The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the bomb. Their major asset for developing nuclear weapons is the Natanz uranium enrichment facility. The gray boxes that you see, these are real-time control systems. Now if we manage to compromise these systems that control drive speeds and valves, we can actually cause a lot of problems with the centrifuge. The gray boxes don't run Windows software; they are a completely different technology. But if we manage to place a good Windows virus on a notebook that is used by a maintenance engineer to configure this gray box, then we are in business. And this is the plot behind Stuxnet.
So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed -- mission accomplished. That's easy, huh? I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is it's very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems. So that got our attention, and we started a lab project where we infected our environment with Stuxnet and checked this thing out. And then some very funny things happened. Stuxnet behaved like a lab rat that didn't like our cheese -- sniffed, but didn't want to eat. Didn't make sense to me. And after we experimented with different flavors of cheese, I realized, well, this is a directed attack. It's completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program code that it's trying to infect is actually running on that target. And if not, Stuxnet does nothing.
So that really got my attention, and we started to work on this nearly around the clock, because I thought, "Well, we don't know what the target is. It could be, let's say for example, a U.S. power plant, or a chemical plant in Germany. So we better find out what the target is soon." So we extracted and decompiled the attack code, and we discovered that it's structured in two digital bombs -- a smaller one and a bigger one. And we also saw that they are very professionally engineered by people who obviously had all insider information. They knew all the bits and bytes that they had to attack. They probably even know the shoe size of the operator. So they know everything.
And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It's way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about -- around about 15,000 lines of code. Looks pretty much like old-style assembly language. And I want to tell you how we were able to make sense out of this code. So what we were looking for is, first of all, system function calls, because we know what they do.
And then we were looking for timers and data structures and trying to relate them to the real world -- to potential real world targets. So we do need target theories that we can prove or disprove. In order to get target theories, we remember that it's definitely hardcore sabotage, it must be a high-value target and it is most likely located in Iran, because that's where most of the infections had been reported. Now you don't find several thousand targets in that area. It basically boils down to the Bushehr nuclear power plant and to the Natanz fuel enrichment plant.
So I told my assistant, "Get me a list of all centrifuge and power plant experts from our client base." And I phoned them up and picked their brains in an effort to match their expertise with what we found in code and data. And that worked pretty well. So we were able to associate the small digital warhead with the rotor control. The rotor is that moving part within the centrifuge, that black object that you see. And if you manipulate the speed of this rotor, you are actually able to crack the rotor and eventually even have the centrifuge explode. What we also saw is that the goal of the attack was really to do it slowly and creepily -- obviously in an effort to drive maintenance engineers crazy, so that they would not be able to figure this out quickly.
The big digital warhead -- we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can't overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, that was a match.
And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure. So again, that was a real good match. And this gave us very high confidence for what we were looking at. Now don't get me wrong here, it didn't go like this. These results have been obtained over several weeks of really hard labor. And we often went into just a dead end and had to recover.
Anyway, so we figured out that both digital warheads were actually aiming at one and the same target, but from different angles. The small warhead is taking one cascade, and spinning up the rotors and slowing them down, and the big warhead is talking to six cascades and manipulating valves. So in all, we are very confident that we have actually determined what the target is. It is Natanz, and it is only Natanz. So we don't have to worry that other targets might be hit by Stuxnet.
Here's some very cool stuff that we saw -- really knocked my socks off. Down there is the gray box, and on the top you see the centrifuges. Now what this thing does is it intercepts the input values from sensors -- so for example, from pressure sensors and vibration sensors -- and it provides legitimate program code, which is still running during the attack, with fake input data. And as a matter of fact, this fake input data is actually prerecorded by Stuxnet. So it's just like from the Hollywood movies where during the heist, the observation camera is fed with prerecorded video. That's cool, huh?
The idea here is obviously not only to fool the operators in the control room. It actually is much more dangerous and aggressive. The idea is to circumvent a digital safety system. We need digital safety systems where a human operator could not act quickly enough. So for example, in a power plant, when your big steam turbine gets too far over speed, you must open relief valves within a millisecond. Obviously, this cannot be done by a human operator. So this is where we need digital safety systems. And when they are compromised, then real bad things can happen. Your plant can blow up. And neither your operators nor your safety system will notice it. That's scary.
But it gets worse. And this is very important, what I'm going to say. Think about this: this attack is generic. It doesn't have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don't have -- as an attacker -- you don't have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That's the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments. We have to face the consequences, and we better start to prepare right now.
Thanks.
(Applause)
Chris Anderson: I've got a question. Ralph, it's been quite widely reported that people assume that Mossad is the main entity behind this. Is that your opinion?
Ralph Langner: Okay, you really want to hear that? Yeah. Okay. My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that's the United States -- fortunately, fortunately. Because otherwise, our problems would even be bigger.
CA: Thank you for scaring the living daylights out of us. Thank you, Ralph.
(Applause)
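Editor's note: the following is an added example placed after the transcript; it is not code from Langner's talk and not Stuxnet's own code. It is a toy Python model of the sensor-replay trick described in the talk (attacker code records normal sensor values, then feeds the recording to the legitimate control and safety logic while overdriving the rotor), together with two checks a practitioner would want: an out-of-band comparison against a measurement the controller does not mediate, and a test for exactly repeated sensor sequences. All setpoints, thresholds, the drive model and the noise level are constructed for illustration and are not figures from Natanz or from the talk.

```python
"""Toy model of a sensor replay against a digital safety system (constructed example)."""
import random

SETPOINT_RPM = 1000.0   # nominal rotor speed; constructed, not a real centrifuge figure
TRIP_RPM = 1200.0       # digital safety system trips above this; constructed
RPM_PER_HZ = 10.0       # toy drive model: rotor speed tracks drive frequency; constructed


class Process:
    """The physical rotor: speed follows the drive command plus measurement noise."""

    def __init__(self, rng):
        self.rng = rng
        self.rpm = SETPOINT_RPM

    def step(self, drive_hz):
        self.rpm = drive_hz * RPM_PER_HZ + self.rng.gauss(0.0, 2.0)
        return self.rpm


def controller(measured_rpm):
    """Legitimate control logic: proportional correction toward the setpoint."""
    error = SETPOINT_RPM - measured_rpm
    return (SETPOINT_RPM + 0.5 * error) / RPM_PER_HZ


def safety_ok(measured_rpm):
    """Digital safety system: trips on the value it is given, nothing else."""
    return measured_rpm < TRIP_RPM


class ReplayHook:
    """Attacker code sitting between the sensor and the legitimate logic.

    Pass-through while recording, then replay the recording forever while
    overriding the drive command (the talk's 'prerecorded video' trick).
    """

    def __init__(self, record_len):
        self.record_len = record_len
        self.recording = []
        self.i = 0

    def active(self):
        return len(self.recording) >= self.record_len

    def read(self, real_rpm):
        if not self.active():
            self.recording.append(real_rpm)
            return real_rpm                      # recording phase
        value = self.recording[self.i % len(self.recording)]
        self.i += 1
        return value                             # replay phase

    def drive(self, legit_hz):
        return legit_hz * 1.4 if self.active() else legit_hz   # overspeed the rotor


def simulate(attack, steps=200, seed=1):
    """Run the loop; return what the safety system saw versus what really happened."""
    rng = random.Random(seed)
    plant = Process(rng)
    hook = ReplayHook(record_len=50) if attack else None
    real_rpm = plant.rpm
    tripped = False
    reported, actual = [], []
    for _ in range(steps):
        seen = hook.read(real_rpm) if hook else real_rpm
        if not safety_ok(seen):
            tripped = True
            break
        hz = controller(seen)
        if hook:
            hz = hook.drive(hz)
        real_rpm = plant.step(hz)
        reported.append(seen)
        actual.append(real_rpm)
    return {
        "tripped": tripped,
        "max_reported_rpm": max(reported),
        "max_actual_rpm": max(actual),
        "reported": reported,
        "actual": actual,
    }


def independent_monitor_alarm(reported, actual, tolerance_rpm=50.0):
    """Compare the controller's view with a measurement path it does not mediate."""
    return any(abs(r - a) > tolerance_rpm for r, a in zip(reported, actual))


def replay_alarm(reported, window=50):
    """Noisy sensor data never repeats exactly; an identical window is a replay tell."""
    for i in range(len(reported) - 2 * window):
        if reported[i:i + window] == reported[i + window:i + 2 * window]:
            return True
    return False


if __name__ == "__main__":
    for attack in (False, True):
        r = simulate(attack)
        print(f"attack={attack} tripped={r['tripped']} "
              f"reported_max={r['max_reported_rpm']:.0f} actual_max={r['max_actual_rpm']:.0f} "
              f"oob_alarm={independent_monitor_alarm(r['reported'], r['actual'])} "
              f"replay_alarm={replay_alarm(r['reported'])}")
```

The point of the two checks is where they get their data: `replay_alarm` works on the controller's own view and only catches a naive loop of the recording, while `independent_monitor_alarm` needs a sensor path the compromised controller cannot rewrite, which is the only one of the two that still holds if the attacker adds noise to the replayed values.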