
Stuxnet’s persistent legacy: Cybersecurity is blended security

Cybersecurity duties in cleaning up Stuxnet are now strongly suspected to have resulted in Prof. Majid Shahriari being marked for death. This could be a first for cybersecurity as a profession, but as we wrap our heads around the concepts of cyberwarfare, it certainly may not be the last.

Cyberwarfare: Literally promotion through attrition

Of global importance to IT managers and CIOs: If Prof. Shahriari's death is related to his work in computer science rather than his work in nuclear physics, it marks a significant turning point in the full concept of security. Physical security and cybersecurity must cooperate and coordinate to protect personnel and data assets; otherwise those assets will inevitably be breached.

Last week, I promised that further investigation would add more than the single source of information that spoke to the recent assassinations in Iran pertaining to Stuxnet, particularly to the cleanup of Stuxnet, which has been proliferating in systems previously thought to be unconnected. The single source of information from last week stated:

Prof. Shahriari was the Iranian nuclear program's top expert on computer codes and cyberwar. The scientist's death deals a major blow to Iran's Herculean efforts to purge its nuclear and military control systems of the destructive worm since it went on the offensive six months ago. Only this month, Stuxnet shut down nuclear enrichment at Natanz for six days from Nov. 16-22 and curtailed an important air defense exercise.

At the end of a week of investigation, which included personal contact with several Iranian dissidents as well as Persian-language web research, my summary stands on six key points. I'm only as good as my source information, and the first rule of military intelligence is to corroborate source intel. In this case, I had to get outside help because I don't read Persian. Fortunately, my personal social network includes many who were willing to help translate.

First, let's dive into some little known facts about Southern California and our Persian/Iranian communities.

Stuxnet: The Tehrangeles connection

One of my resources told me to think of Westwood in Los Angeles as Tehrangeles. I'd never heard this word before last night. This social network is tightly knit, and I've been fortunate to have known certain community members for more than 10 years.

Few may realize that Los Angeles has a significant Persian/Iranian community, estimated at half a million by one count. This community has thrived, paid taxes and integrated into California culture over the 30 years since the fall of the Shah in 1979. While most denounce the Iranian regime in power, few actually want their identifying information published.

Additionally, there are still strong social networks reaching from Tehrangeles back to Tehran. The informal handshake money-transfer network known as hawala (its brokers are called hawaladars) moves millions of dollars back and forth between the two communities, much to the consternation of those tasked with enforcing national security.

None of this changes the legal position: The Iran Trade Embargo, imposed by Executive Order in 1995, prohibits U.S. citizens from supplying goods, services or technology to Iran or to the government of that country. It also prohibits any transaction by any U.S. person, or within the United States, that evades or avoids, or has the purpose of evading or avoiding, any prohibition set forth in the embargo.

My resources were more than happy to help, and after the results were shared, I was happy to enjoy a great meal of lamb, basmati and saffron rice as we discussed their findings.

Note: These facts were found even though most Persian language web information about Shahriari was blocked or changed within 24 hours of his death, ostensibly by the Iranian government. This in itself raised eyebrows for some of the research team, yet it merely indicated the challenges which lay ahead.

Shahriari's research: Stuxnet, SESAME, centrifuges

The target, Prof. Majid Shahriari, was involved with at least three projects: nuclear physics, the SESAME synchrotron light-source project in Jordan, and cybersecurity. According to what was relayed to me, Shahriari's role in the nuclear program's cybersecurity was comparable, in corporate terms, to that of a multi-facility IT director or CIO.

Were cybersecurity tasks responsible? Likely.

Professor Majid Shahriari was a trusted insider for the nuclear program, and his most recent tasks centered on production. His expertise in computer science, according to one source, was a key component of the nuclear program. With Stuxnet gumming up the works, the person key to fixing the infestation likely became a leading target of opportunity.

December's Stuxnet/Iran/Shahriari research: Six points

  1. Prof. Shahriari had an extensive computer science background including custom coding experience.
  2. Relevant parts of Prof. Shahriari's background were censored and virtually erased through internet filtering within Iran within 24 hours. Some resources remain, but they are hard to find. [Note: Another restrictive country used the same internet-erasing tactic to cloud an Olympic athlete's age during a 2008 dispute.]
  3. Prof. Shahriari was considered a key information security component of the Stuxnet-targeted nuclear centrifuge operations. Speculation ran wild about the 'brain drain' sabotage allegedly occurring within these centrifuge operations, of which Stuxnet was only one piece of an overall campaign, mirroring the tactics detailed in the CIA's 1980s operation known as the Farewell Dossier.
  4. The surviving scientist targeted last week had key participation in the ballistic missile field and was specifically named in a recent United Nations Security Council resolution (UNSCR 1737).
  5. Word on the street: pro-am (professional-amateur) collaboration. The Tehrangeles community considers that these hits were not solely the job of native resistance within Iran, nor solely the job of external intelligence agencies. By targeting key staff involved with multiple projects, the hits were sniper-sure to sever the links that would create the most chaos and disruption with the least effort.
  6. CIO threat awareness: Actions related to the Stuxnet operation dictate that new physical security measures be considered for the safety of critical cybersecurity staff in both the dot-com and dot-mil worlds. Watch your backs and lock down your servers.

Threat of EMP: Potential justification?

It should go without saying that a single nuclear-armed missile could be devastating to the United States or to Europe, but most people do not think of it that way. Military insiders familiar with NATO policy recently confirmed that Europe's interest in missile defense is driven primarily by this Iranian ballistic missile threat.

Why is one little missile such a worry? Electromagnetic pulse, or EMP. An EMP is effectively the single high-impact, low-frequency (HILF) attack that puts an entire continent into the Dark Ages. EMP effects are described in the HILF advisory put out by NERC, which we covered earlier this year in the Cybercrime Corner.

The threat of a single missile is force-multiplied when its warhead is detonated at high altitude, above the atmosphere, rather than at a ground target. In that instance, a single missile could damage vehicle onboard computers, internet infrastructure and the supply chains that depend on them across a wide region.

While this is grim, there are strategies that work against this. Canada has already implemented them, and hardening the U.S. power grid in a similar fashion, at a cost of under $200 million, is still under consideration.

Result: EMP concerns seem to not be enough to validate assassination, at least from the perspective of most experts.

SESAME: Red herring or social network?

Of particular note is that all three Iranian scientists killed in the past year had ties to SESAME, a UNESCO project based in Jordan. Upon examination, it was found that Professor Shahriari and one other murdered scientist were only lightly involved with SESAME:

SESAME president Chris Llewellyn Smith, who is also a former director-general of CERN, says that he does not remember Shahriari, though the official records state that he did attend one council meeting. Llewellyn Smith does, however, recall meeting Alimohammadi, but he, likewise, was only able to attend one meeting before he was killed.

SESAME remains a nexus, yet my assessment is that the victims were not directly targeted because of SESAME goals. The UN is hardly known to finance weapons projects. Israel, the United States, Russia, Iran and other nations all participated in the Jordan-based project, as did IAEA and CERN staffers.

One thought is that participation in SESAME may have aided identification of the individuals eliminated in 2010. What is more probable is that the SESAME social network facilitated open-source (overt) intelligence on these scientists, which was then weighed in planning the assassinations; the trail forks into multiple nations at that point. Result: SESAME may have been connected, but it is not the reason behind the hits.

The bottom line is that without the entire background of a victim it's hard to point out the motivation behind the killing. Only through tracking down facts before they're erased by censors – like something out of Orwellian nightmares – has the leading candidate emerged: cybersecurity and Stuxnet lead the pack.

The case for computer security expertise seems to outweigh the case for other nuclear-related work. Additionally, the messy cover-up may be an effort to muddy the trail to the associates of the late Dr. Shahriari who are left to carry on his Stuxnet cleanup. We used to call that 'promotion through attrition' in the military.

Game-changing cyberwarfare: The seal is broken

If Prof. Shahriari was targeted because of his work in computer science rather than his work in nuclear physics, the turning point in cyberwarfare is defined with a case study.

What is the next step? Since threats have been leveled against everyone and the kitchen sink, it's best to consider the worst case and work backwards from there. Rhetoric has already come from Shahriari's mentor Salehi, who warned of grave consequences. To date, the rhetoric targets Israel, the United States, the IAEA, Mossad and the CIA.

The threat assessment is valid. With Hezbollah and other deep intelligence assets embedded in communities worldwide, retaliation by Iran against any perceived adversary is not out of the question. In the future, there will be those who want to hurt people whose daily knowledge-management work is merely part of a larger process.

Physical security worlds and cyber worlds must cooperate and coordinate. Otherwise personnel and data assets inevitably will be breached.

The hard part is for CIOs and IT gurus to accept that outside actors, potentially state sponsored, may indeed have priorities that make our own cybersecurity staff targets for killing.

Some people can't be bargained with or reasoned with, they just want to watch the world burn. (Michael Caine as Alfred in The Dark Knight)

Defending against this persistent threat?

  1. What you can learn from Stuxnet
  2. Learn Seven Ways To Keep HILFS From Crashing Your Party
  3. What HILFs mean to Critical Infrastructure: Stuxnet and Beyond
  4. Securing our eCity: Grassroots block-by-block cyber threat awareness

Further resources:

  1. Kinetic Warfare vs. Cyberwarfare
  2. BBC News
  3. Al Jazeera
  4. Debka.com – single English language source of Stuxnet involvement
  5. Securing Our eCity
  6. Stuxnet: Cyber warfare's game-changer, Part One
  7. Stuxnet: Cyber warfare's game-changer, Part Two
  8. From sci-fi to Stuxnet: Exploding gas pipelines and the Farewell Dossier
