
ramriot t1_j4g5wi4 wrote

I watched this documentary & although it gives a reasonable layman's guide to the events & technology around Stuxnet & other issues, due to factors perhaps beyond the makers' control it gives a far from comprehensive & sometimes factually incorrect account.


IDontTrustGod t1_j4gid4o wrote

Care to elaborate on any errors?


ramriot t1_j4gl0fi wrote

Not off the top of my head & I'm not rewatching & rereading my research paper collection after 20 years. Just know that no documentary can tell the whole story here.

But if you push me one aspect is, I don't believe they fully describe the original exploit in sufficient detail so a viewer can understand how it was specifically targeted for release inside an air-gapped network. Only later was it altered & indiscriminately released in a way that made it look like a broader infection.

Though had it not been misused after initial targeting we would most probably have never heard of it.


abitrolly t1_j4h796y wrote

I worked at the company that originally discovered it. Siemens SCADA software is run on Windows machines that are not connected to the Internet, and hence never patched. So any kind of malware that uses autorun exploits can get there. Knowing that, it is easy to target the machines. What is not that easy is to develop a fuzzer that, once installed, will properly send disruptive commands, instead of just freezing the PC.


charleswj t1_j4ht5go wrote

>not connected to the Internet, and hence never patched

These two things are not mutually exclusive, and it is almost criminal in a nuclear facility.


80burritospersecond t1_j4imm1t wrote

It's also kinda poor design to have all your emergency stop smash buttons be nothing but PLC inputs when they should be independently cutting power to the prime movers in whatever system is being controlled.


Burdekin_Boy t1_j4jv36w wrote

Yeah Estops into PLCs should only really be for signal/logging. Stand-alone safety relays should be in use.


TheImmortalIronZak t1_j4jvgft wrote

Absolutely is not. Most intelligence departments, Department of Justice, Homeland etc. all have some departments with air-gapped machines for security reasons. They can never be "hacked" or the like due to that. And as for the Iranian government's uranium enrichment center, the air-gapped machines control all aspects of the enrichment process, the centrifuges, etc. for the same reason.


charleswj t1_j4k0o72 wrote

>Absolutely is not. Most intelligence departments, Department of justice, homeland etc all have some departments with air gapped machines for security reasons.

This is actually not true except in some edge cases. Most of the "air gapped" networks are actually only logically separated. For example DOD's NIPR (often referred to as the "low side") is their version of what most companies have, the network most directly connected to the internet, as well as the DREN (for research and development). No classified data is allowed here.

But they also have other networks, sometimes referred to as the "high side" (i.e. SIPR, JWICS), where classified data (Secret and Top Secret, respectively) can be stored. It's a common misconception that these are air gapped, but they're actually more like a VPN on top of NIPR. Additionally, there are various "gateways" (i.e. DOTS, Cross Domain Enterprise Email Service) to allow limited communication and data transfer between low and high sides.


mrflib t1_j4hfb34 wrote



abitrolly t1_j4hk8md wrote

The program that generates bogus parameters for function calls. In that case values for Siemens controllers to set that will cause chaos in controlled hardware.


CupResponsible797 t1_j4hm680 wrote

This is really not a context in which you would normally use the term fuzzer. Stuxnet did not "fuzz" these PLCs, it performed a series of specific steps to identify its targets and cause them to break.


faux_glove t1_j4k1nxx wrote

What would a fuzzer do, then?


CupResponsible797 t1_j4l9cr6 wrote

A fuzzer is a tool which automatically feeds semi-random data to another program in order to discover anomalous behaviours.


hamburglin t1_j4jnrce wrote

Thank you. Not sure what this guy has been smoking but he's got some type of imaginary cyber security world built in his head.


muerto1964 t1_j4j1omi wrote

The thing was genius. I think it had a total of 9(?) Zero day exploits! Most malware will only have 1 if they are very very lucky.


Why_Did_Bodie_Die t1_j4jpsi7 wrote

I know almost nothing about computers. I remember in the documentary they made this seem pretty significant. Can you tell me a little about what a zero day is and why it is so significant? Are they really hard to do/make/get? Maybe EILI5.


tygghb t1_j4k3xcu wrote

Software exploits that are "brand new" (i.e. that the general public did not previously know about). Once an exploit is publicly known about, the companies usually work quickly to patch them. They are therefore rare and highly sought after by bad actors.

The going rate is about $100,000 each on the dark web. When a bad guy writes malware, they typically use one zero-day exploit, maybe even two.... but to have NINE or whatever Stuxnet had, is unheard of and was a tell-tale sign that the software was created by a nation-state since the average bad guy is not going to spend $900,000+ to write their malware.


so_futuristic t1_j4jrpzb wrote

Software vulnerabilities that are unknown to all but the people exploiting them.


muerto1964 t1_j4kufni wrote

A zero day exploit is an attack vector that nobody has ever seen before. No one has seen it and therefore we probably have little defense against it. 1 is rare. 9 in the same piece of malware is unheard of


hamburglin t1_j4jmx0p wrote

... autorun... exploits? (I'm going to pretend that's a term in the cyber security and forensics industry that actually makes sense to continue on here). In any context that has anything to do with being relevant about getting into air gapped networks? You sure you know what you're talking about?

You then reference the use of a fuzzer in a highly targeted attack? Wth? You think they're going in there and potentially bluescreening machines and trying "best guesses" at what they need to do to perform command and control operations? That would have already been known before deploying their malware and tools.

Safe to say even if you worked there then you still don't know what you're talking about.


ramriot t1_j4hj9kd wrote

I could be wrong but I'm guessing by the date that the development of the exploit predates the availability of modern fuzzing software.


abitrolly t1_j4hkjjs wrote

Fuzzing is a method of putting unexpected stuff into function parameters. You can write a fuzzer yourself, like `for x in random(): call(x)`.
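As an added illustration of the one-line sketch above and of the definition given earlier in the thread (a tool that feeds semi-random data to a program to surface anomalous behaviour), here is a small self-contained Python fuzzer. It is example code written for this page, not anything posted by a commenter: the target `parse_record`, the `fuzz` harness and the `minimize` helper are all constructed for the example. The target is a toy length-prefixed record parser that trusts its length byte, so the fuzzer finds the resulting out-of-range read and then shrinks one crashing input down to its smallest form.

```python
import random
from typing import Callable, List, Tuple

# Constructed target: 1-byte length N, N payload bytes, then a 1-byte checksum.
# It deliberately trusts the length byte, so a buffer shorter than the header
# claims raises IndexError instead of a clean ValueError.
def parse_record(data: bytes) -> Tuple[int, bytes]:
    if len(data) < 2:
        raise ValueError("too short")           # expected, well-behaved rejection
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]                      # IndexError when 1 + n >= len(data)
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")        # expected rejection
    return n, payload


def _crashes(target: Callable[[bytes], object], case: bytes, expected) -> bool:
    """True when the input triggers an exception the target is NOT documented to raise."""
    try:
        target(case)
    except expected:
        return False
    except Exception:
        return True
    return False


def fuzz(target: Callable[[bytes], object], iterations: int = 2000,
         seed: int = 1234, expected=(ValueError,)) -> List[Tuple[bytes, str]]:
    """Feed seeded pseudo-random byte strings to `target` and collect the inputs
    that cause an unexpected exception type (the 'anomalous behaviour')."""
    rng = random.Random(seed)                   # seeded so crashes reproduce
    crashes: List[Tuple[bytes, str]] = []
    for _ in range(iterations):
        length = rng.randint(0, 16)
        case = bytes(rng.randrange(256) for _ in range(length))
        try:
            target(case)
        except expected:
            continue                            # documented rejection, not a bug
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes


def minimize(target: Callable[[bytes], object], case: bytes,
             expected=(ValueError,)) -> bytes:
    """Greedy one-byte-at-a-time reduction: keep a deletion only while the
    shorter input still crashes, so the result is easier to triage."""
    i = 0
    while i < len(case):
        candidate = case[:i] + case[i + 1:]
        if _crashes(target, candidate, expected):
            case = candidate                    # crash preserved; retry same index
        else:
            i += 1
    return case


if __name__ == "__main__":
    found = fuzz(parse_record)
    print(f"{len(found)} crashing inputs out of 2000 cases")
    if found:
        case, name = found[0]
        print(name, case.hex(), "->", minimize(parse_record, case).hex())
```

The distinction the thread keeps returning to is visible in the harness: the fuzzer does not know what the correct input looks like, it only knows which exception types the target is supposed to raise, and it reports everything else. Every crash it keeps shrinks to two bytes (a non-zero length byte plus one payload byte), which is exactly the missing bounds check a maintainer would fix.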


charleswj t1_j4hsj4b wrote

That's only part of it. Its purpose is to discover vulnerabilities. That's not what was happening there.


Optimistic__Elephant t1_j4nvpoj wrote

What does this fuzzing accomplish? Is the idea to find an input that returns an error of some sort?


abitrolly t1_j5b6xmw wrote

Find the value that will bypass safety checks and destabilize connected hardware. Just sending random noise might not help, so the fuzzer could try to steadily increase some values or execute other logic that is known to be harmful for typical process control mechanisms. I called it a fuzzer because I assume it doesn't know what the real mechanism on the other end is. If you have the source code and schematic of the plant, you don't need to guess and can directly write targeted destructive code.


CupResponsible797 t1_j4gnhkz wrote

>Though had it not been misused after initial targeting we would most probably have never heard of it.

How was Stuxnet “misused” after initial targeting? It was inert outside of the specific systems targeted.


OwlBeneficial2743 t1_j4hes8j wrote

I believe that others used one or more of the zero days in subsequent malware; Flame was one. I don’t think it’s been proven Flame wouldn’t exist without Stuxnet, but it’s likely.


CupResponsible797 t1_j4hgmur wrote

Flame was developed by people involved in developing Stuxnet, no surprise that they would share elements. There's little indication that Flame is "subsequent malware", everything we know indicates that they were developed at around the same time.

Stuxnet development started around 2005

Flame development started at least as early as 2006

In fact, there are strong indicators that the people who developed Flame provided guidance and technical assistance to the less sophisticated Stuxnet developers. It's difficult to imagine that the development of Flame would have hinged on Stuxnet in any way.

>I believe that others used one or more of the zero days in subsequent malware;

Such as?


ramriot t1_j4gpbr8 wrote

Specifically it would need to be to go unnoticed inside the Iranian facility's air-gapped network.

The supposition from the evidence presented is that, before it was ever seen in the wild, it was introduced, possibly inadvertently, via a single compromised thumb drive containing a required update to the Windows SCADA control programming software, brought into the facility by a 3rd party engineer.

Later "public" appearances appear to be from proximal but unrelated sources & showed variations in code content that suggest a lower skilled operator had altered the original code.


CupResponsible797 t1_j4gqei2 wrote

It seems wholly unsurprising that malware targeting a specific airgapped network would also spread through other networks through whichever means are used to breach the airgap.

> Later "public" appearances appear to be from proximal but unrelated sources & showed variations in code content that suggest a lower skilled operator had altered the original code.

What modifications are you referring to? This documentary makes a vague claim that Israelis modified the spreading code to be more aggressive, but doesn’t really substantiate it.

The documentary certainly doesn’t claim that the changes made by the Israelis weren’t necessary for the operation to succeed.


MagnetsCarlsbrain t1_j4gsrx9 wrote

I haven't seen the doc but I've read Countdown to Zero Day and I'm not sure I agree (or maybe I'm misunderstanding). The worm was designed to spread as aggressively as possible, but to remain imperceptible on any system except for the target system.

While they probably planted it in close proximity to the target, they had to know that it was going to spread throughout the world. I don't think that was the result of taking it a step too far, rather it was a result of the core strategy.


duffmanhb t1_j4i5jof wrote

That's interesting. I had no idea that it was recoded and rereleased into the wild. Could it have been Israel? It definitely doesn't sound like something the US would do. Maybe Iran after discovering it tried to repurpose it?

I was always under the impression that it got out because the original attack vector was via a USB with some boss's naked wife on there, incentivizing him to bring it into the office... Then they also brought it out.


CupResponsible797 t1_j4l9n0h wrote

>I had no idea that it was recoded and rereleased into the wild. Could it have been Israel? It definitely doesn't sound like something the US would do. Maybe Iran after discovering it tried to repurpose it?

This didn't actually happen. At best there was some disagreement between the responsible nations about how aggressive the spreading functionality should be.


qazedctgbujmplm t1_j4iblwj wrote

All of what you said was in the doc. The NSA even blames the Israelis for fucking it up.


Admiral_Minell t1_j4ieecf wrote

Yeah agreed, mentioned by the anonymous NSA person, the private firm guys talk about finding version history, and someone even claims to quote Biden.


MissionarysDownfall t1_j4jio4f wrote

They absolutely did describe both those things. The weird graphic woman even swore about the Israelis f-ing everything up by being overly aggressive.


danderskoff t1_j4jisth wrote

I believe I heard somewhere it got into the facility from USB drives that were dropped in the parking lot near employee cars


ramriot t1_j4jkwt9 wrote

That scenario sounds pretty preposterous. Remember this was a remote secure compound. Where one key feature of their security is the air-gapped network.

Does it sound at all possible for someone to first wander onto the Natanz facility, second drop things around people's cars, & then third have those people with access to the centrifuge hall & who know how important the sanctity of the internal network is to just insert a random thumb drive?

That said it was likely a usb drive, but one designed to pass stringent inspection that came from a trusted source & was needed to update internal software.


danderskoff t1_j4kocjk wrote

Anything is possible with 3-letter USA agencies. Also, people are pretty stupid sometimes with USB drives. Sometimes they don't understand that you can compromise a system by doing that, and I know there's more to the story than just dumping random USB drives. We talked about this in college but those are really the only points I remember.


lariojaalta890 t1_j4gomzs wrote

Countdown to Zero Day is a great book that takes a deep dive into the event and those that preceded and followed. Highly recommended reading if you're interested.


persfinthrowa t1_j4gpogs wrote

Yeah let me just hop on a random documentary and say trust me bro this was factually incorrect and barely elaborate. Good stuff.


ColdPorridge t1_j4hg8uv wrote

I trust the top comment is reasonable in saying it's impossible for a documentarian to know the full story. This is a highly classified operation of aggression from one nation state to another.

There is so much that will never be revealed, it’s naive to think someone, even the most skilled investigative journalists, could “do their research” and get the full story. There are likely still state-sponsored espionage efforts trying to fully understand how Stuxnet happened and if there exist similar capabilities or plans against other infrastructure.

If you’ve never worked with classified information it’s easy to think that everything known by the government just eventually becomes public, but SCI programs like this maybe only have a dozen people or less in the world who understand the whole picture, and a few dozen or hundred more who only know part of it.


ramriot t1_j4gwnsb wrote

It's easy to scoff from a position of ignorance, go read the rest of thread & wikipedia & all contemporary sources before you shitpost next time.


saluksic t1_j4imujk wrote

This was a virus designed to break Iranian centrifuges. The headline makes it seem like a) it wasn't designed to be present in other systems, and b) it broke other systems. Neither of these is true. It was designed to spread indiscriminately, so as to reach the air-gapped centrifuges eventually. It did that. It was designed to only affect Iranian centrifuges. It did that, too. You either think attacking only Iranian centrifuges used for making weapons is nefarious or you don't. If you think damaging Iran's weapons program was bad, then you think Stuxnet was bad; otherwise it was good/benign.


ramriot t1_j4j9wr8 wrote

My opinion is immaterial here, the evidence & timing thereof though suggests a very different scenario to what a surface description would suggest.

Imagine if you will that you are a pair of nation states about to pay real money to devise a way of suspiciously attacking Iran's enrichment program. One very important factor in that is that you keep your technique secret so that, should it be needed again later, say with North Korea, it can be deployed successfully.

Thus when what is now called Stuxnet was first developed around 2005 it was only as pernicious as needed while being very careful to leave no traces. Its introduction to the Iranian SCADA control network in summer of 2007 was reported to have been via an Iranian mole working for the Dutch intelligence organisation or via another operative under that person's control.

Now fast forward to 3 years later in 2010 when code snippets start surfacing from a virus that seems to have payloads targeting SCADA control systems. The source zone of this infection appears to stem from Iran and communicating networks. The theory is that it was an inadvertent spread from an Iranian engineer who against orders took a computer previously part of the air-gapped network home & connected it to the internet.

Within a year of public identification there were many variants of this virus, perhaps reverse engineered from samples & used by others to create further havoc.

But hey, don't trust me, it's all here.


tibearius1123 t1_j4jgox6 wrote

It did break other computers. That’s how it was discovered.