
Page 1: DRAGONS, TIGERS, PEARLS, AND YELLOWCAKE · 2011-03-15 · Dragons, Tigers, Pearls, & Yellowcake: Four Stuxnet Targeting Scenarios “In the rush to examine a criminal’s behavior,

DRAGONS, TIGERS, PEARLS, AND YELLOWCAKE:

FOUR STUXNET TARGETING SCENARIOS

By Jeffrey Carr

16 November 2010

TAIA GLOBAL

Executive Cyber Protective Services

Copyright 2010 Jeffrey Carr. All rights reserved • https://taiaglobal.com • 360 301-1716


Dragons, Tigers, Pearls, & Yellowcake:

Four Stuxnet Targeting Scenarios

“In the rush to examine a criminal’s behavior, it is not difficult to become distracted by the dangling carrot of that criminal’s potential characteristics and forget about the value of understanding his victims.” - Brent Turvey

“When a person commits a crime something is left behind at the scene of the crime that was not present when the person arrived.” - Locard’s Principle of Exchange

Introduction

The discovery of the Stuxnet worm has initiated a major shift in thinking by everyone from information security engineers to government officials about how offensive cyber operations are being conducted by state and non-state actors. There has been extensive technical analysis [1][2][3][4] done on the malware’s code, and several anti-virus companies have released their sometimes conflicting data on infection statistics [5]; however, a lot of unknowns remain, including the worm’s purpose, its target or targets, and who designed it. In other words, we’ve found the weapon used to commit a crime but we don’t know who the attackers are, nor the intended victims, nor the purpose of the attack. The goal of this white paper is to demonstrate how investigating the victims of a cyber attack may yield clues as to its purpose as well as the identity of those responsible. While this paper focuses upon the Stuxnet worm, the concept and different modalities of alternative analysis [6] may be applied to other cyber attacks as well.

[1] Siemens “Stuxnet Malware” official communication presented by Thomas Brandstetter at CIP Seminar, 02 Nov 2010

[2] Symantec “W32.Stuxnet Dossier” by N. Falliere, L. O’Murchu, E. Chien, Sep 2010

[3] VirusBlokAda, “Trojan Spy 0485 and Malware Cryptor Win32 Inject.gen2 Review” by K. Oleg, U. Sergey, June 17, 2010

[4] ESET “Stuxnet Under The Microscope” by A. Matrosov, E. Rodionov, D. Harley, J. Malcho, Sept 2010

[5] “Myrtus and Guava: the Epidemic, the Trends, and the Numbers”: http://www.securelist.com/en/blog/325/Myrtus_and_Guava_the_epidemic_the_trends_the_numbers

Symantec, Kaspersky, and Microsoft have released infection rates numbering in the thousands across dozens of countries; however, they were not all victims of the Stuxnet worm. According to Liam O Murchu, Manager of Operations, Symantec Security Response, only a small percentage of those infected hosts had the software configuration that matched Stuxnet’s attack code [7]. Siemens AG has publicly stated [8] that it’s aware of only 15 victims of the Stuxnet worm, five of which are in Germany, with others in the U.S., the E.U., and Asia. Symantec’s W32.Stuxnet dossier featured one graph (see figure 1 below) of infected hosts that had Siemens Step 7 software installed; however, the fact that S7 software is present doesn’t mean that the Stuxnet worm is active. According to Symantec’s latest update [9], the worm targets a specific industrial process involving frequency converter drives (aka variable frequency drives) which are manufactured by Vacon PLC of Finland and Fararo Paya of Iran. Those drives are then issued commands to operate in ways that will gradually cause the system to malfunction and ultimately break down. According to Vacon’s website, the uses for these drives are quite varied but include mining and mineral solutions [10].

[6] Richards J. Heuer, “The Future of Alternative Analysis”, presentation from ODNI conference, Jan 9-10, 2007:

[7] Told to the author in a phone conversation on Nov 15, 2010

[8] Cyber worm found at German industrial plants: http://www.thelocal.de/national/20101002-30225.html

[9] “Stuxnet: A Breakthrough”: http://www.symantec.com/connect/blogs/stuxnet-breakthrough

[10] Vacon company website (Industrial Segments page): http://www.vacon.com/Default.aspx?id=469223


While it’s important to understand that there are only a small number of actual “victims” among the 100,000 or more hosts infected by the Stuxnet worm, no one has an accurate count, nor does anyone know precisely when this attack began. Regardless of whose statistics you look at (Symantec, Microsoft, or Kaspersky), the majority of states impacted by Stuxnet are in Asia and Central Asia, with outliers in Africa, South America and North America. If you think of these states as multiple victims of the same unknown threat actor, then clues as to who the actor is may be extrapolated from what the victims have in common. For example, China, Russia, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, India, Pakistan, Iran, and Mongolia are all members of the Shanghai Cooperation Organization (SCO), which is a Central Asia collective working in areas related to commerce and security. Many of the affected states are also members of the Group of 15 (G15), which is the developing nations’ answer to the better known Group of 8 (G8).

There are, of course, many relationships that exist between nations, but the most important relationship to be considered is what makes them a potential target for the creators of the Stuxnet worm. After studying this attack for more than 3 months, I’ve identified four possible targeting scenarios:

• Rare-Earth Metals Producing States

• Uranium-producing States

• Corporate Sabotage To Discredit Siemens AG

• Protecting the Malacca Straits (String of Pearls)

Attack Scenario #1: Rare-Earth Minerals Producing States

Peoples Republic of China, India, Brazil, Malaysia, Australia, United States, Canada, South Africa, Kazakhstan

Table 1: Rare earth producing States with Stuxnet infections highlighted (highlighting not preserved in this transcript)

The top producing countries of rare earth minerals are China, India, Brazil, and Malaysia [11]. The Peoples Republic of China provides 95% of the world’s demand for rare earths while holding 35% of the world’s supply [12]. As a result, other nations are stepping up their own mining production; the top 3 of these are India, Brazil, and Malaysia, all of which are on the Stuxnet list of affected nation states. Other rare earth producing states are Canada, Australia, the United States, Kazakhstan, and South Africa; the last 3 of which have reported Stuxnet infections.

Opportunity: As of November 2010, there are 251 individual active rare-earth projects in different stages of development, run by 165 companies in 24 different countries outside of China [13].

Motive: sabotage competitors’ mining operations to further consolidate control over the global supply of essential rare-earth metals.

Means: Target the most promising mining operations for attack. Here are a few possibilities taken from the top 13 picks in the TMR Advanced Rare-Earth Projects Index [14]:

• Bear Lodge (Bull Hill Zone) - Wyoming, USA : operated by Rare Element Resources Ltd. (TSX.V:RES, AMEX:REE);

• Kutessay II – Chui, Kyrgyzstan : operated by Stans Energy Corp. (TSX.V:RUU);

• Mountain Pass – California, USA : operated by Molycorp Inc. (NYSE:MCP);

• Nechalacho (Thor Lake Basal Zone) – Northwest Territories, Canada : operated by Avalon Rare Metals Inc. (TSX:AVL; OTCQX:AVARF);

• Steenkampskraal – Western Cape, South Africa : operated by Great Western Minerals Group Ltd. (TSX.V:GWG, OTCBB:GWMGF) in association with Rare Earth Extraction Co.;

• Strange Lake (B Zone) – Quebec, Canada : operated by Quest Rare Minerals Ltd. (TSX.V:QRM);

• Zandkopsdrift – Northern Cape, South Africa : operated by Frontier Rare Earths Ltd. (TSX:FRO from 11/17/10 onwards);

• Zeus (Kipawa) – Quebec, Canada : operated by Matamec Explorations Inc. (TSC.V:MAT, PK:MTCEF).

[11] Global InfoMine Website: http://www.infomine.com/commodities/rareearth.asp

[12] Yale Global Online: “China’s Chokehold on Rare Earth Metals Raises Concerns”: http://yaleglobal.yale.edu/content/chinas-rare-earth-minerals

[13] Value Metrics for 13 Advanced Rare Earth Projects: http://www.resourceinvestor.com/News/2010/11/Pages/Comparative-Value-Metrics-for-13-Advanced-RareEarth-Projects.aspx

[14] Ibid

Assessment

Although rare-earths are a probable candidate for future cyber attacks modeled after the Stuxnet worm, it is highly unlikely that they are the current target. Production by states other than China is still in a very early stage and it may be 4 years or longer before new projects go online.

Attack Scenario #2: Uranium Producing States (Asia)

The list of states in Asia that are engaged in mining uranium as well as uranium enrichment and fuel fabrication closely aligns with the list of states reporting Stuxnet infections (highlighted):

Peoples Republic of China, India, Kazakhstan, Republic of Korea, Democratic Peoples Republic of Korea, Kyrgyzstan, Mongolia, Pakistan, Russian Federation, Saudi Arabia, Tajikistan, Turkey, Iran, Uzbekistan, Vietnam

Table 2: Uranium mining and fuel enrichment (data source: http://www.wise-uranium.org; highlighting not preserved in this transcript)

Iran’s Natanz nuclear reactor has been mentioned in the press as a potential target; however, according to the IAEA, 2008 was the year that the Fuel Enrichment Plant at Natanz suffered a significant drop in performance. The cause for that drop is not known, but there is a lot of speculation ranging from incompetence to sabotage [15]. Whatever the reason, it happened before the earliest Stuxnet sample was discovered (June, 2009).

Figure 2: Timeline from Symantec’s W32.Stuxnet dossier

Stuxnet has frequently been classified as a state or state-sponsored attack; however, starting in 2009 there has been a marked increase in anti-nuclear power protests in Germany, Russia, Finland, and France by activist organizations like Ecodefense, ECOperestroika, Greenpeace, the Green League, and Ydinverkosto, a movement in northern Finland which opposes uranium mining and nuclear power. Finland is of particular interest since one of the two frequency converter drives that Stuxnet issues commands to is made by a Finnish company, Vacon PLC. Some of the above-mentioned groups self-identify as anarchists and are on various law enforcement watchlists for engaging in acts of ecoterrorism [16]. Whether members of these groups have the requisite technical skill or the funds to create Stuxnet or similar malware is a matter for the respective state agencies to investigate.

[15] ISIS Report “Iran’s Gas Centrifuge Program: Taking Stock”: http://isis-online.org/isis-reports/detail/irans-gas-centrifuge-program-taking-stock/#9

Opportunity: Greenpeace is well-funded and has frequently conducted actions against nuclear facilities of the type that Stuxnet may be targeting. It is not known whether any members of Ydinverkosto are employed by Vacon or have contacts there.

Motive: Nuclear power plants, uranium mines, and fuel enrichment facilities are popular targets for environmental activists as well as eco-terrorists. The use of a virus like Stuxnet provides these groups with the ability to disrupt operations at targeted facilities with little to no risk to their members.

Means: Whether any of these groups have the resources or skill sets to develop, test, and launch this level of malware is unknown to the author at this time; however, Greenpeace France has been the victim of a cyber attack allegedly sponsored by French energy company EDF (see Attack Scenario #3).

Assessment: More information is needed about the financial assets and technical capabilities of these environmental action groups before an accurate assessment can be made; however, these actors may pose a credible threat to this sector in the next few years.

Attack Scenario #3: Corporate Sabotage Against Siemens AG

The link that connects all of Stuxnet’s victims is that they are Siemens’ customers. This fact raises the possibility that the threat actor responsible for the Stuxnet worm is a competing company who would benefit by creating an aura of uncertainty or lack of trust in Siemens products. The following is an incident which began in March, 2009 and may not end until January, 2012 [17], which falls within the three year lifespan of Stuxnet:

• June, 2009 (earliest Stuxnet sample seen)

• June 24, 2012 (the date found in Stuxnet’s config file)

[16] EcoDefense and Repression in Russia (Oct 19, 2010): http://www.crimethinc.com/blog/2010/10/19/eco-defense-and-repression-in-russia/

[17] Symantec’s timeline for Stuxnet lists June, 2009 as the first Stuxnet sample seen and June 24, 2012 as the scheduled “kill date” for the worm (W32.Stuxnet Dossier v1.3, p.4)

EU Commission Filing: Areva versus Siemens

On March 4, 2009, France 24 [18] published a news story about French nuclear giant Areva publicly accusing Siemens of breaching its non-compete clause with Areva when it formed an alliance with Russian Federation-owned Rosatom to become “the world leader in civilian nuclear technology” - a sector currently led by Areva and estimated to be worth 1 trillion dollars.

On June 2, 2010, the European Commission launched an inquiry [19] into the anti-compete clause in Siemens’ joint venture agreement with Areva - Areva NP.

Figure 3: Graphic depicting Areva NP’s services (source: www.areva-np.com)

[18] France 24 International News (March 4, 2009): http://www.france24.com/en/20090304-areva-says-siemens-venture-with-rosatom-breaches-contract

[19] Antitrust: Commission opens an investigation into alleged restriction of competition between Areva and Siemens (June 2, 2010): http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/655&format=HTML&aged=0&language=EN&guiLanguage=en

Opportunity: As former majority partner with Siemens in the joint venture Areva NP, Areva has inside knowledge of the Siemens operational instrumentation and control systems which it supplied for their nuclear power plant projects.

Motive: Siemens is seeking to take Areva’s place in a joint venture with Rosatom that could be worth 1 trillion dollars. Should Siemens suffer a reputation or trust issue in the global marketplace, it may convince Rosatom to reconsider its plans and stay with Areva.

Means: Areva SA is the world’s largest nuclear energy company with 2009 revenues of €14bn (+6.4%) [20]. The French government owns 90% of Areva.

Assessment: There is a low to moderate likelihood that Areva planned and launched Stuxnet with the intention of derailing the Siemens - Rosatom deal. In order for such a plan to succeed there would have to be multiple reports of failures due to Siemens applications, which have not occurred. Stuxnet has not harmed Siemens’ profits to date and Rosatom’s interest in working with Siemens has not diminished over the past year or more. Although there’s no evidence of Areva being involved in sponsoring cyber attacks of any kind, there is a broader precedent of a French company engaging in those activities. Électricité de France (EDF) is the world’s largest utility company, with €66.34 billion in revenues in 2009, operating a diverse portfolio of 120,000+ megawatts of generation capacity in Europe, Latin America, Asia, the Middle East and Africa. EDF is being investigated by a French prosecutor for allegedly hiring Kargus Consultants to conduct a cyber attack against the director of Greenpeace France in 2006 [21].

Attack Scenario #4: The String of Pearls

The Peoples Republic of China (PRC) is actively involved in acquiring mining companies or embarking on joint ventures with them to fulfill its increasing demand for energy resources for which it has serious shortages (table 3).

[20] Areva Annual Report 2009: http://www.areva.com/EN/news-8247/annual-results-2009.html

[21] Bloomberg “EDF Should Face Greenpeace Computer-Hacking Trial, French Prosecutor Says”: http://www.bloomberg.com/news/2010-09-06/edf-should-face-greenpeace-computer-hacking-trial-french-prosecutor-says.html

SERIOUS SHORTAGE: Chromium, Copper, Zinc, Cobalt, Platinum Group Elements, Strontium, Potassium, Boron, Diamond

SHORTAGE: Oil, Uranium, Iron, Manganese, Bauxite, Tin, Lead, Nickel, Antimony, Gold

NO SHORTAGE: Titanium, Sulfur

Table 3: China’s mineral resource shortages. Source: ResourceInvestor.com (Dec 10, 2009) [22]

In addition to the minerals and metals above, China needs to import natural gas. Of the three countries reporting the highest rates of Stuxnet-infected hosts (Iran, India, Indonesia), Indonesia is the world’s largest exporter of Liquified Natural Gas (LNG) and of coal used in power stations, and it has the largest gold mine and recoverable copper reserve [23].

Iran’s oil exports to China jumped 30% in the last 9 months according to OPEC [24]. Russia, Kazakhstan and other nations in the Commonwealth of Independent States (CIS) export oil to China through the Atasu to Alashankou pipeline, financed by China’s popular loan-for-oil program.

Unlike Indonesia and Iran, India is China’s competitor for energy resources, particularly oil, for which it’s the world’s fourth largest consumer (China is currently in second place after the U.S.). In fact, India is almost entirely dependent on external resources for its growing energy needs. This puts India and China at odds over securing energy resources as well as ensuring that key choke points like the Malacca Straits remain open.

[22] ResourceInvestor.com: http://www.resourceinvestor.com/News/2009/12/Pages/Himfr-China-seriously-short-on-nine-kinds-of-mineral-resources.aspx

[23] Ibid

[24] Tehran Times (Nov 12, 2010): http://www.tehrantimes.com/index_View.asp?code=230364


China’s strategy to combat India’s own security interests in this region is one of engaging in foreign development projects at key locations along the oil shipping lanes. Each location is known as a “pearl”. Christopher J. Pehrson lists a few examples in a paper [25] that he wrote on this subject for the U.S. Army Strategic Studies Institute:

• Hainan Island - upgraded military facilities

• Woody Island - upgraded airstrip

• Chittagong, Bangladesh - constructed a container shipping facility

• Sittwe, Myanmar - constructed a deep water port

Apart from these examples, the states most often referred to as part of China’s String of Pearls strategy are Pakistan, Sri Lanka, Myanmar, and Bangladesh. India has responded by building its own alliances in that region and holding military exercises with the Gulf Cooperation Council and Iran, among other contingencies.

Opportunity: The Chinese government is negotiating energy deals, joint ventures or acquisitions with companies that are located along the Malacca Straits, which India is trying to counter by making its own strategic alliances in some of the same countries.

Motive: China’s reliance on foreign sources to meet its energy needs increases every year. It must continually succeed in acquiring assets as well as developing new resources on foreign soil, yet avoid escalating military tensions with India, its chief competitor. India has similar needs and motivations.

Means: Siemens has a strong presence in China. It was a global sponsor of China’s World Shanghai Expo 2010. Its PLC SIMATIC Step 7 software, targeted by Stuxnet, is used in the radial gate control of the largest electricity-generating plant in the world - the Three Gorges dam in Hubei province. There’s no question that China has the capability of developing and launching malware sufficient to the task, and it’s highly likely that its cyber capabilities exceed those evidenced by the creators of the Stuxnet worm.

[25] Pehrson, Christopher J., LCOL USA, “String of Pearls: Meeting the Challenge of China's Rising Power Across the Asian Littoral”: http://www.strategicstudiesinstitute.army.mil/pubs/display.cfm?pubid=721


Siemens also has a large presence in India, with 18 manufacturing plants employing 17,000 people, so finding individuals with the necessary skills to create malware on the scale of Stuxnet would not be a problem.

Assessment: There is a low to moderate likelihood that Stuxnet’s creators had planned to sabotage a competing state’s operations along the Straits of Malacca and other choke points for strategic advantage in the uninterrupted flow of oil and other critical resources.

SUMMARY:

There are numerous obstacles to building a case for attribution with any cyber attack. In Stuxnet’s case, the obstacles may be insurmountable unless further details on Stuxnet’s real or potential target sites are forthcoming. Symantec’s discovery that the malware provides instructions to two specific frequency converter drives has confirmed that sabotage, not espionage, was the purpose of the attack. It also rules out processes that don't require a frequency of 807 Hz or higher [26]. According to the Vacon website, they serve the following industrial segments: Water, Marine, Pulp and Paper, Building Automation, Mining and Minerals, Solutions for MV Motors. Of those, the segment that holds the most value for nation states who engage in cyber operations of one type or another is Mining and Minerals, and that fact has helped inform the scenario choices that the author researched for this paper.
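The distinction this paper keeps returning to, that an infected host is only a victim when the process it controls matches the narrow configuration Stuxnet looks for, can be turned into a triage check over an asset inventory. The script below is an added example and is not code from the paper or from Taia Global; the inventory layout, the host names and the sample rows are constructed, and the only values taken from the page are the drive identifiers 7050h (Fararo Paya KFC750V3) and 9500h (Vacon NX) quoted from the Symantec dossier in footnote 26, the presence of Siemens Step 7, and the 807 Hz frequency floor stated above. Python is an assumption, since the page contains no code.

```python
"""Inventory triage against the Stuxnet victim profile described in this paper.

Added example: an infected host is only a probable *victim* when the process it
controls matches what the worm looks for, as the page states it: Siemens Step 7
present, a Fararo Paya (7050h) or Vacon NX (9500h) frequency converter drive,
and a process frequency of 807 Hz or higher. Everything else is "infected but
not a target", the gap between infection statistics and actual victims.
The inventory format and sample rows are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Drive identifiers and frequency floor as quoted on the page (footnote 26, Symantec dossier).
TARGETED_DRIVE_IDS: Dict[int, str] = {0x7050: "Fararo Paya KFC750V3", 0x9500: "Vacon NX"}
MIN_TARGET_HZ = 807.0


@dataclass
class Asset:
    host: str
    country: str
    infected: bool           # Stuxnet sample found on the host
    step7_installed: bool    # Siemens SIMATIC Step 7 present
    drive_id: Optional[int]  # attached drive identifier, None if no drive
    max_hz: Optional[float]  # rated process frequency in Hz, None if unknown


def parse_inventory(text: str) -> List[Asset]:
    """Parse lines of the hypothetical layout
    host,country,infected,step7,drive_id_hex,max_hz (blank fields mean unknown)."""
    assets: List[Asset] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, country, infected, step7, drive_hex, max_hz = [f.strip() for f in line.split(",")]
        assets.append(Asset(
            host=host,
            country=country,
            infected=infected.lower() == "yes",
            step7_installed=step7.lower() == "yes",
            drive_id=int(drive_hex, 16) if drive_hex else None,
            max_hz=float(max_hz) if max_hz else None,
        ))
    return assets


def classify(asset: Asset) -> str:
    """Tier a host: clean, infected-only, infected-step7, or probable-victim."""
    if not asset.infected:
        return "clean"
    if not asset.step7_installed:
        return "infected-only"          # carrier host; the payload has nothing to act on
    drive_targeted = asset.drive_id in TARGETED_DRIVE_IDS
    hz_in_range = asset.max_hz is not None and asset.max_hz >= MIN_TARGET_HZ
    if drive_targeted and hz_in_range:
        return "probable-victim"        # matches the configuration the payload acts on
    return "infected-step7"             # S7 present but not the targeted process


def triage(text: str) -> Tuple[Counter, Counter, List[str]]:
    """Per-country infected counts, per-country probable-victim counts, and the
    hosts an incident responder should physically inspect first."""
    infected: Counter = Counter()
    victims: Counter = Counter()
    inspect: List[str] = []
    for asset in parse_inventory(text):
        tier = classify(asset)
        if tier == "clean":
            continue
        infected[asset.country] += 1
        if tier == "probable-victim":
            victims[asset.country] += 1
            inspect.append(f"{asset.host} ({asset.country}): "
                           f"{TARGETED_DRIVE_IDS[asset.drive_id]} rated {asset.max_hz:g} Hz")
    return infected, victims, inspect


# Constructed sample inventory (not real hosts or sites).
SAMPLE_INVENTORY = """
# host,country,infected,step7,drive_id_hex,max_hz
eng-ws-01,IR,yes,yes,7050,1064
hmi-02,IR,yes,yes,7050,50
office-pc-07,IR,yes,no,,
plc-prog-03,ID,yes,yes,9500,900
pump-ctl-04,ID,yes,yes,9500,60
scada-05,IN,yes,yes,,
laptop-06,IN,yes,no,,
plant-07,DE,yes,yes,9500,1000
plant-08,DE,no,yes,9500,1000
ws-09,US,no,no,,
"""

if __name__ == "__main__":
    infected_by_country, victims_by_country, to_inspect = triage(SAMPLE_INVENTORY)
    print("country  infected  probable victims")
    for country in sorted(infected_by_country):
        print(f"{country:<8} {infected_by_country[country]:>8}  {victims_by_country[country]:>16}")
    print("\nInspect first:")
    for line in to_inspect:
        print("  " + line)
```

Run on the constructed sample, the per-country "infected" column is several times larger than the "probable victims" column, which is the point the paper makes about the published infection statistics. The check uses only the conditions the page states; the rated frequency of a drive is an assumption here and in a real inventory would be taken from the PLC project or the drive configuration rather than a spreadsheet field.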

State Sponsorship or Corporate Sponsorship?

The Stuxnet malware analysis performed by Symantec, ESET, Kaspersky, Langner Communications, and Microsoft all points to a well-funded team of developers with certain unique skill sets and several months for development and testing. The obvious conclusion is that this team was sponsored by a nation state; however, certain multi-national corporations have the same or better resources than many governments. In some countries, the government has a controlling interest in their largest corporations, such as China’s “national champion” companies (i.e., Huawei) or France’s majority ownership of Areva (see Attack Scenario #3).

[26] “7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.”, Symantec W32.Stuxnet Dossier, p.35


A Target Worthy Of The Weapon That Was Built For It

While the goal of the creators of the Stuxnet worm remains a mystery, the time, money, and skill that went into its creation provide some insight into its target; i.e., Predator drones aren’t deployed to target shoplifters. Whatever Stuxnet was designed to attack, one can infer that it’s a high value target worthy of the weapon that was created to sabotage it. More work needs to be done searching for mechanical failures or accidents that have occurred in the first half of 2010 in high value sectors that use frequency converter drives within the proscribed range. Means, Motive, and Opportunity combined with technical analysis and critical thinking will, at the very least, expose a heretofore unseen target that can be hardened before it becomes the inspiration for the next Stuxnet-inspired attack team. Forward-looking security is the only real security there is.


APPENDIX

Although this white paper was published in November, I wasn’t satisfied with any of the above scenarios and continued my research for another 30 days, which culminated with my writing “Stuxnet’s Finnish-Chinese Connection” for Forbes Firewall on December 14, 2010. The following is a condensed version of that article.

------------------

Reviewing The Evidence

• China has an intimate knowledge of Iran's centrifuges since they're of Chinese design.

• China has better access than any other country to manufacturing plans for the Vacon frequency converter drive made by Vacon’s Suzhou facility and specifically targeted by the Stuxnet worm (along with an Iranian company’s drive). Furthermore, in March 2010, China's Customs ministry started an audit at Vacon's Suzhou facility and took two employees into custody, thereby providing further access to Vacon's manufacturing specifications under cover of an active investigation.

• China has better access than any other country to RealTek's digital certificates through its Realsil office in Suzhou and, secondarily, to JMicron's office in Taiwan.

• China has direct access to Windows source code, which would explain how a malware team could create 4 key zero day vulnerabilities for Windows when most hackers find it challenging to develop even one.

• There were no instances of Stuxnet infections in the PRC until very late, which never made sense to me, particularly when Siemens software is pervasive throughout China's power installations. Then, almost as an afterthought and over three months from the time the virus was first discovered, Chinese media reported one million infections, and here's where the evidence becomes really interesting.

• That report originated with a Chinese antivirus company called Rising International, who we now know colluded with an official in Beijing's Public Security Bureau to make announcements encouraging Chinese citizens to download AV software from Rising International (RI) to fight a new virus that RI had secretly created in its own lab. Considering this new information, RI's Stuxnet announcement sounds more like a CYA strategy from the worm's originators than anything else.

China’s Motive

On April 13, 2010, Beijing reiterated its opposition to Iran's goal to develop nuclear weapons capabilities while stating that sanctions against Iran would be counter-productive. In other words, the PRC wanted to support its third largest supplier of oil (after Saudi Arabia and Angola) while at the same time seeking ways to get Iran to stop its uranium fuel enrichment program. What better way to accomplish that goal than by covertly creating a virus that will sabotage Natanz' centrifuges in a way that simulates mechanical failure, while overtly supporting the Iranian government by opposing sanctions pushed by the U.S.? It's both simple and elegant. Even if the worm was discovered before it accomplished its mission, who would blame China, Iran's strongest ally, when the most obvious culprits would be Israel and the U.S.?


About Taia Global

Taia Global is a startup company founded by Jeffrey Carr, the author of Inside Cyber Warfare, and a team of highly accomplished individuals who come from the technology industry, the Intelligence community, and the Department of Defense.

Our company is based on the premise that an enterprise’s most critical data cannot be protected in the same way as the enterprise’s network; that a corporation’s senior management are high value targets, particularly when they travel overseas; and that these individuals require an entirely different security posture.

Taia Global provides physical and cyber security countermeasures to safeguard the computing assets of key executives and government officials while they travel overseas, and by extension, protect the enterprise’s critical data against a common attack vector – the exploitation of the senior executive’s trusted credentials on the network.

Contact Taia Global today for more information or to book a consultation.

Contact Information

Email: [email protected]

Website: https://taiaglobal.com

Digital Dao blog: http://jeffreycarr.com
