At least they didn't put TNT on the site. :p
An Internet security company says it received a report nuclear plants in Iran were hit by a virus that makes their computers play music by the rock band AC/DC.
In a blog post earlier this week, F-Secure Labs, which monitors spyware, phishing and other cyber threats, said a scientist working at the Atomic Energy Organization of Iran (AEOI) sent “a series of e-mails” saying computer systems at the Natanz and Fordo nuclear facilities had been infected by a computer worm.
The sender said hackers shut down their automation network and Siemens hardware.
“I only know very little about these cyber issues as I am scientist not a computer expert,” read one excerpt, as translated by F-Secure.
“There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing Thunderstruck by AC/DC.”
Mikko Hypponen, lead researcher at the Finnish company, confirmed the nuclear scientist was sending and receiving e-mails from within the AEOI but could not verify any of the other details.
“I have no idea of his motivations and can’t confirm any of the things he wrote about,” he said in a tweet Thursday, adding he had not heard from the man since.
Iran’s nuclear facilities have recently been infected by viruses called Flame and Stuxnet, which Hypponen told the International Business Times were part of a joint U.S.-Israel cyber espionage operation.
Iranian nuclear plant has been Thunderstruck
- TithonusSyndrome
- Sith Devotee
- Posts: 2569
- Joined: 2006-10-10 08:15pm
- Location: The Money Store
Iranian nuclear plant has been Thunderstruck
http://www.torontosun.com/2012/07/26/ac ... uke-plants
Re: Iranian nuclear plant has been Thunderstruck
Why don't they make these things on dedicated/stand alone computers/networks/servers that are not in any way, shape or form connected to the wider interwebs? Seems bizarre to me.

Η ζωή, η ζωή εδω τελειώνει!
"Science is one cold-hearted bitch with a 14" strap-on" - Masuka 'Dexter'
"Angela is not the woman you think she is Gabriel, she's done terrible things"
"So have I, and I'm going to do them all to you." - Sylar to Arthur 'Heroes'
-
- SMAKIBBFB
- Posts: 19195
- Joined: 2002-07-28 12:30pm
- Contact:
Re: Iranian nuclear plant has been Thunderstruck
Because STUXnet, FLAME, this one and others are USB riding as well, so all it takes is one person amongst hundreds, even thousands to use a USB on both the external and internal network and it's game over.
Re: Iranian nuclear plant has been Thunderstruck
weemadando wrote: Because STUXnet, FLAME, this one and others are USB riding as well, so all it takes is one person amongst hundreds, even thousands to use a USB on both the external and internal network and it's game over.
Yeah, I get that, but that would imply a dedicated saboteur (or a stool pigeon being set up), otherwise you're basically infecting how many people in order to get 'lucky'?

Η ζωή, η ζωή εδω τελειώνει!
"Science is one cold-hearted bitch with a 14" strap-on" - Masuka 'Dexter'
"Angela is not the woman you think she is Gabriel, she's done terrible things"
"So have I, and I'm going to do them all to you." - Sylar to Arthur 'Heroes'
-
- SMAKIBBFB
- Posts: 19195
- Joined: 2002-07-28 12:30pm
- Contact:
Re: Iranian nuclear plant has been Thunderstruck
There's no extra cost to infect tens of millions of machines. It's not like you're targeting someone for recruitment in a traditional manner. You're taking the spam approach - that there'll be one moron in your target demographic among the millions that you infect.
Last edited by D.Turtle on 2012-07-28 05:11am, edited 1 time in total.
Reason: Deleted the double post. - D.Turtle
Re: Iranian nuclear plant has been Thunderstruck
Yeah, that's how STUXnet did it. It was a program that did three things: spread to new computers, check if the computer fit the target criteria, and delete itself on a certain date. Only if the computer fit the criteria would it try to kill the attached centrifuges.
Re: Iranian nuclear plant has been Thunderstruck
“There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing Thunderstruck by AC/DC.”
A) How would an Iranian scientist recognize an obscure (by his standards) western song and B) why would a scientific research workstation be fitted with speakers/headphones?

Sort of smells fake to me, but we'll see.
- Kane Starkiller
- Jedi Council Member
- Posts: 1510
- Joined: 2005-01-21 01:39pm
Re: Iranian nuclear plant has been Thunderstruck
We really don't know what his music standards are and I don't see why some of the computers wouldn't be equipped with speaker systems.
That said it does sound suspicious just not for the reasons you state: why would the attacker increase the size of the virus by attaching an audio file to it and why announce the computers are infected by playing a song?
Unless it was a non state actor attacking "just for fun".
But if the forces of evil should rise again, to cast a shadow on the heart of the city.
Call me. -Batman
- Sarevok
- The Fearless One
- Posts: 10681
- Joined: 2002-12-24 07:29am
- Location: The Covenants last and final line of defense
Re: Iranian nuclear plant has been Thunderstruck
Irbis wrote: “There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing Thunderstruck by AC/DC.” A) How would an Iranian scientist recognize an obscure (by his standards) western song and B) why would a scientific research workstation be fitted with speakers/headphones? Sort of smells fake to me, but we'll see.
Iranians are pretty westernized from what I've seen and bands like AC/DC are pretty well known all over the world. I could play Thunderstruck in some provincial town here in Bangladesh where electricity doesn't work half the time and a good percentage of people will recognize the tune. The power of a global culture can not be understated.
As for computers... well, around a decade back some Canadian nuclear plant made news when its employees were found playing multiplayer Quake on work computers. Like any factory or office, a nuclear plant is bound to have its share of mundane ordinary computers, laptops, printers, fax machines etc. Even if they did not use COTS hardware for any critical tasks, technically a virus got into computers at a nuclear facility and that's all you need for a sensational headline.
I have to tell you something everything I wrote above is a lie.
-
- SMAKIBBFB
- Posts: 19195
- Joined: 2002-07-28 12:30pm
- Contact:
Re: Iranian nuclear plant has been Thunderstruck
Because even the boggest of bog standard systems that we use in the public service still have integrated speakers (not pc speakers, just cheap and nasty things that are thrown in there).
Most systems that you'd buy in bulk tend to have these djfd
- Sarevok
- The Fearless One
- Posts: 10681
- Joined: 2002-12-24 07:29am
- Location: The Covenants last and final line of defense
Re: Iranian nuclear plant has been Thunderstruck
And given all the embargoes and sanctions they are under I'd hazard a guess that the Iranians have problems importing industrial control systems (especially ones known to be used in nuclear industry) and have to make do with less than optimal solutions.
I have to tell you something everything I wrote above is a lie.
Re: Iranian nuclear plant has been Thunderstruck
It's still hilariously idiotic to believe that someone would waste a working virus (and thus the vulnerabilities) to pull a childish prank. The only way I could rationalize this is to assume that it was some professional malware agent/firm, who wanted to prove his/their abilities. Though that doesn't make much sense outside Hollywood, either.
http://www.politicalcompass.org/test
Economic Left/Right: -7.12
Social Libertarian/Authoritarian: -7.74
This is pre-WWII. You can sort of tell from the sketch style, from the way it refers to Japan (Japan in the 1950s was still rebuilding from WWII), the spelling of Tokyo, lots of details. Nothing obvious... except that the upper right hand corner of the page reads "November 1931." --- Simon_Jester
-
- SMAKIBBFB
- Posts: 19195
- Joined: 2002-07-28 12:30pm
- Contact:
Re: Iranian nuclear plant has been Thunderstruck
It's an advertisement.
"I have built this bit of software that has gotten into X and done Y, commence bidding for usage rights to the botnet/whatever."
Re: Iranian nuclear plant has been Thunderstruck
The problem with that is twofold: a) you can't prove that it was you (it's actually very probable that nobody outside Iran will ever know) and b) you wouldn't need to pull such a stupid stunt in the first place.
http://www.politicalcompass.org/test
Economic Left/Right: -7.12
Social Libertarian/Authoritarian: -7.74
This is pre-WWII. You can sort of tell from the sketch style, from the way it refers to Japan (Japan in the 1950s was still rebuilding from WWII), the spelling of Tokyo, lots of details. Nothing obvious... except that the upper right hand corner of the page reads "November 1931." --- Simon_Jester
-
- SMAKIBBFB
- Posts: 19195
- Joined: 2002-07-28 12:30pm
- Contact:
Re: Iranian nuclear plant has been Thunderstruck
It can also just be an advertisement of capability from the same nation states that did the last rounds. Saying "nope, your security still sucks."
- Dalton
- For Those About to Rock We Salute You
- Posts: 22639
- Joined: 2002-07-03 06:16pm
- Location: New York, the Fuck You State
- Contact:
Re: Iranian nuclear plant has been Thunderstruck
Perhaps it's a decoy for further (or simultaneous) subterfuge.


To Absent Friends
"y = mx + bro" - Surlethe
"You try THAT shit again, kid, and I will mod you. I will
mod you so hard, you'll wish I were Dalton." - Lagmonster
May the way of the Hero lead to the Triforce.
Re: Iranian nuclear plant has been Thunderstruck
weemadando wrote: It can also just be an advertisement of capability from the same nation states that did the last rounds. Saying "nope, your security still sucks."
But that would be INCREDIBLY, RIDICULOUSLY, ENORMOUSLY idiotic. These operations take years to pull off with teams of dozens or hundreds of skilled malware engineers and they use up vulnerabilities. No sane military/intelligence operation would do that in order to play rock music.
http://www.politicalcompass.org/test
Economic Left/Right: -7.12
Social Libertarian/Authoritarian: -7.74
This is pre-WWII. You can sort of tell from the sketch style, from the way it refers to Japan (Japan in the 1950s was still rebuilding from WWII), the spelling of Tokyo, lots of details. Nothing obvious... except that the upper right hand corner of the page reads "November 1931." --- Simon_Jester
-
- SMAKIBBFB
- Posts: 19195
- Joined: 2002-07-28 12:30pm
- Contact:
Re: Iranian nuclear plant has been Thunderstruck
Why? It's by no means any more idiotic than paying locals to suicide bomb the regime's scientists.
And hell, if it's a matter of going: "well fuck, they haven't replaced the ENORMOUSLY EXPENSIVE INFRASTRUCTURE we destroyed with the last attack and they still haven't patched this vulnerability and we've got all these infected PCs..."
- General Zod
- Never Shuts Up
- Posts: 29211
- Joined: 2003-11-18 03:08pm
- Location: The Clearance Rack
- Contact:
Re: Iranian nuclear plant has been Thunderstruck
weemadando wrote: It can also just be an advertisement of capability from the same nation states that did the last rounds. Saying "nope, your security still sucks."
Skgoa wrote: But that would be INCREDIBLY, RIDICULOUSLY, ENORMOUSLY idiotic. These operations take years to pull off with teams of dozens or hundreds of skilled malware engineers and they use up vulnerabilities. No sane military/intelligence operation would do that in order to play rock music.
Where are you getting the "dozens or hundreds" number from? I think you're overestimating the difficulty involved.
"It's you Americans. There's something about nipples you hate. If this were Germany, we'd be romping around naked on the stage here."
Re: Iranian nuclear plant has been Thunderstruck
General Zod wrote: Where are you getting the "dozens or hundreds" number from? I think you're overestimating the difficulty involved.
The hash collision used in Flame probably required an enormous amount of work to be discovered (well, all those supercomputers at NSA must be doing something).
- Sarevok
- The Fearless One
- Posts: 10681
- Joined: 2002-12-24 07:29am
- Location: The Covenants last and final line of defense
Re: Iranian nuclear plant has been Thunderstruck
weemadando wrote: Why? It's by no means any more idiotic than paying locals to suicide bomb the regime's scientists. And hell, if it's a matter of going: "well fuck, they haven't replaced the ENORMOUSLY EXPENSIVE INFRASTRUCTURE we destroyed with the last attack and they still haven't patched this vulnerability and we've got all these infected PCs..."
Discovered exploits are a precious secret. Once you use them you can't use them again. Discovering new exploits is a matter of time, resources and most of all... a lot of luck. Skgoa is right in that this is not something a nation-state would not squander on a pure "trolling" effort.
I have to tell you something everything I wrote above is a lie.
- General Zod
- Never Shuts Up
- Posts: 29211
- Joined: 2003-11-18 03:08pm
- Location: The Clearance Rack
- Contact:
Re: Iranian nuclear plant has been Thunderstruck
weemadando wrote: Why? It's by no means any more idiotic than paying locals to suicide bomb the regime's scientists. And hell, if it's a matter of going: "well fuck, they haven't replaced the ENORMOUSLY EXPENSIVE INFRASTRUCTURE we destroyed with the last attack and they still haven't patched this vulnerability and we've got all these infected PCs..."
Sarevok wrote: Discovered exploits are a precious secret. Once you use them you can't use them again. Discovering new exploits is a matter of time, resources and most of all... a lot of luck. Skgoa is right in that this is not something a nation-state would not squander on a pure "trolling" effort.
Why not? This is probably going a bit into conspiracy theorist territory, but couldn't a government use this as a sort of false flag attack?
"It's you Americans. There's something about nipples you hate. If this were Germany, we'd be romping around naked on the stage here."
- Sarevok
- The Fearless One
- Posts: 10681
- Joined: 2002-12-24 07:29am
- Location: The Covenants last and final line of defense
Re: Iranian nuclear plant has been Thunderstruck
Because hacking is not an exact repeatable science. It relies on discovering mistakes of others designing a system and exploiting them. Even for agencies with vast resources there is a limit to what they can do, if they figure out a backdoor and reveal it causes it to be closed chances are they may never find another one again. In the civilian sector 0 day exploits (so far unpatched vulnerabilities) are usually a well kept secret among malware writers who discover them even though they normally share and collaborate a lot with their peers.
I have to tell you something everything I wrote above is a lie.
- General Zod
- Never Shuts Up
- Posts: 29211
- Joined: 2003-11-18 03:08pm
- Location: The Clearance Rack
- Contact:
Re: Iranian nuclear plant has been Thunderstruck
Sarevok wrote: In the civilian sector 0 day exploits (so far unpatched vulnerabilities) are usually a well kept secret among malware writers who discover them even though they normally share and collaborate a lot with their peers.
If it takes one teenager a week and a half to crack Google's security vulnerabilities I doubt it's as hard as you're making it out to be for a skilled hacker. Emphasis on skilled.
"It's you Americans. There's something about nipples you hate. If this were Germany, we'd be romping around naked on the stage here."
- Sarevok
- The Fearless One
- Posts: 10681
- Joined: 2002-12-24 07:29am
- Location: The Covenants last and final line of defense
Re: Iranian nuclear plant has been Thunderstruck
Sarevok wrote: In the civilian sector 0 day exploits (so far unpatched vulnerabilities) are usually a well kept secret among malware writers who discover them even though they normally share and collaborate a lot with their peers.
General Zod wrote: If it takes one teenager a week and a half to crack Google's security vulnerabilities I doubt it's as hard as you're making it out to be for a skilled hacker. Emphasis on skilled.
Luck plays a large role in discovering exploits. Sure there are some standardized approaches such as testing for classic vulnerabilities such as buffer overflows etc. But in the end this is not an engineering problem where you could just throw money and expect results. And types of vulnerabilities vary wildly, critical ones like remote code execution are extremely rare to come across and often jealously guarded by those who first discover them.
I have to tell you something everything I wrote above is a lie.