Tag Archives: Stuxnet Iran nuclear power plants

A War Like No Other: the Covert Invasion of Iran

Within hours of Iran proudly announcing the launch of its latest centrifuges, on April 10, 2021, a power blackout damaged some of the precious machines at its site in Natanz…One thing reports seem to agree on is that an “incident” affected the power distribution network at Natanz.

Natanz is critical to Iran’s nuclear program. The heavily secured site is protected by anti-aircraft guns and has two large centrifuge halls buried more than 50 feet underground to protect them from airstrikes. Despite the conflicting reports, it appears the facility’s main power distribution equipment — Natanz has its own grid — was taken out with explosives. Backup emergency electricity also was taken down, and power cut out across the multibuilding compound, Behrouz Kamalvandi, spokesperson for Iran’s Atomic Energy Organization, told Iran’s state-run TV.

A blackout may not sound that serious, but it can be at an enrichment plant. Centrifuges are slender machines linked up in what are called cascades which enrich uranium gas by spinning it at incredibly high speeds using rotors. The stress on the advanced materials involved is intense and the process is technically immensely challenging. A small problem can send a centrifuge spinning out of control, with parts smashing into each other and damaging a whole cascade.

The question is: what caused the blackout – a cyber-attack or a physical act of sabotage, like a bomb?

Israel has a long history of sabotaging nuclear facilities in Iraq, Syria, and Iran, both through cyber means — including the sophisticated Stuxnet attack against Iran, which Israel conducted with U.S. and Dutch intelligence agencies — and with conventional bombs and explosives. Israel is also reportedly behind a number of assassinations of Iranian nuclear scientists and officials over the last decade. The Stuxnet attack was particularly significant because it launched the era of cyberwarfare, as it was the first cyberattack known to use a digital weapon that could leap into the physical realm to cause actual destruction of equipment. The highly skilled covert operation was conducted in lieu of a kinetic attack to avoid attribution and an escalation in hostilities with Iran; it remained undetected for three years..

Excerpts from Gordon Corera, Iran nuclear attack: Mystery surrounds nuclear sabotage at Natanz, BBC, Apr. 12, 2021, Kim Zetter, Israel may have Destroyed Iran Centrifuges Simply by Cutting Power, Intercept, Apr. 13, 2021

Who is the Boss? Cyber-War

A new National Cyber Power Index by the Belfer Centre at Harvard University ranks 30 countries on their level of ambition and capability…That America stands at the top of the list is not surprising. Its cyber-security budget for fiscal year 2020 stood at over $17bn and the National Security Agency (NSA) probably gets well over $10bn. The awesome scale of America’s digital espionage was laid bare in leaks by Edward Snowden, a former NSA contractor, in 2013, which showed the agency hoovering up vast amounts of the world’s internet traffic and trying to weaken encryption standards.

China, in second place, has demonstrated a voracious appetite for commercial cyber-espionage abroad and an iron grip on the internet at home. Britain, whose National Cyber Security Centre has parried over 1,800 cyber-attacks since its creation in 2016, is third. Russia, whose spies interfered with America’s last election, is in fourth place. The big surprise is the Netherlands in fifth place, ahead of France, Germany and Canada. Dutch expertise in analyzing malware is particularly sharp…

Many countries outsource the dirtiest work to deniable proxies, like “hacktivists” and criminals….But while stealing things and disrupting networks is important, what matters most over the longer term is control of digital infrastructure, such as the hardware that runs mobile telecommunications and key apps. Dominance there will be crucial to economic strength and national security.

Excerpt from Digital dominance: A new global ranking of cyber-power throws up some surprises, Economist, Sept. 19, 2020

Who is Afraid of Shamoon? How to Wipe a Country Off the Face of the Earth

Suspected Iranian hackers infiltrated critical infrastructure and government computers in the Persian Gulf nation of Bahrain in July-August  2019, raising fears among leaders in the region that Tehran is stepping up its cyberattacks amid growing tensions…Hackers broke into the systems of Bahrain’s National Security Agency—the country’s main criminal investigative authority—as well as the Ministry of Interior and the first deputy prime minister’s office, according to one of the people familiar with the matter.

On July 25, 2019 Bahrain authorities identified intrusions into its Electricity and Water Authority. The hackers shut down several systems in what the authorities believed was a test run of Iran’s capability to disrupt the country, the person said. “They had command and control of some of the systems,” the person said.  The breaches appeared broadly similar to two hacks in 2012 that knocked Qatar’s natural-gas firm RasGas offline and wiped data from computer hard drives belonging to Saudi Arabia’s Aramco national oil company, a devastating attack that relied on a powerful virus known as Shamoon.  Bahrain is the smallest country in the Persian Gulf, but it is strategically important because it’s the permanent home of the U.S. Navy’s Fifth Fleet and Navy Central Command. It is closely allied with its much larger neighbor, Saudi Arabia, a regional rival of Iran.

The Bahrain authorities haven’t definitively attributed the attack to Iran, but they have been provided intelligence by the U.S. and others suggesting Iran is behind it, the people familiar with the matter said….“In the first half of 2019, the Information & eGovernment Authority successfully intercepted over 6 million attacks and over 830,000 malicious emails. The attempted attacks did not result in downtime or disruption of government services,” 

Excerpt from High-Level Cyber Intrusions Hit Bahrain Amid Tensions With Iran, WSJ, Aug. 7, 2019

The Brutal Kangaroos

On June 22nd 2017, WikiLeaks published documents from the Brutal Kangaroo project of the CIA. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives…

The documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects a Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangaroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.

Excerpts from Brutal Kangaroo Press Release Wikileaks, June 22, 2017

Hacking German Nuclear Plants

A computer virus has been found in a nuclear power plant in Bavaria…The virus was found in Block B of the nuclear reactor at Gundremmingen in western Bavaria, a statement released by the power plant said.  The malware is well known to IT specialists and it attempts to create a connection to the internet without the user of the computer choosing to do so, the statement added…[T]he virus posed no danger to the public as all the computers which are responsible for controlling the plant are disconnected from one another and not connected to the internet. The virus is also not capable of manipulating the functions of the power plant, the statement claims. State authorities have been informed about the issues and specialists from the energy firm RWE are examining the computer system to asses how it became infected with the virus..

Germans are very sensitive to the dangers of nuclear technology… As recent as 2010, officials found traces of radioactivity connected to the 1986 Chernobyl catastrophe in German wildlife, like wild boar…Shortly after the Fukushima meltdown in 2011, Chancellor Angela Merkel announced that the country would phase out nuclear power by 2021…

Several newspapers reported that the terrorists behind the Paris attacks had the plans for a German nuclear facility, a claim later denied by German intelligence. Then, days later, it was found that inspectors responsible for carrying out safety checks at two nuclear plants had submitted fake reports.

Excerpts from Computer Virus in Bavarian Nuclear Plant, http://www.thelocal.de/, Apr. 26, 2016