
Executive Cyber Protective Services

DRAGONS, TIGERS, PEARLS, AND YELLOWCAKE:

FOUR STUXNET TARGETING SCENARIOS

By Jeffrey Carr 16 November 2010

Copyright 2010 Jeffrey Carr. All rights reserved. https://taiaglobal.com 360 301-1716


"In the rush to examine a criminal's behavior, it is not difficult to become distracted by the dangling carrot of that criminal's potential characteristics and forget about the value of understanding his victims." - Brent Turvey

"When a person commits a crime something is left behind at the scene of the crime that was not present when the person arrived." - Locard's Principle of Exchange

Introduction [1]

The discovery of the Stuxnet worm has initiated a major shift in thinking by everyone from information security engineers to government officials about how offensive cyber operations are being conducted by state and non-state actors. There has been extensive technical analysis [2][3][4][5] done on the malware's code, and several anti-virus companies have released their sometimes conflicting data on infection statistics [6]; however, a lot of unknowns remain, including the worm's purpose, its target or targets, and who designed it. In other words, we've found the weapon used to commit a crime but we don't know who the attackers are, nor the intended victims, nor the purpose of the attack. The goal of this white paper is to demonstrate how investigating the victims of a cyber attack may yield clues as to its purpose as well as the identity of those responsible. While this paper focuses upon the Stuxnet worm, the concept and different modalities of alternative analysis [7] may be applied to other cyber attacks as well.

Symantec, Kaspersky, and Microsoft have released infection rates numbering in the thousands across dozens of countries; however, they were not all victims of the Stuxnet worm. According to Liam O'Murchu, Manager of Operations, Symantec Security Response, only a small percentage of those infected hosts had the software configuration that matched Stuxnet's attack code [8]. Siemens AG has publicly stated [9] that it is aware of only 15 victims of the Stuxnet worm, five of which are in Germany with others in the U.S., the E.U., and Asia. Symantec's W32.Stuxnet dossier featured one graph (see figure 1 below) of infected hosts that had Siemens Step 7 software installed; however, the fact that S7 software is present doesn't mean that the Stuxnet worm is active. According to Symantec's latest update [10], the worm targets a specific industrial process involving frequency converter drives (aka variable frequency drives) which are manufactured by Vacon PLC of Finland and Fararo Paya of Iran. Those drives are then issued commands to operate in ways that will gradually cause the system to malfunction and ultimately break down. According to Vacon's website, the uses for these drives are quite varied but include mining and mineral solutions [11].

[1] This white paper was written before it became clear that Iran's fuel enrichment plant at Natanz and possibly other Iranian installations were the target.
[2] Siemens "Stuxnet Malware" official communication presented by Thomas Brandstetter at CIP Seminar, 02 Nov 2010
[3] Symantec W32.Stuxnet Dossier by N. Falliere, L. O'Murchu, E. Chien, Sep 2010
[4] VirusBlokAda, "Trojan Spy 0485 and Malware Cryptor Win32 Inject.gen2 Review" by K. Oleg, U. Sergey, June 17, 2010
[5] ESET "Stuxnet Under The Microscope" by A. Matrosov, E. Rodionov, D. Harley, J. Malcho, Sept 2010
[6] "Myrtus and Guava: the Epidemic, the Trends, and the Numbers": http://www.securelist.com/en/blog/325/Myrtus_and_Guava_the_epidemic_the_trends_the_numbers
[7] Richards J. Heuer, "The Future of Alternative Analysis", presentation from ODNI conference, Jan 9-10, 2007
[8] Told to the author in a phone conversation on Nov 15, 2010
[9] "Cyber worm found at German industrial plants" (http://www.thelocal.de/national/20101002-30225.html)
[10] "Stuxnet: A Breakthrough": http://www.symantec.com/connect/blogs/stuxnet-breakthrough
[11] Vacon company website (Industrial Segments page): http://www.vacon.com/Default.aspx?id=469223

While it's important to understand that there are only a small number of actual victims among the 100,000 or more hosts infected by the Stuxnet worm, no one has an accurate count, nor does anyone know precisely when this attack began. Regardless of whose statistics you look at (Symantec, Microsoft, or Kaspersky), the majority of states impacted by Stuxnet are in Asia and Central Asia, with outliers in Africa, South America and North America. If you think of these states as multiple victims of the same unknown threat actor, then clues as to who the actor is may be extrapolated from what the victims have in common. For example, China, Russia, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, India, Pakistan, Iran, and Mongolia are all members of the Shanghai Cooperation Organization (SCO), which is a Central Asian collective working in areas related to commerce and security. Many of the affected states are also members of the Group of 15 (G15), which is the developing nations' answer to the better known Group of 8 (G8). There are, of course, many relationships that exist between nations, but the most important relationship to be considered is what makes them a potential target for the creators of the Stuxnet worm. After studying this attack for more than 3 months, I've identified four possible targeting scenarios:

1. Rare-Earth Metals Producing States
2. Uranium-Producing States
3. Corporate Sabotage To Discredit Siemens AG
4. Protecting the Malacca Straits (String of Pearls)

Attack Scenario #1: Rare-Earth Minerals Producing States

Table 1: Rare earth producing States with Stuxnet infections highlighted
People's Republic of China, Malaysia, Canada, India, Brazil, Australia, South Africa, United States, Kazakhstan

The top producing countries of rare earth minerals are China, India, Brazil, and Malaysia [12]. The People's Republic of China provides 95% of the world's demand for rare earths while holding 35% of the world's supply [13]. As a result, other nations are stepping up their own mining production; the top 3 of which are India, Brazil, and Malaysia, all of whom are on the Stuxnet list of affected nation states. Other rare earth producing states are Canada, Australia, the United States, Kazakhstan, and South Africa; the last 3 of which have reported Stuxnet infections.

Opportunity: As of November 2010, there are 251 individual active rare-earth projects in different stages of development, run by 165 companies in 24 different countries outside of China [14].

Motive: Sabotage competitors' mining operations to further consolidate control over the global supply of essential rare-earth metals.

Means: Target the most promising mining operations for attack. Here are a few possibilities taken from the top 13 picks in the TMR Advanced Rare-Earth Projects Index [15]:

Bear Lodge (Bull Hill Zone) - Wyoming, USA: operated by Rare Element Resources Ltd. (TSX.V:RES, AMEX:REE);
Kutessay II - Chui, Kyrgyzstan: operated by Stans Energy Corp. (TSX.V:RUU);
Mountain Pass - California, USA: operated by Molycorp Inc. (NYSE:MCP);
Nechalacho (Thor Lake Basal Zone) - Northwest Territories, Canada: operated by Avalon Rare Metals Inc. (TSX:AVL; OTCQX:AVARF);
Steenkampskraal - Western Cape, South Africa: operated by Great Western Minerals Group Ltd. (TSX.V:GWG, OTCBB:GWMGF) in association with Rare Earth Extraction Co.;
Strange Lake (B Zone) - Quebec, Canada: operated by Quest Rare Minerals Ltd. (TSX.V:QRM);
Zandkopsdrift - Northern Cape, South Africa: operated by Frontier Rare Earths Ltd. (TSX:FRO from 11/17/10 onwards);
Zeus (Kipawa) - Quebec, Canada: operated by Matamec Explorations Inc. (TSC.V:MAT, PK:MTCEF).

Assessment: Although rare-earths are a probable candidate for future cyber attacks modeled after the Stuxnet worm, it is highly unlikely to be the current target. Production by states other than China is still in a very early stage and it may be 4 years or longer before new projects go online.

[12] Global InfoMine Website: http://www.infomine.com/commodities/rareearth.asp
[13] Yale Global Online, "China's Chokehold on Rare Earth Metals Raises Concerns": http://yaleglobal.yale.edu/content/chinas-rare-earth-minerals
[14] "Value Metrics for 13 Advanced Rare Earth Projects": http://www.resourceinvestor.com/News/2010/11/Pages/Comparative-Value-Metrics-for-13-Advanced-RareEarthProjects.aspx
[15] Ibid

Attack Scenario #2: Uranium Producing States (Asia)

The list of states in Asia who are engaged in mining uranium as well as uranium enrichment and fuel fabrication closely aligns with the list of states reporting Stuxnet infections (highlighted):

Table 2: Uranium mining and fuel enrichment (data source: http://www.wise-uranium.org)
People's Republic of China, Republic of Korea, India, Democratic People's Republic of Korea, Kazakhstan, Kyrgyzstan, Mongolia, Saudi Arabia, Iran, Pakistan, Tajikistan, Uzbekistan, Russian Federation, Turkey, Vietnam

Iran's Natanz nuclear reactor has been mentioned in the press as a potential target; however, according to the IAEA, 2008 was the year that the Fuel Enrichment Plant at Natanz suffered a significant drop in performance. The cause for that drop is not known, but there is a lot of speculation ranging from incompetence to sabotage [16]. Whatever the reason, it happened before the earliest Stuxnet sample was discovered (June, 2009).

Figure 2: Timeline from Symantec's W32.Stuxnet dossier

Stuxnet has frequently been classified as a state or state-sponsored attack; however, starting in 2009 there's been a marked increase of anti-nuclear power protests in Germany, Russia, Finland, and France by activist organizations like Ecodefense, ECOperestroika, Greenpeace, the Green League, and Ydinverkosto, a movement in northern Finland which opposes uranium mining and nuclear power. Finland is of particular interest since one of the two frequency converter drives that Stuxnet issues commands to is made by a Finnish company, Vacon PLC. Some of the above-mentioned groups self-identify as anarchists and are on various law enforcement watchlists for engaging in acts of eco-terrorism [17]. Whether members of these groups have the requisite technical skill or the funds to create Stuxnet or similar malware is a matter for the respective state agencies to investigate.

Opportunity: Greenpeace is well-funded and has frequently conducted actions against nuclear facilities of the type that Stuxnet may be targeting. It is not known whether any members of Ydinverkosto are employed by Vacon or have contacts there.

Motive: Nuclear power plants, uranium mines, and fuel enrichment facilities are popular targets for environmental activists as well as eco-terrorists. The use of a virus like Stuxnet provides these groups with the ability to disrupt operations at targeted facilities with little to no risk to their members.

Means: Whether any of these groups have the resources or skill sets to develop, test, and launch this level of malware is unknown to the author at this time; however, Greenpeace France has been the victim of a cyber attack allegedly sponsored by French energy company EDF (see Attack Scenario #3).

Assessment: More information is needed about the financial assets and technical capabilities of these environmental action groups before an accurate assessment can be made; however, these actors may pose a credible threat to this sector in the next few years.

[16] ISIS Report, "Iran's Gas Centrifuge Program: Taking Stock": http://isis-online.org/isis-reports/detail/irans-gas-centrifuge-program-taking-stock/#9

Attack Scenario #3: Corporate Sabotage Against Siemens AG

The link that connects all of Stuxnet's victims is that they are Siemens customers. This fact raises the possibility that the threat actor responsible for the Stuxnet worm is a competing company who would benefit by creating an aura of uncertainty or lack of trust in Siemens products. The following is an incident which began in March, 2009 and may not end until January, 2012 [18], which falls within the three year lifespan of Stuxnet: June, 2009 (earliest Stuxnet sample seen) to June 24, 2012 (the date found in Stuxnet's config file).

EU Commission Filing: Areva versus Siemens

On March 4, 2009, France 24 [19] published a news story about French nuclear giant Areva publicly accusing Siemens of breaching its non-compete clause with Areva when it formed an alliance with Russian Federation-owned Rosatom to become the world leader in civilian nuclear technology - a sector currently led by Areva and estimated to be worth 1 trillion dollars. On June 2, 2010, the European Commission launched an inquiry [20] into the anti-compete clause in Siemens' joint venture agreement with Areva - Areva NP

Figure 3: Graphic depicting Areva NP's services (source: www.areva-np.com)

Opportunity: As former majority partner with Siemens in the joint venture Areva NP, Areva has inside knowledge of Siemens' operational instrumentation and control systems which it supplied for their nuclear power plant projects.

Motive: Siemens is seeking to take Areva's place in a joint venture with Rosatom that could be worth 1 trillion dollars. Should Siemens suffer a reputation or trust issue in the global marketplace, it may convince Rosatom to reconsider its plans and stay with Areva.

Means: Areva SA is the world's largest nuclear energy company with 2009 revenues of €14bn (+6.4%) [21]. The French government owns 90% of Areva.

Assessment: There is a low to moderate likelihood that Areva planned and launched Stuxnet with the intention of derailing the Siemens - Rosatom deal. In order for such a plan to succeed there would have to be multiple reports of failures due to Siemens applications, which have not occurred. Stuxnet has not harmed Siemens' profits to date, and Rosatom's interest in working with Siemens has not diminished over the past year or more. Although there's no evidence of Areva being involved in sponsoring cyber attacks of any kind, there is a broader precedent of a French company engaging in those activities. Électricité de France (EDF) is the world's largest utility company with €66.34 billion in revenues in 2009, operating a diverse portfolio of 120,000+ megawatts of generation capacity in Europe, Latin America, Asia, the Middle East and Africa. EDF is being investigated by a French prosecutor for allegedly hiring Kargus Consultants to conduct a cyber attack against the director of Greenpeace France in 2006 [22].

Attack Scenario #4: The String of Pearls

The People's Republic of China (PRC) is actively involved in acquiring mining companies or embarking on joint ventures with them to fulfill its increasing demand for energy resources for which it has serious shortages (table 3).

Table 3: Source: ResourceInvestor.com (Dec 10, 2009) [23]
SERIOUS SHORTAGE: Chromium, Copper, Zinc, Cobalt, Platinum Group Elements, Strontium, Potassium, Boron, Diamond, Oil, Uranium, Iron
SHORTAGE / NO SHORTAGE: Titanium, Sulfur, Manganese, Bauxite, Tin, Lead, Nickel, Antimony, Gold

In addition to the minerals and metals above, China needs to import natural gas. Of the three countries reporting the highest rates of Stuxnet-infected hosts (Iran, India, Indonesia), Indonesia is the world's largest exporter of Liquefied Natural Gas (LNG) and coal used in power stations, and it has the largest gold mine and recoverable copper reserve [24]. Iran's oil exports to China jumped 30% in the last 9 months according to OPEC [25]. Russia, Kazakhstan and other nations in the Commonwealth of Independent States (CIS) export oil to China through the Atasu to Alashankou pipeline, financed by China's popular loan-for-oil program. Unlike Indonesia and Iran, India is China's competitor for energy resources, particularly oil, for which it is the world's fourth largest consumer (China is currently in second place after the U.S.). In fact, India is almost entirely dependent on external resources for its growing energy needs. This puts India and China at odds over securing energy resources as well as ensuring that key choke points like the Malacca Straits remain open.

China's strategy to combat India's own security interests in this region is one of engaging in foreign development projects at key locations along the oil shipping lanes. Each location is known as a pearl. Christopher J. Pehrson lists a few examples in a paper [26] that he wrote on this subject for the U.S. Army Strategic Studies Institute:

Hainan Island - upgraded military facilities
Woody Island - upgraded airstrip
Chittagong, Bangladesh - constructed a container shipping facility
Sittwe, Myanmar - constructed a deep water port

Apart from these examples, the states most often referred to as part of China's String of Pearls strategy are Pakistan, Sri Lanka, Myanmar, and Bangladesh. India has responded by building its own alliances in that region and holding military exercises with the Gulf Cooperation Council and Iran, among other contingencies.

Opportunity: The Chinese government is negotiating energy deals, joint ventures or acquisitions with companies that are located along the Malacca Straits, which India is trying to counter by making its own strategic alliances in some of the same countries.

Motive: China's reliance on foreign sources to meet its energy needs increases every year. It must continually succeed in acquiring assets as well as developing new resources on foreign soil, yet avoid escalating military tensions with India, its chief competitor. India has similar needs and motivations.

Means: Siemens has a strong presence in China. It was a global sponsor of China's World Shanghai Expo 2010. Its PLC SIMATIC Step 7 software targeted by Stuxnet is used in the radial gate control of the largest electricity-generating plant in the world, the Three Gorges dam in Hubei province. There's no question that China has the capability of developing and launching malware sufficient to the task, and it is highly likely that its cyber capabilities exceed those evidenced by the creators of the Stuxnet worm. Siemens also has a large presence in India with 18 manufacturing plants employing 17,000 people, so finding individuals with the necessary skills to create malware on the scale of Stuxnet would not be a problem.

Assessment: There is a low to moderate likelihood that Stuxnet's creators had planned to sabotage a competing state's operations along the Straits of Malacca and other choke points for strategic advantage in the uninterrupted flow of oil and other critical resources.

[17] "EcoDefense and Repression in Russia" (Oct 19, 2010): http://www.crimethinc.com/blog/2010/10/19/eco-defense-and-repression-in-russia/
[18] Symantec's timeline for Stuxnet lists June, 2009 as first Stuxnet sample seen and June 24, 2012 as the scheduled kill date for the worm (W32.Stuxnet Dossier v 1.3, p.4)
[19] France 24 International News (March 4, 2009): http://www.france24.com/en/20090304-areva-says-siemens-venture-with-rosatom-breaches-contract
[20] "Antitrust: Commission opens an investigation into alleged restriction of competition between Areva and Siemens" (June 2, 2010): http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/655&format=HTML&aged=0&language=EN&guiLanguage=en
[21] Areva Annual Report 2009: http://www.areva.com/EN/news-8247/annual-results-2009.html
[22] Bloomberg, "EDF Should Face Greenpeace Computer-Hacking Trial, French Prosecutor Says": http://www.bloomberg.com/news/2010-09-06/edf-should-face-greenpeace-computer-hacking-trial-french-prosecutor-says.html
[23] ResourceInvestor.com: http://www.resourceinvestor.com/News/2009/12/Pages/Himfr-China-seriously-short-on-nine-kinds-of-mineral-resources.aspx
[24] Ibid
[25] Tehran Times (Nov 12, 2010): http://www.tehrantimes.com/index_View.asp?code=230364
[26] Pehrson, Christopher J., LCOL USA, "String of Pearls: Meeting the Challenge of China's Rising Power Across the Asian Littoral": http://www.strategicstudiesinstitute.army.mil/pubs/display.cfm?pubid=721

SUMMARY

There are numerous obstacles to building a case for attribution with any cyber attack. In Stuxnet's case, the obstacles may be insurmountable unless further details on Stuxnet's real or potential target sites are forthcoming. Symantec's discovery that the malware provides instructions to two specific frequency converter drives has confirmed that sabotage, not espionage, was the purpose of the attack. It also rules out processes that don't require a frequency above 807 Hz [27]. According to the Vacon website, they serve the following industrial segments: Water, Marine, Pulp and Paper, Building Automation, Mining and Minerals, Solutions for MV Motors. Of those, the segment that holds the most value for nation states who engage in cyber operations of one type or another is Mining and Minerals, and that fact has helped inform the scenario choices that the author researched for this paper.

State Sponsorship or Corporate Sponsorship?

The Stuxnet malware analyses performed by Symantec, ESET, Kaspersky, Langner Communications, and Microsoft all point to a well-funded team of developers with certain unique skill sets and several months for development and testing. The obvious conclusion is that this team was sponsored by a nation state; however, certain multi-national corporations have the same or better resources than many governments. In some countries, the government has a controlling interest in their largest corporations, such as China's national champion companies (i.e., Huawei) or France's majority ownership of Areva (see Attack Scenario #3).

[27] "7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland." Symantec W32.Stuxnet Dossier, p.35
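The Summary's point that infection alone does not make a host a victim (the worm only acts where Step 7 is present and the attached drives match the device IDs and frequency quoted in footnote 27) can be turned into a triage check over an infected-host inventory. The following Python is an added example written for this edition, not code from the paper, Symantec, Siemens or Vacon; the inventory records, their comma-separated layout, and the treatment of 807 Hz as an inclusive lower bound are constructed assumptions.

```python
"""Triage infected hosts against the Stuxnet target profile described in the
Summary: Siemens Step 7 present, and attached frequency converter drives from
Fararo Paya (ID 7050h) or Vacon (ID 9500h) running at or above 807 Hz.
Added example; the inventory below is constructed, not real data."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Drive device IDs quoted by Symantec (footnote 27 of the paper).
TARGET_DRIVE_IDS = {0x7050: "Fararo Paya KFC750V3", 0x9500: "Vacon NX"}
# Lower bound of the frequency range named in the Summary; treated as
# inclusive here (assumption).
MIN_TARGET_HZ = 807

# Constructed inventory: name, country, infected, step7, drive ID (hex), drive Hz.
CONSTRUCTED_INVENTORY = """
# name, country, infected, step7, drive_id_hex, drive_hz
eng-ws-01, IR, yes, yes, 7050, 1064
eng-ws-02, IR, yes, yes, 9500, 900
plc-hmi-07, IN, yes, yes, 9500, 50
office-03, ID, yes, no, ,
pump-ctl-11, DE, yes, yes, 1234, 1100
lab-pc-05, US, no, yes, 9500, 1000
"""


@dataclass
class Host:
    name: str
    country: str
    infected: bool
    step7_installed: bool
    drive_id: Optional[int]
    drive_hz: Optional[int]


def parse_inventory(text: str) -> List[Host]:
    """Parse the comma-separated inventory; blank drive fields become None."""
    hosts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError(f"malformed inventory line: {raw!r}")
        name, country, infected, step7, drive_id, hz = fields
        hosts.append(Host(
            name=name,
            country=country,
            infected=infected.lower() == "yes",
            step7_installed=step7.lower() == "yes",
            drive_id=int(drive_id, 16) if drive_id else None,
            drive_hz=int(hz) if hz else None,
        ))
    return hosts


def classify(host: Host) -> str:
    """Explain why a host is, or is not, a plausible Stuxnet victim."""
    if not host.infected:
        return "not infected"
    if not host.step7_installed:
        return "infected, no Step 7"
    if host.drive_id not in TARGET_DRIVE_IDS:
        return "infected, drive vendor not targeted"
    if host.drive_hz is None or host.drive_hz < MIN_TARGET_HZ:
        return "infected, drive frequency below 807 Hz"
    return "matches target profile"


def triage(text: str) -> Dict[str, str]:
    """Map every host name in the inventory to its classification."""
    return {h.name: classify(h) for h in parse_inventory(text)}


def probable_victims(text: str) -> List[str]:
    """Hosts that actually match the target profile, sorted by name."""
    return sorted(n for n, c in triage(text).items()
                  if c == "matches target profile")


if __name__ == "__main__":
    for name, verdict in triage(CONSTRUCTED_INVENTORY).items():
        print(f"{name:12s} {verdict}")
    print("probable victims:", probable_victims(CONSTRUCTED_INVENTORY))
```

Run stand-alone, the script reduces six "infected" records to the two whose configuration the worm would actually act on, which is the distinction the paper draws between infection statistics and real victims.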

A Target Worthy Of The Weapon That Was Built For It

While the goal of the creators of the Stuxnet worm remains a mystery, the time, money, and skill that went into its creation provide some insight into its target; i.e., Predator drones aren't deployed to target shoplifters. Whatever Stuxnet was designed to attack, one can infer that it is a high value target worthy of the weapon that was created to sabotage it. More work needs to be done searching for mechanical failures or accidents that have occurred in the first half of 2010 in high value sectors that use frequency converter drives within the prescribed range. Means, Motive, and Opportunity combined with technical analysis and critical thinking will, at the very least, expose a heretofore unseen target that can be hardened before it becomes the inspiration for the next Stuxnet-inspired attack team. Forward-looking security is the only real security there is.

APPENDIX

Although this white paper was published in November, I wasn't satisfied with any of the above scenarios and continued my research for another 30 days, which culminated with my writing "Stuxnet's Finnish-Chinese Connection" for Forbes Firewall on December 14, 2010. The following is a condensed version of that article.

Reviewing The Evidence

China has an intimate knowledge of Iran's centrifuges since they're of Chinese design.

China has ready access to Siemens software since the company has 16 R&D centers operating within China with 2300 employees working on over 1000 projects per year.

China has better access than any other country to manufacturing plans for the Vacon frequency converter drive made by Vacon's Suzhou facility and specifically targeted by the Stuxnet worm (along with an Iranian company's drive). Furthermore, in March 2010, China's Customs ministry started an audit at Vacon's Suzhou facility and took two employees into custody, thereby providing further access to Vacon's manufacturing specifications under cover of an active investigation.

China has better access than any other country to RealTek's digital certificates through its Realsil office in Suzhou and, secondarily, to JMicron's office in Taiwan.

China has direct access to Windows source code, which would explain how a malware team could create 4 key zero day vulnerabilities for Windows when most hackers find it challenging to develop even one.

There were no instances of Stuxnet infections in the PRC until very late, which never made sense to me, particularly when Siemens software is pervasive throughout China's power installations. Then, almost as an after-thought and over three months from the time the virus was first discovered, Chinese media reported one million infections, and here's where the evidence becomes really interesting. That report originated with a Chinese antivirus company called Rising International, who we now know colluded with an official in Beijing's Public Security Bureau to make announcements encouraging Chinese citizens to download AV software from Rising International (RI) to fight a new virus that RI had secretly created in its own lab. Considering this new information, RI's Stuxnet announcement sounds more like a CYA strategy from the worm's originators than anything else.

China's Motive

On April 13, 2010, Beijing reiterated its opposition to Iran's goal to develop nuclear weapons capabilities while stating that sanctions against Iran would be counterproductive. In other words, the PRC wanted to support its third largest supplier of oil (after Saudi Arabia and Angola) while at the same time seeking ways to get Iran to stop its uranium fuel enrichment program. What better way to accomplish that goal than by covertly creating a virus that will sabotage Natanz' centrifuges in a way that simulates mechanical failure while overtly supporting the Iranian government by opposing sanctions pushed by the U.S.? It's both simple and elegant. Even if the worm was discovered before it accomplished its mission, who would blame China, Iran's strongest ally, when the most obvious culprits would be Israel and the U.S.?

About Taia Global


Taia Global is a startup company founded by Jeffrey Carr, the author of Inside Cyber Warfare, and a team of highly accomplished individuals who come from the technology industry, the Intelligence community, and the Department of Defense.

Our company is based on the premise that an enterprise's most critical data cannot be protected in the same way as the enterprise's network; that a corporation's senior management are high value targets, particularly when they travel overseas; and that these individuals require an entirely different security posture.

Taia Global provides physical and cyber security countermeasures to safeguard the computing assets of key executives and government officials while they travel overseas, and by extension, protect the enterprise's critical data against a common attack vector: the exploitation of the senior executive's trusted credentials on the network.

Contact Taia Global today for more information or to book a consultation.

Contact Information
Email: info@taiaglobal.com Website: https://taiaglobal.com Digital Dao blog: http://jeffreycarr.com
