Friday, June 8, 2012

Are Stuxnet, Duqu and Flame government-made?

Olympic Games has been reported.
 According to the report, the computer virus "Stuxnet", which struck the uranium enrichment facility at Natanz in central Iran, was jointly developed by the United States and Israel; President Obama, who inherited the plan from the preceding Bush administration, approved the cyber attack, which rendered part of the centrifuges unusable.

Stuxnet
・2006: Began under the code name Olympic Games.
・As a countermeasure against an Israeli strike on Iran's nuclear facilities, the US NSA and Israel's Unit 8200 chose to jointly develop Stuxnet.
・Designed to modify the program of the Siemens PLCs used at Iran's nuclear plant and change the speed of the P-1 centrifuges. Has a self-replication capability.
・2008: The attack was small in scale.
 The centrifuges went out of control and 164 P-1 centrifuges were scrapped.
 Iran, unable to determine the cause, fell into confusion, dismissing staff and so on.
・2010: A Natanz engineer took an infected PC out of the facility; Stuxnet leaked outside and its existence was discovered.
 Stuxnet had a specification(?) to "stop functioning outside the nuclear facility", but a bug meant it did not behave as specified, which is said to be why it leaked.
 The bug was fixed later.
 President Obama considered halting the plan with Vice President Biden, Director Panetta (at the time) and others, but ultimately the attack continued.
・Large-scale attack
 US intelligence and Israel cooperated to spread the infection.
 They succeeded in temporarily rendering 1,000 of the 5,000 centrifuges unusable.
 Senior administration officials assess that the uranium enrichment program was delayed by one and a half to two years.
・January 2011: Reports suggesting joint development by the US and Israel at the Dimona nuclear facility in Israel's Negev desert.
・April 2011: Reports that an Israeli agent infected Iran's nuclear plant with Stuxnet using a USB memory stick.

Duqu
・Trojan-horse computer virus Duqu
・Shares part of its source code with Stuxnet

Flame
・Unrelated to Olympic Games.
・May 2012: Outbreak centered on the Middle East.
 Reported in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, Egypt and elsewhere.
・Has some 20 functions, including intercepting network traffic, saving screenshots, recording voice calls, exfiltrating keystrokes and saving information about nearby Bluetooth devices.
・Kaspersky Lab: because Flame's code is large and highly sophisticated, a government rather than a cybercrime group may be behind it.
・The Laboratory of Cryptography and System Security (CrySyS Lab) also infers that Flame is government-led malware.
・August 2010: first Flame case confirmed (Kaspersky Lab)
 2007: Flame appeared (CrySyS Lab)
・Infects via external devices such as USB memory sticks.
 Once inside, it communicates with a malware control (C&C) server and can add modules.
・Part of the code is written in Lua, a language normally used for games.

The nations named as capable of developing Flame were China, Russia, the US, the UK, Germany, France, Israel, Taiwan and others.

The joint US NSA / Israeli Unit 8200 virus development team started by building replicas of the P-1 centrifuges that Abdul Qadeer Khan had sold on the black market as nuclear fuel refining equipment and that Iran had bought; when Gaddafi abandoned his nuclear weapons program, the US obtained several centrifuges.
After infection via agents, destructive behavior was confirmed in IAEA reports.
Bush approved the small-scale attack; Obama approved the large-scale one.

As to whether Stuxnet attacked only Iran, and why it was not used against North Korea, China, Syria, al-Qaeda and the like, CIA-connected sources were apparently told, "on Obama's orders, don't overuse the weapon."

In a US that wants "strength", Obama, criticized as "weak-kneed" on Iran, appears to have used Olympic Games to demonstrate that the attack on Iran was effective and that it reduced deaths in military service, among other things.
Since this is the year of the next presidential election, he may also have used the incumbent's advantage(?) to release information in drips and tilt the election in his favor.
Looking at the coverage, there is little criticism of government-made computer viruses or of spreading their infection.
Is it a coincidence that the timing overlaps with the unveiling of the portraits of George W. Bush and his wife?



---Stuxnet developed by US government, president ordered the attack: New York Times report---
Updated June 2, 2012, 21:49
http://www.itmedia.co.jp/enterprise/articles/1206/02/news016.html

 The malware "Stuxnet", which infects industrial infrastructure, was developed by the governments of the US and Israel with the aim of delaying Iran's progress in developing nuclear weapons, the New York Times reported.
[鈴木聖子, ITmedia]
 The New York Times reported on June 1 that "Stuxnet", the extremely sophisticated malware that infected the control systems of Iran's nuclear facilities, was developed by the US and Israeli governments.
 The paper's report is based on interviews with US and Israeli officials involved in the plan and with outside experts. According to it, the US government launched a plan code-named "Olympic Games" during the Bush administration, with the aim of delaying Iran's progress in developing nuclear weapons. The plan was carried over to the Obama administration, and shortly after taking office President Obama ordered attacks on the computers used to operate Iran's nuclear development facilities.
 However, due to a mishap caused by a programming error, Stuxnet leaked from the Iranian nuclear facility in 2010 and spread around the world via the Internet.
 Following the leak, President Obama and then-CIA Director Panetta discussed how to respond and decided to continue the operation. Over the following weeks, updated versions of Stuxnet were sent into the Iranian nuclear facility one after another, temporarily taking down 1,000 to 5,000 of the centrifuges then in operation for uranium enrichment.
 The US government has recently confirmed that it is developing cyber weapons, but had not admitted to actually using them. The New York Times reports that this is believed to be the first time the US has mounted a full-scale cyber attack on another country's infrastructure and achieved results.
 Meanwhile, regarding the recently identified malware "Flame", US officials said it was unrelated to Operation Olympic Games but declined to say whether the US government was involved.
 "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power", the book by the article's author, Times reporter David Sanger, goes on sale in the US on June 5.


---Cyber attack on Iran's nuclear facility: US and Israel jointly developed the virus---
2012.6.2 10:37
http://sankei.jp.msn.com/world/news/120602/amr12060210370000-n1.htm

 [Washington: 犬塚陽介] The New York Times reported on the 1st that the computer virus "Stuxnet", which struck the uranium enrichment facility at Natanz in central Iran, was jointly developed by the United States and Israel, and that President Obama, who inherited the plan from the preceding Bush administration, approved the cyber attack, which rendered part of the centrifuges unusable.
 According to the paper, the cyber attack began in 2006 under the code name "Olympic Games". Israel was already considering an attack on Iran's nuclear facilities at the time, and the US chose joint development of the virus partly to dissuade Israel from carrying it out.
 The first attack, carried out in 2008, was small in scale, but the centrifuges went out of control and the Iranian side, unable to determine the cause, fell into turmoil, dismissing staff.
 But in the summer of 2010 a Natanz engineer took an infected PC out of the facility, the virus leaked outside and its existence came to light. President Obama considered halting the plan with Vice President Biden and then-CIA Director Panetta, but as there was no other effective means of blocking Iran's nuclear development or an Israeli air strike on the facilities, he ultimately decided to continue the attack.
 In the large-scale attack that followed immediately, 1,000 of the 5,000 centrifuges were temporarily rendered unusable. Senior administration officials assess that Iran's uranium enrichment program was delayed by one and a half to two years.
 According to the paper, the Obama administration regarded cyber attacks as a weapon that would take "the US into a new domain", alongside nuclear weapons in the 1940s, intercontinental ballistic missiles in the 1950s and drones in the 2000s. Deputy Press Secretary Earnest said on the 1st that he "cannot comment" on the report.


---Welcome home, former President Bush: Obama greets him---
2012.6.1 14:51
http://sankei.jp.msn.com/world/news/120601/amr12060114540004-n1.htm

 A ceremony unveiling portraits of former President George W. Bush and his wife was held at the White House on May 31. President Obama, who had invited the former first couple, welcomed them: "Welcome back to the house you called home for eight years."
 Since leaving office in January 2009, Bush has returned to his home state of Texas and has rarely set foot in the White House.
 Bush drew laughter from the attendees by telling Obama, "When you're struggling with a tough decision, you can gaze at this portrait and ask, 'What would George do?'"
 The two portraits, one of the former president and one of his wife Laura, will hang inside the White House. (Kyodo)


---Stuxnet-class sophisticated malware appears, possibly used as a cyber weapon---
Updated May 29, 2012, 07:20
http://www.itmedia.co.jp/enterprise/articles/1205/29/news019.html

Extremely sophisticated malware called "Flame", which targets state facilities, has been found. Kaspersky Lab analyzes it as belonging to the same "super cyber weapon" category as Duqu and Stuxnet.
[鈴木聖子, ITmedia]

 Russian security firm Kaspersky Lab announced on May 28 that it had found extremely sophisticated malware of the same class as Stuxnet and Duqu circulating as a cyber weapon for attacking state facilities. Iran's computer security response organization made a largely identical announcement the same day.
 The malware, called "Flame", was found while the International Telecommunication Union (ITU) and Kaspersky were investigating a different destructive piece of malware. Its functions are mainly cyber-espionage: it steals screenshots of the computer screen, information about the targeted system, stored files, contact information and audio recordings, and sends them to a network of malware control servers. Using the same printer vulnerability and USB infection vector that Stuxnet exploited, it has worm characteristics, propagating across the local network.
 Kaspersky's experts describe the malware as "one of the most sophisticated and complete attack tools discovered to date" and analyze it as belonging to the same "super cyber weapon" category as Duqu and Stuxnet.
 It is believed to have appeared around March 2010, but its complexity and the nature of its attacks have let it evade detection by security software until now. The attacks are still ongoing, and ITU plans to alert governments through ITU-IMPACT, its network of 142 member countries.
 Relatedly, Iran's national computer security response organization MAHER published the results of an investigation the same day into a new malware attack following Stuxnet and Duqu. The country code-named the attack "Flamer". The malware used in the attack was not detected by any of 43 antivirus products in testing, and MAHER says it has developed a tool for detection and removal.
 Features cited include infection via removable media and local networks, and functions for stealing passwords and screenshots and recording surrounding audio with the infected system's microphone, largely matching Kaspersky's analysis. It infects Windows XP, Vista and 7.
 MAHER further points out that a mass data-loss incident in Iran may have been caused by this malware.


---Sophisticated targeted malware "Flame": a government-led attack?---
2012/05/29
鈴木 英子 (Newsfront)
http://itpro.nikkeibp.co.jp/article/NEWS/20120529/399281/

 Cyber attacks using the extremely sophisticated malware "Flame" are occurring mainly in the Middle East, several US and UK media outlets (BBC, Wall Street Journal, Forbes, CNET News.com) reported on May 28, 2012 local time. According to a report from Russia's Kaspersky Lab, "Flame is one of the most complex pieces of malware we have ever detected."
 Kaspersky Lab identified the Flame attacks while investigating a different piece of malware together with the UN's telecommunications agency (ITU). Flame has multiple functions, including intercepting network traffic, saving screenshots, recording voice calls and exfiltrating keystrokes.
 More than 600 systems have been attacked so far, belonging to individuals, companies, universities and government agencies, with effects reported in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, Egypt and other countries.
 Flame itself is 20 megabytes in size, 20 times that of "Stuxnet", the well-known malware that targeted industrial control systems, and a full analysis is expected to take years. Kaspersky Lab took six months to analyze Stuxnet.
 Because of Flame's size and high sophistication, Kaspersky Lab believes it is likely the work of a government rather than an independent cybercrime group. The source of the attacks has not been identified, however.
 Hungary's Laboratory of Cryptography and System Security (CrySyS Lab) shares Kaspersky Lab's view that Flame is government-led malware.
 Kaspersky Lab confirmed the first Flame case in August 2010, but in CrySyS Lab's view Flame dates back to 2007.
 According to Kaspersky Lab, Flame spreads mainly via external devices such as USB memory sticks. Once it penetrates a system it communicates with a malware control (C&C) server and downloads additional modules as needed. The company also noted that part of Flame's code is written in Lua, a language normally used for games.


---Vulnerability targeted by "Duqu" found in several other programs; MS fixes it in monthly patch---
Security NEXT - 2012/05/09
http://www.security-next.com/030341

 Microsoft Japan has fixed, in its May monthly patches, several programs harboring the same flaw as the vulnerability that the malware "Duqu" once exploited in a zero-day attack. No exploitation has been confirmed, but the company urges applying the patch as a priority.
 The fix, "MS12-034", addresses vulnerabilities present in "Windows", "Office", ".NET Framework", "Silverlight" and others. It fixes three publicly disclosed and seven undisclosed vulnerabilities.
 If attacked, for example by opening a malicious document or a website containing a crafted font, remote code execution is possible. The exploitability index is rated "1", the highest of three levels, meaning exploit code could appear early, within 30 days.
 The Trojan "Duqu", which shares part of its source code with "Stuxnet", previously carried out a zero-day attack against a vulnerability in "Win32.sys", which the company fixed in "MS11-087". When the company examined its products with a clone-code detection system, it found that code containing the same vulnerability was included in several applications, and has now fixed it.
 Regarding the wide range of affected software, 高橋正和, Chief Security Advisor of the Security Response Team, explained: "For the vulnerability in TrueType handling, we responded with attention to interdependencies so that no fix would be missed, and the result was a broad set of fixes." He pointed out that the vulnerability allows code execution in kernel mode and urged applying the update immediately.


---Flame: A glimpse into the future of war---
by Elinor Mills
June 3, 2012 4:00 AM PDT
http://news.cnet.com/8301-1009_3-57445975-83/flame-a-glimpse-into-the-future-of-war/

Claims of cyberwar are overblown, but things are definitely heating up in regard to international conflicts where malware is replacing drone strikes.

If you roll your eyes at the term "Digital Pearl Harbor," you have my sympathy. We've been warned about the specter of an enemy attack via bits and bytes for several decades, with no real evidence that this is a realistic possibility and not mere hype.

Still, a new worm that's been spying on infected computers in the Middle East has been called a "cyberweapon," and while we're not talking outright combat, it's clear that malware is increasingly playing a part in geopolitical diplomacy and conflict.

This week brought news of not the first, nor the second, but the third known piece of advanced malware that appears to be government or nation-state sponsored. We have Stuxnet, its simpler cousin Duqu, and now we have "Flame." These three pieces of malware are hard evidence of cyberspying and, in the case of Stuxnet, sabotage of Iran's nuclear program with malware to preempt a military strike, according to a New York Times article based on reporter David Sanger's new book.

The article, which relies on information from unnamed U.S. government sources, confirms long-held speculation that Stuxnet (and likely Duqu) was developed by the U.S., probably in collaboration with Israel. (Israel has denied involvement in both Stuxnet and Flame, while the U.S. has not outright distanced itself from either. Meanwhile, the U.S. Cyber Emergency Response Team says there's no evidence that Flame is related to Stuxnet or Duqu or that it targets industrial control systems. (PDF) And the Department of Homeland Security declined to answer questions about Flame beyond providing this statement: "DHS was notified of the malware and has been working with our federal partners to determine and analyze its potential impact on the U.S.")

How ironic but not at all surprising that Americans have been the ones most vocal in raising the alarms about cyberwar and yet the U.S. may have launched the first cyberstrikes. The U.S. may be a leader in cyber-geopolitical affairs, but it's also a huge target. The U.S. government and private companies have been under attack in the form of electronic espionage, primarily from China, experts and victims say. Source code and other sensitive data has been pilfered in stealth cybermaneuvers conducted against Google, RSA, defense contractors, critical infrastructure operators, and others based on company statements, research in recent government reports, and info from security firms like Symantec and McAfee.

It will take months if not years for researchers to fully dissect Flame, which has been called "the most sophisticated cyberweapon yet unleashed." Infections have been concentrated in Iran and other Middle Eastern countries, and it seems designed mostly for spying. It leaves a backdoor on computers and can be instructed to spread itself via USB thumb drive, network shares, or a shared printer spool vulnerability. It uses various methods of encryption and data compression and has at least 20 different components that are used to command it to do things like sniff network traffic, take screenshots, record audio conversations, log keystrokes, and gather information from nearby Bluetooth devices. Experts believe more modules are in the wild. There are more than 80 command-and-control servers being used to send instructions to infected computers.

The malware isn't an entirely new beast really, and the individual functions aren't uncommon. But the size of the program, the fact that it has so many different functions, and its modularity make it fairly unique. An attacker can mix and match components at will. Flame may have remained hidden for as long as five years. And it could be only the tip of the iceberg; there's no reason to think there haven't been other pieces of malware that have thus far escaped detection, or that have been detected but kept under wraps. Flame's emergence isn't game changing necessarily, but it does give an indication of how far geopolitically motivated malware has come and who might be ahead in that "arms race," as well as give a glimpse of what the future holds.

"Everybody has known for 10 years in government circles that cyberespionage is profitable and that it is happening at an enormous pace. This is confirmation for the public that very sophisticated attacks are prevalent," said Stewart Baker, former assistant secretary of policy at the Department of Homeland Security and now a partner practicing cyberlaw in the Washington, D.C., office of Steptoe & Johnson.

"For most intelligence agencies and governments what is interesting is the specifics of the techniques that are being used. I'm sure there are agencies that are learning a lot from them," Baker warned. "This is bad for sophisticated countries that have secrets to protect, like the U.S. and Western Europe, and for the Chinese and Russians too. And it's probably good for countries like North Korea and Iran that are going to go to school with this tool."

"Stuxnet, Conficker, and Duqu and now with Flame added to that, it suggests we're in a new era here," agreed Scott Borg, director of the nonprofit research institute U.S. Cyber Consequences Unit. "I'm not at all surprised by Flame."

Borg has been following this stuff for a long time. Even before Stuxnet hit the news two years ago, Borg made prescient remarks to the effect that Israel's weapon of choice would be malware that would give the country the ability to interfere with Iran's nuclear program without launching a massive military strike; he identified the uranium enrichment centrifuges as the most likely target and suggested that a contaminated USB stick would be a likely vehicle for sneaking the program into a building, among other predictions that came true with Stuxnet.

According to the New York Times article, the Bush administration turned to malware as an alternative to launching a military strike against Iran and the Obama administration continued with the operation, which was code-named Olympic Games. However, while malware might save lives in the short term, it doesn't mean it's necessarily the safer and smarter choice in the long run, Borg and other experts say.

"Cyber can be a much better alternative," Borg said, noting that the Russian cybercampaign against Georgia in 2008 targeted communication and media sites with Distributed Denial of Service attacks and spared them from air strikes. "That's an example where a cyberstrike was less destructive and a more humane way to carry out a mission," he said.

But there's nothing to stop an aggressor from using both online and offline attacks. "If you are planning drone strikes, what better intelligence could you ask for than a tool that will turn on a camera and microphone of a machine in your enemy's possession to let you know who is there and what is going on?" Borg said.

One big problem with Flame is that the malware authors didn't use code obfuscation, which means it can easily be dissected and re-used by any organization with some advanced programming skills and experience, which would include a large number of nation-states and terrorist groups, according to Borg. Stuxnet can be (and likely has been) reverse engineered, but its limited functions make it less of a danger. "That's a terrible mistake" on the part of the creators, Borg said. "This is a general purpose tool. It has a lot of modules that will do a lot of things... This is not a good thing to have released into the world in a form that is decipherable."

Even though Flame doesn't initially appear to be designed for sabotage, there may be components in the wild that would give it that function. "If it's that sophisticated, it can probably have physical manifestations as well," said Greg Garcia, principal of the Garcia Cyber Partners consulting firm and a former assistant secretary of cybersecurity at the Department of Homeland Security. "It could have consequences that are even broader and potentially more deadly than a drone strike if you think about infiltrating and corrupting control systems that are managing critical operations, whether it's electrical grids, water purification, or transportation systems."

Garcia speculated that Flame could have been meant to send a message, a sort of muscle flexing exercise. "It might be probes for the purpose of reducing confidence in the information systems of certain networks," he said. "We're watching you and you're not safe." But Borg doesn't buy the psychological ops theory. "It doesn't fit the way it was deployed, the thoroughness of the way it was erased (from machines to cover its tracks), the limited number of machines" it infected, he said.

Borg declined to speculate which country is behind Flame but said he suspects it was created by "friendly forces." "The countries capable of writing these kinds of tools, the short list is: China, Russia, U.S., Britain, Germany, Israel, and probably Taiwan," he said. The code, which at 20 megabytes is huge compared with Stuxnet and other malware, most likely required hundreds of people to be working on it for many months, he said.

The very elements that make cyberattacks launched by groups like Anonymous and other hackers problematic as forms of political protest -- the inability to prove who did it and for anyone to take credit for it -- make these cyberactions by governments problematic too. These stealth cyberattacks not only may result in unintended consequences and victims but they also may fail to serve as a deterrent or as bargaining sticks.

"Do the same rules (of war) apply in cyberspace?" Columbia University computer science professor Steven Bellovin wonders in a blog post. "One crucial difference is the difficulty of attribution: It's very hard to tell who launched a particular effort. That in turn means that deterrence doesn't work very well."

Each new cyberthreat or incident launched by a purported government or nation-state will set the course for this debate. The Internet is redefining our lives and actions in unexpected ways -- e-commerce has put storefronts out of business, e-mail has made fax machines obsolete, smartphones have changed the face of photography and personal communications, and Facebook has evolved the notion of a "friend." New digital capabilities can also help people do more harm to each other in times of conflict or avoid physical suffering.

"We have been talking in the government and the Department of Defense about what constitutes cyberoffense in the 21st century and what are the boundaries," said Garcia of Garcia Cyber Partners. "I think those boundaries are going to be slowly defined by default and in practice, and maybe this is going to be one of those indicators."

Don't expect the Stuxnet-Duqu-Flame triumvirate to scare anyone straight though. The perception of threat or possibility for danger in cybersecurity hasn't been enough in the past to merit much action on the part of responsible parties, be they electricity providers or the untold corporate networks that are hacked daily. "There is no shortage of information that says we have a problem," said Herb Lin, chief scientist at the Computer Science and Telecom Board at The National Academies. "People like me have been complaining about the fact that Stuxnet was possible for 20 years and nobody listened. Is this enough of a wakeup call? Maybe. But there have been a lot of other wakeup calls and people just put the snooze button back on."

No doubt, more theories about Flame will be coming out in the future as additional technical information is unveiled. Kaspersky Labs has scheduled an online news conference for 6 a.m. PT on Monday to reveal new forensics it has done on the malware's command-and-control infrastructure used for communication between the attackers and the infected computers. Stay tuned.


---Government role in Stuxnet could increase attacks against U.S. firms---
U.S. painted a target on its back, analysts say in wake of report
By Jaikumar Vijayan
June 2, 2012 05:36 PM ET
http://www.computerworld.com/s/article/9227696/Government_role_in_Stuxnet_could_increase_attacks_against_U.S._firms?taxonomyId=17

Computerworld - A New York Times report on Friday about the U.S. government's extensive involvement in the Stuxnet attacks against Iran is sure to trigger a sharp increase in state-sponsored cyber attacks against American businesses and critical infrastructure targets, security experts warn.

The dramatic report in The Times described how President Obama, and his predecessor President Bush, had overseen the development of a secret and highly sophisticated U.S. cyber campaign to disrupt and degrade Iranian nuclear capabilities.

The story, which quotes several unnamed sources, describes how Stuxnet was designed by security experts in Israel and the United States to disable centrifuges used to purify uranium at Iran's Natanz nuclear facility.

It talks about how Obama decided to accelerate the cyber attacks -- codenamed "Olympic Games" by the Bush Administration -- even after being informed that Stuxnet code had accidentally become public in the summer of 2010 and had begun attacking industrial control systems in other countries as well.

The Stuxnet attacks temporarily took out nearly one-fifth of the 5,000 centrifuges that Iran had operating at Natanz in 2010 and caused considerable delay to the program.

The attacks marked the first time that a computer worm was used to cause physical damage to property, prompting many to call Stuxnet the most sophisticated piece of malware that had ever been crafted.

The Times' story confirms what many security experts have been openly hinting at for several months now about U.S. involvement in Stuxnet. Alan Paller, director of research at the SANS Institute, said the revelation dramatically alters the cybersecurity landscape.

The public airing of the U.S. involvement in Stuxnet is going to make others bolder about launching similar attacks against the country using the same kind of tactics and cyber weapons, he said. "We are now going to be the target of massive attacks," Paller said.

"For a long time everything has been under the radar," he said. "No one was really sure that the U.S. was practicing this kind of activity. The U.S. has acted like it was an innocent victim" of state sponsored attacks by other countries, he said.

"But behavior will change when there's no longer an argument" about the U.S. sponsoring cyber attacks on other nations, he said.

The one positive fallout from Friday's news is that it will force U.S. businesses and critical infrastructure operators to pay more attention to securing their defenses. It is no longer a question of if, but when other nations are going to come after U.S. cyber assets, Paller said.

"We now as a nation have painted a huge target on our back," said Mike Lloyd, chief technology officer at security vendor RedSeal Networks. By choosing to develop and use cyber weapons such as Stuxnet, the U.S. has basically exposed its own companies and networks to the same kind of threats, Lloyd said.

"One of the clear lessons from history is that people in conflict tend to use what their opponents have used," he said. Friday's disclosure should drive home to everybody how cyber weapons are in fact being used to settle political conflicts around the globe, Lloyd said.

"You got to realize this kind of fight is going on and that it will be coming to you soon," he said. What's worrisome is that unlike Iran, where the targets of such attacks were state-owned, most critical infrastructure in the U.S. is privately owned and defended, he added.

Ironically, the ability of hostile entities to attack U.S. targets may only have been bolstered by Stuxnet.
For one thing, the worm has attracted broad attention to vulnerabilities in the supervisory control and data acquisition (SCADA) systems that are used to control equipment at critical infrastructure facilities such as power utilities, water treatment facilities and nuclear power plants.

Such systems are considered to be an especially weak link in the U.S. critical infrastructure and successful attacks against them could have serious consequences.

In fact, U.S. concern over SCADA vulnerabilities is so great after Stuxnet that two researchers were persuaded to abandon a talk they were scheduled to give on the subject at a security conference last year.

The researchers were scheduled to talk about how they had written malware capable of exploiting flaws in a Siemens Programmable Logic Controller (PLC) system of the sort targeted by Stuxnet, but decided to pull the talk after the U.S. Department of Homeland Security (DHS) expressed concern.

Stuxnet's success in damaging Iran's nuclear centrifuges has also inspired others to try and emulate the worm. One example is Duqu, a Stuxnet-like piece of malware targeted at industrial control systems.

Unlike Stuxnet, Duqu was designed to only steal information from SCADA systems that could then presumably be used to craft an attack against such systems at a later date. The malware, christened "Son of Stuxnet" by the security firm Symantec, is believed to be the work of a group with state support and deep pockets.

Another piece of malware with apparent connections to Stuxnet is the recently discovered Flame, an information stealing malware.

News about the American role in Stuxnet is likely to take some of the air out of U.S. complaints about China launching cyberattacks against U.S. businesses, as well as government and military networks. Over the past few years, senior U.S. officials have routinely blamed China for attempting to steal government and military secrets, as well as intellectual property, from U.S. networks.

"It basically points out that the U.S. does not occupy higher ground than China, as far as state-sponsored malware [goes]," said John Pescatore, an analyst with Gartner.

The main point, though, is not to get hung up on who is doing the attacks but on how they are being carried out, he said.

"I have no inside information whether the Times piece is accurate or not but I'm sure the U.S., U.K., China, Israel, and at least France if not other countries have offensive malware capabilities that they have used, prior to Stuxnet," Pescatore said.

"[But] what Stuxnet and now Flame point out is that such malware takes advantage of glaring weaknesses in IT security," he said. "There are no unstoppable objects in cyberattacks."

Media attention has tended to focus on the authors of such malware, Pescatore said. What enterprises need to be focusing on are the vulnerabilities in enterprise systems processes and people that such attacks seek to exploit.

"Security managers must focus on avoiding or reducing the damage from advanced targeted threats by eliminating or mitigating the vulnerabilities that they exploit," Pescatore noted.


---Barack Obama 'ordered Stuxnet cyber attack on Iran'---
By Christopher Williams
2:10PM BST 01 Jun 2012
http://www.telegraph.co.uk/technology/news/9305704/Barack-Obama-ordered-Stuxnet-cyber-attack-on-Iran.html

President Barack Obama ordered the Stuxnet attack on Iran as part of a wave of cyber sabotage and espionage against the would-be nuclear power, according to a new book citing senior Washington sources.

The computer virus, aimed at the Natanz uranium enrichment facility, was designed to damage centrifuges by making covert adjustments to the machines controlling them.

It formed part of a "wave" of digital attacks on Iran codenamed "Olympic Games" and was created with the assistance of a secret Israeli intelligence unit, The New York Times said in a report based on a book chronicling secret wars under the Obama administration.

The report confirms the suspicions of computer security experts who detected and forensically examined Stuxnet in 2010. They reasoned that the technical expertise and human intelligence sources needed to create and deliver what was described as the "world's first cyberweapon" pointed to a joint operation by American and Israeli agencies.

Such third parties reportedly discovered Stuxnet as the result of a "programming error" that meant it spread beyond the computer network at Natanz. According to the account, President Obama asked his national security advisers whether the attack should be halted at a White House Situation Room meeting convened days after the virus "escaped", but decided to intensify it instead.

It's estimated that Stuxnet crippled around 1,000 of 5,000 Natanz centrifuges by spinning them at damagingly high speeds.

“This is the first attack of a major nature in which a cyberattack was used to effect physical destruction,” said Michael Hayden, a former director of the CIA and NSA, who did not reveal his own knowledge of "Olympic Games".

Commentators suggested that confirmation of American involvement in Stuxnet had been released by others to neutralise any Republican election claims that President Obama has been soft on Iran.

"Obama wanted to get credit for Stuxnet, as that makes him look tough against Iran," said Mikko Hypponen, chief research officer at F-Secure, one of the security firms that have investigated Stuxnet.

The first stage of the attack, a "beacon" designed to report back details of systems at Natanz to the National Security Agency, America's electronic intelligence agency, was however mounted speculatively under the Bush administration, according to unnamed officials.

Confirmation of American involvement in Stuxnet comes as computer security experts begin to unpick an even more complicated virus, Flame, which was detected last month and also appears to target Iran. It is written for espionage rather than sabotage, but like Stuxnet is passed from computer to computer by USB thumb drives, a design feature apparently meant to limit its spread and so reduce its risk of detection.

Getting Stuxnet into Natanz therefore required a worker at the plant to carry it in on a USB thumb drive.

"That was our holy grail," one of the architects of the plan told David E Sanger, the author of the new book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.

"It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand."

The same officials declined to say whether the United States was involved in the Flame attack, which appears to have begun five years ago, although they did say it was not part of the "Olympic Games" programme.


---Stuxnet Worm Crafted by U.S., Israel to Thwart Iran's Nuclear Program---
By Chloe Albanesius
June 1, 2012 01:12pm EST
http://www.pcmag.com/article2/0,2817,2405191,00.asp

The Stuxnet virus that emerged in 2010 was a cyber weapon jointly developed by U.S. and Israeli officials in an effort to shut down the development of Iran's nuclear program, according to a report from the New York Times.

Stuxnet, an effort known as Olympic Games among U.S. intelligence officials, started in the Bush administration and continued after President Obama took office. It was intended to only affect the Natanz plant in Iran, but was mistakenly unleashed on the global Web.

"It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country's infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives," according to the Times.

Olympic Games dates back to 2006 when the Iranians re-started their uranium enrichment program at Natanz. According to the Times, the Bush administration considered military action, until General James E. Cartwright and other intelligence officials suggested cyber attacks. After a months-long effort to infiltrate the Natanz computer systems, U.S. officials teamed up with a secret Israeli unit to release the Stuxnet worm, the Times said.

The actual deployment was carried out by "spies and unwitting accomplices," who physically carried thumb drives loaded with the virus into the facility.

By the time President Bush left office, no major damage had been accomplished, but the Times said he encouraged President Obama to continue the program, and he agreed.

By 2010, however, Stuxnet had been released in the wild after an engineer hooked up his laptop to the Natanz centrifuge and then hooked it up to the Web from home. "It began replicating itself all around the world," the Times said.

News of Stuxnet made its way into the press, with speculation focused on the Israelis and the Americans. In Jan. 2011, the Times first corroborated some of those reports, suggesting Stuxnet was jointly developed by the U.S. and Israel at the Dimona complex in the Negev desert. In April, a report from ISS Source said that a secret agent working for Israel planted the Stuxnet computer worm into Iran's nuclear power plant through a USB stick.

The recently discovered Flame malware is not part of Olympic Games, U.S. officials told the Times, but they declined to say whether the U.S. played any role in Flame. For more, see Flamer Isn't a Stuxnet Spinoff.

Sophos analyst Graham Cluley said in a blog post that the Times story is fascinating, but argued that "Stuxnet is old news. Even the recently discovered (and much hyped) Flame malware isn't an effective weapon today," he wrote. "There seems little doubt that state-sponsored cyberweapons (if that is indeed what Stuxnet was) continue to be developed - and chances are that it's not just the USA and Israel who are developing them but other developed countries."

"Question: To whom may the antivirus industry and its affected customers send the bill for the collateral damage done?" quipped security firm F-Secure in its own blog post.

Today's Times report is adapted from Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, a book from Times correspondent David E. Sanger that will be published on Tuesday.

Update: During today's White House press briefing, Deputy Press Secretary Josh Earnest said he was "not able to comment on any of the specifics or details that are included in that story," though he did say that leaking classified data "would pose a significant threat to national security." Earnest instead focused on President Obama's approach to Iran, which holds the country "accountable for living up to their international obligations."


---Stuxnet cyberweapon created by U.S., Israel to attack Iran, reports NYT---
By Andrew Couts
June 1, 2012
http://www.digitaltrends.com/computing/stuxnet-cyberweapon-created-by-us-israel-to-attack-iran-reports-nyt/

The United States and Israel created the notorious Stuxnet worm to attack Iran's nuclear facilities, reports The New York Times.

The mysterious origin of Stuxnet, long considered one of the world’s most dangerous computer worms, is a mystery no more. In a bombshell piece published today, The New York Times reports that Stuxnet was developed by the United States and Israel, and used by both the Bush and Obama administrations to wreak havoc on Iran’s nuclear facilities. Then it accidentally “escaped” into the wild.

Many have long suspected that the U.S. and Israel developed Stuxnet, which successfully (though only temporarily) shut down 1,000 of the 5,000 centrifuges Iran was using to enrich uranium at the Natanz nuclear facility, according to the report. But until now, such assertions remained unconfirmed, as the many cybersecurity experts who analyzed Stuxnet said its code contained little evidence of who developed the worm. In September of 2010, antivirus firm Kaspersky Labs concluded that the Stuxnet attack on Natanz “could only be conducted with nation-state support and backing.” But that was as far as anyone got in discovering Stuxnet’s origins.

Today’s fascinating report was written by Times journalist David E. Sanger, and adapted from his upcoming book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. Sanger’s findings are based on interviews with “American, Israeli, and European officials,” all of whom asked to remain anonymous due to the classified nature of the information, as well as “a range of outside sources.”

Sanger reports that the Bush administration, fearful of Iran developing nuclear weapons, launched an operation codenamed “Olympic Games.” Rather than launch a military strike against Iran’s nuclear facilities, as Vice President Dick Cheney and other hawks in the Bush administration urged, the National Security Agency (NSA) and Israeli computer experts developed Stuxnet, which was specifically designed to change the speed of Iran’s centrifuges, and thus cause massive damage to the delicate machinery.

After tests confirmed that Stuxnet worked as planned, spies and “unwitting accomplices,” including engineers and maintenance workers at Natanz, uploaded the worm onto the computer system at the nuclear facility using USB thumb drives and even their own computers. “That was our holy grail,” said one of the people in charge of the plan. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.” Once Stuxnet had infected the system, the centrifuges began to break. The Iranians did not realize that it was their own computer system causing the damage; Stuxnet had been designed to tell the system’s operators that everything was operating normally.

When Bush left office, he successfully convinced Obama to continue both the Olympic Games program and the drone strikes in Pakistan. According to Sanger, not only did Obama push forward with both programs, but he also ramped up the U.S.’s use of cyberwarfare, reportedly expanding operations to include the infection of Al Qaeda computers, and other such activities.

Then, in the summer of 2010, something went wrong. Stuxnet had been crafted to not spread to outside computer systems. But it did, likely through a Natanz engineer whose infected laptop was connected to the Internet, resulting in Stuxnet escaping the confines of the operation, and out into the public.

The unintended spread of Stuxnet was originally believed to be an “error” in its code. Some in the Obama White House suspected that the Israelis had modified it. From the report:

    ‘We think there was a modification done by the Israelis,’ one of the briefers told the president, ‘and we don’t know if we were part of that activity.’

    Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. ‘It’s got to be the Israelis,’ he said. ‘They went too far.’

Sanger’s report comes just days after reports of a new cyberweapon, called “Flame,” which many have compared to Stuxnet, but which has been found to be far less nefarious. Despite this, it is clear that cyberwarfare is here to stay - and will surely become more common, and more dangerous.


---Obama Order Sped Up Wave of Cyberattacks Against Iran---
By DAVID E. SANGER
Published: June 1, 2012
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html

WASHINGTON - From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks - begun in the Bush administration and code-named Olympic Games - even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.

“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.

Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.

These officials gave differing assessments of how successful the sabotage program was in slowing Iran’s progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003, though there is evidence that some remnants of it continue.

Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it. Last year, the nation announced that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said that the Iranian military was prepared “to fight our enemies” in “cyberspace and Internet warfare.” But there has been scant evidence that it has begun to strike back.

The United States government only recently acknowledged developing cyberweapons, and it has never admitted using them. There have been reports of one-time attacks against personal computers used by members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems, including during the NATO-led air attack on Libya last year. But Olympic Games was of an entirely different type and sophistication.

It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of the many groups that have dissected the code, said at a symposium at Stanford University in April. Those forensic investigations into the inner workings of the code, while picking apart how it worked, came to no conclusions about who was responsible.

A similar process is now under way to figure out the origins of another cyberweapon called Flame that was recently discovered to have attacked the computers of Iranian officials, sweeping up information from those machines. But the computer code appears to be at least five years old, and American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack.

Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons - even under the most careful and limited circumstances - could enable other countries, terrorists or hackers to justify their own attacks.

“We discussed the irony, more than once,” one of his aides said. Another said that the administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering.” Yet Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.

If Olympic Games failed, he told aides, there would be no time for sanctions and diplomacy with Iran to work. Israel could carry out a conventional military attack, prompting a conflict that could spread throughout the region.

A Bush Initiative

The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran. At the time, America’s European allies were divided about the cost that imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing another nation’s nuclear ambitions. The Iranians seemed to sense his vulnerability, and, frustrated by negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence had been exposed just three years before.

Iran’s president, Mahmoud Ahmadinejad, took reporters on a tour of the plant and described grand ambitions to install upward of 50,000 centrifuges. For a country with only one nuclear power reactor - whose fuel comes from Russia - to say that it needed fuel for its civilian nuclear program seemed dubious to Bush administration officials. They feared that the fuel could be used in another way besides providing power: to create a stockpile that could later be enriched to bomb-grade material if the Iranians made a political decision to do so.

Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush to consider a military strike against the Iranian nuclear facilities before they could produce fuel suitable for a weapon. Several times, the administration reviewed military options and concluded that they would only further inflame a region already at war, and would have uncertain results.

For years the C.I.A. had introduced faulty parts and designs into Iran’s systems - even tinkering with imported power supplies so that they would blow up - but the sabotage had had relatively little effect. General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America’s nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more sophisticated cyberweapon than the United States had designed before.

The goal was to gain access to the Natanz plant’s industrial computer controls. That required leaping the electronic moat that cut the Natanz plant off from the Internet - called the air gap, because it physically separates the facility from the outside world. The computer code would invade the specialized computers that command the centrifuges.

The first stage in the effort was to develop a bit of computer code called a beacon that could be inserted into the computers, which were made by the German company Siemens and an Iranian manufacturer, to map their operations. The idea was to draw the equivalent of an electrical blueprint of the Natanz plant, to understand how the computers control the giant silvery centrifuges that spin at tremendous speeds. The connections were complex, and unless every circuit was understood, efforts to seize control of the centrifuges could fail.

Eventually the beacon would have to “phone home” - literally send a message back to the headquarters of the National Security Agency that would describe the structure and daily rhythms of the enrichment plant. Expectations for the plan were low; one participant said the goal was simply to “throw a little sand in the gears” and buy some time. Mr. Bush was skeptical, but lacking other options, he authorized the effort.

Breakthrough, Aided by Israel

It took months for the beacons to do their work and report home, complete with maps of the electronic directories of the controllers and what amounted to blueprints of how they were connected to the centrifuges deep underground.

Then the N.S.A. and a secret Israeli unit respected by American intelligence officials for its cyberskills set to work developing the enormously complex computer worm that would become the attacker from within.

The unusually tight collaboration with Israel was driven by two imperatives. Israel’s Unit 8200, a part of its military, had technical expertise that rivaled the N.S.A.’s, and the Israelis had deep intelligence about operations at Natanz that would be vital to making the cyberattack a success. But American officials had another interest, to dissuade the Israelis from carrying out their own pre-emptive strike against the Iranian nuclear facilities. To do that, the Israelis would have to be convinced that the new line of attack was working. The only way to convince them, several officials said in interviews, was to have them deeply involved in every aspect of the program.

Soon the two countries had developed a complex worm that the Americans called “the bug.” But the bug needed to be tested. So, under enormous secrecy, the United States began building replicas of Iran’s P-1 centrifuges, an aging, unreliable design that Iran purchased from Abdul Qadeer Khan, the Pakistani nuclear chief who had begun selling fuel-making technology on the black market. Fortunately for the United States, it already owned some P-1s, thanks to the Libyan dictator, Col. Muammar el-Qaddafi.

When Colonel Qaddafi gave up his nuclear weapons program in 2003, he turned over the centrifuges he had bought from the Pakistani nuclear ring, and they were placed in storage at a weapons laboratory in Tennessee. The military and intelligence officials overseeing Olympic Games borrowed some for what they termed “destructive testing,” essentially building a virtual replica of Natanz, but spreading the test over several of the Energy Department’s national laboratories to keep even the most trusted nuclear workers from figuring out what was afoot.

Those first small-scale tests were surprisingly successful: the bug invaded the computers, lurking for days or weeks, before sending instructions to speed them up or slow them down so suddenly that their delicate parts, spinning at supersonic speeds, self-destructed. After several false starts, it worked. One day, toward the end of Mr. Bush’s term, the rubble of a centrifuge was spread out on the conference table in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared ready to test against the real target: Iran’s underground enrichment plant.

“Previous cyberattacks had effects limited to other computers,” Michael V. Hayden, the former chief of the C.I.A., said, declining to describe what he knew of these attacks when he was in office. “This is the first attack of a major nature in which a cyberattack was used to effect physical destruction,” rather than just slow another computer, or hack into it to steal data.

“Somebody crossed the Rubicon,” he said.

Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others - both spies and unwitting accomplices - with physical access to the plant. “That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”

In fact, thumb drives turned out to be critical in spreading the first variants of the computer worm; later, more sophisticated methods were developed to deliver the malicious code.

The first attacks were small, and when the centrifuges began spinning out of control in 2008, the Iranians were mystified about the cause, according to intercepts that the United States later picked up. “The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence,” one of the architects of the early attack said.

The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally. “This may have been the most brilliant part of the code,” one American official said.

Later, word circulated through the International Atomic Energy Agency, the Vienna-based nuclear watchdog, that the Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.
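The two paragraphs above describe the worm recording normal plant operation and then replaying it to the control room, and the operators eventually countering that by having people radio back what they actually saw. Those two observations map onto two checks a plant historian can run on its own telemetry: a window of readings that exactly repeats an earlier window (real sensor noise practically never repeats byte for byte), and sustained divergence between the HMI-reported value and an independent reading. The Python below is an added example, not code from the Times report or from any plant, vendor or analysis firm; the nominal speed, noise levels, window size and tolerances are constructed for illustration and carry no relation to real centrifuge parameters.

```python
"""Defender-side checks for replayed or forged process telemetry.

Added example (constructed data, hypothetical thresholds). Two checks:
  1. replay detection: a live window of readings identical to an earlier
     window is suspicious, because genuine sensor noise does not repeat;
  2. out-of-band cross-check: compare the HMI-reported value against an
     independent reading (a second sensor path or a human observer) and
     flag divergence that persists for several consecutive ticks.
"""
import random
from typing import Sequence


def find_replayed_windows(readings: Sequence[float], window: int = 8) -> list[int]:
    """Return the sorted indices covered by any window that exactly repeats
    an earlier window of the same stream."""
    seen: dict[tuple[float, ...], int] = {}
    flagged: set[int] = set()
    for start in range(len(readings) - window + 1):
        key = tuple(readings[start:start + window])
        if key in seen:
            flagged.update(range(start, start + window))
        else:
            seen[key] = start
    return sorted(flagged)


def merge_ranges(indices: Sequence[int]) -> list[tuple[int, int]]:
    """Collapse sorted indices into inclusive (first, last) spans."""
    spans: list[tuple[int, int]] = []
    for i in indices:
        if spans and i == spans[-1][1] + 1:
            spans[-1] = (spans[-1][0], i)
        else:
            spans.append((i, i))
    return spans


def divergence_alerts(hmi: Sequence[float], independent: Sequence[float],
                      tolerance: float = 5.0, min_run: int = 3) -> list[tuple[int, int]]:
    """Inclusive spans where |hmi - independent| exceeds tolerance for at
    least min_run consecutive ticks. Short blips are ignored."""
    alerts: list[tuple[int, int]] = []
    run_start = None
    for i, (reported, observed) in enumerate(zip(hmi, independent)):
        if abs(reported - observed) > tolerance:
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start >= min_run:
                alerts.append((run_start, i - 1))
            run_start = None
    if run_start is not None and len(hmi) - run_start >= min_run:
        alerts.append((run_start, len(hmi) - 1))
    return alerts


def build_sample_streams() -> tuple[list[float], list[float]]:
    """Constructed data: 40 ticks of noisy normal operation around an
    arbitrary nominal speed of 1000.0, then 16 attack ticks in which the
    HMI feed replays ticks 10..25 while the true speed ramps upward."""
    rng = random.Random(7)  # seeded so the example is reproducible
    normal = [round(1000.0 + rng.uniform(-2.0, 2.0), 3) for _ in range(40)]
    replayed = normal[10:26]                      # what the HMI shows during the attack
    hmi = normal + replayed
    true_speed = normal + [1000.0 + 15.0 * (k + 1) for k in range(16)]
    # an independent observer sees the true speed through its own small noise
    independent = [v + rng.uniform(-1.0, 1.0) for v in true_speed]
    return hmi, independent


def run_checks() -> dict[str, list[tuple[int, int]]]:
    hmi, independent = build_sample_streams()
    return {
        "replayed_spans": merge_ranges(find_replayed_windows(hmi)),
        "divergence_spans": divergence_alerts(hmi, independent),
    }


if __name__ == "__main__":
    for name, spans in run_checks().items():
        print(f"{name}: {spans}")
```

Either check alone is useful: the replay check needs only the HMI historian, while the cross-check needs a second measurement path that the compromised controller cannot influence, which is exactly what posting observers in the plant provided.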

“The intent was that the failures should make them feel they were stupid, which is what happened,” the participant in the attacks said. When a few centrifuges failed, the Iranians would close down whole “stands” that linked 164 machines, looking for signs of sabotage in all of them. “They overreacted,” one official said. “We soon discovered they fired people.”

Imagery recovered by nuclear inspectors from cameras at Natanz - which the nuclear agency uses to keep track of what happens between visits - showed the results. There was some evidence of wreckage, but it was clear that the Iranians had also carted away centrifuges that had previously appeared to be working well.

But by the time Mr. Bush left office, no wholesale destruction had been accomplished. Meeting with Mr. Obama in the White House days before his inauguration, Mr. Bush urged him to preserve two classified programs, Olympic Games and the drone program in Pakistan. Mr. Obama took Mr. Bush’s advice.

The Stuxnet Surprise

Mr. Obama came to office with an interest in cyberissues, but he had discussed them during the campaign mostly in terms of threats to personal privacy and the risks to infrastructure like the electrical grid and the air traffic control system. He commissioned a major study on how to improve America’s defenses and announced it with great fanfare in the East Room.

What he did not say then was that he was also learning the arts of cyberwar. The architects of Olympic Games would meet him in the Situation Room, often with what they called the “horse blanket,” a giant foldout schematic diagram of Iran’s nuclear production facilities. Mr. Obama authorized the attacks to continue, and every few weeks - certainly after a major attack - he would get updates and authorize the next step. Sometimes it was a strike riskier and bolder than what had been tried previously.

“From his first days in office, he was deep into every step in slowing the Iranian program - the diplomacy, the sanctions, every major decision,” a senior administration official said. “And it’s safe to say that whatever other activity might have been under way was no exception to that rule.”

But the good luck did not last. In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage. It fell to Mr. Panetta and two other crucial players in Olympic Games - General Cartwright, the vice chairman of the Joint Chiefs of Staff, and Michael J. Morell, the deputy director of the C.I.A. - to break the news to Mr. Obama and Mr. Biden.

An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.

“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”

Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. “It’s got to be the Israelis,” he said. “They went too far.”

In fact, both the Israelis and the Americans had been aiming for a particular part of the centrifuge plant, a critical area whose loss, they had concluded, would set the Iranians back considerably. It is unclear who introduced the programming error.

The question facing Mr. Obama was whether the rest of Olympic Games was in jeopardy, now that a variant of the bug was replicating itself “in the wild,” where computer security experts can dissect it and figure out its purpose.

“I don’t think we have enough information,” Mr. Obama told the group that day, according to the officials. But in the meantime, he ordered that the cyberattacks continue. They were his best hope of disrupting the Iranian nuclear program unless economic sanctions began to bite harder and reduced Iran’s oil revenues.

Within a week, another version of the bug brought down just under 1,000 centrifuges. Olympic Games was still on.

A Weapon’s Uncertain Future

American cyberattacks are not limited to Iran, but the focus of attention, as one administration official put it, “has been overwhelmingly on one country.” There is no reason to believe that will remain the case for long. Some officials question why the same techniques have not been used more aggressively against North Korea. Others see chances to disrupt Chinese military plans, forces in Syria on the way to suppress the uprising there, and Qaeda operations around the world. “We’ve considered a lot more attacks than we have gone ahead with,” one former intelligence official said.

Mr. Obama has repeatedly told his aides that there are risks to using - and particularly to overusing - the weapon. In fact, no country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.
