No Place Safe from CyberTerror

Posted on November 10, 2014November 10, 2014 by Denise Simon

Cant shop at Target. Cant use your plastic at restaurants. Cant use hotspots for internet access. Cant buy medical coverage from Obamacare. Now if you are an employee at many companies your information is compromised. Now, the United States Post Office has been hacked and signs continue to point to China while Russia is just as aggressive.

Postal Service reveals cyber breach

By Colby Hochmuth
Nov 10, 2014

The Postal Service suffered a cybersecurity breach of its information systems and has launched an investigation into the attack that potentially compromised employee and customer personal information, including addresses, Social Security numbers and emails.

The Nov. 10 announcement of the attack, which was discovered in September, comes little more than a week after the White House reported it too had been the victim of hacking.

As in the White House breach, suspicion immediately fell on China, where President Barack Obama is now attending an economic summit and visiting with President Xi Jinping.

“This intrusion was similar to attacks being reported by many other federal government entities and U.S. corporations,” David Partenheimer, manager of media relations at USPS, said in a statement. “We are not aware of any evidence that any of the potentially compromised customer or employee information has been used to engage in any malicious activity.”

12 other key federal breaches

But a private sector analyst suggested employees should be on the lookout, nonetheless.

“Unfortunately, this breach is just the latest in a series of incidents that have targeted the U.S. government,” said Dan Waddell, director of government affairs at (ISC)2. “It seems this particular incident revealed information on individuals that could lead to targeted spear-phishing attacks towards USPS employees.”

“All of us need to be aware of potential phishing schemes,” Waddell added, “but in this particular case, USPS employees should be on the lookout for any suspicious email that would serve as a mechanism to extract additional information such as USPS intellectual property, credit card information and other types of sensitive data.”

Call center data submitted to the Postal Service Customer Care Center by customers via email or phone between Jan. 1 and Aug. 16, 2014, is thought to be compromised; that includes names, addresses, telephone numbers, email addresses and other information customers provided to the center. However, USPS officials said they do not believe customers who contacted the call center during that period need to take any action as a result of the incident.

USPS is working with the FBI, Justice Department and the U.S. Computer Emergency Readiness Team to investigate the breach.

USPS is also tapping the private sector and bringing in specialists in forensic investigations and data systems “to assist with the investigation and remediation to ensure that we are approaching this event in a comprehensive way, understanding the full implications of the cyber intrusion and putting in place safeguards designed to strengthen our systems,” according to an agency statement.

According to an April 2014 USPS Inspector General audit on the security of USPS’s wireless networks, “the Postal Service has effective security policies and controls that detect unauthorized access to its wireless network.”

The audit also found that USPS has continuous monitoring technology and procedures to ensure security of the wireless network in place, and that larger USPS facilities have dedicated access points configured for wireless intrusion detection.

As for the security of USPS’s stored data, the OIG found several weak spots in a March 2014 report.

“The Data Management Services group did not manage the storage environment in accordance with Postal Service security requirements because its managers did not provide adequate oversight of the storage teams,” the report said.

In the first half of 2014, more than 500 million commercial records have been compromised by hackers, and “this represents another example of the aggressive nature of nation-state adversaries looking for personally identifiable information for potential phishing attacks and other types of fraud — an area where information can be easily monetized,” said Edward Ferrara, principal analyst at Forrester. “This could also be an attempt to further probe aspects of the United States government’s cyber defenses in the unclassified areas of government operations.”

USPS has implemented additional security measures to improve the security of its information systems, which attracted attention this weekend, as some of USPS’s systems went offline. According to USPS, these additional security measures include equipment and system upgrades, as well as changes in employee procedures and policies to be rolled out in the coming days and weeks.

“It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity,” Postmaster General Patrick Donahoe said in a statement. “The United States Postal Service is no different. Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data.”

About the Author:

Colby Hochmuth is a staff writer covering big data, cloud computing and the federal workforce. Connect with her on Twitter: @ColbyAnn.

Asia Pivot, Made in China

Posted on November 10, 2014November 10, 2014 by Denise Simon

The last visit Barack Obama made to China did not go well such that relations have soured on the diplomatic scale. The visit to China this week consumed huge resources to lay the groundwork in advance of the trip for the 2014 Asia Pacific Economic Cooperation. Susan Rice spent the last weeks challenging the fact that China was so slighted during the 2009 extended trip that China has refused since to extend visas and temporary housing permits of Americans in China on business and with media.

First out of the gate, Obama delivered a most generous gift to China and that was to open a new front on visas for Chinese, from one year renewals to 5-10 years effective immediately claiming it will add to American jobs as it is touted that China infuses $80 billion yearly into the U.S economy. $80 billion is hardly a great sum or epic deal when in fact the Chinese hacking world costs the U.S. corporate industry billions and is a top concern of James Comey, Director of the FBI.

It should also be noted that Russia has been quite effective at cultivating a sustained relationship with China while China’s own economy has almost zero growth and their debt ratio to revenue ratio is stagnant cancelling out each other.

China has presented many issues that must be addressed prior to all the enhanced trade talks and global policy cooperation. China has been most aggressive towards yet other U.S. allies in Asia causing outrage and conflict in the S. China sea with regard to island and territory disputes. There is also censorship within the internet industry and continued human rights issues, both of which the White House and the State Department overlook for the sake of placing a happy face on Obama’s foreign policy strategy.

China does have issues when it comes to its own infrastructure including transportation, medical advancements, factories, power and use of energy sources like oil and gas. Each of those conditions facing China are being addressed in partnership with Russia.

Obama will also use his time in China to push for more attention and resources when it comes to Climate Change, an exclusively assigned mission given to John Podesta and investment treaties.

A topic that will likely not receive any time and attention is the Chinese relationship with North Korea and the associated human rights violations on the heels to two Americans being released from a DPRK prison allegedly managed by ODNI Director James Clapper this past weekend.

In summary, what is really behind Obama’s policy platform in China? Well with the beating he took in the midterms, his policy team has decided to focus on the economy. Obama wants Chinese money and he offered a visa pass to get their money. Going visa free in exchange for money is the common ‘go-to’ agenda of the Obama Administration. Question is, exactly who DOES benefit from the $80 billion of Chinese investment where winners and losers are predetermined by the White House.

Rich Chinese overwhelm U.S. visa program

Any foreigner willing to commit at least $500,000 and create 10 jobs in America can apply for an investor immigrant visa — also known as an EB-5.

The demand from mainland Chinese eager to move abroad has already led the U.S. government to warn the program could hit a wall as early as this summer.

Chinese nationals account for more than 80% of visas issued, compared to just 13% a decade ago, according to government data compiled by CNNMoney. That translates to nearly 6,900 visas for Chinese nationals last year, a massive bump up from 2004, when only 16 visas were granted to Chinese.

“The program has literally taken off to the point [that] in China, the minute anybody hears I’m an immigration lawyer, the first thing they say is, ‘Can we get an EB-5 visa?’ ” said Bernard Wolfsdorf, founder of the Wolfsdorf Immigration Law Group.

“There is a panic being created in China about the demand [getting] so big that there is going to be a visa waiting line,” he said.

Dragonfly vs. America, Courtesy of Russia

Posted on November 8, 2014November 8, 2014 by Denise Simon

Can you live without electricity for a day or two? Yes of course if you in advance right? Can you live without power for a week or so? Yes of course with advanced notice right? Can you live without power for a month, 4 months or 18 months? NOPE. It is time to not only think about preparations, but to get prepared and then to practice procedures for short term and long term power outages and the reason is Russia.

There is a sad truth to what is below, the United States is not prepared and what is worse we are not declaring war to stop Russia either. Russia has hacked into U.S. government sites, hacked into corporate sites and hacked into the financial industry all without so much as a whimper as a U.S. reply. We have no countermeasures, we have no offensive measures and have not even written a strongly worded letter.

Russia has gone to the dragons against America, well actually to the Dragonflies and this is what you need to know and do. Remember the entire infrastructure is tied to SCADA, that includes water systems, transportation systems, water, hospitals, schools and retail.

Dragonfly: Western Energy Companies Under Sabotage Threat

Cyberespionage campaign stole information from targets and had the capability to launch sabotage operations.

An ongoing cyberespionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries.

Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors. Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.

This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems. While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required.

In addition to compromising ICS software, Dragonfly has used spam email campaigns and watering hole attacks to infect targeted organizations. The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany. The former appears to be a custom piece of malware, either written by or for the attackers.

Prior to publication, Symantec notified affected victims and relevant national authorities, such as Computer Emergency Response Centers (CERTs) that handle and respond to Internet security incidents.

Background
The Dragonfly group, which is also known by other vendors as Energetic Bear, appears to have been in operation since at least 2011 and may have been active even longer than that. Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.

The campaign against the European and American energy sector quickly expanded in scope. The group initially began sending malware in phishing emails to personnel in target firms. Later, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in energy in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.

Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.

Analysis of the compilation timestamps on the malware used by the attackers indicate that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone. Based on this information, it is likely the attackers are based in Eastern Europe.

Figure. Top 10 countries by active infections (where attackers stole information from infected computers)

Tools employed
Dragonfly uses two main pieces of malware in its attacks. Both are remote access tool (RAT) type malware which provide the attackers with access and control of compromised computers. Dragonfly’s favored malware tool is Backdoor.Oldrea, which is also known as Havex or the Energetic Bear RAT. Oldrea acts as a back door for the attackers on to the victim’s computer, allowing them to extract data and install further malware.

Oldrea appears to be custom malware, either written by the group itself or created for it. This provides some indication of the capabilities and resources behind the Dragonfly group.

Once installed on a victim’s computer, Oldrea gathers system information, along with lists of files, programs installed, and root of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C&C) server controlled by the attackers.

The majority of C&C servers appear to be hosted on compromised servers running content management systems, indicating that the attackers may have used the same exploit to gain control of each server. Oldrea has a basic control panel which allows an authenticated user to download a compressed version of the stolen data for each particular victim.

The second main tool used by Dragonfly is Trojan.Karagany. Unlike Oldrea, Karagany was available on the underground market. The source code for version 1 of Karagany was leaked in 2010. Symantec believes that Dragonfly may have taken this source code and modified it for its own use. This version is detected by Symantec as Trojan.Karagany!gen1.

Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloging documents on infected computers.

Symantec found that the majority of computers compromised by the attackers were infected with Oldrea. Karagany was only used in around 5 percent of infections. The two pieces of malware are similar in functionality and what prompts the attackers to choose one tool over another remains unknown.

Multiple attack vectors
The Dragonfly group has used at least three infection tactics against targets in the energy sector. The earliest method was an email campaign, which saw selected executives and senior employees in target companies receive emails containing a malicious PDF attachment. Infected emails had one of two subject lines: “The account” or “Settlement of delivery problem”. All of the emails were from a single Gmail address.

The spam campaign began in February 2013 and continued into June 2013. Symantec identified seven different organizations targeted in this campaign. The number of emails sent to each organization ranged from one to 84.

The attackers then shifted their focus to watering hole attacks, comprising a number of energy-related websites and injecting an iframe into each which redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit. Lightsout exploits either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer. The fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities.

In September 2013, Dragonfly began using a new version of this exploit kit, known as the Hello exploit kit. The landing page for this kit contains JavaScript which fingerprints the system, identifying installed browser plugins. The victim is then redirected to a URL which in turn determines the best exploit to use based on the information collected.

Trojanized software
The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different ICS equipment providers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.

The first identified Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it was mounted, but there had already been 250 unique downloads of the compromised software.

The second company to be compromised was a European manufacturer of specialist PLC type devices. In this instance, a software package containing a driver for one of its devices was compromised. Symantec estimates that the Trojanized software was available for download for at least six weeks in June and July 2013.

The third firm attacked was a European company which develops systems to manage wind turbines, biogas plants, and other energy infrastructure. Symantec believes that compromised software may have been available for download for approximately ten days in April 2014.

The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising their suppliers, which are invariably smaller, less protected companies.

Two additional links are below for more information and key use.

http://energy.gov/sites/prod/files/Large%20Power%20Transformer%20Study%20-%20June%202012_0.pdf

http://www.fgdc.gov/usng/

Obama subervient to Iran and Russia

Posted on November 7, 2014November 7, 2014 by Denise Simon

America has been caught up in Ebola, the midterm elections and the DACA executive order allowing tens of thousands to come across the southern border. We have been horrified by a handful of beheadings of Daesh (ISIS) in Iraq.

Now the real work begins for Americans to get engaged as some very nefarious events could occur between now and the time the 114th Congress is seated in January of 2015.

It is important to look at the Middle East with particular emphasis as a 3rd Intifada is brewing there again in Israel. Meanwhile, we cannot ignore Vladimir Putin any longer and his aggression on Ukraine and the handful of Baltic States.

The community organizer, Barack Obama cannot compete in any arena with other world leaders that include those of China, Russia and Iran.

On the Denise Simon Experience Radio show hosted by Cowboy Logic Radio, Alex Holstein spend almost two hours putting into perspective matters of geo-politics and the future implications.

Alex Holstein is the Director of Corporate & Government Relations for Geopoliticalmonitor Intelligence Corps. He holds a BA from the University of Southern California and an MSc. in Russian and Post-Soviet Studies from the London School of Economics, where he wrote his thesis on the Soviet KGB. Through years of extensive research and worldwide experience, Alex has developed a strong grasp of foreign affairs, maintaining a particular interest in espionage, terrorism, special operations, border security and international relations. A former Executive Director of the Republican Party of San Diego County, he has managed communications and stakeholder engagement for major statewide and national political and issue advocacy campaigns in both California and Washington D.C., including the California Recall 2003 and the US Presidential Election 2004. He is currently a contributing expert for International Security and Intelligence issues at the SUN News Network in Canada. Geopoliticalmonitor Intelligence Corp. GPMGlobalSolutions.com / Geopoliticalmonitor.com

As a subject matter expert with well placed and selected placeholders, Alex explained in layman’s terms the implications of Syria, Iran, Iraq and what the near future holds. To hear the show, click here.

Most disturbing is the actions of Putin as noted here:

(Reuters) – Russian President Vladimir Putin held talks with top security chiefs on Thursday over a “deterioration of the situation” in eastern Ukraine after pro-Russian rebels there accused Kiev of launching a new offensive in violation of a ceasefire.

Sporadic violence has flared since the Sept. 5 truce in a conflict that has cost over 4,000 lives; but the ceasefire has looked particularly fragile this week with separatists and the central government accusing each other of violations.

Andrei Purgin, deputy prime minister of the self-proclaimed Donetsk People’s Republic, said the Ukrainian army had launched “all-out war” on rebel positions, Russian news agency RIA said.

Ukrainian military spokesman Vladyslav Seleznyov denied this, saying the army remained in agreed positions.

“We refute these allegations…we’re strictly fulfilling the Minsk memorandum (on a ceasefire),” he said by telephone.

A Kremlin statement said the presidential Security Council, which groups key security and defense officials under Putin’s chairmanship, discussed among other things a “deterioration of the situation in the Donbass due to repeated violations of the ceasefire by the armed forces of Ukraine.”

It did not say what decisions, if any, had been reached over the conflict that broke out in the industrialized east after the overthrow of Ukraine’s Moscow-backed leader Viktor Yanukovich in February and Russia’s subsequent annexation of Crimea.

A Reuters witness in the rebel stronghold of Donetsk said there was no sign the conflict was escalating.

Representatives of the separatist regions earlier put out a joint statement calling for a redrafting of the Minsk deal, which established a ceasefire in exchange for Kiev granting “special status” to eastern territories.

Rebels say Ukraine has violated the deal by seeking to revoke a law that would have granted eastern regions autonomy. Kiev says this was a consequence of Sunday’s separatist leadership elections which it says go against the agreement.

The Ukrainian military said three soldiers had been killed on Thursday, reporting a total of 26 separate artillery clashes with separatists.

In summary, make no mistake that the adversaries of America, Iran, Russia and China are working in cadence for their own agendas and completely against America, hence our State Department, National Security Council and the White House and willfully allowing this. Question is to what end?

Behpajooh and John Kerry

Posted on November 7, 2014November 7, 2014 by Denise Simon

At least four secret letters have been dispatched from the White House and sent to Iran. The full contents of the letters are still unknown except the most recent was revealed by the Wall Street Journal containing two items, points of collaboration over the ISIS war in Iraq and striking a final deal on the Iranian nuclear program.

Denials have been made by the White House that the United States was not working with Iran on the matter of Iraq as noted here. ‘Appearing on NBC’s “Meet the Press” last month, National Security Adviser Susan Rice said the U.S. wasn’t working with Iran on the fight against the Islamic State. “We are not in coordination or direct consultation with the Iranians about any aspect of the fight against ISIL,” Rice said, using an alternate acronym for the jihadist group. “It is a fact that, in Iraq, they also are supporting the Iraqis against ISIL, but we are not coordinating. We are doing this very differently and independently.”

After doing some deep research, it was found that under SecState John Kerry, nothing else matters when it comes to Iraq, Syria, Russia or Iran except gaining a nuclear deal with the help of the P5+1, a deal that has excluded the U.S. Congress and ALL allies in the Middle East.

The United States under the G. W. Bush administration worked a stealthy mission to halt the Iran program in coordination with Israel by creating and infecting the Iranian nuclear program with an undetected virus into the computers controlling the spinning centrifuges. Outside companies were identified and sanctions and later targeted via a thumb drive to infect the computer network to bring a halt to the cascading centrifuge system.

One such company was Behpajooh and there are many more, but all of these associated firms have been ignored by the State Department, Treasury, the interagency and the envoy working in cadence with John Kerry giving freedom to Iran to continue their program.

The betrayal of the State Department and the White House of allies and Congress is epic in nature, when this could lead to a nuclear arms race in the Middle East, a long future of hostilities with Daesh and a much sooner launch of a nuclear weapon by Iran on their targeted enemies the little Satan and the big Satan, Israel and the United States.

Here is the story on how Stuxnet came to be. Clearly, the Bush administration and Israel were clandestine in this regard and the mission was successful. It now begs the question, will it happen again if a deal is reached by the November 24 deadline?

An Unprecedented Look at Stuxnet, the World’s First Digital Weapon

In January 2010, inspectors with the International Atomic Energy Agency visiting the Natanz uranium enrichment plant in Iran noticed that centrifuges used to enrich uranium gas were failing at an unprecedented rate. The cause was a complete mystery—apparently as much to the Iranian technicians replacing the centrifuges as to the inspectors observing them.

Five months later a seemingly unrelated event occurred. A computer security firm in Belarus was called in to troubleshoot a series of computers in Iran that were crashing and rebooting repeatedly. Again, the cause of the problem was a mystery. That is, until the researchers found a handful of malicious files on one of the systems and discovered the world’s first digital weapon.

Stuxnet, as it came to be known, was unlike any other virus or worm that came before. Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak physical destruction on equipment the computers controlled.

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, written by WIRED senior staff writer Kim Zetter, tells the story behind Stuxnet’s planning, execution and discovery. In this excerpt from the book, which will be released November 11, Stuxnet has already been at work silently sabotaging centrifuges at the Natanz plant for about a year. An early version of the attack weapon manipulated valves on the centrifuges to increase the pressure inside them and damage the devices as well as the enrichment process. Centrifuges are large cylindrical tubes—connected by pipes in a configuration known as a “cascade”—that spin at supersonic speed to separate isotopes in uranium gas for use in nuclear power plants and weapons. At the time of the attacks, each cascade at Natanz held 164 centrifuges. Uranium gas flows through the pipes into the centrifuges in a series of stages, becoming further “enriched” at each stage of the cascade as isotopes needed for a nuclear reaction are separated from other isotopes and become concentrated in the gas.

As the excerpt begins, it’s June 2009—a year or so since Stuxnet was first released, but still a year before the covert operation will be discovered and exposed. As Iran prepares for its presidential elections, the attackers behind Stuxnet are also preparing their next assault on the enrichment plant with a new version of the malware. They unleash it just as the enrichment plant is beginning to recover from the effects of the previous attack. Their weapon this time is designed to manipulate computer systems made by the German firm Siemens that control and monitor the speed of the centrifuges. Because the computers are air-gapped from the internet, however, they cannot be reached directly by the remote attackers. So the attackers have designed their weapon to spread via infected USB flash drives. To get Stuxnet to its target machines, the attackers first infect computers belonging to five outside companies that are believed to be connected in some way to the nuclear program. The aim is to make each “patient zero” an unwitting carrier who will help spread and transport the weapon on flash drives into the protected facility and the Siemens computers. Although the five companies have been referenced in previous news reports, they’ve never been identified. Four of them are identified in this excerpt.

The Lead-Up to the 2009 Attack

The two weeks leading up to the release of the next attack were tumultuous ones in Iran. On June 12, 2009, the presidential elections between incumbent Mahmoud Ahmadinejad and challenger Mir-Hossein Mousavi didn’t turn out the way most expected. The race was supposed to be close, but when the results were announced—two hours after the polls closed—Ahmadinejad had won with 63 percent of the vote over Mousavi’s 34 percent. The electorate cried foul, and the next day crowds of angry protesters poured into the streets of Tehran to register their outrage and disbelief. According to media reports, it was the largest civil protest the country had seen since the 1979 revolution ousted the shah and it wasn’t long before it became violent. Protesters vandalized stores and set fire to trash bins, while police and Basijis, government-loyal militias in plainclothes, tried to disperse them with batons, electric prods, and bullets.

That Sunday, Ahmadinejad gave a defiant victory speech, declaring a new era for Iran and dismissing the protesters as nothing more than soccer hooligans soured by the loss of their team. The protests continued throughout the week, though, and on June 19, in an attempt to calm the crowds, the Ayatollah Ali Khamenei sanctioned the election results, insisting that the margin of victory—11 million votes—was too large to have been achieved through fraud. The crowds, however, were not assuaged.

The next day, a twenty-six-year-old woman named Neda Agha-Soltan got caught in a traffic jam caused by protesters and was shot in the chest by a sniper’s bullet after she and her music teacher stepped out of their car to observe.

Two days later on June 22, a Monday, the Guardian Council, which oversees elections in Iran, officially declared Ahmadinejad the winner, and after nearly two weeks of protests, Tehran became eerily quiet. Police had used tear gas and live ammunition to disperse the demonstrators, and most of them were now gone from the streets. That afternoon, at around 4:30 p.m. local time, as Iranians nursed their shock and grief over events of the previous days, a new version of Stuxnet was being compiled and unleashed.

Recovery From Previous Attack

While the streets of Tehran had been in turmoil, technicians at Natanz had been experiencing a period of relative calm. Around the first of the year, they had begun installing new centrifuges again, and by the end of February they had about 5,400 of them in place, close to the 6,000 that Ahmadinejad had promised the previous year. Not all of the centrifuges were enriching uranium yet, but at least there was forward movement again, and by June the number had jumped to 7,052, with 4,092 of these enriching gas. In addition to the eighteen cascades enriching gas in unit A24, there were now twelve cascades in A26 enriching gas. An additional seven cascades had even been installed in A28 and were under vacuum, being prepared to receive gas.

The performance of the centrifuges was improving too. Iran’s daily production of low-enriched uranium was up 20 percent and would remain consistent throughout the summer of 2009. Despite the previous problems, Iran had crossed a technical milestone and had succeeded in producing 839 kilograms of low-enriched uranium—enough to achieve nuclear-weapons breakout capability. If it continued at this rate, Iran would have enough enriched uranium to make two nuclear weapons within a year. This estimate, however, was based on the capacity of the IR-1 centrifuges currently installed at Natanz. But Iran had already installed IR-2 centrifuges in a small cascade in the pilot plant, and once testing on these was complete and technicians began installing them in the underground hall, the estimate would have to be revised. The more advanced IR-2 centrifuges were more efficient. It took 3,000 IR-1s to produce enough uranium for a nuclear weapon in one year, but it would take just 1,200 IR-2 centrifuges to do the same.

Cue Stuxnet 1.001, which showed up in late June.

The Next Assault

To get their weapon into the plant, the attackers launched an offensive against computers owned by four companies. All of the companies were involved in industrial control and processing of some sort, either manufacturing products and assembling components or installing industrial control systems. They were all likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees.

To ensure greater success at getting the code where it needed to go, this version of Stuxnet had two more ways to spread than the previous one. Stuxnet 0.5 could spread only by infecting Step 7 project files—the files used to program Siemens PLCs. This version, however, could spread via USB flash drives using the Windows Autorun feature or through a victim’s local network using the print-spooler zero-day exploit that Kaspersky Lab, the antivirus firm based in Russia, and Symantec later found in the code.

Based on the log files in Stuxnet, a company called Foolad Technic was the first victim. It was infected at 4:40 a.m. on June 23, a Tuesday. But then it was almost a week before the next company was hit.

The following Monday, about five thousand marchers walked silently through the streets of Tehran to the Qoba Mosque to honor victims killed during the recent election protests. Late that evening, around 11:20 p.m., Stuxnet struck machines belonging to its second victim—a company called Behpajooh.

It was easy to see why Behpajooh was a target. It was an engineering firm based in Esfahan—the site of Iran’s new uranium conversion plant, built to turn milled uranium ore into gas for enriching at Natanz, and was also the location of Iran’s Nuclear Technology Center, which was believed to be the base for Iran’s nuclear weapons development program. Behpajooh had also been named in US federal court documents in connection with Iran’s illegal procurement activities.

Behpajooh was in the business of installing and programming industrial control and automation systems, including Siemens systems. The company’s website made no mention of Natanz, but it did mention that the company had installed Siemens S7-400 PLCs, as well as the Step 7 and WinCC software and Profibus communication modules at a steel plant in Esfahan. This was, of course, all of the same equipment Stuxnet targeted at Natanz.

At 5:00 a.m. on July 7, nine days after Behpajooh was hit, Stuxnet struck computers at Neda Industrial Group, as well as a company identified in the logs only as CGJ, believed to be Control Gostar Jahed. Both companies designed or installed industrial control systems.

electrical systems for the oil and gas industry in Iran, as well as for power plants and mining and process facilities. In 2000 and 2001 the company had installed Siemens S7 PLCs in several gas pipeline operations in Iran and had also installed Siemens S7 systems at the Esfahan Steel Complex. Like Behpajooh, Neda had been identified on a proliferation watch list for its alleged involvement in illicit procurement activity and was named in a US indictment for receiving smuggled microcontrollers and other components.

About two weeks after it struck Neda, a control engineer who worked for the company popped up on a Siemens user forum on July 22 complaining about a problem that workers at his company were having with their machines. The engineer, who posted a note under the user name Behrooz, indicated that all PCs at his company were having an identical problem with a Siemens Step 7 .DLL file that kept producing an error message. He suspected the problem was a virus that spread via flash drives.

When he used a DVD or CD to transfer files from an infected system to a clean one, everything was fine, he wrote. But when he used a flash drive to transfer files, the new PC started having the same problems the other machine had. A USB flash drive, of course, was Stuxnet’s primary method of spreading. Although Behrooz and his colleagues scanned for viruses, they found no malware on their machines. There was no sign in the discussion thread that they ever resolved the problem at the time.

It’s not clear how long it took Stuxnet to reach its target after infecting machines at Neda and the other companies, but between June and August the number of centrifuges enriching uranium gas at Natanz began to drop. Whether this was the result solely of the new version of Stuxnet or the lingering effects of the previous version is unknown. But by August that year, only 4,592 centrifuges were enriching at the plant, a decrease of 328 centrifuges since June. By November, that number had dropped even further to 3,936, a difference of 984 in five months. What’s more, although new machines were still being installed, none of them were being fed gas.

Clearly there were problems with the cascades, and technicians had no idea what they were. The changes mapped precisely, however, to what Stuxnet was designed to do.