
24 November 2014. Edward Snowden should publicly state that none of the material he provided contained hidden spyware, and that none of what was published was later implanted with it.

23 November 2014

Do Snowden Files Have NSA Implants? Part 2

Part 1: http://cryptome.org/2014/11/snowden-nsa-implants.htm


Did Snowden, wittingly or unwittingly, use USBs to transfer Stuxnet-like programs in files he released to tag, track, infect, report their distribution? #CountdownToZeroDay

-----

They only noticed the rogue code going into the PLC because the blocks of code were slightly larger than they should have been. Before infecting their Step 7 system with the malware, they had transferred blocks of code to the PLC and captured them with the analysis tool to record their basic size and characteristics. After infecting the machine with Stuxnet, they transferred the same blocks of code again and saw that they had suddenly grown. They couldn’t yet see what the Stuxnet code was doing to the PLC, but the injection itself was big news. It was way beyond anything they’d ever warned customers about and way beyond anything they expected to see in the first known attack against a PLC.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3067-3072).
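The size-comparison method in the excerpt above, as an added example that is not from the book or from Symantec's tooling: it baselines each PLC block's size and SHA-256 from a clean transfer and reports blocks that grew, changed at the same size, appeared or disappeared. Block names and bytes are constructed; the hash is included because, as the excerpt shows, a size check alone only catches a block that got bigger.

```python
import hashlib


def snapshot(blocks: dict) -> dict:
    """Baseline: (size, SHA-256) per block name, taken from a clean transfer to the PLC."""
    return {name: (len(code), hashlib.sha256(code).hexdigest())
            for name, code in blocks.items()}


def compare(baseline: dict, current_blocks: dict) -> list:
    """Return (block, finding) pairs. Size growth is the symptom described in the text;
    the hash comparison also catches a same-size patch that size alone would miss."""
    current = snapshot(current_blocks)
    findings = []
    for name, (size, digest) in baseline.items():
        if name not in current:
            findings.append((name, "missing"))
            continue
        new_size, new_digest = current[name]
        if new_size != size:
            findings.append((name, f"size {size} -> {new_size}"))
        elif new_digest != digest:
            findings.append((name, "same size, content changed"))
    for name in sorted(current.keys() - baseline.keys()):
        findings.append((name, "new block not in baseline"))
    return findings


# Constructed sample (not real Step 7 block contents): clean blocks, then the same
# blocks after a hypothetical injection that appends code to OB1, patches FC1 in
# place without changing its size, and adds a block that was never transferred.
CLEAN = {"OB1": b"\x70\x0b\x00\x10" * 8, "FC1": b"\xfb\x7c\x00\x01" * 6, "DB1": b"\x00" * 16}
AFTER = {
    "OB1": CLEAN["OB1"] + b"\x02\x00\x00\x00\x00\x00\x00\x00",
    "FC1": CLEAN["FC1"][:-1] + b"\xff",
    "DB1": CLEAN["DB1"],
    "FC99": b"\xca\xfe" * 4,
}


def demo() -> list:
    """Run the comparison on the constructed sample."""
    return compare(snapshot(CLEAN), AFTER)
```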

-----

But, oddly, after making their startling announcement, the Symantec researchers had gone quiet. Langner suspected the researchers had hit a wall, due to their lack of expertise with PLCs and industrial control systems. But curiously, Siemens had also gone silent. This was strange, Langner thought. It was, after all, Siemens controllers that were being attacked; the company had an obligation to analyze the malevolent code and tell customers what it might be doing to their systems. But after a couple of brief announcements the German company had made in July, it had gone mum.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3085-3088).

-----

The idea that someone had put so much money and effort into a weapon attacking a single target left Langner dumbfounded. It could mean only one thing— the target had to be extraordinarily important.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3193-3194).

-----

On September 13, 2010, nearly a month after Symantec’s revelation that Stuxnet was sabotaging PLCs, Langner published a brief blog post under the title “Hack of the Century.” In it, he asserted that Stuxnet was a directed attack “against a specific control-system installation,” and left it at that. But three days later he followed up with additional information. “With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge,” he wrote. “Here is what everybody needs to know right now.”

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3229-3233).

-----

Oddly, the source of Stuxnet never came up, either during the call or on the NCCIC watch floor. McGurk says that when the code first arrived, intelligence analysts from various agencies on the floor searched their classified data sources for any information or reports related to the worm, but came up with nothing. He also says no one on the watch floor wondered out loud if the worm had been spawned by the United States. An outsider might question why no one on the watch floor turned to the CIA or NSA analysts sitting in the room to ask with a wink, “Is this one of yours?” But McGurk insists this never occurred to them because attribution wasn’t the watch floor’s concern. Their mission was to uncover an attack code’s capabilities and determine the best way for US networks to defend against it. “At first when you look at [malware]… your assumption is that it’s not friendly fire. You don’t think the sniper on the roof is one of your guys shooting at you,” he says. “It could turn out to be … But in the heat of it, at the very beginning, you’re not overly concerned, nor do you naturally default to [that.]”

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3372-3380).

-----

McGurk maintains that never, either in classified briefings or in open testimony with lawmakers, did anyone ask him the question that was on everyone else’s mind. “I don’t think, even jokingly, did someone say in a formal briefing, ‘Hey did we do this?’ Because that’s just not the way those interactions occur. I’m sure there was speculation elsewhere, but it wasn’t done at our level.” McGurk says he also never got the impression from anyone he briefed that Stuxnet was a homemade job. “When I was in a room, regardless of who the audience was, whether it was senior intelligence folks— and I mean senior intelligence folks— I never got the impression that this was all smoke-and-mirrors for them,” he says. “The same thing inside the Department of Homeland Security, when I was briefing up to the secretariat level. Never did I get the impression that, you know, they already knew this … and they were just hoping that I would go away.” Nor did anyone suggest to McGurk that he should pull his team off of Stuxnet either. “No one said hey, cease and desist, leave it alone, don’t go there,” he says. “We were actually getting a lot of cooperation from all of those organizations … assisting with the analysis and assisting with the understanding of what type of threat this actually posed.” But even if officials in Washington weren’t openly asking the obvious question, there was little doubt among experts and observers that the United States was behind the attack— either alone or with Israel—and it seemed only a matter of time before the details behind the attack got out. Ralph Langner’s assertion that Stuxnet was a precision weapon aimed at Iran’s nuclear program must have caused a lot of consternation and panic in the halls of the White House and the Pentagon, as a plot that had been meticulously planned and executed over a number of years was slowly unraveling before their eyes.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3390-3405).

-----

The halls of the White House may have been troubled over Stuxnet in 2010 after it was discovered, but in May 2008, optimism reigned among those who knew about the covert program, as the plot behind the digital weapon was unfolding exactly as planned.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3493-3494).

-----

IT’S NOT CLEAR exactly when the first planning and development on Stuxnet began, but sometime in 2006, after Iran withdrew from its suspension agreement, US military and intelligence officials reportedly brought the proposal for the cyber operation, later dubbed “Olympic Games,” to the president.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3554-3556).

-----

The code was then developed by an elite team of programmers at the NSA, at least initially. Later versions reportedly combined code from the NSA with code from the Israeli Defense Force’s Unit 8200— Israel’s version of the NSA. Once the code was designed, however, it would have been handed off to the CIA to oversee delivery to its destination, since only the CIA has legal authority to conduct covert operations.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3664-3667).

-----

It’s unclear how much advance research and work had already been done by the time Bush’s advisers proposed their plan in 2006. But once he gave the go-ahead for the covert operation to advance, it reportedly took just eight months to finalize the scheme.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3685-3687).

-----

But the following year [2005?], some say, is when the “cult of offense” really began— when Gen. Keith Alexander took over as director of the NSA from Gen. Michael Hayden, and the focus on developing cyberweapons for warfare ramped up. It was during this period that Operation Olympic Games and Stuxnet were hatched.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3921-3923).

-----

More recently, leaks from former NSA systems administrator Edward Snowden have provided some of the most extensive views yet of the government’s shadowy cyber operations in its asymmetric war on terror. The documents describe NSA elite hacker forces at Fort Meade and at regional centers in Georgia, Texas, Colorado, and Hawaii, who provide US Cyber Command with the attack tools and techniques it needs for counterterrorism operations. But the government cyberwarriors have also worked with the FBI and CIA on digital spy operations, including assisting the CIA in tracking targets for its drone assassination campaign.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3949-3954).

-----

According to the documents, three-fourths of which focused on “top-priority” targets like Iran, Russia, China, and North Korea. Under a $652-million clandestine program code named GENIE, the NSA, CIA, and special military operatives have planted covert digital bugs in tens of thousands of computers, routers, and firewalls around the world to conduct computer network exploitation, or CNE. Some are planted remotely, but others require physical access to install through so-called interdiction— the CIA or FBI intercepts shipments of hardware from manufacturers and retailers in order to plant malware in them or install doctored chips before they reach the customer. The bugs or implants operate as “sleeper cells” that can then be turned on and off remotely to initiate spying at will.

Most of the implants are created by the NSA’s Tailored Access Operations Division (TAO) and given code names like UNITEDDRAKE and VALIDATOR. They’re designed to open a back door through which NSA hackers can remotely explore the infected systems, and anything else connected to them, and install additional tools to extract vast amounts of data from them. The implants are said to be planted in such a way that they can survive on systems undetected for years, lasting through software and equipment upgrades that normally would eradicate them.

In 2008, the NSA had 22,252 implants installed on systems around the world. By 2011, the number had ballooned to 68,975, and in 2013, the agency expected to have 85,000 implants installed, with plans to expand this to millions. But the embarrassment of riches provided by so many implants has created a problem for the NSA. With so many implants lurking on systems around the world, the spy agency has been unable in the past to take advantage of all the machines under its control. In 2011, for example, NSA spies were only able to make full use of 10 percent of the machines they had compromised, according to one Snowden document. To remedy this, the agency planned to automate the process with a new system code named TURBINE, said to be capable of managing millions of implants simultaneously. All of these operations, however— from Kosovo to Syria to Libya, and the ones exposed in the Snowden documents— have focused on stealing or distorting data or using cyber methods to help deliver physical bombs to a target. None involved a digital attack as replacement for a conventional bomb. This is what made Stuxnet so fundamentally different and new.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3961-3980).

-----

Others are more subtle about their intentions, such as a listing for Booz Allen Hamilton, the contractor Snowden worked for while at the NSA, seeking a “Target Digital Network Analyst” to develop exploits “for personal computer and mobile device operating systems, including Android, BlackBerry, iPhone and iPad.” Many of the job listings cite both CND (computer network defense) and CNA (computer network attack) among the skills and expertise sought, underscoring the double duty that vulnerability and exploit research can perform in both making systems secure and attacking them.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 3995-3999).

-----

One of the first things that struck him about the attack was that it unfolded in six stages that repeated over weeks and months. Once the attack was done, it recycled itself and began again. This meant that rather than launching a single blow that caused catastrophic failure, as the researchers originally believed Stuxnet was designed to do, the attackers were going for subtle sabotage that extended over time. This, combined with the man-in-the-middle attack that concealed the sabotage from operators as it occurred, would have made it hard for anyone to detect and pinpoint the source of problems. The attackers, Falliere realized, had expected to go undetected for months, and indeed they had.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 4274-4278).

-----

Each time the sabotage commenced, the man-in-the-middle attack fed false frequency readings back to the operators and safety system to keep them blind to what was happening.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 4339-4340).

-----

As for Duqu’s intent, it was pretty clear it wasn’t a saboteur like Stuxnet, but an espionage tool. Whereas Stuxnet was a black ops mission bent on destruction, Duqu appeared to be the forward scout, sent out to collect intelligence for future assaults. Symantec suspected it was the precursor to another Stuxnet-like attack. Duqu’s life-span was limited, however; a kill date in the code forced it to self-destruct after thirty-six days, deleting all traces of itself from an infected machine.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 4737-4740).

-----

When Duqu’s attackers sent their keylogger to infected machines, they embedded it in a .JPEG file— an ordinary image file— to slip it through firewalls unnoticed. The content of most of the image in that file had been deleted so the keylogger code could be tucked inside. As a result, only an inch or so of the image appeared on-screen when O’Murchu opened the file— it consisted of just a few words of white text printed on a dark background.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 4753-4756).
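A structural check for the kind of carrier file described above, added here and not code from the book or from any vendor's analysis. The page does not say where in the .JPEG the keylogger was placed, so the two checks are assumptions about where non-image data commonly sits: bytes appended after the EOI marker, and APPn/COM metadata segments that dwarf the actual scan data. The sample file is a constructed marker skeleton with valid structure, not a real picture.

```python
import struct

EOI, SOS = 0xD9, 0xDA
NO_LENGTH = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RST0-7


def walk_segments(data: bytes):
    """Yield (marker, offset, size) for each JPEG segment; scan data is folded into SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 0
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker in NO_LENGTH:
            yield marker, pos, 2
            pos += 2
            if marker == EOI:
                return
            continue
        size = 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:
            # Entropy-coded data follows the SOS header and ends at the first
            # 0xFF that is neither a stuffed 0x00 nor a restart marker (RSTn).
            end = pos + size
            while end + 1 < len(data) and not (
                data[end] == 0xFF and data[end + 1] != 0 and not 0xD0 <= data[end + 1] <= 0xD7
            ):
                end += 1
            size = end - pos
        yield marker, pos, size
        pos += size
    raise ValueError("no EOI marker found")


def find_anomalies(data: bytes, max_meta_segment: int = 65536) -> dict:
    """Flag bytes appended after EOI and metadata segments above an assumed size threshold."""
    segs = list(walk_segments(data))
    _, eoi_off, _ = segs[-1]
    meta = [(m, size) for m, _, size in segs if 0xE0 <= m <= 0xEF or m == 0xFE]  # APPn / COM
    return {
        "trailing_bytes": len(data) - (eoi_off + 2),
        "scan_bytes": sum(size for m, _, size in segs if m == SOS),
        "metadata_bytes": sum(size for _, size in meta),
        "oversized_segments": [(hex(m), size) for m, size in meta if size > max_meta_segment],
    }


def build_sample(extra_segment: bytes = b"", appended: bytes = b"") -> bytes:
    """Constructed JPEG skeleton (valid markers, not a decodable picture) for the checks above."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app0 + extra_segment + sos + b"\xff\xd9" + appended
```

A real detection would add a ratio check (metadata or trailing bytes versus scan bytes) tuned to the image sizes normally seen on the network; the thresholds here are illustrative.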

-----

When Duqu’s self-destruct mechanism kicked in after thirty-six days, it was supposed to erase all traces of itself from infected machines so a victim would never know he had been hit. But the Kaspersky team discovered that when Duqu removed itself, it forgot to delete some of the temporary files it created on machines to store the data it stole. One of these files, left behind on a machine in Iran, had been created on the machine on November 28, 2008. Kaspersky and Symantec had always suspected that prior to Stuxnet’s assault on the centrifuges in Iran, the attackers had used an espionage tool to collect intelligence about the configuration of the Siemens PLCs. The information could have come from a mole, but now it seemed more likely that a digital spy like Duqu had been used.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 4922-4927).

-----

32 Multiple versions of the Duqu driver showed up on infected machines, each time bearing a different name. Each version appeared to contain the same code, however, and was compiled the same day. Notably, one variant of the Duqu driver that was found on the machines in Hungary was unsigned and tried to pass itself off as a product of JMicron— the Taiwanese company whose certificate was used to sign a driver that was found by ESET in July 2010 and was believed to have been associated with Stuxnet. In the “properties” description of the driver, the attackers had indicated that it was a JMicron Volume Snapshot Driver. It was yet another detail that connected Duqu and Stuxnet.

33 The driver file name was jmidebs.sys.

34 The name of this driver was rndismpc.sys.

35 The name of this driver was rtniczw.sys.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 5086-5093).

-----

The unnamed sources said Flame had been developed sometime around 2007— confirming the general timeframe Raiu and his team had established for it— to collect intelligence about Iranian officials and to map computer systems that were part of Iran’s nuclear program. But the officials also suggested that Flame had been an early-generation tool that had since been surpassed by others.

Zetter, Kim (2014-11-11). Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Kindle Locations 5300-5303).

-----