Tag Archives: Soviet Union

Stuck on Stuxnet

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. doctored the control software for a Siberian pipeline so that it exploded in 1982, and helped bring down the whole Soviet Union. No-one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer virus. It runs on Windows. You can infect a computer with one of those USB flash drive thingies, or it can spread across a network on its own, copying itself to shared folders or logging in with a default password it already knows.

But it does a lot more than that. It’s on the lookout for a particular kind of machinery to infect: plants run with Siemens’ Simatic Step 7 software. Step 7 runs on Microsoft Windows, and it’s where engineers write the code that runs the programmable logic controllers (PLCs), the small computers that actually drive the machinery. Once compiled, that code is sent down to the PLC. Stuxnet, from what people can figure out, hooks the part of Step 7 that talks to the PLC, tweaking the code on its way down and handing back the original, untouched version whenever it is read back, so the engineer looking at the screen sees nothing wrong.
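To make that code-path trick concrete, here is a small Python model. It is added to this column and is not taken from Stuxnet, from Siemens, or from any of the researchers quoted; the class and function names (Plc, CleanLink, HookedLink, verify_out_of_band), the stand-in code block and the injected payload are all made up for the illustration. It shows why reading the controller back through the same hooked library proves nothing, and why the check a plant engineer actually wants is an independent read of the controller compared against a hash recorded when the code was built.

```python
"""Toy model of a tampered engineering-station-to-PLC code path.

Added example, not code from the column, from Siemens or from Stuxnet.
The engineering software writes compiled blocks to a controller through a
communications library; malware that hooks that library can change blocks
on the way down and hand back the original on the way up. All names here
are hypothetical and the block contents are constructed for the demo.
"""
import hashlib


class Plc:
    """Minimal controller: stores named code blocks exactly as received."""

    def __init__(self):
        self.blocks = {}

    def download(self, name, code):
        self.blocks[name] = code

    def upload(self, name):
        return self.blocks[name]


class CleanLink:
    """The untampered communications layer: passes blocks through unchanged."""

    def __init__(self, plc):
        self.plc = plc

    def write_block(self, name, code):
        self.plc.download(name, code)

    def read_block(self, name):
        return self.plc.upload(name)


class HookedLink(CleanLink):
    """Hooked communications layer (the malware's position in the model).

    On write it appends a payload to the block the engineer asked for and
    remembers the original; on read it hands back the remembered original,
    so anything that only looks through this layer sees clean code.
    """

    PAYLOAD = b"\n; injected: alter drive frequency"  # constructed payload

    def __init__(self, plc):
        super().__init__(plc)
        self.shadow = {}

    def write_block(self, name, code):
        self.shadow[name] = code                     # what the engineer sent
        self.plc.download(name, code + self.PAYLOAD)  # what the PLC gets

    def read_block(self, name):
        # Lie: return the engineer's copy, not what is really on the PLC.
        return self.shadow.get(name, self.plc.upload(name))


def digest(code):
    return hashlib.sha256(code).hexdigest()


def verify_through_link(link, name, expected_code):
    """What the engineering station does: read back and compare."""
    return link.read_block(name) == expected_code


def verify_out_of_band(plc, name, expected_digest):
    """What an independent check does: read the controller through a path the
    hooked library does not sit on, and compare a hash recorded at build time."""
    return digest(plc.upload(name)) == expected_digest


def run_scenario(tampered):
    """Returns (station_says_ok, out_of_band_says_ok) for one download."""
    plc = Plc()
    link = HookedLink(plc) if tampered else CleanLink(plc)
    source = b"OB1:\n L PIW 256\n T MW 10"  # constructed stand-in for a compiled block
    expected = digest(source)              # hash recorded when the code was built
    link.write_block("OB1", source)
    return (verify_through_link(link, "OB1", source),
            verify_out_of_band(plc, "OB1", expected))


if __name__ == "__main__":
    print("clean    :", run_scenario(tampered=False))  # (True, True)
    print("tampered :", run_scenario(tampered=True))   # (True, False)
```

The point of the model is the second tuple element: with the hooked link in place the station’s own read-back still reports everything is fine, and only the comparison against a hash taken outside that path notices the extra code on the controller.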

This is the thing: No one has seen this kind of thing before. Of course, we’ve heard stories. Only last month it was reported that the 2008 crash of a Spanish passenger jet, killing 154 people, may have been caused by a virus.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one factory, and makes complex modifications to the system. It uses at least four previously unknown weaknesses in Windows to burrow its way inside, and installs its own software drivers, something that shouldn’t be possible, because Windows will only load a driver that carries a valid digital signature. Stuxnet’s drivers did carry one, made with certificates stolen from legitimate hardware makers.

And it’s happening in real time. Computers are infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. And it may have already done what it’s supposed to have done; we may never know. One of the key vulnerabilities the worm used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges in Iran’s main nuclear enrichment program at Natanz was reduced significantly a few months later; the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork and very much smoke and mirrors: Israel, perhaps inevitably, has been blamed by some. After all, it has its own cyber warfare division called Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed connections inside the code: the string “myrtus” (Latin for myrtle) in a file path left inside the program, for example, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and was executed in Iran on May 9, 1979.

Frankly, who knows?

The point with all this is that we’re entering uncharted territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry from security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

The Phisher Commuter

My colleague Lee Gomes writes in WSJ.com in his Portals column (a few days old, this, sorry; but it is free) about phishers, and what they’re really like, quoting a guy called Christopher Abad, a researcher for Cloudmark:

Mr. Abad himself is just 23 years old, but he has spent much of the past 10 years hanging out in IRC chat rooms, encountering all manner of hackers and other colorful characters. One thing that’s different about phishers, he says, is how little they like to gab.

“Real hackers will engage in conversation,” he says. “With phishers, it’s a job.”

Readers may remember my piece a year or so back (sorry I can’t find the URL for this, and it would be subscription anyway) based on interviews with several people from East European and former Soviet Union countries who worked in various stages of the phishing train, from trojan writers to mule hunters (folk who try to recruit foreigners to move money from stolen accounts to overseas havens).

I found something slightly different to Abad: For sure these guys think it’s just a job, but they also were quite keen to justify what they did, either saying it was the only work around, or else talking in terms of redistributing a little wealth. One guy in some obscure former Soviet bloc town said he trudged several miles each day to an Internet cafe, where he worked sometimes 20 hours a day trying to recruit mules on ICQ and IRC, before walking back to his apartment where his wife and baby waited. She thought he was a stockbroker, he said.

A good piece by Lee; too little light is shed on this submerged industry. But I wonder whether, as phishing gets more popular and focused, it hasn’t moved west?

A Glimpse Of A Tentacle From The Phishing Monster

Gradually the tentacles of the Russian gangs behind phishing are appearing. But we still have no idea how it really works, and how big the beast is.

The Boston Herald reports today on the arraignment of a “suspected Russian mobster” on multiple counts of identity fraud, having allegedly obtained personal information from more than 100 victims by phishing emails.

Andrew Schwarmkoff, 28, was ordered held on $100,000 cash bail after being arraigned in Brighton District Court on multiple counts of credit card fraud, identity fraud, larceny and receiving stolen property. He is also wanted in Georgia on similar charges, and is being investigated in New Jersey.

What’s interesting is that clearly phishing is tied in, as if we didn’t know, with broader financial fraud. Schwarmkoff — if that is his real name, since investigators are unsure if they have even positively identified him — was found with “$200,000 worth of stolen merchandise, high-tech computer and credit card scanning equipment, more than 100 ID cards with fraudulently obtained information and nearly $15,000 in cash,” the Herald says.

That would at least indicate that phishing is not just an isolated occupation, and that the data obtained is not necessarily just used to empty bank accounts, but to make counterfeit cards, ID cards and all sorts of stuff. What’s also clear is that the Russians (or maybe we should say folk from the former Soviet Union states) are doing this big time. The Herald quotes sources as saying Schwarmkoff “is a member of the Russian mob and has admitted entering the country illegally.” “We know some things that we don’t want to comment about,” a source said, “but he’s big time.”

Schwarmkoff, needless to say, isn’t talking. “Would you?” the Herald quotes the source as saying. Schwarmkoff, the paper quotes him as saying, “is more content to sit in jail than risk the consequences of ratting out the Russian mob.” That probably tells us all we need to know.

Did A Computer Virus Bring Down The Soviet Union?

Did software, deliberately programmed by the CIA to fail, hasten the end of the Soviet Union?

The Washington Post reports (registration required) that “President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline.”

It quotes a new memoir by Thomas C. Reed, a former Air Force secretary who was serving in the National Security Council at the time (At the Abyss: An Insider’s History of the Cold War, to be published next month by Ballantine Books) as saying the pipeline explosion was just one example of “cold-eyed economic warfare” that made the Soviet Union eventually “understand that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the entire operation.”

Aspects of this operation have been revealed before, but it’s still a pretty extraordinary tale, and makes one realise the power that software holds over us. And given that all this happened in 1982 or even earlier, does that make the CIA the first successful virus writers? Strictly speaking, no: software rigged in advance to fail at a chosen moment is a logic bomb rather than a virus, since it doesn’t copy itself from one machine to the next. The record for the first virus is presently held by Fred Cohen, who created it when studying for a PhD at the University of Southern California and presented his results to a security seminar on 10 November, 1983, according to the BBC website.

A Way To Filter Spam In Outlook (And Who The Hell Are Behind It?)

There’s a lot of software out there, but who is really behind it?

Reading a piping fresh press release from a company that may or may not be called FlowRuler, which has just released a product called, er, FlowRuler, I tried to find out a bit more about who was behind it. (FlowRuler, by the way, looks like an interesting tool if you use Microsoft Outlook email. It is an add-in that enables you to “filter SPAM and organize your inbox” using “graphically designed rules”. There are two versions available: a free shareware version and the full version ($22.95). More here.)

Now, back to who is behind this. I’ve noticed a growing number of press releases that appear without any details on company name, location, or whatever. Many of them turn out to be in Eastern Europe, or the former Soviet Union. That’s OK with me, but why go to such trouble to hide where you’re from?

The folk behind FlowRuler are a mystery. The website was registered in Cordoba, Argentina by an outfit called Ginkgosoft, but they don’t seem to exist as far as I can see (although I did find out that Ginkgo is a tree, the world’s oldest living species, and has been used in traditional Chinese medicine for over 4,000 years. Ginkgo soft capsules are apparently effective in improving memory, alleviating symptoms of Alzheimer’s disease, working as an anti-depressant, improving circulation, thinning the blood, helping cardiovascular health, acting as an antioxidant, etc.)

Fascinating, but it doesn’t get me any closer to finding out who these guys are. More when I do.