Tag Archives: computer worm

Who Controls the Computers in North Korea–the Wapomi worm

Trojan. Image from Wikipedia.

Foreign hackers could have broken into North Korean computers and used them to make the country look responsible for hacking Sony, experts have said.  Any attempt to blame North Korea for the attack because hackers used a North Korean IP address “must be treated as suspect”, security firm Cloudmark said.  That is one of the reasons the FBI has given for suspecting the country of the attack, which took down Sony Pictures’ systems for weeks.  Security experts have continued to be dubious of the claim, but FBI officials have continued to blame North Korea.

The country has a very small connection to the internet, run by its national telecom ministry and a Thai firm.  As a demonstration of how few connections North Korea has to the internet, Cloudmark said that it has the same number of IP addresses allocated to it as the entire country.  Cloudmark said that the North Korean addresses it traces tend to send out spam, which is usually the sign of an infected machine.  It identified the Wapomi worm, which is transmitted by USB drives and file server shares, as the code that is allowing outside people to control the machines.

While there is no guarantee that the same worm is present on the computers that carried out the attack, the prevalence of infected computers in the country shows how easy it could have been for Sony’s hackers to give the impression they were based in North Korea.  Cloudmark said that “unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct”.

ANDREW GRIFFIN, North Korea might have been hacked to frame it for Sony cyberattack, say experts, Independent, January 12, 2015
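Cloudmark’s point above, that a North Korean source IP proves little when the sending host may itself be an infected relay, and that email headers and mail-server logs are what would settle the question, can be made concrete. The Python below is an added example, not code from the Independent article or from Cloudmark: it unfolds the Received: chain of a constructed message, maps each hop against a constructed allocation table (RFC 5737 documentation prefixes stand in for a small country’s address block), and reports whether the hop that reached the victim’s mail server and the earliest hop in the chain fall in the same allocation. All addresses, hostnames and the allocation table are made up for illustration.

```python
"""Relay-chain inspection for source-IP attribution (added example, constructed data)."""
import ipaddress
import re

# Constructed allocation table: RFC 5737 documentation prefixes stand in for a
# country's small address allocation. These are NOT real country assignments.
ALLOCATIONS = {
    "203.0.113.0/24": "country-X",
    "198.51.100.0/24": "country-Y",
}
_NETS = [(ipaddress.ip_network(cidr), label) for cidr, label in ALLOCATIONS.items()]

# Bracketed peer address in a Received: header, e.g.
# "Received: from relay.example (relay.example [203.0.113.7]) by ..."
_PEER_IP = re.compile(r"^Received:\s+from\s+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.S)


def country_of(ip: str):
    """Label of the allocation containing ip, or None if it is outside every block."""
    addr = ipaddress.ip_address(ip)
    for net, label in _NETS:
        if addr in net:
            return label
    return None


def unfold(raw_headers: str):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_chain(raw_headers: str):
    """Peer IPs from the Received: headers, top-most (last hop) first.

    Servers prepend Received: lines, so the first one is the hop closest to the
    recipient and the last one is the hop closest to the sender."""
    ips = []
    for line in unfold(raw_headers):
        m = _PEER_IP.match(line)
        if m:
            ips.append(m.group(1))
    return ips


def attribute(raw_headers: str, trusted_hops: int = 1):
    """Compare the hop your own servers saw against the earliest hop in the chain.

    trusted_hops is the number of Received: lines written by infrastructure you
    control; every line below that was written by machines in the sender's
    hands and may be forged outright."""
    chain = received_chain(raw_headers)
    if not chain:
        return None
    last_hop, earliest = chain[0], chain[-1]
    return {
        "last_hop": last_hop,
        "last_hop_country": country_of(last_hop),
        "earliest_hop": earliest,
        "earliest_hop_country": country_of(earliest),
        "hops": len(chain),
        "forgeable_hops": max(0, len(chain) - trusted_hops),
        "consistent": country_of(last_hop) == country_of(earliest),
    }


# Constructed headers: the relay that reached the victim's MX sits inside the
# allocated block, but the chain shows the message entering that relay from an
# unrelated address, the pattern an infected intermediary would produce.
SAMPLE_HEADERS = """Received: from relay.country-x.example (relay.country-x.example [203.0.113.7])
\tby mx.victim.example (Postfix) with ESMTP id 1234ABCD;
\tMon, 12 Jan 2015 09:14:02 +0000
Received: from unknown (HELO bot) ([192.0.2.45])
\tby relay.country-x.example with SMTP;
\tMon, 12 Jan 2015 09:13:58 +0000
From: someone@example.net
Subject: test
"""

if __name__ == "__main__":
    print(attribute(SAMPLE_HEADERS))
```

Only the Received: lines written by servers you operate are trustworthy; the hops beneath them were recorded by the sender’s machines and can be fabricated, which is why the result carries a count of forgeable hops alongside the country comparison. In the sample the last hop lands in the allocated block while the earliest hop does not, so the source address alone says nothing about where the operator sat.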

The Worm at the Nuclear Plants of South Korea

South Korea nuclear power plants map. Image from Wikipedia.

Korea Hydro & Nuclear Power Co Ltd said it would beef up cybersecurity by hiring more IT security experts and forming an oversight committee, as it came in for fresh criticism from lawmakers following recent hacks against its headquarters.  The nuclear operator, part of state-run utility Korea Electric Power Corp, said earlier this month that non-critical data had been stolen from its systems, while a hacker threatened in Twitter messages to close three reactors.

The control systems of the two complexes housing those reactors had not been exposed to any malignant virus, Seoul’s energy ministry and nuclear watchdog said in a joint statement, adding the systems were inaccessible from external networks.  Energy Minister Yoon Sang-jick told a parliamentary session that evidence of the presence and removal of a “worm” — which the ministry said was probably inadvertently introduced by workers using unauthorized USB devices — was unrelated to the recent hacking incidents, drawing scepticism from some lawmakers.  “I doubt control systems are perfectly safe as said,” Lee Jung-hyun, a lawmaker in the ruling Saenuri party, told the committee hearing.

Worries about nuclear safety in South Korea, which relies on nuclear reactors for a third of its power and is the world’s fifth-largest nuclear power user, have mounted since the 2011 Fukushima disaster in Japan and a domestic scandal in 2012 over the supply of reactor parts with fake security certificates…Korea Hydro and Nuclear Power President and CEO Cho Seok told the hearing that all control systems of the country’s 23 nuclear reactors were safe against malignant codes. Recently, he said that cyberattacks on non-critical operations at the company’s headquarters were continuing, although he did not elaborate for security reasons.

Excerpt from South Korea nuclear operator finds computer ‘worm’ in control system, Reuters, Jan. 1, 2015

Sabotaging Iran’s Nuclear Program, quiet, cyber, with few fingerprints

Iran’s star-crossed nuclear and energy programs have suffered a rash of setbacks, mishaps and catastrophes in the past two years.  Assassins killed three scientists with links to Iran’s nuclear programs.  The Stuxnet computer worm that infected computers worldwide zeroed in on a single target in Iran, devices that can make weapons-usable uranium.  Dozens of unexplained explosions hit the country’s gas pipelines.  Iran’s first nuclear power plant suffered major equipment failures as technicians struggled to bring it online.  Has Iran just been unlucky?  Probably not.

The chief of Iran’s Atomic Energy Organization, Fereidoun Abbasi, told journalists at a meeting in Vienna last week that the United States was supporting an Israeli assassination campaign against his scientists.  His comments came almost a year after motorcyclists attached a bomb to the door of his car in Tehran.  He and his wife barely escaped.  As for the three slayings, Iranian President Ahmadinejad told The Associated Press that the killers had been caught and confessed to being “trained in the occupied lands by the Zionists.”  He accused the International Atomic Energy Agency of being under U.S. control and said the watchdog agency had “illegally and unethically” released the names of Iran’s nuclear researchers, making them targets.

While Israel and Britain won’t discuss Iran’s charges, the U.S. has denied any role in the slayings.  “We condemn any assassination or attack on a person — on an innocent person,” State Department spokeswoman Victoria Nuland said after the latest killing in July.  “We were not involved.”  Former U.S. officials point out that assassinations are outlawed by the U.S., which condones drone strikes against terrorists as acts of war against combatants.  Yet there is little doubt that the Obama administration is pursuing a program of high-tech sabotage to disrupt Tehran’s suspected weapons-related nuclear efforts.

“I have no doubt that the U.S. and other countries were behind industrial sabotage aimed at the program of concern,” said Mark Fitzpatrick, a former State Department official who’s now at the International Institute for Strategic Studies in London.  [F]ormer officials said, the U.S. and its allies have ramped up covert actions aimed at slowing Iran’s nuclear progress toward a bomb.  Ex-officials said the U.S. has been careful to target only those facilities suspected of playing a role in weapons work.  One former senior intelligence official said that the U.S. considered a scheme to use a burst of electromagnetic energy to knock out power to one suspected Iranian weapons-related site but rejected the plan because of the risk of causing a widespread power outage.  The former official would only speak about classified matters on condition of anonymity.

The suspected sabotage campaign is widely seen as an alternative to military confrontation with Iran, which some experts say could have disastrous consequences for the Middle East.  A 2010 U.S. diplomatic memorandum published by the anti-secrecy group WikiLeaks quoted a German government official as saying that a program of “covert sabotage” against Iran, including explosions, computer hacking and engineered accidents, “would be more effective than a military strike whose effects in the region could be devastating.”  The memo did not cite any specifics.  While the fact is rarely discussed, the U.S. may be the world’s leader in high-tech industrial sabotage.

According to an official CIA history, the Reagan administration was convinced that the Soviet Union was engaged in the wholesale theft of Western technological secrets. It arranged for the shipment of doctored computer chips, turbines and blueprints to the USSR that disrupted production at chemical plants and a tractor factory. When the KGB obtained plans for NASA’s Space Shuttle, the CIA said it made certain it was for a rejected design.  Thomas C. Reed, a member of the National Security Council in the Reagan administration, wrote in his 2004 book that during the Cold War the CIA tampered with the computer code embedded in Canadian components of a new trans-Siberian gas pipeline system. In 1982, a surge in pressure caused a three-megaton blast in the Siberian forest that was visible from space.

Washington has accused Tehran of sponsoring terrorist groups in Iraq, Syria and Lebanon, of sending arms to the Taliban in Afghanistan and aiding al-Qaida’s leadership in Pakistan. The U.S.-supported Iran Human Rights Documentation Center has said that Iranian intelligence agents have killed more than 160 expatriate political activists abroad.  “We’ve been in a contest with the Iranians now for 30 years, and this is just one phase of it,” said James Lewis, a former State Department official and an expert on technology and security. “The Iranians do things that appeal to them, and they are noisy and physical and explosive.”  The U.S., he said, has preferred quieter methods that leave few fingerprints. “If I was Iran, I would wonder if my stuff would work,” Lewis said.

The U.S. and its allies have avoided discussing the suspected sabotage campaign publicly.  At least until recently, Iran has seldom raised the issue and even then has provided few details.  For both sides, the most sensitive issue is the question of who is killing Iran’s nuclear scientists.  Reuel Marc Gerecht, a former CIA officer now at the Foundation for the Defense of Democracies think tank, said a faction within Iran’s government might have ordered the assassinations.  He said one researcher supported Iran’s persecuted opposition, while the others may have been suspected of spying for the West.  Other former officials and diplomats said the killings appear to be an effort by Iran’s adversaries to disrupt its nuclear weapons-related work….  “If the state and progress of the Iranian nuclear program depends on what is walking around inside the heads of one or two key officials, then we’ve got a lot less to worry about this program than most of the discourse would lead us to believe,” said Paul Pillar, a former CIA national intelligence officer for the Near East and South Asia.

Former officials and experts generally agree that the Stuxnet worm was an effort to sabotage Iran’s uranium enrichment centrifuges, which can be used to make fuel for reactors or weapons-usable material for atomic bombs. Western experts estimate that the malware destroyed 1,000 centrifuges at Iran’s Natanz plant last year.  Some former U.S. officials said that Israel’s Unit 8200, the Defense Force’s electronic intelligence service, probably led the development of Stuxnet, with the help of the U.S. and perhaps other nations. Others said they suspected the U.S. was the chief developer of what has been called the world’s first cyberweapon of mass destruction.

German Stuxnet expert Ralph Langner said in a speech this spring that such advanced software must have been created by what he called a cybersuperpower. “There is only one,” said Langner. “And that is the United States.”  Art Keller, a retired CIA officer who worked in the Middle East and South Asia, said Stuxnet’s self-destruct mechanism, its painstaking focus on a single target and other fail-safe features all suggest the program was screened by U.S. government lawyers concerned about limiting collateral damage.  “These are all the hallmarks of a U.S. covert action,” he said.

Insiders are divided on whether the West has conducted sabotage operations against Iran’s oil and gas pipeline networks.

DOUGLAS BIRCH, Iran’s nuclear setbacks: More than just bad luck?, Associated Press, Sept. 24, 2011