Haggai Carmon: Attorney and Author

A Cyberwar Against Iran: Whodunit? Op Ed by Haggai Carmon published in the Huffington Post

The Huffington Post Op Ed 10 12 2010

The Iranians are frantically looking for those responsible for infecting their nuclear and industrial facilities with Stuxnet, an extremely sophisticated and dangerous viral computer malworm.

The Iranians should also worry about what could come next in this cyber war. Their country’s electrical system may fail. Valves and spigots of a sewage treatment facility could be turned open, flooding Tehran’s streets with human waste. Can that happen? Most probably, if these facilities are managed by SCADA (Supervisory Control and Data Acquisition) systems, such as the computers that were just infected.

Who were the attackers that knew how to penetrate through five zero-day “security holes,” and plant the malworm that not only attacked Iran, but infected computers in other countries as well? Since the malworm was so sophisticated, there is a consensus among experts that it was the product of a state, rather than a ploy of a hacker playing for fun.

The Iranian security services and computer experts are scrambling to rid their computers of the malworm that was “mutating and wreaking havoc on computerized industrial equipment in Iran,” according to IRNA, Iran’s government news agency. Hamid Alipour, the director of Iran Information Technology Company, a government agency, added, “The attack is still ongoing and new versions of this virus are spreading.” Alipour warned, “personal computers were also being targeted by the malware although the main objective of the Stuxnet virus is to destroy industrial systems, its threat to home computer users is serious.” General Hossein Salami, Lieutenant Commander of the IRGC, the Iranian Revolutionary Guard Corps, said, “The IRGC and Army have designed defense systems for all points of the country, [and] an assuring defensive plan has also been devised for the Bushehr nuclear power plant.”

Russian technicians with unlimited access to all systems at the Bushehr nuclear reactor were questioned, while others hurried to leave Iran with their families. The Iranian Intelligence Minister Heidar Moslehi announced last week that several “nuclear spies” had been arrested, but failed to identify them or their nationality.

These official statements are unusual because thus far Iran has been reluctant to admit military or security vulnerabilities. So why do it now?

The answer probably lies in the bigger picture. Iran seems to be seeking revenge against the U.S. and its allies for imposing painful sanctions. Since the Iranians cannot retaliate directly against the U.S. without risking severe consequences, why not accuse Israel of waging the cyber war, rightly or wrongly? That could give the Iranians a pretext, albeit transparent, to retaliate by directing their conflict-hungry satellite terrorist organization Hezbollah to shell Israeli civilian centers from Southern Lebanon. Is that the reason President Ahmadinejad is coming to Lebanon?

Common wisdom says that cyber wars are bloodless, smokeless and leave buildings and infrastructure intact. Or are they?

The Stuxnet attack on Iran first focused on SCADA industrial control systems that are broadly used by energy, nuclear, electrical, water, sewage treatment, telephone, and chemical companies. The damage from a cyber attack on a SCADA system could be substantial, ranging from a temporary loss of service to a total failure with catastrophic dimensions cascading to multiple locations for an extended period. Attackers may use any of the multiple penetration options to get into the system: planting a malworm during production or installation of the SCADA device, wireless transmission of the malworm, hacking into the control system computers and linking to the modems used for the control systems’ maintenance, or physically plugging a pinky-finger-size flash drive into a computer that later would unwittingly log into a central system and contaminate it. Ali Akbar Salehi, the head of Iran’s Atomic Energy Organization, confirmed last week in a speech at the International Atomic Energy Agency that Iran has been fighting espionage at its nuclear facilities, and that people working at Iran’s nuclear facilities were lured by promises of better pay to pass secrets to the West. Salehi did not provide additional details, but the timing of his statement might hint at how the Stuxnet malworm penetrated Iran’s nuclear facility computers.

Once a SCADA system is accessed, the attacker can infect it with a computer malworm that could manipulate the data used for operational decisions to cause damage, or modify programs that control critical equipment to shut down or send the system haywire. The malworm can hide the changes it made and even allow remote upgrades of the malworm if countermeasures are employed by the infected target. A sophisticated malworm such as Stuxnet could potentially include code that would cause uranium enriching centrifuges to explode under high pressure, or at a certain date. Did it actually do it? There were reports that Iran’s uranium enrichment plant at the Natanz facility was attacked by Stuxnet and sustained damage. An earlier report suggested that in 2009 that site suffered a serious nuclear accident that reduced the number of uranium enriching centrifuges by at least 25%. Was Stuxnet the reason?

Therefore, can the Iranians now be confident that no additional, more serious attacks will be forthcoming? Can they be sure that no foreign intelligence agents managed to “treat” the Iranian-bound SCADA systems and plant a dormant Trojan horse or a viral computer malworm that would be awakened and cause havoc on a certain date or upon a single transmitted command? To make things worse for the Iranians, many industrial control systems are linked to the location’s central computer system, thereby exposing these external computers to the contagious viral effect of the malworm. That could explain the contamination of many personal computers owned by Iranian officials who logged into their agencies’ central computer systems.

Control systems with proprietary command menus such as SCADA systems are difficult to operate by an outsider, and wrong commands would be harmless and could attract attention to the attempted break-in. That explains why thus far there were only very few intentional attacks on critical infrastructure industrial control systems that caused any damage, even when the intruders were able to break their way into the system.

However, top professionals, such as the attackers who designed Stuxnet, showed that they were able to overcome these hurdles and cause significant damage. In fact, there were probably two versions of Stuxnet. Apparently, the first version did not perform its destructive mission well, and was replaced by a viler malworm. The assumption that foreign agents were involved is supported by the fact that the attackers were able to identify the exact type of the SCADA system used by the Iranians, thereby allowing computer experts to write new code that finally did the destructive job.

The SCADA control systems include supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers. These systems are primarily used for remote monitoring and for sending commands to valves and switches. That capability should cause serious concerns to the Iranians. Although Iranian officials express their concern regarding Stuxnet’s effect on their nuclear reactor systems, they should also worry about what could potentially happen to civilian facilities.

What if, for example, a sewage treatment facility’s SCADA is taken over by attackers who would send a command to open all valves and spigots of the Tehran sewage treatment facility and flood the capital city with raw sewage? Other than the disgust and the smell, there are serious health risks: spread of disease and the contamination of fresh water supply.

A fantasy? Not really.

In 2000 in Maroochy Shire, Queensland, Australia, Vitek Boden, a disgruntled former employee, remotely accessed the controls of a sewage plant and discharged 800,000 liters of raw sewage into local parks and rivers, as well as the grounds of a Hyatt Regency hotel. “Marine life died, the creek water turned black and the stench was unbearable for residents,” said a representative of the Australian Environmental Protection Agency.

So, whodunit to the Iranians? Information, or maybe disinformation, was spread to suggest that the infection had first come from computer notebooks used by Russian engineers working at the site of the Bushehr power plant. Other reports suggested that the United States has sought to devastate Iran’s nuclear program by attacking Iranian computer systems. The New York Times hinted it was Israeli Intelligence. Others were also suggesting that Israel was behind the attack because one of the Stuxnet internal computer codes included the name “myrtus”. The attack was announced during Sukkoth, a Jewish holiday that is celebrated with “the four species”, one of which is boughs with leaves from the myrtle tree. On the other hand, the “myrtus” reference could in fact be a reference to one of SCADA’s components known as RTUs (Remote Terminal Units), so that the reference is simply “My RTUs” – a tool within SCADA.

I found yet another reason that may allow conspiracy theorists to insist that Israel was the culprit: typing Stux in the Hebrew mode on a dual-language Hebrew-English keyboard would bring up the word “דאוס”, God in Latin. Are the alleged attackers hinting at the wrath of God that could follow unless the Iranians stop their development of nuclear capabilities and repeated threats to destroy Israel?
