
War on the Internet: the chapter discussing, among other things, the Stuxnet worm, from Ran Levy's new book "Battle of the Minds"

The book was published by Keter. "The real-world implications of Stuxnet are beyond any threat we've encountered in the past. Despite the exciting challenge of analyzing the worm and uncovering its targets, Stuxnet is the kind of threat we hope we never see again," Symantec says.

The cover of the book "Battle of the Minds" by Ran Levy, Keter Publishing, 2013

"The first rule of computer security: Don't buy a computer. The second rule: if you bought a computer, don't turn it on."
(The words of the "Dark Avenger", one of the most sophisticated virus writers in history)

Battle of the Minds
The Malicious History of Computer Viruses
Ran Levy

Editing: Rami Rothholz; Cover illustration and design: Elad Argaman/David and Yosef Studio; 381 pages; NIS 98; Keter

It turns out that the history of computer viruses is almost as old as that of computers themselves. In just thirty years, computer viruses have transformed from harmless entertainment into powerful malware that poses a tangible threat to the safety of Internet users, business organizations, and entire countries.

Battle of the Minds, written in accessible language and based on countless interviews the author conducted with the protagonists of the world's most fascinating virus cases, tells, among other things, about a young student who shut down the entire Internet for two days, about a 13-year-old boy who defeated a world-renowned security expert, about the "Trojan horse" affair in Israel and about the fascinating clues hidden inside "Stuxnet", the worm that attacked the Iranian reactor.

Ran Levy, author of "Perpetuum Mobile" (Maariv Library) and "The Little University of Science" (Gordon) and host of the Internet program "Making History", takes readers on an entertaining, fascinating and disturbing journey through the global history of malware.

Chapter 9: Online War

"The real-world implications of Stuxnet are beyond any threat we've encountered in the past. Despite the exciting challenge of analyzing the worm and uncovering its targets, Stuxnet is the kind of threat we hope we never see again."
From a report published by Symantec on Stuxnet

The rise of computer communication networks has affected many areas of our lives, including, as might be expected, wars and armies.

As we have seen, the Internet had its roots in developments made for the US military. This is an accepted route for many technologies: theoretical work in academia, initial adoption for military uses, and finally spillover and spread to the civilian world. But as far as communication networks are concerned, the influence of the Internet on our culture and our ways of life was so profound and so fast that most of the armies in the world discovered to their surprise that they were being dragged against their will into the new world of viruses, spies, Trojan horses and other electronic pests - without them really being ready for it.

One of the most pressing and difficult problems that heads of state and generals all over the world are currently struggling with is the question of protecting essential national infrastructures from attack via the Internet - "Cyberwarfare". In a broad definition, national infrastructure is the physical or organizational structures necessary to manage normal life in the country. The water supply network is an example of physical infrastructure. The banking system is an example of an organizational infrastructure. It is hard to imagine modern life in a country without drinking water or valid means of payment and commerce.
Until a few decades ago, the only way to disrupt a rival country's water supply was to actually invade it or bomb its water facilities from the air. Today, when the control of the water supply systems in most advanced countries is done remotely, through sophisticated computer networks, a new reality has emerged: by malicious means such as those we learned about in the previous chapters, these systems can be taken over from anywhere on earth, and control also means the ability to close the taps (in the case of water supply), delete critical databases or bring down the power supply network.
Computer security experts have been raising these concerns for a long time, but the first to feel the threat inherent in cyberwarfare were actually the residents of a pastoral district in eastern Australia. More precisely, they smelled it.

The sewage is in our hands

Maroochy Shire is one of Australia's most coveted areas - a beautiful rural area and a center of attraction for nature-loving tourists. The local sewage system handles 35 million liters of sewage every day: 142 sewage pumps are scattered throughout the area, and they are controlled by a control system that collects data from all the pumps and monitors their activity. Such a system is known in the industrial world as SCADA, which stands for Supervisory Control and Data Acquisition.
Vitek Boden was supervising the pumps on behalf of Hunter Watertech, the company that installed the control system. Vitek, a man in his 40s, was employed by the company for two years until he resigned at the end of 1999 following some conflict with his managers. After leaving his job, he turned to the district council, which is responsible for the sewage system, and offered them his services as an inspector. The council refused.

Immediately afterwards, the sewage system of Maroochy Shire began to suffer from a series of mysterious and senseless malfunctions. Perfectly good sewage pumps stopped working. Alarms that were supposed to warn of malfunctions went silent. The sewage overflowed, and about 800,000 liters of it flooded large areas. Nature reserves were destroyed, streams turned black and all the fish in them were wiped out, and the residents suffered terrible odors for weeks.
Hunter Watertech personnel were called in to investigate, and were unable to find the source of the malfunctions. Again and again they came to pumps that had failed, and found new, working equipment that had simply stopped by itself. All the locks on the communication equipment cabinets at the pumps were in place, and no one had broken into the cabinets.
The mysterious failures repeated themselves about 20 times, before the Hunter people began to suspect that someone was "playing" their system. Monitoring the network traffic showed them that the malicious commands came, so to speak, from pumping station #14 - a pumping station that did not exist in reality.
Suspicion naturally fell on Vitek Boden. His conflict with Hunter and subsequent rejection by the local council provided an adequate motive for revenge, and his intimate knowledge of the intricacies of the SCADA system that monitored the sewage pumps gave him the ability to act on it. The police began tracking his movements, and soon the investigators noticed a regular pattern: every time Boden stopped his car on the side of the road near a pumping station, bad things happened in the sewage system. On April 23, 2000, a police officer approached Boden while he was sitting in his car and arrested him. A laptop computer with a pirated copy of the control software and a two-way radio transmitter were found in the vehicle. A deeper investigation revealed that Boden had penetrated the SCADA system through the wireless network that connected the various pumping stations.
Vitek Boden was sentenced to two years in prison, and the crime he committed became the focus of interest for many computer security experts around the world, who meticulously analyzed his actions. The sequence of events in the Boden case confirmed their predictions about the difficulty of dealing with an attack targeting industrial facilities. Many weeks passed before the people at Hunter began to suspect that this was not a technical fault but a malicious operation, and many more weeks until they discovered its origin. In such a long period of time, an attacker has countless opportunities to cause massive damage. Moreover, the control system for the sewage pumps was designed, like almost all control systems in the world, to meet engineering needs only. Security and protection against hacking were not top of mind for the designers, if they were thought about at all. This combination of poor security and a long window of opportunity is a hostile attacker's wet dream.

Cases like the one in Australia, and others that followed it, helped the authorities in many countries understand how vulnerable the control systems running their most vital infrastructures are: water, electricity, and so on. These systems were originally designed on the assumption that they are "closed", that is, that no one without authorization has access to them. But the reality of using computer networks out of convenience and economic considerations has turned this assumption upside down. The increasing use of civilian and commercial technologies, such as the "Windows" operating system, in sensitive industrial systems has weakened their security. Now the same troubles and problems that plagued the civilian computer world plagued them as well.

Defending against computer worm attacks. Illustration: shutterstock

Many countries around the world began taking steps to protect their sensitive infrastructure, and Israel was one of the first to do so, back in the late 2012s. The body responsible for the security of critical information infrastructures in Israel is the National Information Security Authority (RAM) of the General Security Service (Shin Bet), together with Tehila (responsible for the security of government systems) and the IDF ICT and intelligence divisions, which are responsible for the security and military information infrastructures. In 2010, a National Cyber Headquarters was established, directly subordinate to the Prime Minister, whose role is to recommend to the government policies and activities in the field of cyber warfare for the State of Israel. In the United States, too, a "Cyber Command", or USCYBERCOM, was established, and in XNUMX several senators submitted a bill that would give the American president extensive powers over Internet entities and companies during an attack on essential national infrastructures.

These frantic and energetic actions raise the obvious question: how serious is the threat to the sensitive infrastructures? In other words, what are the chances that the scary scenarios of collapsing electricity infrastructure, plummeting economic markets and exploding nuclear reactors will actually come true? Is all the financial and organizational investment in protecting against attacks through the network really necessary, or maybe it is just a fear that has no real basis in reality?

A surgical worm

Many anti-virus companies publish on their websites the latest news about interesting viruses discovered in their laboratories, fresh spam scams and the like. On July 10, 2010, Belarus-based VirusBlokAda released such a routine update.

"Warning about malware exploiting a new vulnerability to spread:
[…] VirusBlokAda experts discovered it on June 17, 2010 […] and upon testing it turned out that the virus is transmitted via USB storage devices. […] This malware is extremely dangerous because it is capable of infecting many computers and creating a new epidemic.”
Updates and Products, www.virusblokada.ru, July 10, 2010

Despite the threatening tone, such messages are commonplace in the antivirus industry, and malware delivered via portable USB sticks (or "disk-on-keys") is nothing new.
The only interesting detail in the message was the report of a new "weakness" (software fault) discovered in "Windows", which allowed the virus to take over the computer. Every weakness discovered in software is like a new door through which future viruses can infiltrate the computer, and since Windows is installed on billions of computers around the world, these are many doors... Security companies around the world began analyzing the new threat, and for several weeks the main attention was directed at the new weakness, while the virus itself was pushed aside. As usually happens in such cases, other virus writers were quick to exploit the weakness in their own malware, while Microsoft hastily issued an emergency update to "Windows" to close the hole.
When the commotion around the new weakness died down, the researchers returned to focus on the virus itself, which, to be precise, is in fact a worm, and which was named "Stuxnet". The more the experts "dug" into its code, the more they realized that this was not "just another virus". Stuxnet was one of the most sophisticated viruses in history: a "virtual guided missile", designed with incredible care and professionalism.

The German company Siemens is one of the leading manufacturers of SCADA systems for controlling industrial processes. At the heart of many of its products is a component known as a PLC, or "Programmable Logic Controller".
Without going into the technical details, a programmable logic controller is a chip responsible for the proper operation of the systems it controls. It is able to receive data from external sensors and act accordingly. For example, if the water pressure measured in a certain pipe exceeds the permissible limit, the controller orders an external motor to close or open valves.
The greatness of the PLC lies in its great flexibility: it can be programmed easily and quickly and adapted to countless different industrial processes, from heat control in baking ovens to pressure regulation inside pipes carrying oil and gas. All that needs to be done is to connect the controller to a computer with a short cable, write a few uncomplicated lines of code using a program called Step 7 (also supplied by Siemens) and load the new code into the PLC. From then on the controller does its job without any human intervention.

Stuxnet was designed to penetrate and disrupt the operation of such a PLC controller, installed in a very specific industrial system.
When Stuxnet reaches a new computer, it checks whether the Step 7 software is installed on it. If so, it monitors its activity over time and tries to identify communication between it and a PLC of a certain model: the S7-300, also manufactured by Siemens.
If Stuxnet detects such communication, it seizes the opportunity and jumps through the communication cable to the PLC chip itself. Now it examines the identity of the components to which the chip is connected, and in particular looks for components made by two specific companies: "Vacon" from Finland and "Fararo Paya" from Iran. These components control the rotation speed of motors. Finally, Stuxnet measures the rotation speed of the motors themselves. It looks for motors rotating at a rate higher than 1,210 revolutions per second, or lower than 807 revolutions per second.
It is worth re-reading the previous paragraph to understand how specific and "surgical" Stuxnet's action is. Its whole purpose is to look for a computer with specific software on it, connected to a specific control system, containing a chip of a certain type, produced by specified manufacturers and rotating a motor at a certain speed range.

This highly deliberate precision surprised the researchers who examined the worm, and aroused their suspicion. Virus writers never make such considerable efforts to narrow the reach of their viruses; on the contrary, their interest is to affect as many computers as possible: attach them to their botnet, steal as many usernames and passwords for bank accounts as possible, and so on. There is no logic in designing such complex and complicated malicious software if there are only a few hundred computers in the entire world, if any, that meet all the above requirements. The logic behind Stuxnet became clear as day a few days later, when the identity of those hundreds of computers was established: the computers controlling the centrifuges for uranium enrichment in the Iranian nuclear program, in the city of Natanz.

"Enrichment" is an essential process on the way to creating nuclear fuel: it allows the radioactive uranium to support a chain reaction that releases a lot of energy. If the enrichment level is low, the nuclear fuel is suitable for reactors to produce electricity. If the enrichment level is high, it can also be used in atomic bombs.
One of the common methods of enrichment uses a gas centrifuge. In this method, the uranium is heated until it turns into a gas, then injected into a narrow container that spins rapidly (the centrifuge). When the uranium leaves the container, it is slightly more "enriched" than when it entered, and in order to reach a high degree of enrichment the gas must be passed through a long series (or "cascade") of identical centrifuges. Centrifuges are very sensitive to changes in their rotation speed: even a small change in rotation speed may damage the enrichment process, and a large change may even destroy the centrifuge itself.
And that was precisely the purpose of Stuxnet. After a certain waiting period, from a few hours to a few months depending on certain conditions, the worm began to change the spin speed of the centrifuges. First it increased it to 1,410 revolutions per second, then slowed it down to two revolutions per second, and finally brought it back to 1,064 revolutions per second. These speed changes were repeated over and over again over time.
Stuxnet managed to carry out its harmful action for many months before it was discovered, thanks to a sophisticated and first-of-its-kind camouflage mechanism. Stuxnet inserted itself between the Step 7 software and the PLC chip, so that every time the user tried to read the existing code on the chip or write new code to it, the worm would intercept the attempt and present the user with a semblance of "business as usual", like the orchestra playing on the deck of the Titanic to calm the guests while the ship slowly sank into the depths... This cloaking technique is called a rootkit, and it is quite common in the malware world, but this was the first time it had been used in conjunction with industrial PLC chips.
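As an added example (not code from the book or from any vendor), here is a small defender-side monitor in Python that turns the two descriptions above into detection rules: the normal 807 to 1,210 operating band of the targeted drives, and the 1,410 / 2 / 1,064 cycle the chapter attributes to Stuxnet. The log format, drive names and vendor labels are constructed for the example; speed values are in the units the chapter uses.

```python
import re
from dataclasses import dataclass

# Normal operating band for the targeted drives, as the chapter states it.
NORMAL_MIN = 807
NORMAL_MAX = 1210

# Constructed sample log (not real data): one speed command per line, as a
# SCADA historian might record commands sent to frequency converters.
SAMPLE_LOG = """\
2010-03-01T08:00:00 drive=FC-01 vendor=Vacon setpoint=1064
2010-03-01T08:05:00 drive=FC-01 vendor=Vacon setpoint=1066
2010-03-01T08:10:00 drive=FC-01 vendor=Vacon setpoint=1410
2010-03-01T08:25:00 drive=FC-01 vendor=Vacon setpoint=2
2010-03-01T08:30:00 drive=FC-01 vendor=Vacon setpoint=1064
2010-03-01T08:35:00 drive=FC-02 vendor=FararoPaya setpoint=1100
2010-03-01T08:40:00 drive=FC-02 vendor=FararoPaya setpoint=1410
2010-03-01T08:45:00 drive=FC-02 vendor=FararoPaya setpoint=2
2010-03-01T08:50:00 drive=FC-02 vendor=FararoPaya setpoint=1064
2010-03-01T08:55:00 drive=FC-03 vendor=Other setpoint=900
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) drive=(\S+) vendor=(\S+) setpoint=(\d+)$")


@dataclass
class Alert:
    drive: str
    timestamp: str
    kind: str
    value: int


def parse_log(log: str):
    """Yield (timestamp, drive, vendor, setpoint) per well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def out_of_band_alerts(log: str, lo: int = NORMAL_MIN, hi: int = NORMAL_MAX):
    """Rule 1: any single setpoint outside the normal operating band [lo, hi]."""
    return [
        Alert(drive, ts, "out_of_band", value)
        for ts, drive, _vendor, value in parse_log(log)
        if value < lo or value > hi
    ]


def attack_sequence_alerts(log: str, high: int = 1410, low: int = 2, reset: int = 1064):
    """Rule 2: three consecutive setpoints on one drive that follow high -> low -> reset.

    A per-drive window of the last three values is kept so that interleaved
    commands to other drives do not break the pattern match.
    """
    history = {}
    alerts = []
    for ts, drive, _vendor, value in parse_log(log):
        recent = history.setdefault(drive, [])
        recent.append(value)
        del recent[:-3]  # keep only the last three values for this drive
        if recent == [high, low, reset]:
            alerts.append(Alert(drive, ts, "stuxnet_like_cycle", value))
    return alerts


def summarize(log: str):
    """Map each drive that triggered a rule to the sorted list of rule names."""
    summary = {}
    for alert in out_of_band_alerts(log) + attack_sequence_alerts(log):
        summary.setdefault(alert.drive, set()).add(alert.kind)
    return {drive: sorted(kinds) for drive, kinds in summary.items()}


if __name__ == "__main__":
    for drive, kinds in summarize(SAMPLE_LOG).items():
        print(drive, kinds)
```

Rule 2 only sees commands that actually reach the historian; the rootkit described above is exactly why such records should come from an independent tap on the PLC link rather than from the engineering workstation's own view.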

Did Stuxnet harm Iran's nuclear efforts? It's hard to know. According to various reports, the Iranian nuclear program suffered from many delays in 2010, although it is unclear whether they were caused by the worm or for other reasons. Apparently, about a thousand centrifuges were replaced during that year following serious malfunctions. Leaked documents contained a reference to a possible nuclear accident that occurred in the first half of 2010. The president of Iran, Mahmoud Ahmadinejad, admitted that the worm caused "limited damage" to the centrifuges, although it is likely that the natural tendency of the authorities in Tehran in such a case would be to paint a picture that minimizes the damage caused.

The Iranian military nuclear program. Illustration: shutterstock

The psychological effect of the injury must also be added to the physical damages. Dealing with an invisible enemy is particularly difficult, also on the mental level, as it undermines confidence in technology and may cause mild paranoia. I can also testify to this from my personal experience. As part of the work on this book, I had to visit "dubious" websites and download many files from them that might also contain malware. My sensitivity to computer problems skyrocketed: suddenly every routine computer malfunction became a possible sign of a malicious attack... It is interesting to imagine how the self-confidence of the Iranian engineers was affected by the trauma of the attack.

***

When security researchers realized how sophisticated Stuxnet was and the identity of its victims, the burning question became, of course, who created it.
The general consensus among experts was that this was not the work of a teenage boy in a room with rock star posters on the walls, nor of a brilliant programmer who wrote the worm for the underworld for money. Stuxnet was designed and written by professionals: the evidence for this is circumstantial, but powerful nonetheless.

For example, in order to infiltrate a computer and take it over, Stuxnet took advantage of four security weaknesses in Windows that until then were not known to anyone. "Knowledge is power", as the saying goes, and in the underworld of virus writers there is a brisk trade in such weaknesses: the value of each of the four weaknesses exploited by Stuxnet ranges from tens to hundreds of thousands of dollars. No sane virus writer would exploit four unknown weaknesses at once in one worm. There is no logic in it: after all, one weakness is enough to do the job! From an economic point of view, it is obviously better to keep the other three weaknesses secret and exploit them in the future, or sell them on the black market. Stuxnet contained four unknown vulnerabilities because it was probably very important to someone to make sure it did its job, and they also estimated that they would get only one good chance to attack: after Stuxnet, the Iranians (or the other victims, if there were any) would have learned their lesson and be much more careful. From the nature of the attack, therefore, it can be concluded that its success, and not financial gain, was the decisive consideration in this case. The mere fact that someone made such great efforts to attack a target that has no real economic value is a good enough reason to assess that this is not criminal activity, but cyber warfare.

In a detailed report on Stuxnet published by the security company Symantec, it was suggested that the worm was written by a group of five to ten experienced programmers. The reason for this assessment is the rare combination of worm-related technologies, each of which requires a different type of expertise, such as experience programming PLC components. Different parts of the code, for example, were written in different programming languages, and at least some of the staff members (or their advisors) had to be intimately familiar with industrial production processes that a normal programmer would not normally have access to. This group of people could, in principle, be an organized crime gang, but in practice the signs indicate that they are probably part of a much wider intelligence and executive system.
For example, Stuxnet disguises itself as software files originating from two Taiwanese companies: Realtek and JMicron. These files contain a "digital signature", a sequence of encrypted digits, which indicate that the source of the files is indeed in the aforementioned companies, similar to a handwritten signature on a bank check that confirms that the check is valid and legitimate. The sequence of encrypted digits of the digital signature is highly confidential and sensitive information, and is (or should be) stored securely. Someone broke into the offices of Realtek and JMicron, stole the sequence of digits, and then used it to disguise Stuxnet as legitimate software. If this is indeed an accurate picture of the events, then this is another possible testimony to the operation of an intelligence organization with long international arms.

You don't need to be an expert in international relations to identify the immediate suspects in the attack on the Iranian centrifuge plant: the US and Israel have the motive and ability to design a sophisticated worm like Stuxnet. Both would have been happy to see the Iranian nuclear program delayed, and perhaps they are also responsible for the mysterious assassinations that took place at the same time of senior Iranian nuclear scientists.
But suspicions are one thing, solid evidence is another. No detail in Stuxnet's software code or its operation directly and clearly points to the involvement of the two countries. The worm's mysterious operators made sure to cover their tracks well. For example, one of the actions of the worm was to send data about the computers it infected to two websites:

www.mypremierfutbol.com
www.todaysfutbol.com

Both sites were hosted in Denmark and Malaysia, but this does not shed any light on the affair. Anyone can set up a website in almost any country they choose, and both websites were set up anonymously and without any identifying information about their owners.
Security researchers rummaging through the worm's code found some intriguing clues left there, perhaps by the programmers accidentally or on purpose. For example, the following line:

b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

Myrtus is the Latin name of the myrtle, a plant of the myrtle family. Guava is the guava fruit, which also belongs to the myrtle family, "hadas" in Hebrew. Hadassah, derived from the same word, is also the second name of Queen Esther, the wife of Ahasuerus, who was... the king of Persia, which is today's Iran.
Elsewhere in the code there is a reference to the number 19790509. If you look at this number as representing a date, it can be read as May 9, 1979. On that day, Habib Elghanian, an Iranian Jew, was executed by firing squad, and this event led to the emigration of tens of thousands of Jews from Iran to Israel. Were these clues left on purpose by the programmers? Security experts became botanists and amateur historians trying to decipher these bits of code.
But this poking around in the code, which is the geek equivalent of playing Led Zeppelin records backwards and finding clues to satanic cults, misses the point entirely. Even if Stuxnet had played "Let's go" through the announcement system of the centrifuge plant while it was destroying vital systems, this still would not convict anyone of the act. Anyone can easily embed in the code they write clues that point the finger of blame at one party or another.

In investigative articles in leading newspapers, such as the New York Times, it is claimed that Stuxnet is the result of Israeli-American cooperation, which began during the term of George Bush Jr. and continued even more strongly during the era of Barack Obama, as part of a military operation code-named "Olympic Games". Siemens, the Times claimed, cooperated with the US Department of Energy to identify vulnerabilities in its systems that would allow potential attackers to damage infrastructure, the same vulnerabilities that were apparently exploited by Stuxnet. It is also claimed that the worm was developed by Unit 8200 of Aman, the IDF intelligence directorate, and was tested on real centrifuges at the Dimona reactor. That is, if there is one. None of the countries agreed to confirm the press reports, of course.

We should get used to the idea that until someone stands up and admits to the act, we will probably never know who is behind the worm. There is no point in eagerly awaiting such an admission in the near future: a country that confirms its involvement exposes itself to lawsuits from countless parties all over the world. Although Stuxnet was designed to harm only computers with very clear and precise characteristics, it infected hundreds of thousands of computers around the world, from the United States to Indonesia. In almost all of them it remains completely dormant, but the mere penetration of someone else's computer is, as we have already seen in the previous chapters, a criminal act. In addition, from the moment the worm was revealed, its code also became available to elements of the underworld, who can change and adapt it relatively easily to damage civilian industrial plants for blackmail purposes. No country would want to take responsibility for such future consequences.

Stuxnet and its sisters

Spyware is nothing new. Criminal organizations routinely use such software to steal credit card information, passwords, and similar information. Computer espionage between countries has also existed for a long time. For example, in 2003 dozens of computer networks of the United States government, the military, defense companies and the space agency were hacked, in a series of coordinated attacks that were nicknamed "Titan Rain". An American investigation revealed that the source of the attack was in China. In March 2009, it was discovered that spyware had been planted in computers in dozens of embassies and foreign ministries of many countries all over the world, as well as in the headquarters of the Tibetan Dalai Lama. The control of the spy network, which was called GhostNet, was done from computers on the island of Hainan - where facilities of the Chinese intelligence are also located. Later that year, a series of hacks into the computers of important American software companies such as Google, Adobe and others was revealed, and in this case too, virtual fingerprints of the Chinese were discovered.
The disclosure of Stuxnet made waves in the world of information security and made headlines in all media. In the months and years that followed, attention continued to be directed to the Middle East region, and security researchers paid particular attention to malware discovered there. It soon became clear that Stuxnet was only the tip of the iceberg of a wider and more sophisticated cyber espionage operation than had been discovered until then.

On September 1, 2011, one year and three months after the initial discovery of Stuxnet, malicious software was discovered in Hungary that was capable of collecting a variety of information from the computer on which it was installed: screenshots, passwords, documents of various types, and more. The new spyware was named "Duqu" because the filenames it created on the infected computer always ended with ~DQ.
A few weeks later, when the experts analyzed the software in detail, they realized that it had been written by the same people who created Stuxnet. The evidence was irrefutable: Duqu and Stuxnet shared almost identical code. In fact, when the computers of the security company F-Secure scanned Duqu's files, they mistakenly reported it as a copy of Stuxnet, because of the great similarity between them.
The difference between the two programs lay in their final purpose. Stuxnet and Duqu were like two identical missiles with different warheads installed in their noses: Stuxnet's "payload" (in professional terminology) was code that allowed it to infiltrate the PLC chip and destroy the centrifuges, while Duqu's "warhead" contained code suited to spying and information gathering. Had Duqu's operators wished, they could easily have added to Duqu the ability to damage industrial control systems, delete files, or cause similar damage.

As with Stuxnet, Duqu's operators went to great lengths to protect their spy and disguise their identities. The victims, for example, were carefully chosen: Duqu was discovered on only about 50 computers around the world, most of them, not surprisingly, in Iran. It is likely that Duqu infected a much larger number of computers, but it is difficult to know for sure: Duqu deletes itself from the infected computer on its own after 36 days, leaving no traces.
The information collected by Duqu was encrypted and sent over the Internet to various computers around the world, from India to Germany. Each copy of Duqu had its own collection computer. The collection computers did not belong to the operators; they were innocent computers that had been hacked in advance and were used only as relay stations. The information that reached them was passed on, to an unknown destination.
On October 20, 2011, a little over a month after Duqu was discovered, the operators of the malware sent a "self-destruct" command to the collection computers. All the information on them that might indicate the identity of the people who had hacked them and operated the relay stations was thoroughly deleted. From the little information that could nevertheless be extracted from the collection computers, it appears that Duqu had been active since at least the end of 2009.

Six months later, in May 2012, a new link was discovered in the chain of malicious programs used against Iran as part of the cyber war being waged against it.
In April, several media outlets reported that the authority responsible for operating Iran's oil pumps had decided to disconnect all of its computers from the Internet following the discovery of malicious software that had infiltrated them. The identity of the malware was not revealed, but it was given the name "Wiper", apparently because it destroyed information on the infected computers. Iran requested the help of the Russian security company Kaspersky, as well as of experts from the Budapest University of Technology and Economics in Hungary. Kaspersky and the university team investigated the affair and netted a much bigger fish in the process: spyware so complex and sophisticated that the report submitted by the Budapest researchers states:

"…This is probably the most sophisticated malware we've come across. This may be the most sophisticated malware ever discovered."
Technical Report, CrySyS Lab, version 1.05, 31 May 2012

The new malware was named "Flame", as this word appeared several times in its code. It is difficult to determine with certainty whether Flame is also "Wiper", the malicious software that damaged the computers of the Iranian oil authority, although a connection between them is likely.
The connection between Flame and its two predecessors, Stuxnet and Duqu, was also not clear or self-evident. Flame, unlike Duqu, shared no code with Stuxnet and in fact differed from it in almost every detail: only painstaking analysis of the code revealed a few minor points of identity between Flame and Stuxnet. The only way to explain these overlaps is to assume that the people who created Flame had a close working relationship with the people who wrote Stuxnet and shared some information with them, perhaps two teams in the same department, each working on its own project.

Flame, like Duqu, was created to steal confidential information from the computers it infected, but its capabilities were more advanced and sophisticated. For example, Flame could identify devices in its vicinity that supported Bluetooth wireless communication, such as almost every smartphone today. If it discovered such a smartphone, it tried to "pull" from it the list of names and phone numbers stored on it. Flame was also able to evade every major commercial antivirus product on the market at the time. According to the testimony of the Iranians themselves, Flame was not detected by any of the 43 antivirus programs with which they tried to find it. Various experts estimate that it will take years to fully analyze Flame and uncover all its capabilities.
Copies of Flame were discovered on a thousand computers across the Middle East: the vast majority in Iran, but some also in Israel, the Palestinian Authority, Lebanon, Syria and elsewhere. Unlike Stuxnet, whose operators let it spread unchecked to any computer it could reach in an attempt to penetrate the uranium enrichment plant (which is also why copies of Stuxnet turned up on computers in other countries), Flame's infection was very selective. Flame infected a new computer only after removing itself from a previous one, thus keeping the total number of infected computers more or less constant. It is also evident that the targets chosen for infection were not random: Flame was found not only on the work computers of various organizations but also on the laptops and home computers of particular individuals.

As with Duqu, Flame's operators also decided to eliminate any possible evidence once their actions were exposed. On June 8, 2012, about two weeks after Flame was discovered, a self-destruct command was sent that caused all active copies of the malware to delete themselves from the computers on which they were installed.

***

At the beginning of the chapter I raised the question: is the fear of cyber warfare and of the threat to essential infrastructure justified, or does it have no realistic basis? Stuxnet, Duqu and Flame provide us with the answer: the fear is justified. The sophistication and complexity of these malicious programs demonstrate that when governments and militaries decide to invest money and trained personnel in the development of such cyber weapons, the protection provided by commercial antivirus software is not adequate at all. A nuclear power plant or a central bank that protects its computer networks with antivirus software available on the market may be able to cope with the malware of criminal organizations (and even then, as we have seen, with only partial success), but it is completely vulnerable to a military attack.

It can be expected that many more countries will join the current trend and develop their own cyber warfare capabilities. The inherent ambiguity of cyber warfare, and the fact that it is possible to harm the vital interests of another country without officially declaring war on it, are a distinct advantage, especially for relatively small and weak countries. If 30 years ago the only way to destroy a nuclear reactor was a daring and complex bombing raid that exposed the attacking country to a military counter-response, malware like Stuxnet makes it possible to achieve a similar effect with minimal risk. In the same way, running an intelligence network in an enemy country was always a sensitive matter, with the danger of death hanging over the spies. "Agent Duqu" and "Agent Flame" can be "killed" at any moment, and no one will complain...
