Tag Archives: computer virus

Who Controls the Computers in North Korea–the Wapomi worm

Trojan. Image from Wikipedia.

Foreign hackers could have broken into North Korean computers and used them to make the country look responsible for hacking Sony, experts have said.  Any attempt to blame North Korea for the attack because hackers used a North Korean IP address “must be treated as suspect”, security firm Cloudmark said. That is one of the reasons that the FBI has given for suspecting the country for the attack, which took down Sony Pictures’ systems for weeks.  Security experts have continued to be dubious of the claim, but FBI officials have continued to blame North Korea.

The country has a very small connection to the internet, run by its national telecom ministry and a Thai firm. As a demonstration of how few connections North Korea has to the internet, Cloudmark said that it has the same number of IP addresses allocated to it as the entire country.  Cloudmark said that the North Korean addresses it traces tend to send out spam, which is usually the sign of an infected machine. It identified the Wapomi worm, which is transmitted by USB drives and file server shares, as the code that is allowing outside people to control the machines.

While there is no guarantee that the same worm is present on the computers that have carried out the attack, the prevalence of infected computers in the country shows how easy it could have been for Sony’s hackers to give the impression they were based in North Korea.  Cloudmark said that “unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct”.

Andrew Griffin, North Korea might have been hacked to frame it for Sony cyberattack, say experts, Independent, January 12, 2015
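The attribution problem Cloudmark raises above (a source IP inside a tiny national allocation, on hosts known to be spam relays, proves very little) is exactly what “email headers and mail server logs” would settle. The following script is an added example and is not code from the Independent article or from the original page. It walks the Received: chain of a constructed message from the newest hop downward, stops at the first connection our own mail servers recorded, and treats every header below that boundary as sender-supplied and therefore forgeable. The address block 175.45.176.0/22, the host names mx1/mx2.example.org, the relay address 192.0.2.10 and the sample headers are all assumptions made for the example; confirm the real allocation against current WHOIS data before using it.

```python
import ipaddress
import re

# Assumption, not stated on the page: the address block commonly registered to
# North Korea's Star JV / KCC.  Placeholder only; verify against WHOIS data.
NK_PREFIX = ipaddress.ip_network("175.45.176.0/22")

# Hypothetical names of the MTAs whose Received: lines we wrote ourselves, and
# the address of our own internal relay.  Only these facts are ours to trust.
TRUSTED_MX = {"mx1.example.org", "mx2.example.org"}
TRUSTED_RELAY_IPS = {"192.0.2.10"}

# Constructed sample message: the real sender connected to us from
# 203.0.113.7 but prepended a forged Received: line claiming a North Korean
# origin.  Continuation lines start with a tab, as in real headers.
SAMPLE_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mx2.example.org with ESMTP id A1; Mon, 12 Jan 2015 10:00:02 +0000
Received: from mail.attacker.invalid (mail.attacker.invalid [203.0.113.7])
\tby mx1.example.org with ESMTP id B2; Mon, 12 Jan 2015 10:00:01 +0000
Received: from kcc-node.invalid (kcc-node.invalid [175.45.176.10])
\tby mail.attacker.invalid with SMTP id C3; Mon, 12 Jan 2015 09:59:00 +0000
From: someone@kcc-node.invalid
Subject: constructed sample

body
"""

# "from HELO (reverse-dns [ip]) by host": the HELO name is chosen by the
# client, the bracketed IP and the "by" host are written by the receiving MTA.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^)]*\[([0-9.]+)\]\)\s+by\s+(\S+)")


def received_headers(raw_message):
    """Return Received: header values newest-first, with folded lines joined."""
    headers, in_received = [], False
    for line in raw_message.split("\n"):
        if line == "":
            break                       # end of the header block
        if line[:1] in (" ", "\t"):     # continuation of the previous header
            if in_received:
                headers[-1] += " " + line.strip()
            continue
        if line.lower().startswith("received:"):
            headers.append(line.split(":", 1)[1].strip())
            in_received = True
        else:
            in_received = False
    return headers


def parse_received(value):
    """Return (helo_name, connecting_ip, receiving_host) or None if unparseable."""
    m = RECEIVED_RE.search(value)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def split_chain(raw_message, trusted_mx, trusted_relay_ips):
    """Return (origin_ip, unverified_ips).

    Walk hops newest-first while the 'by' host is one of our MTAs.  The first
    connecting IP that is not one of our own relays is the last fact we recorded
    ourselves; every header below it came from the sender and may be forged.
    The HELO name is ignored on purpose: the client picks it freely."""
    hops = [parse_received(v) for v in received_headers(raw_message)]
    origin, unverified = None, []
    for i, hop in enumerate(hops):
        if hop is None or hop[2] not in trusted_mx:
            break                       # hop not written by us: stop, don't guess
        if hop[1] not in trusted_relay_ips:
            origin = hop[1]
            unverified = [h[1] for h in hops[i + 1:] if h is not None]
            break
    return origin, unverified


def assess(raw_message, trusted_mx, trusted_relay_ips, prefix):
    """Separate what the logs can vouch for from what the sender merely claimed."""
    origin, unverified = split_chain(raw_message, trusted_mx, trusted_relay_ips)

    def in_prefix(ip):
        return ipaddress.ip_address(ip) in prefix

    return {
        "origin": origin,
        "origin_in_prefix": origin is not None and in_prefix(origin),
        "unverified_in_prefix": [ip for ip in unverified if in_prefix(ip)],
    }


if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE, TRUSTED_MX, TRUSTED_RELAY_IPS, NK_PREFIX))
```

On the constructed sample the only hop our servers recorded is 203.0.113.7, outside the assumed block, while the 175.45.176.10 hop sits below the trust boundary and counts for nothing. The same walk applies to server logs: the connecting address an MTA logged is evidence, a Received: line it did not write is a claim.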

The Worm at the Nuclear Plants of South Korea

South Korea nuclear power plants map. Image from Wikipedia.

Korea Hydro & Nuclear Power Co Ltd said it would beef up cybersecurity by hiring more IT security experts and forming an oversight committee, as it came in for fresh criticism from lawmakers following recent hacks against its headquarters.  The nuclear operator, part of state-run utility Korea Electric Power Corp, said earlier this month that non-critical data had been stolen from its systems, while a hacker threatened in Twitter messages to close three reactors.

The control systems of the two complexes housing those reactors had not been exposed to any malignant virus, Seoul’s energy ministry and nuclear watchdog said in a joint statement, adding the systems were inaccessible from external networks.  Energy Minister Yoon Sang-jick told a parliamentary session that evidence of the presence and removal of a “worm” — which the ministry said was probably inadvertently introduced by workers using unauthorized USB devices — was unrelated to the recent hacking incidents, drawing scepticism from some lawmakers.  “I doubt control systems are perfectly safe as said,” Lee Jung-hyun, a lawmaker in the ruling Saenuri party, told the committee hearing.

Worries about nuclear safety in South Korea, which relies on nuclear reactors for a third of its power and is the world’s fifth-largest nuclear power user, have mounted since the 2011 Fukushima disaster in Japan and a domestic scandal in 2012 over the supply of reactor parts with fake security certificates… Korea Hydro and Nuclear Power President and CEO Cho Seok told the hearing that all control systems of the country’s 23 nuclear reactors were safe against malignant codes. Recently, he said that cyberattacks on non-critical operations at the company’s headquarters were continuing, although he did not elaborate for security reasons.

Excerpt from South Korea nuclear operator finds computer ‘worm’ in control system, Reuters, Jan. 1, 2015

Cyberattacks for Industrial Espionage, the Duqu Virus

Internet security firms have raised the specter of a new round of cyber warfare with last week’s detection of the Duqu virus – a “relative” of last year’s Stuxnet malware, which is thought to have slowed down at least one Iranian nuclear facility.  Duqu’s detection comes amid growing talk in Europe about launching pre-emptive strikes to stop cyberattacks before they happen. But the nature of malware like Duqu and Stuxnet makes pre-emptive strikes unrealistic.

“The problem is you can’t really say where they come from,” Candid Wüest, a virus expert at IT security firm Symantec told Deutsche Welle.  “You need evidence about who is behind an attack before you can strike pre-emptively,” said Wüest, “but you can never be sure – you can’t attack infrastructure, or even send in a stealth bomber, because any information about a location could be a red herring.”

Malware makers can hide their tracks using spoofing, VPNs, proxy services and other means to make it look like they are based in any number of countries – when in truth they are somewhere completely different.

Wüest is one of the experts at Symantec who are currently analyzing the source code behind Duqu. Symantec says it was alerted to the new threat on October 14 by a laboratory that has “international connections.”  Since then, Symantec’s investigations suggest that a “few hundred systems have been infected at a handful of companies,” many of which are in Europe.  Another IT security firm, McAfee, is also working on the virus. McAfee and Symantec both believe that Duqu shares strong similarities with the Stuxnet virus.

Some of its source code matches that of Stuxnet and because the Stuxnet code is not known to be available online, they say it is likely that Duqu was created by the same people or that they sold the code to another group. While it remains unclear where Stuxnet came from, the New York Times reported in January 2011 that Stuxnet was developed by the American and Israeli governments.

But there are significant differences as well between Duqu and Stuxnet.  “Duqu is not spreading like Stuxnet,” said Wüest, “Duqu was carefully placed and can be controlled remotely.”  Experts believe that Duqu has been used to target only a limited number of organizations for the specific assets.  “Its warhead is not aimed at the technology industry, it’s being used to steal information, so it’s more like industrial espionage,” Wüest added.

By contrast, Stuxnet was created to attack particular computer control systems made by the German firm Siemens.  These control systems are typically used to manage water supplies, oil rigs, power plants and other critical infrastructure.  Stuxnet infections were also found at Iranian nuclear facilities in 2010, leading some to speculate that the virus may have been designed by state actors – by governments or state security services who had wanted to disrupt Iran’s nuclear program.  A year later, Siemens spokesman Wieland Simon is keen to stress that “no customers reported any disruptions” of their control systems because of Stuxnet.

British Foreign Minister William Hague has said his country is developing unspecified electronic weapons that could be used to defend Britain against cyber attacks or prevent them….In Germany, the Criminal Police Union (BDK) called this week for a specialized federal ministry for the Internet.  Andre Schulz, the head of the BDK, told Deutsche Welle there was no danger that such a ministry would politicize issues around cyber warfare.  “It’s a sad situation,” said Schulz, “to realize that the government considers the Chaos Computer Club as its experts on IT security – we need a centralized body and I think that would be in the interest of business too.”  The CCC revealed nearly two weeks ago that a German government tool designed to perform digital surveillance domestically went well beyond its legal guidelines.

Wieland Simon, the Siemens spokesperson, was less than encouraging, suggesting that “no government can guarantee it can protect a country or entity against cyber attack.”  But there is still pressure for governments to do something.  “In future wars, there will be a cyber element,” said Mikko Hypponen, the chief research officer of F-Secure, a computer security firm, in an interview with Deutsche Welle. “Countries hope that if they threaten to use missiles to retaliate against a cyber attack, others will think twice about launching one.”

Zulfikar Abbany, ‘Son of Stuxnet’ hits European computer networks, DW-World.De, Oct. 21, 2011

Sabotaging Iran’s Nuclear Program, quiet, cyber, with few fingerprints

Iran’s star-crossed nuclear and energy programs have suffered a rash of setbacks, mishaps and catastrophes in the past two years.  Assassins killed three scientists with links to Iran’s nuclear programs. The Stuxnet computer worm that infected computers worldwide zeroed in on a single target in Iran, devices that can make weapons-usable uranium.  Dozens of unexplained explosions hit the country’s gas pipelines. Iran’s first nuclear power plant suffered major equipment failures as technicians struggle to bring it online.  Has Iran just been unlucky? Probably not.

The chief of Iran’s Atomic Energy Organization, Fereidoun Abbasi, told journalists at a meeting in Vienna last week that the United States was supporting an Israeli assassination campaign against his scientists. His comments came almost a year after motorcyclists attached a bomb to the door of his car in Tehran. He and his wife barely escaped.  As for the three slayings, Iranian President Ahmadinejad told The Associated Press that the killers had been caught and confessed to being “trained in the occupied lands by the Zionists.” He accused the International Atomic Energy Agency of being under U.S. control and said the watchdog agency had “illegally and unethically” released the names of Iran’s nuclear researchers, making them targets.

While Israel and Britain won’t discuss Iran’s charges, the U.S. has denied any role in the slayings.  “We condemn any assassination or attack on a person — on an innocent person,” State Department spokeswoman Victoria Nuland said after the latest killing in July. “We were not involved.” Former U.S. officials point out that assassinations are outlawed by the U.S., which condones drone strikes against terrorists as acts of war against combatants.  Yet there is little doubt that the Obama administration is pursuing a program of high-tech sabotage to disrupt Tehran’s suspected weapons-related nuclear efforts.

“I have no doubt that the U.S. and other countries were behind industrial sabotage aimed at the program of concern,” said Mark Fitzpatrick, a former State Department official who’s now at the International Institute for Strategic Studies in London.  [F]ormer officials said, the U.S. and its allies have ramped up covert actions aimed at slowing Iran’s nuclear progress toward a bomb.  Ex-officials said the U.S. has been careful to target only those facilities suspected of playing a role in weapons work.  One former senior intelligence official said that the U.S. considered a scheme to use a burst of electromagnetic energy to knock out power to one suspected Iranian weapons-related site but rejected the plan because of the risk of causing a widespread power outage. The former official would only speak about classified matters on condition of anonymity.

The suspected sabotage campaign is widely seen as an alternative to military confrontation with Iran, which some experts say could have disastrous consequences for the Middle East. A 2010 U.S. diplomatic memorandum published by the anti-secrecy group WikiLeaks quoted a German government official as saying that a program of “covert sabotage” against Iran, including explosions, computer hacking and engineered accidents, “would be more effective than a military strike whose effects in the region could be devastating.” The memo did not cite any specifics.  While the fact is rarely discussed, the U.S. may be the world’s leader in high-tech industrial sabotage.

According to an official CIA history, the Reagan administration was convinced that the Soviet Union was engaged in the wholesale theft of Western technological secrets. It arranged for the shipment of doctored computer chips, turbines and blueprints to the USSR that disrupted production at chemical plants and a tractor factory. When the KGB obtained plans for NASA’s Space Shuttle, the CIA said it made certain it was for a rejected design.  Thomas C. Reed, a member of the National Security Council in the Reagan administration, wrote in his 2004 book that during the Cold War the CIA tampered with the computer code embedded in Canadian components of a new trans-Siberian gas pipeline system. In 1982, a surge in pressure caused a three-megaton blast in the Siberian forest that was visible from space.

Washington has accused Tehran of sponsoring terrorist groups in Iraq, Syria and Lebanon, of sending arms to the Taliban in Afghanistan and aiding al-Qaida’s leadership in Pakistan. The U.S.-supported Iran Human Rights Documentation Center has said that Iranian intelligence agents have killed more than 160 expatriate political activists abroad.  “We’ve been in a contest with the Iranians now for 30 years, and this is just one phase of it,” said James Lewis, a former State Department official and an expert on technology and security. “The Iranians do things that appeal to them, and they are noisy and physical and explosive.”  The U.S., he said, has preferred quieter methods that leave few fingerprints. “If I was Iran, I would wonder if my stuff would work,” Lewis said.

The U.S. and its allies have avoided discussing the suspected sabotage campaign publicly. At least until recently, Iran has seldom raised the issue and even then has provided few details.  For both sides, the most sensitive issue is the question of who is killing Iran’s nuclear scientists.  Reuel Marc Gerecht, a former CIA officer now at the Foundation for the Defense of Democracies think tank, said a faction within Iran’s government might have ordered the assassinations. He said one researcher supported Iran’s persecuted opposition, while the others may have been suspected of spying for the West.  Other former officials and diplomats said the killings appear to be an effort by Iran’s adversaries to disrupt its nuclear weapons-related work…. “If the state and progress of the Iranian nuclear program depends on what is walking around inside the heads of one or two key officials, then we’ve got a lot less to worry about this program than most of the discourse would lead us to believe,” said Paul Pillar, a former CIA national intelligence officer for the Near East and South Asia.

Former officials and experts generally agree that the Stuxnet worm was an effort to sabotage Iran’s uranium enrichment centrifuges, which can be used to make fuel for reactors or weapons-usable material for atomic bombs. Western experts estimate that the malware destroyed 1,000 centrifuges at Iran’s Natanz plant last year.  Some former U.S. officials said that Israel’s Unit 8200, the Defense Force’s electronic intelligence service, probably led the development of Stuxnet, with the help of the U.S. and perhaps other nations. Others said they suspected the U.S. was the chief developer of what has been called the world’s first cyberweapon of mass destruction.

German Stuxnet expert Ralph Langner said in a speech this spring that such advanced software must have been created by what he called a cybersuperpower. “There is only one,” said Langner. “And that is the United States.”  Art Keller, a retired CIA officer who worked in the Middle East and South Asia, said Stuxnet’s self-destruct mechanism, its painstaking focus on a single target and other fail-safe features all suggest the program was screened by U.S. government lawyers concerned about limiting collateral damage.  “These are all the hallmarks of a U.S. covert action,” he said.

Insiders are divided on whether the West has conducted sabotage operations against Iran’s oil and gas pipeline networks.

Douglas Birch, Iran’s nuclear setbacks: More than just bad luck?, Associated Press, Sept. 24, 2011