Natanz uranium enrichment plant
The situation in Syria is becoming increasingly tense. The world has frozen in anticipation. Forces that consider themselves entitled to decide the fate of the world are preparing another military intervention in the internal affairs of a sovereign state. The growing number of instances of external interference in the internal processes of independent states allows us to speak of this as a dangerous tendency in world politics. The methods used vary widely, and it is not only military attacks that are becoming more effective. In the near future, informational influence, information attacks and information wars may become a no less, and possibly more, powerful weapon for influencing the development of states from the outside, and one that can be used with impunity and without regard for the views of the international community.
Recently, reports of computer attacks on nuclear facilities of the Islamic Republic of Iran, in particular the uranium enrichment plant at Natanz and the Bushehr nuclear power plant, have appeared in the press from time to time. Specialists from different countries have detected the malicious computer programs used, which the media call viruses: Stuxnet, Duqu, Flame, Wiper and others. What is the real impact of these and similar computer attacks on the development of Iran's nuclear program and on other problems of the Middle East?
DIRECTION OF COMPUTER ATTACKS - IRAN
Assumptions that a certain virus had purposefully attacked the uranium enrichment facility in the Iranian city of Natanz first appeared in the media in the summer of 2010. How was this explained?
According to the IAEA, in November 2009, 3936 centrifuges were operating at the Natanz plant, whereas in May of the same year uranium was being fed to 4920 centrifuges. Hence, from May to November, the number of operating centrifuges decreased by 20%. Researchers at the Institute for Science and International Security (ISIS) suggested that this was due to some kind of breakdown. This was indicated by the fact that the centrifuges stopped working in only one module, while they continued operating in another.
Could this so-called virus, or rather a malicious computer program, called Stuxnet really have harmed the enterprise at Natanz and stopped the processing and enrichment of uranium? According to some media forecasts, Stuxnet should have set Iran's nuclear program back by several years. The German expert on the cyber defense of industrial systems Ralph Langner concluded: “To make their systems work again, they (the Iranians) will have to get rid of the virus. It will take time, and they may have to replace equipment, rebuild the centrifuges at Natanz, and probably buy a new turbine at Bushehr.”
The former director of Israel's foreign intelligence service, Major General Meir Dagan, noted the superiority of the computer attack on Natanz over bunker-busting bombardment: “Stuxnet set Iran's nuclear program back four years, whereas after a bombing it would have recovered in three years.”
But Iran coped. At present, according to European and American experts, not a single computer is infected with this program.
It is also logical to assume that if Stuxnet had caused significant damage to the enterprise at Natanz, uranium enrichment would have slowed down. However, the IAEA reports suggest the opposite: during the 2007–2013 period, the amount of uranium enriched at Natanz grew evenly. Moreover, enrichment to 20% began precisely at the time when part of the centrifuges were disabled.
After information about the Stuxnet malware was disclosed, Ralph Langner suggested that the “computer worm” could also have been directed against the nuclear power plant at Bushehr. He conducted his own study of the program's code and, like the Symantec experts subsequently, stated that Stuxnet was a tool for sabotage at industrial sites. He also drew attention to a UPI photo taken at the nuclear power plant in February 2009, in which it could be seen that the station was using a SCADA (Supervisory Control and Data Acquisition) system with an expired license. At the same time, Siemens stated that the company had not supplied software to Iran. By that time, it was already known that Stuxnet was designed to attack SCADA systems, so Langner was sure that the malware was aimed at the Bushehr nuclear power plant.
Another specialist in the cyber defense of control systems, Dale Peterson, agreed with this and noted Israel's interest in stopping or suspending the Iranian nuclear program, as well as the high level of training of Israeli specialists. He also drew attention to the fact that the Stuxnet code contains interesting circumstantial indications, including a reference to one of the books of the Old Testament, the Book of Esther. The rootkit driver code contains the project name chosen by its authors: Myrtus (myrtle), which in Hebrew is Hadassah, the Jewish name of Esther, the Old Testament heroine and savior of the Jewish people in Persia, whose tomb is located in modern Iran.
VERSIONS ON THE ORIGIN OF INFECTIONS
In addition to Stuxnet, in the period from 2010 to 2012, experts from different countries detected other malicious programs aimed at Iran's nuclear facilities: Duqu, Wiper and Flame. They are united by a number of technical parameters, by the high complexity of their code, and by the purposes for which they were apparently created. Experts point out that the functionality of these malicious programs differs from what is usual in the field of cybercrime. Thus, the head of Kaspersky Lab, Eugene Kaspersky, compared this fact to the opening of “Pandora's box” and stated that Stuxnet “was created not to steal money and personal user data, not to send spam, but for the purpose of sabotage at enterprises and disabling industrial systems.” Such systems are widely used in oil pipelines, power plants, large communication systems, airports, ships and even global military installations.
There are various versions of the origin of this malware, but many of them agree on the high probability that a single group of people or cooperating teams stands behind its creation.
Almost immediately after the discovery of Stuxnet, Kaspersky Lab employees came to the conclusion that the program had been created with the support of government agencies. Analysis of how the malware worked, taking into account the multi-layered attack and the legitimate digital certificates it used, showed that Stuxnet was created by a team of extremely qualified professionals with extensive resources and serious financial support. The malware was aimed at industrial facilities, which made it possible to speak of it not merely as an example of cybercrime but as a cyber weapon, cyber terrorism or cyber war.
In 2011, specific customer states were named in the media: arguments were given that Israel and the United States stood behind the cyber attack on Iran's nuclear facilities. In January, the American newspaper The New York Times reported that in Israel, in the Negev desert, where the country's nuclear research center is believed to be located, an exact copy of the enrichment plant at Natanz had been built for testing cyber weapons, namely the Stuxnet worm. Not only Israeli but also American specialists took part in the work. It is noteworthy that one of the authors of the article was the chief of the newspaper's Washington bureau, David Sanger.
In June 2012, Sanger published his book Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, in which he revealed the existence of the Olympic Games program launched in the United States during the presidency of George W. Bush. In 2006, when Iran resumed uranium enrichment at Natanz, on Bush's instructions the country's military and political leadership developed an action plan on the Iranian nuclear issue. In the process, the Vice Chairman of the Joint Chiefs of Staff of the United States, General Cartwright, proposed a plan for a cyber attack on Iranian industrial systems, and the president himself specified the target: the nuclear facility at Natanz. At the same time, the development of the malicious software was allegedly provided by Unit 8200 of Israel's military intelligence. The attacks were carried out around 2008, but Iranian engineers could not understand at the time that the damage to the centrifuges was due to a cyber action.
Suspicions that it was Israel that could launch a cyber war against Iran appeared before the Stuxnet malware was discovered. In 2009, Scott Borg, a specialist at the US Cyber Consequences Unit, a nonprofit research institute, said that some kind of malware could be used against sensitive Iranian enterprises such as a uranium enrichment plant. After the existence of Stuxnet was discovered, he suggested that Israel could have been its creator.
A few years earlier, in 2007, the Israeli Air Force Major General (reserve) Ben Israel said that Israel had the opportunity to throw the Iranian nuclear program back by striking several key nuclear facilities. Israel was ready for decisive steps, and the attack could have taken place according to an already tested scenario: depriving the country of the possibility of producing nuclear weapons by destroying suspect industrial facilities. However, for obvious reasons, this did not happen. Probably, the computer attack was later chosen as a fairly effective means that does not require the consent of the world community and carries no danger of a retaliatory strike.
Recall that Israel had earlier bombed nuclear facilities in countries of the Middle East in order to prevent the creation of nuclear weapons there. In June 1981, the Iraqi Osirak-1 nuclear reactor was attacked. In September 2007, the Israeli Air Force struck a target in the Syrian city of Deir ez-Zor, where, according to some sources, the Al-Kibar nuclear facility was being built. A month and a half later, ISIS issued a report which assumed that it was a nuclear reactor. In June 2008, IAEA inspectors found in the soil at Al-Kibar “a significant number of uranium particles” that were “anthropogenic, that is, this material was produced as a result of chemical processing.”
More facts. In February 2011, at the ceremony marking the departure of Lieutenant General Gabi Ashkenazi from his post as head of the Israel Defense Forces, a video was shown in which Stuxnet was named among the general's undeniable successes. And in December 2011, in an interview with IEEE Spectrum magazine, the well-known American software scientist Larry Constantine confirmed that Israel is considered the main suspect in the development of Stuxnet.
If one believes that it was Israel that launched the Stuxnet malware against Natanz, it means that Israel, in its fight against the proliferation of nuclear weapons in the region, has for several years been successfully developing a strategy of using not only armed action but also virtual attack. That is, Iran's nuclear program, which Israel considers the greatest threat in the Middle East, may be threatened by a new type of war for which Iran is not yet ready. Probably, if Iran does not remove suspicion that it is creating nuclear weapons and does not fulfill the requirements of the UN and the IAEA, Israel may carry out a number of cyber attacks against the Natanz plant and against other facilities: the plant and the reactor under construction at Arak, and the Fordow nuclear plant (in September 2012, the head of the AEOI, Fereydoun Abbasi, had already announced explosions on the power lines supplying Fordow with energy).
Indicative, by the way, is the reaction of the Israeli media to President Obama's statements of 31 August 2013 about his decision to consult Congress on military strikes on Syria: “According to opinion polls, Israelis see the situation in Syria as a rehearsal for the Iranian scenario. Just as in Syria, Washington has established certain red lines for Tehran and promised Israel that it would not allow the Islamic Republic to become a nuclear power. Many Israelis believe that if the United States now retreats and does not take any action against Syria, the same could happen in the case of Iran.”
Such information says the following: Israel has unambiguous intentions regarding Iran’s nuclear program and is constantly looking for new ways to independently influence the Iranian nuclear issue. And in the information sphere, its capabilities are very significant.
Given the clear connection between the Syrian and Iranian scenarios in Israel's understanding, it is not surprising that after President Obama's “hesitant actions” on Syria, on 3 September the Russian early warning system already recorded ballistic missile launches from the central part of the Mediterranean Sea toward the eastern Mediterranean coast. And despite statements by the Israeli and American defense departments that they were “not aware that such an action took place,” the organizers of these launches were not difficult to identify. This was confirmed by the following admissions several hours later: “According to representatives of the Israeli Ministry of Defense, the missile launches in the Mediterranean were military tests by the US and Israeli armies. The countries tested Anchor missiles, which are used in anti-missile systems.” On the same day, Israeli Prime Minister Benjamin Netanyahu warned hostile states against attacking the Jewish state: “I want to tell everyone who wants to harm us: I do not advise you to do this.”
TYPOLOGY OF "VIRUSES"
The Stuxnet malware was found in June 2010 by Sergei Ulasen, a specialist at the Belarusian company VirusBlokAda. The reports that subsequently led to the discovery of Stuxnet came from Iran. Ulasen and his colleagues published a detailed description of the malware, which used digital signatures of Microsoft and Realtek, on specialized Internet forums. The first to pay attention to this were the IT journalist Krebs and the computer security specialist Boldewin, who suggested that Stuxnet had some connection with the Siemens WinCC SCADA supervisory control and data acquisition system and that the program had been written for espionage.
An analysis of the Stuxnet code showed that its traces were first recorded as far back as 2005, and the first samples reached the databases of antivirus companies in 2007. Infection by this malware stopped in June 2009, and in July 2010 Symantec launched a system for monitoring Stuxnet traffic. This made it possible to track the number of infected computers in individual regions. Statistics showed that most infections, almost 60%, occurred in Iran, where by September 2010 more than 60 computers had been affected. Symantec experts found that the malware was initially directed against five organizations, each of which has a representative office in Iran.
The first mention of the Duqu malware was registered on 1 September 2011 on the VirusTotal service. In October, the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics released a 60-page analysis of this malware. At the same time, Kaspersky Lab, Symantec and other information security specialists analyzed its code. CrySyS believes that the creators of Duqu had access to the Stuxnet source code, and also points to the similar structure and design philosophy of the two programs. Both were written on the same platform, called Tilde because most of its files begin with a tilde (~). Kaspersky Lab's Ryan Naraine noted that Duqu was probably created to spy on Iran's nuclear program.
The majority of registered targeted Duqu infections occurred in Iran. Analysis of the activities of the victim organizations and of the nature of the information that interested the Duqu authors indicates the following: the attackers' main objective was any data on production management systems in various industries of the Islamic Republic of Iran and on the trade relations of a number of Iranian organizations.
In the spring of last year, reports appeared in the world media about a malicious program that erased data from the hard drives of computers in the building of the Iranian Ministry of Petroleum. The program was named Wiper. Its mass attack was recorded on 22 April 2012, after which the Iranian authorities decided to disconnect all oil terminals from the Internet. The oil industry itself was not affected by the cyber attack, as it remains predominantly mechanical.
During analysis of the Wiper code at Kaspersky Lab, the following conclusions were reached: Wiper itself was responsible for deleting confidential data from Iranian government computers; Wiper uses the Tilde platform, like Stuxnet and Duqu; and during the investigation of the data-deletion incident another malicious program, called Flame, was found, which the experts consider separate from Wiper.
In addition, Kaspersky Lab believes that Wiper may be associated with Israeli developers: the malware created and deleted a registry key referring to the service Rahdaud 64, and the name of the Rahdaud 64 module is formed from the name of the great biblical king David (Daud) and the adjective Rah, which translates from Hebrew as “evil, bad.”
Reports of the Flame malware came from various sources at about the same time: 29–30 May 2012. Kaspersky Lab considers Flame “the most sophisticated cyber weapon to date.” Details of the similarities between Flame and the previously known Stuxnet and Duqu were noted: the geography of the attacks and a narrow targeting combined with the exploitation of specific software vulnerabilities. Flame's functionality is quite diverse, but it boils down mainly to data theft: access to e-mails, documents, messages and conversations at sensitive sites. It spread in the countries of the Middle East, with Iran undergoing the most active attack, about 50% of infections.
In a comparative analysis of these malicious programs, Kaspersky Lab compares Stuxnet to a rocket. The booster module, the body of the computer “worm,” was used in Duqu, but the “warhead” (in the case of Stuxnet, the unit that disabled the centrifuges) was not installed. Symantec believes that Duqu was a preparatory stage for carrying out an attack similar to Stuxnet's. The similarity between Duqu and Stuxnet also manifested itself in the identical platform architecture of the two programs, so Kaspersky Lab came to the conclusion that Duqu and Stuxnet were parallel projects supported by the same development team.
At first glance, there was no connection between Stuxnet and Flame in the program code that would suggest the same people were behind the creation of these two malicious programs. Nevertheless, on deeper analysis, Kaspersky Lab experts were able to establish that such a relationship does exist. At the beginning of 2009, the Flame platform already existed, and one of the Stuxnet modules was written on its basis, after which, as one would expect, Flame continued to develop independently of Stuxnet.
Thus, all the malicious programs mentioned are connected, and their developers apparently collaborated. At the same time, the programs are divided by functionality: they spy on the user, erase information from the infected computer, or disable industrial equipment.
PREVENTION AND TREATMENT
Official Iran did not immediately acknowledge the infection of computers inside the country with the Stuxnet program. Only a month later, in September 2010, the head of the Information Technology Council of Iran's Ministry of Industry, Liaii, reported that about 30 computers had been infected. At the same time, the IRNA news agency quoted a project manager at the Bushehr NPP, Jafari, as saying that Stuxnet had hit some personal computers of the plant's employees. Al-Alam, an Arabic-language television station, showed an interview with Jafari: “The virus did no harm to the main systems of the Bushehr nuclear power plant. All computer programs at the station are operating normally.”
In early October 2010, Iran's Minister of Intelligence and National Security, Moslehi, announced the arrest of “several” spies who had been monitoring nuclear facilities in Iran: “The enemies have developed and launched computer worms via the Internet that could undermine Iran's nuclear program.” At the same time, the facilities themselves were not named. At the end of November of the same year, Iranian President Ahmadinejad admitted that the uranium enrichment enterprise had experienced a cyber attack (the enterprise was not named, but there were few options: the second Iranian enrichment center, located near the city of Qom, was only ready to operate in October 2012).
It cannot be ruled out that the Iranian authorities, rather than ignoring the cyber attack entirely, responded to it publicly in order to soften the Western position in the P5+1 negotiations on Iran's nuclear program.
In December 2011, the Deputy Chief of the General Staff of the Iranian Armed Forces, Masoud Jazayeri, announced the creation of a headquarters to wage a “soft war” in response to the fact that “the enemies are outdoing themselves in creating obstacles to Iran's success and progress in cyber warfare.” And in February 2012, the head of the Iranian Passive Defense Organization, General Jalali, announced the creation of a headquarters to counter cyber threats and the intention to organize, in the future, the first cyber army in Iran's history. According to Israeli media, Iran intends to spend 1 billion on creating a defensive cyber potential. At the same time, an unofficial “Iranian cyber army,” apparently consisting of so-called hacktivists, existed as early as 2009. In December 2009, these hackers managed to break into the Twitter microblogging service: for several hours the main page of the site displayed an image of a green flag with an inscription in Farsi about US interference in Iran's affairs and the e-mail address [email protected] com. Other actions followed bearing the mark of “Iranian cyber terrorism.”
In the summer of 2012, the Iranian authorities announced plans to create their own national Internet, in connection with which they began disconnecting computers in ministries and state enterprises from the regular Internet. According to the Minister of Information Technology and Communications of the Islamic Republic of Iran, Reza Taghipour, such a network will help solve the country's security problems. According to representatives of the non-governmental organization Freedom House, this is a consequence of Iran's general policy of tightening measures against the global network. It can be assumed that the malicious programs described, above all Wiper, which destroyed data on Iranian government computers, influenced these steps by the Iranian authorities.
Speaking of the political implications, we note that over the past years Iran has repeatedly stated that it might withdraw from the NPT if there were external pressure on its nuclear program. For example, in December 2012, Iran's ambassador to the IAEA, Ali Asghar Soltanieh, did not rule out that his country would withdraw from the NPT if any kind of attack were made on its nuclear facilities. However, after the discovery of the Stuxnet malware, no official representative made any statements about a threat to Iran's nuclear program or withdrawal from the NPT.
It cannot be ruled out that Tehran did not insist on the illegality of the cyber attack partly because it feared a more aggressive response. It is also possible that the Iranian leadership assumed that the world community would pay no attention to its statement, just as, for example, it had paid no attention to the hacktivist attack on the governmental sector of Estonia's Internet infrastructure, despite the official appeal of that country's authorities. At the same time, Iran could have hidden the real damage from the malware in order to build up its own cyber forces. This hypothesis is supported by General Jalali's statement on the creation of a corresponding headquarters.
In any case, it is logical to assume that after a series of serious cyber attacks which, according to specialists, were sponsored by the government agencies of the countries concerned, Iran will have to pay more attention to information security at its facilities and will plan to acquire its own cyber weapon (recall that the Islamic Republic's desire to possess WMD is connected, in particular, with the fact that chemical weapons were used against Iran during the Iran-Iraq war). On the other hand, it is possible that Iran may now advocate in the international arena for the creation of a legal framework on the non-proliferation of cyber weapons. In addition, Iran will probably find it harder to hide the current stage of its nuclear program.
The strategic leadership of the Islamic Republic of Iran is already considering responses to cyber threats and will plan them in the future. And it is possible that in the medium term it will be able to obtain a cyber weapon capable of causing significant damage to developed countries. First and foremost, such a weapon could be directed against Israel and the United States.