Ralph Langner on Stuxnet, copycat threats (Q&A)

The security expert who first identified Iran as the target for Stuxnet talks about why he thinks the U.S. and Israel are behind it and why we should fear copycats.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Control system security expert Ralph Langner put the pieces of the Stuxnet puzzle together. James Martin/CNET

SAN FRANCISCO--A year ago, Ralph Langner was plugging away in relative obscurity, doing security consulting work for the industrial control system industry in his Hamburg headquarters. Then along came Stuxnet, the first malware targeting not consumer financial data like so many viruses these days but the very systems he knows so well--software used to control processes in manufacturing and utility plants.

The sophistication behind Stuxnet, which appeared last July, was fairly clear from the get-go. It spreads via unpatched holes in Windows and USB devices, drops a rootkit to hide the compromise from administrators, and uses fraudulent digital certificates to pose as trusted software. But analyzing the code beyond that was proving difficult for researchers unfamiliar with the type of systems the malware was designed to attack.

Langner's team reverse engineered the code, eyeballing it from an industrial control perspective, and began putting the puzzle pieces together. He speculated in a blog post that it was designed to sabotage Iran's nuclear program and elaborated on that theory at an industry conference in the U.S. shortly thereafter. The daring theory thrust Langner into the international limelight, and soon he was all over stories in the mainstream newspapers and magazines and giving a talk at the esteemed TED conference.

He sat down with CNET late last week while in San Francisco to give a talk at the University of California at San Francisco and discussed why he thinks the who-done-it is less important than the threat of copycat attacks and other matters of international interest.

Q: So, you made quite a splash last year with your research on Stuxnet. You were the first one to realize the link between Stuxnet and Iran?
Langner: Yes, I was the first one to make that connection. I was the first one who said this must be targeting the Iranian nuclear program. And as it turned out it actually did. That was the turning point when Stuxnet got hot. Most of the media was thinking it's not a big deal. This pretty much changed when I came up with the target theory, that this was about delaying the Iranian nuclear program, and the media went crazy.

How do you feel about that?
Langner: Unfortunately, most of the media still today focuses on one single question. The question of who did it? To be absolutely honest, this is one of the questions that bothers me the least, especially in the early stages of Stuxnet analysis the main thing was to understand what this really is. And the second most important thing was to understand could this also be a threat against other installations, U.S. critical infrastructure. Unfortunately, the answer is yes because it can be copied easily. That's more important than the question of who did it. The media was persistent, and I took some efforts with my team to develop the theories of forces behind Stuxnet, and we concluded that the U.S. is the leading force behind Stuxnet development. They didn't do it on their own; they had help from nation states. But it's clearly the work of the U.S.

But you say the more important issue is that it could be copied, right?
Langner: The bigger problem we have is the risk of copycat attacks and I personally take it for granted that we will see copycat attacks. Not against targets in the Middle East but against targets in the U.S. and Europe. From an IT security perspective, imagine we're not talking about Stuxnet but about the very first distributed denial-of-service attack we've seen. It would be completely naive to assume that nothing would follow. Other attacks have been copied. There is no reason this should not happen with Stuxnet, especially in response to the media attention it got and the cyberwar aspects of it. How many freaks are out there who in their wet dreams can't imagine anything better than doing something similar against, for example, a U.S. power plant? I think that's a reality we must face.

But if this was written specifically to target a certain type of software running in an Iranian facility, would it necessarily translate to U.S. plants?
Langner: Most people think this was to attack a uranium enrichment plant and if I don't operate that I'm not at risk. This is completely wrong. The attack is executed on Siemens controllers and they are general purpose products. So you will find the same products in a power plant, even in elevators. Just the ability to inject rogue code on such a controller is a very big problem for us. If an attacker just copies the way it's done in Stuxnet, this is your entry ticket to messing with controllers. Also, many people think that an attack like this would require an extreme amount of insider knowledge and technological capability. This would only be true if you are talking about a very similar scenario, which is quite unlikely to happen in the near future.

The bigger problem is you can easily imagine other scenarios that have other goals and are executed using other strategies. For example, I can analyze the attack code in Stuxnet and ignore the stuff that is specific for cracking the centrifuge rotors. If my target is a power plant, I would not be interested in the target-specific routines in Stuxnet. There are so many other routines in the attack code that aren't target specific at all. Remember, the dropper part of it used four zero-day vulnerabilities, the (fraudulent) digital certificates, the peer-to-peer functionality, all are not target specific. So you could use similar attack techniques against completely different targets. The same applies to the attack code that goes on the controllers. There we also find parts of or sub routines of the attack that aren't target specific at all, that are generic, starting with the ability to inject rogue code on the controller. This is quite a risk we are facing. We see other sub routines in the digital warheads that also are not at all target specific.

Do you think government officials around the world truly understand the threat?
Langner: I don't think so. The U.S. government is taking the problem seriously. That's a known fact. The U.S. government has cared about infrastructure protection for more than a decade. The problem I see is that so far the efforts that had been taken have been pretty much best efforts that were unguided. Many people did a lot of good things, but unfortunately without being able to measure the effectiveness of these measures because we didn't have attacks on the record. Now with Stuxnet, this has changed. This was the first single cyber strike against control system installations. For all of us in the security community, it was necessary to assess if the efforts we had taken over the last decade were really intelligent and would really protect us against these threats, and the simple answer is no. Don't get me wrong, there is nobody to blame here. With all the efforts before Stuxnet we weren't able to measure them against reality. Now, the first sign strike comes up and we are able to see that our efforts were in many ways misguided. The attackers were able to slice through existing conventional wisdom. We had no learning experience. This changed after Stuxnet.

So, do you think the U.S. government teamed up with Israel on Stuxnet development?
Langner: Definitely, I would assume there is a collaboration. Look back in history. We know Israel has taken some efforts to interfere with Iran's nuclear program, such as conventional sabotage. But the U.S. did not have all the information that was required to carry out this attack, when it comes to intelligence about the plant. We clearly see in the attack code that attackers had full insider knowledge about technical details that must be considered top secret. Which in a way is funny because now we, and Symantec, know more, in a way, about the Natanz plant structure (in Iran) than the International Energy Agency inspectors know. And another clue that it is related to Israel--it was clear from the technical analysis that the attackers had an outstanding problem in the area of reliability. They were writing highly sophisticated controller code that they were unable to test drive in the installation for some reasons. If you are purchasing a controller program it is always tested by the end user at the installation, and usually engineers need to adapt the program and make last minute changes. Obviously, this could not be done in the case of Stuxnet. There must have been ways to test with real equipment before it was deployed.

So given that, if you look at who is in the possession of such centrifuges besides Iran, there are two sites. One is in the [U.S.] Oak Ridge National Lab and the other is [Israel's] Dimona complex. There are centrifuges from the dismantled Libyan uranium enrichment program. They are identical to Iran in centrifuges because they go back to the same model. Libya and Iran bought blueprints from Pakistani nuclear scientist Abdul Qadeer Khan. It was the first German centrifuge, built in the 1960s. Khan went back to Pakistan with the blueprints, built up the Pakistan enrichment program, and then sold the design on the black market to Libya and Iran. Libya was smart enough to follow U.S. requests to dismantle this program. Some of the centrifuges that used to be in Libya went to Oak Ridge and Israel.

So not only was the attack code tested on centrifuges in Oak Ridge but also in Israel. And if you follow the publications and public opinion in Israel on the Iranian nuke situation over the last three or four years, something strange happened. In 2007 and 2008, the topic was red hot. In 2008, Israel even practiced an air strike against these facilities, with over 100 fighter jets in the air. Then the topic got very, very quiet. So in 2009, it seemed that it was not an issue any more. At the same time, Iran was continuing to install more and more centrifuges. It didn't make sense to me. When I saw the Stuxnet attack, for me it finally made sense.

Do you think Siemens cooperated with Stuxnet development?
Langner: That's an interesting question. Forgive me if I am unable to answer this straight away because I don't want to end up next week in trouble with Siemens' legal department. If you look at the facts, it is pretty clear that the attackers had substantial Siemens insider information. Just by looking at the attack code, you can infer this because it would take an outsider years to discover the vulnerabilities that were exploited by Stuxnet by just reverse engineering. When I saw this, it in a way freaked me out. We're talking vulnerabilities that are so hidden it would take an independent expert years to figure out. Also, we're talking about complex software, complex firmware, and ways to compromise a controller that are so remote and yet so efficient that I cannot believe they would have been just found out by a smart guy who was experimenting with the controller and stumbled over it. It doesn't make any sense.

So I tend to believe there was access to Siemens proprietary technical secrets and access to development documentation. If this was all completely unknown to Siemens, I don't know. Also, Siemens wasn't very convincing in their response to Stuxnet. A Siemens press rep told the German press that the company would have to wait and see where Stuxnet strikes before being able to understand what it's about and how it works. But the fact that it was a directed attack means it was Code Red. Which means we better find out as soon as possible what it's all about. We were working around the clock. It could have been a threat to U.S. national security. We just didn't know.

What do you think about the official U.S. reaction to Stuxnet? Some people complained that it was minimal and hands off.
Langner: The official ICS-CERT communications and Siemens didn't create the impression that they are doing everything they can to figure out what Stuxnet was. Siemens behaved so funny they raised suspicion. And I just learned a couple of days ago that [someone from ICS-CERT was asked at a recent conference what they learned from Stuxnet] and the guy tells the crowd 'we learned a lot.' Period. So what's the point here? If I would have been in the audience I would have said 'please tell us exactly what you learned.' They just don't do it. The U.S. government is not telling you about the threat from Stuxnet-inspired copycats. This is a real threat against our control system installations, which extend from private sector into deep critical infrastructure.