
Wednesday, 24 October 2012

Ridiculous Administration Premise on U.S., Iran, and Saudi Aramco

Nicole Perlroth's New York Times story - In Cyberattack on Saudi Oil Firm, U.S. Sees Iran Firing Back - is a ridiculous premise based on confusing hypotheses regarding malware that may not even have come from the U.S. But before I cover that, I'd like to know in what universe a country that was on the receiving end of multiple perceived U.S. cyber attacks goes after an entirely different nation in revenge.

The answer to that rhetorical question is none. There's no logical reason for Iran to attack Saudi Aramco in order to send a message to the U.S. I've written many times my belief that the Aramco attack was Iran sending a message to Saudi Arabia to not increase its oil production because of sanctions imposed on Iran. That may or may not be true but at least it follows a logical order. 

1. Iran makes a threat to SA - Don't increase your oil production. 
2. SA ignores the threat and increases production anyway.
3. Iran destroys Aramco's 2000 servers and 30,000 workstations.

To believe the Times story, the logic would have to flow differently:

1. Iran is hit by malware that it believes was created by the U.S. which destroyed some servers in its oil ministry.
2. It retaliates against the U.S. by destroying servers owned by Saudi Aramco.

Really? Does that make sense to anyone? 

Apart from that glaring logical inconsistency, there's a factual flaw in Ms. Perlroth's reporting that needs to be corrected. No one has a copy of the original Wiper malware that hit Iran's oil ministry last April, so it's impossible to know that it was part of Flame. Further, no one knows who was responsible for Flame, because the connection between Flame's creators and Stuxnet/DuQu's creators is limited to the assumption that they "knew each other". That hardly qualifies as coming from the same nation-state. All in all, this article was far below the quality that I've come to expect from Nicole Perlroth. I hope it doesn't serve to aggravate an already tense situation between the U.S. and Iran.

UPDATE (24OCT12): I just spoke with Nicole Perlroth and learned that her article was meant to take a skeptical view of the administration's campaign to pin cyber attacks on Iran. I reread the article and I'm still not clear on which points she was being skeptical about; however, based upon my respect for her past research, I've changed the name of this post to "Ridiculous Administration Premise ..." instead of "Ridiculous NY Times Premise", since that was Ms. Perlroth's intent - to express skepticism of the Administration's position on this issue.

Wednesday, 19 October 2011

Et Tu, DuQu?

If Symantec and F-Secure are correct and DuQu was written by the same people who created Stuxnet, then that means that the U.S. government is behind it. But Idaho National Lab, which some people think created the Stuxnet virus and which hosts ICS-CERT's Security Operations Center, didn't have a copy of the malware. They had to ask Symantec and McAfee to share their sample. The key question to ask in this puzzle is: who has access to the Stuxnet source code? This post claims that Anonymous released the Stuxnet source code back in February; however, according to Mikko Hyppönen's latest post on DuQu, that's not correct. Binaries were released into the wild, but not the source code. Ralph Langner, who has done some of the best work on Stuxnet to date, has also told me privately that the source code has never been released. At best, some work has been done in reverse-engineering it. Knowing Ralph's singular focus on Stuxnet, if the source code were in the wild, he'd be the first person to grab a copy.

So if you believe the party line (which I don't) that the U.S. with the help of Israel created Stuxnet, then the U.S. is also the creator of DuQu. If we stay with that chain of reasoning, then as we learn more about DuQu and its use, an entirely different conclusion may be reached which points to an actor other than the U.S. DuQu was apparently involved in stealing information from an ICS manufacturer. Why would the U.S. use the Stuxnet source code to create a RAT to steal information from Industrial Control System (ICS) manufacturers? It already has access to most of the corporations who develop these systems through the National SCADA Testbed Project run by 3 U.S. national labs, including INL. At least one Command & Control server was hosted in India. Why would the U.S. pick India and not China, our favorite cyber adversary?

It's too early to know what DuQu is for, and no one knows where it came from, but facts are facts. The source code for Stuxnet isn't available in the wild, and if the same group is responsible for both pieces of malware, and you believe that the U.S. is behind Stuxnet, then you need to own the logical conclusion of that belief. If the facts around DuQu, now or in the future, point away from the U.S., then you need to reconsider whether the U.S. was ever involved in Stuxnet at all. After all, take a look at the part of the world that McAfee has identified as being DuQu's target area.

There are lots of nation states for whom this part of the world has significant appeal and who would benefit from a sophisticated info-stealing virus; in some cases much more than the U.S.

