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used in water management, oil and gas pipelines, electrical power distribution, and mass transit, provides an enticing target to malicious actors. Although newer architectures provide flexibility, functionality, and resilience, large segments of legacy architecture remain vulnerable to attack, which might cause significant economic or human impact.

It’s as if the intelligence community called up NSA and CyberCommand, asked what they had been working on, and then “assessed” that those targets presented threats going forward.

And while I expect that China commits what would be judged the largest number of hacks (in part because much of the information we steal right from the communication backbone they would have to hack to get), the inclusion of SCADA in the list of vulnerabilities is particularly rich, considering we are believed to have pioneered that kind of attack with StuxNet.

Again, I’m not denying these other entities hack (the unclassified version of the report left off Israel and France, as unclassified versions tend to do). Just that we continue to exhibit no awareness that some part of this threat amounts to our genie blowing back in our face.

Stuxnet and the Poisons that Open Your Eyes

Poison_EUstdimage-Wikipedia_200px_mod2Playwright August Strindberg wrote, “…There are poisons that blind you, and poisons that open your eyes.

We’ve been blinded for decades by complacency and stupidity, as well as our trust. Most Americans still naively believe that our government acts responsibly and effectively as a whole (though not necessarily its individual parts).

By effectively, I mean Americans believed their government would not deliberately launch a military attack that could affect civilians — including Americans — as collateral damage. Such a toll would be minimized substantively. Yesterday’s celebration related to the P5+1 interim agreement regarding Iran’s nuclear development program will lull most Americans into deeper complacency. The existing system worked, right?

But U.S. cyber warfare to date proves otherwise. The government has chosen to deliberately poison the digital waters so that all are contaminated, far beyond the intended initial target.

There’s very little chance of escaping the poison, either. The ubiquity of U.S. standards in hardware and software technology has ensured this. The entire framework — the stack of computing and communications from network to user applications — has been affected.

• Network: Communications pathways have been tapped, either to obtain specific content, or obtain a mirror copy of all content traveling through it. It matters not whether telecom network, or internal enterprise networks.

• Security Layer: Gatekeeping encryption has been undermined by backdoors and weakened standards, as well as security certificates offering handshake validation
between systems.

• Operating Systems: Backdoors have been obtained, knowingly or unknowingly on the part of OS developers, using vulnerabilities and design flaws. Not even Linux can be trusted at this point (Linux progenitor Linus Torvalds has not been smart enough to offer a dead man’s switch notification.)

• User Applications: Malware has embedded itself in applications, knowingly or unknowingly on the part of app developers.

End-to-end, top-to-bottom and back again, everything digital has been touched in one layer of the framework or another, under the guise of defending us against terrorism and cyber warfare.

Further, the government watchdogs entrusted to prevent or repair damage have become part and parcel of the problem, in such a way that they cannot effectively be seen to defend the public’s interests, whether those of individual citizens or corporations. The National Institute of Standards and Technology has overseen the establishment and implementation of weak encryption standards for example; it has also taken testimony [PDF] from computing and communications framework hardware and software providers, in essence hearing where the continued weak spots will be for future compromise.

The fox is watching the hen house, in other words, asking for testimony pointing out the weakest patches installed on the hen house door.

The dispersion of cyber poison was restricted only in the most cursory fashion.

Stuxnet’s key target appears to have been Iran’s Natanz nuclear facility, aiming at its SCADA equipment, but it spread far beyond and into the private sector as disclosed by Chevron. The only protection against it is the specificity of its end target, rendering the rest of the malware injected but inert. It’s still out there.

Duqu, a “sibling” cyber weapon, was intended for widespread distribution, its aims two-fold. It delivered attack payload capability, but it also delivered espionage capability.

• Ditto for Flame, yet another “sibling” cyber weapon, likewise intended for widespread distribution, with attack payload and espionage capability.

There could be more than these, waiting yet to be discovered.

In the case of both Duqu and Flame, there is a command-and-control network of servers still in operation, still communicating with instances of these two malware cyber weapons. The servers’ locations are global — yet another indicator of the planners’/developers’ intention that these weapons be dispersed widely.

Poison everything, everywhere.

But our eyes are open now. We can see the poisoners fingerprints on the work they’ve done, and the work they intend to do. Continue reading

You Were Warned: Cybersecurity Expert Edition — Now with Space Stations

Over the last handful of days breathless reports may have crossed your media streams about Stuxnet infecting the International Space Station.

The reports were conflations or misinterpretations of cybersecurity expert Eugene Kaspersky’s recent comments before the Australian Press Club in Canberra. Here’s an excerpt from his remarks, which you can enjoy in full in the video embedded above:

[26:03] “…[government] departments which are responsible for the national security for national defense, they’re scared to death. They don’t know what to do. They do understand the scenarios. They do understand it is possible to shut down power plants, power grids, space stations. They don’t know what to do. Uh, departments which are responsible for offense, they see it as an opportunity. They don’t understand that in cyberspace, everything you do is [a] boomerang. It will get back to you.

[26:39] Stuxnet, which was, I don’t know, if you believe American media, it was written, it was developed by American and Israel secret services, Stuxnet, against Iran to damage Iranian nuclear program. How many computers, how many enterprises were hit by Stuxnet in the United States, do you know? I don’t know, but many.

Last year for example, Chevron, they agreed that they were badly infected by Stuxnet. A friend of mine, work in Russian nuclear power plant, once during this Stuxnet time, sent a message that their nuclear plant network, which is disconnected from the internet, in Russia there’s all that this [cutting gestures, garbled], so the man sent the message that their internal network is badly infected with Stuxnet.

[27:50] Unfortunately these people who are responsible for offensive technologies, they recognize cyber weapons as an opportunity. And a third category of the politicians of the government, they don’t care. So there are three types of people: scared to death, opportunity, don’t care.”

He didn’t actually say the ISS was infected with Stuxnet; he only suggested it’s possible Stuxnet could infect devices on board. Malware infection has happened before when a Russian astronaut brought an infected device used on WinXP machines with her to the station.

But the Chevron example is accurate, and we’ll have to take the anecdote about a Russian nuclear power plant as fact. We don’t know how many facilities here in the U.S. or abroad have been infected and negatively impacted as only Chevron to date has openly admitted exposure. It’s not a stretch to assume Stuxnet could exist in every manner of facility using SCADA equipment combined with Windows PCs; even the air-gapped Russian nuclear plant, cut off from the internet as Kaspersky indicates, was infected.

The only thing that may have kept Stuxnet from inflicting damage upon infection is the specificity of the encrypted payload contained in the versions released in order to take out Iran’s Natanz nuclear facility. Were the payload(s) injected with modified code to adapt to their host environs, there surely would have been more obvious enterprise disruptions.

In other words, Stuxnet remains a ticking time bomb threatening energy and manufacturing production at a minimum, and other systems like those of the ISS at worst case. Continue reading

Under Keith Alexander’s Guard, America Can Be Plundered Like a Colony

Admittedly, Keith Alexander made things very easy on himself in this article on “Defending America in Cyberspace” by not mentioning the way DOD (or our ally, Israel) let StuxNet go free, not only exposing the attack on Iran, but also providing a map and code that others can use on us.

That reckless mistake and its potential consequences remains unmentioned, however, in the piece in which Alexander claims that his team has found and is implementing the magic formula for defending the country in cyberspace.

We have learned through two decades of trial and error that operationalizing our cyberdefenses by linking them to intelligence and information-assurance capabilities is not only the best but also the only viable response to growing threats.

We know how to defend the country, Alexander says. It involves creating security holes, then using them to find out who will attack us, all while living on the network and watching what private citizens are also doing.

But then Alexander utterly contradicts the claim that his team has found the successful formula by describing the sheer scale of successful attacks against the US, suggesting it rivals the plunder of the Mongols and the colonies (though curiously, not slavery).

Three times over the previous millennium, military revolutions allowed forces to conquer huge territories and forcibly transfer riches from losers to winners (namely, in the Mongol conquests of China, Russia and Baghdad; the Spanish conquests of the Americas; and the European empires in the nineteenth century). Remote cyberexploitation now facilitates the systematic pillaging of a rival state without military conquest and the ruin of the losing power. We have seen a staggering list of intrusions into major corporations in our communications, financial, information-technology, defense and natural-resource sectors. The intellectual property exfiltrated to date can be counted in the tens to hundreds of thousands of terabytes. We are witnessing another great shift of wealth by means of cybertheft, and this blunts our technological and innovative edge. Yet we can neither prevent major attacks nor stop wholesale theft of intellectual capital because we rely on architecture built for availability, functionality and ease of use—with security bolted on as an afterthought.

This repeats a claim he and others have made repeatedly, though after having been proven wrong about past claims about the scale of financial wealth transfer, he seems to have shifted to measuring the plunder that has occurred on his watch in terabytes, not dollars. Our country — which he has served in a key defense role for 8 years — has been plundered like a colony (I don’t buy this, mind you — I find the analogy downright offensive. But it is the argument he’s making).

In much of the rest of his paper, Alexander explains his future plans, which we should follow, he tells us, because he has been so successful that our country has been plundered like a colony.

I wonder. Might the most sane response to this paper be to, at a minimum, question what success looks like? At a minimum, might we discuss publicly some alternatives? And if being plundered like a colony is not our goal, perhaps we should consider whether what Alexander presents as the “only viable response” really is?

1 2 3 5
Emptywheel Twitterverse
It seems that widget parameters haven't been configured properly. Please make sure that you are using a valid twitter username or query, and that you have inserted the correct authentication keys. Detailed instructions are written on the widget settings page.
May 2016
« Apr