History, Security

Stuxnet Pinned on Israeli Unit 8200

Leave a comment

I still am not convinced that it has to be the US or Israel. Just because geo-politically these two are the most adamant about shutting down Iran’s nuclear capability does not mean they are the Stuxnet authors. There is likely to be a more complex relationship of agents at work, such as Iranian dissidents, insiders and then perhaps support from the US and Israel.

Never mind me, however, the Telegraph says Israeli cyber unit responsible for Iran computer worm

Computer experts have discovered a biblical reference embedded in the code of the computer worm that has pointed to Israel as the origin of the cyber attack.

The code contains the word “myrtus”, which is the Latin biological term for the myrtle tree. The Hebrew word for myrtle, Hadassah, was the birth name of Esther, the Jewish queen of Persia.

Well, more to the point (pun not intended) Jewish mysticism associates myrtle with masculinity; specifically the penis. Are the computer experts saying this word “myrtle” is sufficient proof because they see Israel as the most likely nation to want to penetrate (for lack of a better word) Iran?

That interpretation is the opposite of the more traditional Jewish practices during harvest celebrations — myrtle is associated with with doing good deeds.

It seems the myrtle could be taken to mean many things.

Moreover, myrtle is also found in northern Africa. The Greeks link it to Aphrodite, Romans say it is dear to Venus. Code is shared. Teams are diverse. Thus, myrtle not only has many meanings but also appears to be important for many nations. I recently went to a Myrtle Beach in South Carolina. Come to think of it there was a suspicious looking person with a laptop there…

Those two reasons (interpretation and geographic distribution) make it difficult for me to automatically think of Israel when I hear of myrtle. If the official symbol for Israeli Unit 8200 was a branch of (flaming?) myrtle I would be more open to believe there is a clear and simple association.

Perhaps a little history can shed more perspective on the Stuxnet references and investigation; take, for example, the CIA document “Clandestine Service History — Overthrow of Premier Mosaddegh of Iran — November 1952-August 1953

The demise of Prime Minister Mossadegh in 1953 came as a result of a coup that was backed by the US CIA to protect British oil companies operating in Iran. The CIA not only convinced Iranians that the democratically elected leader was too dictatorial, but they managed to pressure Mossadegh into defending his ability to stay in power. The US paid “fake” mobs (both against and for a coup) to destabilize the country, stage terrorist activities and eventually arrest the prime minister. Was foreign money the only motivator of these mobs?

Even with the advantage of time past the tangled relationship between US and British intelligence and their roles, not to mention collaboration by internal groups and organizations, are still debated. Some say the coup was clearly a US operation but it can not be denied that there were many facets to the threat that Iran faced.

At this point it seems the word myrtle makes Stuxnet an Israeli operation as much as one swallow makes it spring.

Edited to add: Another reference to Israel has been cited by Threatpost in “Stuxnet Analysis Supports Iran-Israel Connections

Though most of the conversation about Stuxnet is still based on conjecture, [Symantec analyst Liam] O’Murchu said that Symantec’s analysis of Stuxnet’s code for manipulating PLCs on industrial control systems by Siems backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. As for Iran, O Murch merely pointed to Symantec data that show the country was the source of the most Stuxnet infections. Iran has since blocked communications to Stuxnet’s command and control infrastructure, he said.

As for suggestions that Israeli intelligence may have authored the virus, O’Murchu noted that researchers had uncovered the reference to an obscure date in the worm’s code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, who was executed by the new Islamic government shortly after the revolution.

Are you convinced? Attribution is virtually impossible on the network. This sounds more like wishful thinking than proof. Note the “shortly after the revolution” end to their analysis. That date could also be significant to Iranian insiders. Iranian Jews may not be Israeli, even if they have left Iran. Back to my point above, others were executed at the same time. Speaking of Time, an issue from May 21, 1979 makes my point rather darkly:

Last week’s execution of 38 men brought to 204 the number of those condemned to death before firing squads. Among the latest victims were two former Ministers of Information, the last speaker of the lower house of parliament under the Shah, and a number of members of the notorious antiterrorist committee of SAVAK, the disbanded secret police, including a physician charged with specializing in torture techniques.

The two businessmen, both multimillionaires, were Habib Elghanian, a plastics manufacturer and the first Jew to be condemned, and Rahim Ali Khorram, a Muslim who owned a string of gambling casinos and bordellos.

It could be a date significant to others; 204 men of different faiths, backgrounds, beliefs and families were executed at that time. This is not to downplay the importance of one man’s death, of course, but to try and paint a more realistic picture of who might want to now threaten Iran’s nuclear program (assuming Iran is the target).

It is not as easy as A versus B. My studies in International History, as well as travel, has pushed me towards threat models that are more like this:

Impressionable talent in country X, Y and Z end up in country B where they receive information and training from country C, which believes they must act upon information from country D, E and F, funded by countries D, G and H.

It is more like a social network effect, with hard and soft acquaintances, than the two sides of a boxing ring distinguished by their bright colors. The gray area has to remain in focus not only to keep a more accurate record of attribution but also to make it possible to understand the threats and hopefully detect or even prevent attack. It seems we like to think in polar terms because it brings comfort, but in reality we live in a complex world.

Or I could be totally wrong and the next thing revealed about the Stuxnet code is someone’s phone number and address in downtown Jerusalem, which is obviously located in (wait for it…) Arkansas, USA. Thought I was going to say Israel, didn’t you?

Edited again to add: F-Secure has a hilarious Q&A page on Stuxnet. Well worth reading for a balanced view from a security vendor. I suspect Stuxnet soon will be fodder for best joke of the year. Here is just a brief example:

Q: Is it true that there’s are biblical references inside Stuxnet?
A: There is a reference to Myrtus (myrtle plant). However, this is not “hidden” in the code. It’s an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project “Myrtus”, but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.

Q: So how exactly is “Myrtle” a biblical reference?
A: Uhh…we don’t know, really.

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value “19790509” as an infection marker.

Q: What’s the signifigance of “19790509”?
A: It’s a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it’s the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused to be spying for Israel.

Q: Oh.
A: Yeah.

Guava? What about 5th of September, 1979? Grateful Dead concert, dude, in Madison Square Garden! It also is the date that the Iranian army occupied Piranshahr on the border with Iraq. That seems more like an “infection marker” if you know what I mean.

Funny stuff.

Ok, so now I wonder how best to dress like Stuxnet for Halloween.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.