Showing posts with label Stuxnet.

Wednesday, 24 October 2012

Ridiculous Administration Premise on U.S., Iran, and Saudi Aramco

Nicole Perlroth's New York Times story - In Cyberattack on Saudi Oil Firm, U.S. sees Iran Firing Back - is a ridiculous premise based on confusing hypotheses regarding malware that may not even have come from the U.S. But before I cover that, I'd like to know in what universe does a country who was on the receiving end of multiple perceived U.S. cyber attacks go after an entirely different nation in revenge?

The answer to that rhetorical question is none. There's no logical reason for Iran to attack Saudi Aramco in order to send a message to the U.S. I've written many times my belief that the Aramco attack was Iran sending a message to Saudi Arabia to not increase its oil production because of sanctions imposed on Iran. That may or may not be true but at least it follows a logical order. 

1. Iran makes a threat to SA - Don't increase your oil production. 
2. SA ignores the threat and increases production anyway.
3. Iran destroys Aramco's 2000 servers and 30,000 workstations.

To believe the Times story, the logic would have to flow differently:

1. Iran is hit by malware that it believes was created by the U.S. which destroyed some servers in its oil ministry.
2. It retaliates against the U.S. by destroying servers owned by Saudi Aramco.

Really? Does that make sense to anyone? 

Apart from that glaring logical inconsistency, there's a factual flaw in Ms. Perlroth's reporting that needs to be corrected. No one has a copy of the original Wiper malware that hit Iran's oil ministry last April so it's impossible to know that it was part of Flame. Further, no one knows who was responsible for Flame because the connection between Flame's creators and Stuxnet/DuQu's creators is limited to the assumption that they "knew each other". That hardly qualifies as coming from the same nation-state. All in all, this article was far below the quality that I've come to expect from Nicole Perlroth. I hope it doesn't serve to aggravate an already tense situation between the U.S. and Iran.

UPDATE (24OCT12): I just spoke with Nicole Perlroth and learned that her article was meant to take a skeptical view of the administration's campaign to pin cyber attacks on Iran. I reread the article and I'm still not clear on which points she was being skeptical about; however, based upon my respect of her past research, I've changed the name of this post to "Ridiculous Administration Premise ..." instead of "Ridiculous NY Times premise" since that was Ms. Perlroth's intent - to express skepticism of the Administration's position on this issue.

Wednesday, 17 October 2012

Fact-checking Secretary Panetta's Speech Regarding a Preemptive Strike


In an important speech on Thursday night, Defense Secretary Leon Panetta spoke about how the Department of Defense has improved capabilities to protect the U.S. against the threat of a catastrophic cyber attack; that if such an attack were imminent, the U.S. would strike first. While this statement was clearly meant to deliver a message to Iran which featured prominently in the Secretary's remarks, the U.S. lacks the technical ability to deliver on that threat.

According to the Law of Armed Conflict, a nation state must be under imminent threat of an attack which will cause grievous harm to its populace before it can launch a pre-emptive strike in self defense. Rather than a traditional kinetic attack, Secretary Panetta specifically referred to a cyber attack by "an aggressor nation or extremist group [who] could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals". The Secretary went on to say that "If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President".

The fact is however that neither the NSA nor any other agency has the ability to identify a malicious program that was custom-written to target an industrial control system before the attack occurs. It cannot "see" such a program traveling across the Internet backbone assuming that were the delivery method. More likely, as in the case of Stuxnet, Shamoon, and other malware, it would be hand-carried onto the target's premises and inserted via removable media into a networked computer which bypasses the capabilities of any NSA-run signals intelligence program to identify it.

Even if we had the ability to discern the purpose and target of malware in-transit, we'd also have to know which nation state was behind it. Although Secretary Panetta claimed that DoD has made "significant advances" in determining attribution, there's ample reason to doubt that statement - the most obvious being the Secretary's own words that "DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." Anonymity has provided much of the impetus for the increasing number of automated and targeted attacks against the U.S. and other countries. Those attacks are on the rise because anonymity remains intact.

U.S. offensive cyber warfare capabilities are second to none, but in the words of General Peter Pace, the former Chairman of the Joint Chiefs of Staff, we cannot defend against what we send out, and since what we have sent out (like Stuxnet) is being reverse-engineered, we should re-think whether our being in a weak defensive state is really the best time to be running offensive cyber operations in the first place.

Friday, 12 October 2012

U.S. SECDEF on Attribution - A Little Too Optimistic?


U.S. Secretary of Defense Leon Panetta gave a speech on Thursday, October 11, 2012 at the Business Executives for National Security (BENS) Eisenhower Award dinner in New York City where he made the following statement:
"In addition to defending the Department’s networks, we also help deter attacks. Our cyber adversaries will be far less likely to hit us if they know we will be able to link them to the attack, or that their effort will fail against our strong defenses. The Department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack. Over the last two years, the Department has made significant investments in forensics to address this problem of attribution, and we are seeing returns on those investments. Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests."

With great respect for our former Director of Central Intelligence, now SECDEF, I don't believe that we're anywhere near being able to identify sophisticated adversaries in cyberspace that extends beyond being able to give code names to anonymous hacker groups or recognizing certain TTPs. For one thing, five seconds before Secretary Panetta made the above remarks he said "Moreover, DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." So clearly if we have "made significant advances to link our cyber adversaries to an attack" and we're still fending off thousands of cyber actors probing DoD networks every day, then someone didn't get the memo!

In fairness, the Secretary didn't say that we are able today to solve the attribution problem. He said that we're making "significant advances" which is too nebulous a phrase to have a fact-based discussion about. The reason why I'm skeptical is because attribution is the kind of hard challenge that DOD farms out to private contractors, who sub-contract that work out to specialists at boutique security firms and I know a lot of those firms. They're all still focused on finding an answer by focusing on the forensics, and the answer won't ever be found through pure forensic research. Why? Because everything that we know about forensics is also known by our adversaries thanks to 900 security cons held worldwide annually and because our adversaries in cyberspace are highly skilled.

It's also ironic that while the SECDEF talks about our growing ability to deter through attribution, that it was the U.S. who was caught conducting a cyber-sabotage operation against Iran's Natanz nuclear fuel enrichment plant, and is suspected in two other high profile cyber attacks (DuQu and Flame). If anyone has demonstrated their ability to disguise their own cyber attacks while attributing the attacks of others, it would be Russia. Many of the U.S. security companies who promote their ability to identify bad guys to the DOD and IC never seem to catch Russia doing anything, yet Kaspersky Labs produces report after report post-Stuxnet on malware that seems to have originated with the U.S. Perhaps we could solve our attribution problem by hiring more Russian security engineers.



Monday, 24 September 2012

SC Magazine's Awful "Cyber Cold War" Article

Deb Radcliff wrote a feature article for SC magazine entitled "Cyber Cold War: Espionage and Warfare". Since SC is an IT Security publication and since international tensions are rising daily around this topic, I think it's important to confront errors and/or faulty judgments when they arise. This article is filled with them. Here are the top four that stood out to me:

SC: "But, the talk (Gen. Alexander's talk at DEFCON 2012) was also ironic, given that the NSA has been outed as the agency behind Stuxnet – which caused collateral damage on unintended targets in multiple countries, while the United States provided no intel to system operators that may have needed protection."

Wrong. Even though hundreds of thousands of computers had the Stuxnet worm present, it remained inert for all systems except those that it was specifically programmed to attack at Natanz. There was no collateral damage in multiple countries as Radcliff claimed.

SC: "As with Stuxnet, cyber war starts out ‘cold,' with the theft of information that can lead to larger-scale attacks. In that instance, information about targets (Siemens control systems at Iranian enrichment facilities) was collected in preparation for stage two and three of cold war – to disrupt and cause damage. The final stage is when attacks against the national infrastructure and military operations make it impossible for the target nation to respond to a physical assault."

Wrong on multiple counts. The use of the word "cyber war" is ridiculously provocative. Stuxnet was an act of sabotage, not war. In fact, there is no such thing as "cyber war" - not in law and not in fact. The rest of that paragraph is a hypothetical chain of events that Radcliff invented for her article. Stuxnet was not part of any larger plan to attack Iran's "national infrastructure and military operations". Its sole purpose was to disrupt a specific number of centrifuges involved in nuclear fuel enrichment. Period.

SC: "Stuxnet is one of only a few cases of actual cyber warfare with intent to damage physical systems, says Martin Libicki, senior management scientist at the RAND Corp., a government advisory think tank."

Wrong. I know Martin Libicki and have had occasion to interact with him at closed Intelligence Community events and with all due respect to his credentials, he's frequently misinformed about issues related to cyber warfare, what defines it, who conducts it and in what ways. The only actual events which can be legally described as cyber warfare are the cyber attacks launched during the Russia Georgia war in 2008, Operation Cast Lead in 2009, and possibly the most recent Kyrgyzstan revolution in 2011. In other words, cyber warfare exists when there's kinetic conflict with a cyber component. That's it.

SC: "On the other hand, a good example of mitigation and containment through fast response time is the March 2011 exfiltration of RSA SecurID code. The attack had only been in the network for days when EMC's security team discovered the compromise and took action."

Wrong. In fact, insultingly and ridiculously wrong. RSA lost its entire seed database to that attack. That breach, in turn, led to attacks against one confirmed defense contractor (Lockheed Martin) and probably a half dozen more throughout the year including L3, Northrop Grumman, and others. Nor does RSA's so-called "fast response" timeline hold up under scrutiny.

Radcliff closed her article with the following statement: "Cyber war is upon us, and organizations need better means of protecting themselves and sharing threat information to protect the larger infrastructure."
This is a false claim, irresponsibly made by a reporter who appeared to be determined to write a one-sided article. I really hope that this isn't a sign of SC magazine becoming a FUD mouthpiece for InfoSec vendors who want to stir the pot in hopes of increasing their profits.

Wednesday, 01 August 2012

Russia's Kaspersky Labs to Develop a Secure O/S for Critical Infrastructure and Military Use

A Russian IT news service has reported that Kaspersky Labs is developing its own secure operating system for use in industrial control systems. One of Eugene Kaspersky's competitors, Renat Yusupov of Kraftway, predicts that Kaspersky is "most likely developing a process control operating system where security is vital. It will probably be used in production, aviation, transport, energy, and may be used for military purposes."

While Kaspersky Labs hasn't made an official announcement, it has advertised for a requirements analyst and a senior security system designer for SCADA automated control systems. The ad which was listed with a HeadHunter website also said that Kaspersky is developing a new secure operating system.

Kaspersky has been in the forefront of investigating the Stuxnet, DuQu, and Flame attacks against Iran so the announcement that it's developing a secure O/S for the same types of systems that Stuxnet was designed to attack makes a lot of sense. Further, the quality of their security research plus the fact that Russia produces some of the best software engineers in the world suggests to me that this product could be in high demand - especially by its Rosatom customers. However, Kaspersky's close relationship with Russia's security services should also be considered by its potential customers. Under Russian law, the FSB could ask Kaspersky to include a backdoor in its secure O/S and the company would be required to comply. In fact, I can't imagine the FSB missing out on such an opportunity for intelligence collection against potential customers among the Commonwealth of Independent States, India, China, South Africa and others.





Wednesday, 20 June 2012

Arquilla's "Cool War" is Fiction

In this article for Foreign Policy, John Arquilla poses the question "Could the age of cyberwarfare lead us to a brighter future?". Arquilla proposes that it will but his article utterly fails to make the case.

He builds his case for pure cyber war as an alternative to kinetic war by using Stuxnet as an example claiming that it achieved "a serious disruption of Tehran's nuclear enrichment capabilities -- and possibly of a secret proliferation program." The fact is that Stuxnet caused limited disruption (by design) and it failed to halt Iran's nuclear enrichment program. It's also important to note that Stuxnet was only discovered because the malware design was flawed, which underscores the fundamental problem with Arquilla's imaginings of the efficacy of a pure cyber war. The effects of malware are often unpredictable and unpredictability is the enemy of military planners.

Later, he suggests that Flame, the cyber espionage tool which apparently infected Iran's network years before the Stuxnet worm was created, demonstrates how cyber espionage can replace old school tradecraft - "The code that comprises it seems to make the point that we no longer need physical agents in place if we can now rely on artificially intelligent agents to dredge up the deepest secrets." This is as ridiculous a notion as the one that Arquilla offers about cyberwarfare replacing boots on the ground. Both Chinese and Russian intelligence services continue to recruit human assets for acts of espionage even as they utilize cyber espionage as a force multiplier. HUMINT isn't going away - ever.

Arquilla writes that "On balance, it seems that cyberwar capabilities have real potential to deal with some of the world's more pernicious problems, from crime and terrorism to nuclear proliferation. In stark contrast to pitched battles that would regularly claim thousands of young soldiers' lives..." I challenge Professor Arquilla to present even a shred of evidence that supports his fantasy that this future could ever come to pass. I don't know what John Arquilla's motivations are behind this embarrassingly weak article but I wouldn't accept this from a student let alone a professor of his standing.

Saturday, 02 June 2012

Stuxnet, Disgraceful Conduct and the Next Growth Industry

For over a year I was one of the few people who was convinced that the U.S. wasn't behind Stuxnet. When New York Times journalists William J. Broad, John Markoff, and David Sanger wrote "Israeli Test on Worm Called Crucial in Iran Nuclear Delay", I criticized them for producing no verifiable evidence as well as mis-stating some facts. Almost 18 months later, David Sanger published an excerpt from his forthcoming book that had so many confidential details about the U.S. and Israeli operation called "Olympic Games" that there's no longer any doubt as to which nation state is responsible for the world's first cyber weapon - mine. The United States. I was wrong and I'm sick about it - but not because I had guessed it was China. I had laid out my reasons for my assessment and I made it in good faith. I don't mind being wrong about my analysis. At least I made an analysis which was more than most people did. No, what I'm sick about - horrified actually - is that so many U.S. citizens with security clearances who had sworn oaths to protect their country gave up everything about a highly classified program at the request of a journalist. It's my sincere hope that each and every one of them is caught and prosecuted to the fullest extent of the law. And - if any of you are reading this blog - your lack of honor disgusts me.

I'm also very worried about the consequences that we'll face as a country now that it's known that we once again broke the barrier of introducing a new weapons system that no one in the world had ever before used (at least that anyone knows about). We have a history of this so the consequences are easy to predict.

Nuclear weapons proliferated after our use of them against Japan. Unmanned Aerial Systems are being developed in over 130 countries after our introduction of them in Afghanistan. Now it's known that the U.S. with Israel's help has virtually attacked and caused physical damage to an industrial control system in another nation's nuclear laboratory. The blow back on this is going to be monumental and so will the pressure by the Pentagon on Congress to increase cyber-related spending because of a world-wide development race thanks to our own operation Olympic Games. If you're wondering what the next growth industry is going to be for the next 20 years, you can stop wondering. It'll be cyber munitions.

UPDATE (06JUN12): The FBI has opened an investigation into those leaks.

Tuesday, 06 December 2011

How Iran May Have Captured An RQ-170 Stealth Drone


On December 4th, the Iranian FARS news agency announced that the electronic warfare group of the Iranian military took over the operations of a very sophisticated, un-manned RQ170 Stealth Sentinel drone along the border between Afghanistan and Iran. NATO acknowledged that operators lost control of a drone in that area one week ago but that doesn’t necessarily mean that Iran was responsible. Iran has lied about drone captures before and they may be lying this time, but there are at least four good reasons why they may have succeeded.
  1. Through my company’s work in this area, I know that Un-manned Aerial Vehicle (UAV) technology is actively being targeted and acquired via acts of cyber-espionage. This includes research in the Narrowband spectrum which is how UAVs receive their commands.

  2. It’s not enough to know that Narrowband technology is used. An adversary would need to know the specific frequency in order to assume control of the vehicle. That obstacle may have been solved in October with the discovery of “credential-stealing” malware infecting the Ground Control Stations at Creech AFB. If the UAV operators (or pilots) entered the narrowband frequencies used to control their drones on a keyboard, and that keyboard was infected with a keylogger, that information would be captured and delivered to a command and control server and then collected by whomever was responsible for the attack.

  3. The RQ170 Stealth Sentinel along with the Reaper and Predator drones are all operated by pilots manning ground control stations at Creech AFB. The Air Force has not been forthcoming with details of the malware attack nor its remediation and the information that it has provided has been vague and misleading.

  4. Thanks to Stuxnet, Iran is spending a lot of money to ramp up its cyber warfare capabilities, and it's highly motivated to obtain some "get-back" against the U.S. since it believes that the U.S. and possibly Israel are responsible for the Stuxnet attack.

No one will know for sure if Iran successfully launched a cyber attack against “The Beast of Kandahar” (as the RQ170 is called) unless Iran presents proof, but its intent to do so is real; the theft of related technology is real; the lapse in cyber-security at Creech AFB was very real and the Air Force would be well-advised to take this threat seriously and re-evaluate the vulnerabilities that exist today in its UAV fleet.

RELATED:
Danger Room - Wired.Com: Iran Probably Did Capture A Secret U.S. Drone
Was Iran's Downing of an RQ-170 Related to the Malware Infection at Creech AFB?
U.S. Air Force Demonstrates How Not To Report A Malware Attack

Wednesday, 19 October 2011

Et Tu, DuQu?

If Symantec and F-Secure are correct and DuQu was written by the same people who created Stuxnet, then that means that the U.S. government is behind it. But Idaho National Lab, who some people think created the Stuxnet virus and which hosts ICS-CERT's Security Operations Center, didn't have a copy of the malware. They had to ask Symantec and McAfee to share their sample. The key question to ask in this puzzle is who has access to the Stuxnet source code? This post claims that Anonymous released the Stuxnet source code back in February; however, according to Mikko Hypponen's latest post on DuQu, that's not correct. Binaries were released into the wild but not the source code. Ralph Langner, who has done some of the best work on Stuxnet to date, has also told me privately that the source code has never been released. At best, some work has been done in reverse-engineering it. Knowing Ralph's singular focus on Stuxnet, if the source code was in the wild, he'd be the first person to grab a copy.

So if you believe the party line (which I don't) that the U.S. with the help of Israel created Stuxnet, then the U.S. is also the creator of DuQu. If we stay with that chain of reasoning, then as we learn more about DuQu and its use, an entirely different conclusion may be reached which points to an actor other than the U.S. DuQu was apparently involved in stealing information from an ICS manufacturer. Why would the U.S. use the Stuxnet source code to create a RAT to steal information from Industrial Control System (ICS) manufacturers? It already has access to most of the corporations who develop these systems through the National SCADA Testbed Project run by 3 U.S. national labs, including INL. At least one Command & Control server was hosted in India. Why would the U.S. pick India and not China, our favorite cyber adversary?

It's too early to know what DuQu is for, and no one knows where it came from, but facts are facts. The source code for Stuxnet isn't available in the wild, and if the same group is responsible for both pieces of malware, and you believe that the U.S. is behind Stuxnet, then you need to own the logical conclusion of that belief. If the facts around DuQu, now or in the future, point away from the U.S. then you need to re-consider whether the U.S. was ever involved in Stuxnet at all. After all, take a look at the part of the world that McAfee has identified as being DuQu's target area.

There are lots of nation states for whom this part of the world has significant appeal and who would benefit from a sophisticated info-stealing virus; in some cases much more than the U.S.


Monday, 27 June 2011

Thomas Wright Falsely Claims U.S. Double Standard In Cyber Warfare

Thomas Wright is the Executive Director of Studies at the Chicago Council on Global Affairs. His OpEd in the Financial Times today "America has double standards in fighting cyberwar" attempts to make the case that the U.S. is hypocritical in its approach to building an international consensus on cybersecurity.

While Wright's academic credentials are impressive, he loses a lot of credibility with his opening sentence which claims that the CIA website was hacked, and that it, plus the IMF and Citibank attacks have pushed us to the brink of "cyberwar". Frankly, anyone who thinks that a website that suffered a Denial of Service attack has been "hacked" has no business writing about cyber-anything let alone something as emotionally charged and least understood as "cyberwar".


He immediately moves on to mis-state the White House position on optional responses to a cyber attack. There is no White House strategy that treats cyber attacks as acts of war. I encourage Mr. Wright to actually read the White House's International Strategy for Cyberspace (.pdf) rather than guessing what it contains. Here's a very brief summary taken from the report:
"International Strategy for Cyberspace", p. 12
Later, he refers to the well-publicized but non-supported theory that the Stuxnet worm was a U.S-Israeli operation. Personally, I doubt that Mr. Wright has spent any time at all evaluating what is known and unknown about the Stuxnet worm but I challenge him to present any evidence in support of that theory. He won't, of course, because there is none.

Thomas Wright has a Ph.D. in government from Georgetown University and lectures on National Security. He apparently is not a lawyer so I can forgive his liberal use of "act of war" which is a non-existent entity in the Law of Armed Conflict. But he's sufficiently educated where one of his professors at Georgetown, Cambridge or University College Dublin should have taught him some critical thinking skills. It doesn't take a Ph.D. to understand cybersecurity sufficiently to engage in discourse about the many difficult issues that need addressing. It does, however, require a commitment to spend some time understanding the facts first and making oneself familiar with the source material. Based solely upon reading Wright's OpEd, he doesn't know what a DoS attack is, he doesn't know what an act of war is, he doesn't understand the White House's strategy for cyberspace, and he assumes that the U.S. was behind Stuxnet without knowing why. This doesn't reflect well for Mr. Wright or the Chicago Council on Global Affairs that employs him. In fact, it goes contrary to the stated mission of the Chicago Council - to influence discourse. I'm assuming that the Council's board meant "responsible" discourse.

Monday, 18 April 2011

Reason #6 Why China May Have Sponsored The Stuxnet Attack

In spite of the fact that I'm probably the only person who still doesn't believe that Israel or the U.S. was behind the development of the Stuxnet worm, I just discovered another reason why I believe the PRC is the most likely state-sponsor. According to this article in iStock Analyst "China Focus: Foreign Firms Seek Expansion Into China Even As Super-National Treatment Ends", Siemens has 16 R&D centers in China which employ over 2,300 engineers who are working on over 1,000 patents each year.

Assuming that Stuxnet was a Chinese operation, they didn't need access to Idaho National Labs or Dimona as the New York Times reported on January 17, 2011. In fact, everything needed was already in the PRC.

1. Windows source code:
"The review is an extension of an agreement signed in 2006 which enables China immediate access to the source code for Windows 7, Vista, XP, Server 2008 R2, Server 2003, and 2000, and the embedded software CE 6.0, 5.0, and 4.2. Also included is the source code for Microsoft Office 2003 Professional Edition and most other Microsoft products."


2. The Vacon Frequency Converter Drives targeted by Stuxnet are manufactured in Suzhou.


3. RealTek, one of two Taiwanese companies whose digital certificates were stolen, has a subsidiary office (RealSil) in Suzhou.


4. The P1 centrifuges which were sold to Iran by Pakistan's AQ Khan were originally of Chinese design.

5. Chinese anti-virus company Rising International announced an unheard of 1 million infections in China three months after the virus was discovered. No infections had been reported in China before then. Rising International became notorious for creating and distributing software viruses, then selling the anti-virus with the help of a Chinese government official in Beijing's Public Security Bureau.

And now (6), 2300 Siemens engineers working in 16 R&D centers in China would have access to a limitless supply of inside information about Siemens software and hardware.

I'm not suggesting that this represents incontrovertible evidence that China was the state sponsor of Stuxnet, but there is more fact-based evidence supporting China than I've seen presented for any other state. And now with Iran threatening legal retaliation against Siemens and apparently convinced that it was the U.S. and Israel with no evidence to support it, I think it's important to present some alternative analysis to the conventional wisdom one more time.

UPDATE (1 JUN 2012): David Sanger spilled the beans today in a lengthy NY Times article that Stuxnet was a U.S. operation which started during the Bush Administration. The world's first cyber weapon didn't come from China after all. 
