This is the most fascinating piece of code that I have ever heard of. The authors had access to the most detailed information that there is and so much confidential information from so many vendors that it has to be state-sponsored.
Glad you enjoyed it!
It's all but been directly admitted by our security community because there clearance won't allow them to admit it publicly, though a lot of people involved or that over seen it basically admitted too it years ago. Even Obama got shocked on stage an said he couldn't speak about it when he was asked, notice he didn't say they weren't involved lol so he didn't lie, just that he could speak about it. On top of the fact that only governments would want to do this, any financially motivated group would have no interest in attacking Iran or investing the money to reverse the Siemens hardware, there was little to no research on this hardware back when stuxnet was used unlike now where there is much more public analysis and research of these products available online.
@@notme4526 *their *overseen *to *and *couldn't
The last sentence is wild speculation, a gut feeling, and practically/logically speaking it lacks imagination. IF there is enough money (Premise) on the line, a FINANCIALLY MOTIVATED group IS motivated to do whatever will make them a boatload of money (Conclusion: I mean ... DUH; opportunity to make "enough" money + financial motivation => do the thing to collect the money)
Google: corporate espionage/sabotage 😒 (e.g. British East India Company and Chinese Monopoly on Tea [billions of USD in today's money] and Volkswagen and Poaching of Opel Executives [one of the biggest settlements in industrial espionage in the modern era - 100 million in cash + 1 billion in bought car parts over 7 years] are the two biggest that come to mind)
Everybody knows it's Israel.
@@KushLemon Global Supreme Leader KushLemon casually commenting in a random UA-cam video. You speak for the entire planet sir, please get back to work. There are important things that need your attention.
Absolutely my favorite explanation. I was looking for a deeper dig into the code such as this instead of the super dramatized videos with edits.
Yes. We point to this as an example of a great S4 Stage 2: Technical Deep Dive session for new Stage 2 speakers. Lots of technical meat that drives to a point. It has had over 50K views on UA-cam, and for the first five years was on Vimeo. BTW, 60 Minutes came down to film footage of Ralph giving this session.
Absolutely, the Field Engineer's worst nightmare! Trying to figure out why the rotors were failing must have been keeping some people awake at night.
Engineers got killed, reprimanded by management, fired and whatnot. Stuxnet had a huge impact on, not just machinery, but people's lives.
"Countdown to ZeroDay" made me come here. Fascinating talk!
No idea how I missed that talk, it was incredible. I think the extreme precision is about predictability: they wanted to know when something happens, when it will happen the next time, etc., so they could have the option of planning with it, i.e. to know when a tech would be required etc.
These are some of the things that we tend to overlook when it comes to any kind of system or device that is connected to and powered by some type of electrical power grid. First, you cannot stop the signal. You might be able to divert it, redirect it, transform it, but you cannot completely stop it. Voltage and current have to flow somewhere, and there's always some type of power draw. Otherwise, it wouldn't be a circuit.
From there, it's a generalization of understanding the devices and systems that are built on top of that power grid, electrical circuit system. From there it's just a matter of finding the schematics, blueprints, patent filings, etc. of said device. From there, anyone who understands how to read them can easily reverse engineer the device without even having to have a physical device on hand.
There's always going to be actors on both sides of the fence, and there's no known system that is 100% secure. However, we can take measures to mitigate those vulnerabilities as much as possible.
The thing is, when it comes to any type of computational device such as a computer with a CPU/GPU etc., the entire binary, which includes instructions, data, memory locations, etc., at the end of the day is really just a representation of numbers in the form of electrical signals. It's a house of cards where every single bit is one of those cards. The card is either standing or it is not. The bit is either set or it is not.
Regardless of ethical concerns, I do have to say that this type of attack vector was well thought out, well planned, and yet even in some fashion a bit respectful. The reason I say a bit respectful is that it did not seek to "destroy or cause massive loss of life"; it was specifically targeted to control specific devices to cause minimal and controlled damage. In some ways I can partially respect it from the perspective of an engagement on a battlefield. This was one hell of a chess move!
And as we can see, this system, discovered back in 2010, is still being heavily studied here in 2024, almost 2025, nearly 15 years later. We'll be learning about this for the next 50-100 years. This is about as historic as the deciphering and reverse engineering of the Enigma machine during WWII.
I wonder who gave thumbs down? This is a great presentation.
Maybe some Iranians... ;-)
Maybe Mossad doesn't like you exposing their work
Mossad, NSA, or Langner competitors.
28:45 Which dots is he talking about here? His laser pointer isn't showing up on the video. The bottom image doesn't have the missing dots that the first two real SCADA screens had.
Is there a report or a writeup that details this? I would love to read this in PDF format
Langner's definitive work on Stuxnet is "To Kill A Centrifuge" www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
S4 Events thanks!
Very fascinating talk from one of the few people who were embroiled in understanding the Stuxnet attack. Would love to hear from Andrew Chien from Symantec as well. Langner, Chien, and many others involved were featured in the brilliant 2016 documentary "Zero Day" by Alex Gibney. I urge those interested in forensics, security, or really any other STEM field to check it out.
*** Eric Chien from Symantec
Check out the book "Countdown to Zeroday"
56:28 An interesting counterpoint to the "different approach" is the CrowdStrike bug that shut down all the airports in July 2024.
Because creating qualified images became a big pain, updates were delivered as data running like bytecode.
Sure, it was not a "targeted attack" in the same sense, but it had the same effect as one.
Batch files are most commonly known to be in the system part C
The configuration system of the batch file
Thanks for sharing this outstanding presentation!
It seems very obvious that this was an inside job of some sort. The amount of information required to pull these attacks off is stunning. There had to be a team of people working on this
Not an inside job, but espionage. This is what the CIA does.... get info like this.
Dutch secret service was involved as well. Apparently the physical USB insertion was done by an AIVD mole.
The NSA can get inside practically anywhere in the world remotely. They had full access to the software on the system, the CCTV, the whole network including the personal devices of many who worked there, thanks to Mossad for providing info & identities on those individuals.
How intelligent and creative the NSA is… is just mind blowing- couple that with virtually unlimited funding.
Siemens was involved; they even built a functional sandbox cascade to recreate the real-world conditions of the target, as Ralph says, even with the UF6.
Don’t forget unit 8200 joining in
The numbers in red are censored for the video?? Huh.
I like how the decompiled code still uses Windows type names: BOOL, DWORD etc.
These are common data types in S7, I'm pretty sure.
I imagine it's easier to stay anonymous if there's no personality to the code.
Love the HB Gary reference! XD
How about stuxnet. And I I came out and I put and I open changed in Google speaker system that has been changed in the program itself because the program itself is actually written Google docs system to be exact
So when will we have Felix Lindner's talk?
Felix was ill and sent hadez in his place. We are putting up two talks a week, so sometime in the next few weeks.
44:30. Unfortunately there are "valid" reasons inputs could be writable. When testing code, it's common practice to put simulation routines to emulate plant equipment. It doesn't have to be complicated, oftentimes it's just reflecting an output "run" signal to a "running" input. For various reasons, it's desirable to write as close to raw input as possible.
To be clear this code should 'never' make it to production, and if forgotten would typically be removed during commissioning. It's only something you'd ever see during dev, or perhaps for a digital twin/training rig.
But hell. This sort of intentional exploit is just straight up not something I've ever seen considered, even to this day.
Spoken as a process control engineer with about 10 years' experience across various industries.
Couple of follow-ups from the Q and A.
I'm assuming old-mate at 55:10 ish is referring to what I mentioned above. I agree with the host here, I have never come across a situation where writing to the input tables is required *in production*. And for my example above, I have to doubt there is a solution the vendor could implement to allow us engineers for our sim purposes.
I will disagree with the host about the authors of Stuxnet having an exact physical replica. Again, machines operate in predictable ways, which allows us to write sim code. If you see a run signal, put in some small delay, then reflect it back to the running input. The run speed feedback can ramp to the run speed setpoint according to some ramping rules.
How machines and processes interact is more complicated, but I'm sure someone with a strong understanding of how a centrifuge cascade works could predict how the target plant would respond.
Having a physical reproduction certainly wouldn't hurt though :)
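The simulation pattern these two comments describe (the RUN output mirrored back to a RUNNING input after a short delay, speed feedback ramping toward the setpoint) and the commissioning concern that such a block must never survive into production, as an added example that is not part of the original thread and is not the commenter's or Siemens' code. It is a toy Python model of a PLC scan cycle: the tag names RUN, RUNNING, SPEED_FB and SPEED_SP, the block names, the scan counts and the write audit trail are all constructed assumptions. The audit trail stands in for the protection the talk argues the controller itself lacked: every write into the input image is recorded with the name of the block that made it, so a forgotten simulation block shows up in a commissioning check even though the control logic still behaves normally.

```python
"""Toy PLC scan-cycle model (constructed example, not vendor code).

Two tables stand in for the process image: `inputs` should only ever be
filled by field I/O, `outputs` are written by the control program. A
simulation block emulates the plant by writing straight into `inputs`,
which is exactly the behaviour that must not exist in production.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class PLC:
    # Assumed tag names; a real project would have hundreds.
    inputs: Dict[str, float] = field(
        default_factory=lambda: {"RUNNING": 0.0, "SPEED_FB": 0.0})
    outputs: Dict[str, float] = field(
        default_factory=lambda: {"RUN": 0.0, "SPEED_SP": 0.0})
    blocks: List[Callable[["PLC"], None]] = field(default_factory=list)
    # Audit trail: (writer, tag, value) for every write into the input image.
    input_writes: List[Tuple[str, str, float]] = field(default_factory=list)
    scratch: Dict[str, float] = field(default_factory=dict)  # block-local state

    def write_input(self, name: str, value: float, writer: str) -> None:
        """The only path into the input image; records who wrote what."""
        self.input_writes.append((writer, name, float(value)))
        self.inputs[name] = float(value)

    def scan(self) -> None:
        """One scan cycle: run every block in program order."""
        for block in self.blocks:
            block(self)


def sim_routine(plc: PLC, delay_scans: int = 3, ramp: float = 100.0) -> None:
    """Emulate plant equipment: RUN -> RUNNING after a delay, feedback ramps to setpoint."""
    run = plc.outputs["RUN"] > 0.5
    delay = (plc.scratch.get("delay", 0) + 1) if run else 0
    plc.scratch["delay"] = delay
    plc.write_input("RUNNING", 1.0 if delay >= delay_scans else 0.0, "sim_routine")
    target = plc.outputs["SPEED_SP"] if run else 0.0
    fb = plc.inputs["SPEED_FB"]
    step = max(-ramp, min(ramp, target - fb))  # ramp-rate limited approach
    plc.write_input("SPEED_FB", fb + step, "sim_routine")


def control_logic(plc: PLC) -> None:
    """Genuine control code: reads the input image, writes only outputs."""
    plc.outputs["RUN"] = 1.0          # start command (constant for this demo)
    plc.outputs["SPEED_SP"] = 1000.0  # speed setpoint
    # Start-failure alarm: RUN commanded but no RUNNING feedback for >10 scans.
    waited = plc.scratch.get("waited", 0)
    waited = 0 if plc.inputs["RUNNING"] > 0.5 else waited + 1
    plc.scratch["waited"] = waited
    plc.outputs["START_FAIL"] = 1.0 if waited > 10 else 0.0


def build_program(include_sim: bool) -> List[Callable[[PLC], None]]:
    """Dev/test-rig program keeps the sim block; production must not."""
    return [sim_routine, control_logic] if include_sim else [control_logic]


def run_program(program, scans: int) -> PLC:
    plc = PLC(blocks=list(program))
    for _ in range(scans):
        plc.scan()
    return plc


def run_test_rig(scans: int) -> Tuple[float, float, float]:
    """Returns (RUNNING, SPEED_FB, START_FAIL) after `scans` cycles with the sim block."""
    plc = run_program(build_program(True), scans)
    return (plc.inputs["RUNNING"], plc.inputs["SPEED_FB"],
            plc.outputs.get("START_FAIL", 0.0))


def commissioning_check(program, scans: int = 20) -> List[str]:
    """Names of blocks that wrote to the input image; must be empty for production."""
    plc = run_program(program, scans)
    return sorted({writer for writer, _, _ in plc.input_writes})


if __name__ == "__main__":
    print("test rig after 15 scans:", run_test_rig(15))
    print("input writers, sim forgotten:", commissioning_check(build_program(True)))
    print("input writers, clean program:", commissioning_check(build_program(False)))
```

Without the sim block and without real field I/O the start-failure alarm fires after eleven scans, which is why the mirroring block is so convenient during development and so easy to forget; the check only works here because every input write goes through `write_input`, a hook this toy model assumes and which the talk's point is that the real controller did not provide.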
I wish someone had asked if they thought it was possible to consider a compromise where the input process image was not made immutable until the driver factory(s) were initialized at install-time. Oh well.
The Code is C++? Or Java Script?
@Eduardo Souza what's that?
I thought it was largely written in C (with some assembly bit-fiddling)?
Surely it would be almost impossible to keep track of a program this large written just in assembly language.
Edit: Just seen the part about the C-style pseudo code. This is probably what I've seen before so I assumed it was mostly C code.
@Eduardo Souza no it was written in c and c++
@@moose43h The language is called SCL or Structured Text (ST). It is a Pascal-based language that's used for programming Programmable Logic Controllers.
Folks, the high level code samples are translations from SCL to a C-like language in order to understand how the code is structured and what they intend to achieve. Those snippets were created manually and usually required a couple of days of work per SCL module (or function block/FB in Siemens parlance).
It's weird to see that even after 6 years S4 Events could not upload a proper FHD video of such a presentation, as if it just does not matter.... Not sure what to call it - Arrogance or Carelessness?
I'm sorry about that. We did not record it that way back in 2012, so this is the best quality we have. Back then it was 60 people in a small room with a single, simple camera. Now the Main Stage is a 4 camera shoot with a lot more emphasis on staging and other elements for the video. I too regret we don't have a higher quality video. So of your two choices, carelessness back during the recording is the answer.
@@S4Events I was so disappointed 5 days ago, I hope we had tech to upgrade the video at least to 480p.
But I do understand your response. Thanks for the reply.
Why would it be arrogance you mug
My master sent me here. ;)
I know
did they punish you for being a human too
Shlomo?
Shoot Don't Tell Us Nuclear Power Generation Use Read/Write Logic In Their Control System Design For Cooling. kdagPlymouthUK. Please Stay Blessed. GodBless S4.
“They know everything!” - But, they don't know C++ very well. 🤣
But it's true, as Ralph said; These are just design flaws. (as amusing as using loops, when struct/assert, may be preferred, speed, security, whatever…) The funny mistakes, as plentiful as they were, make no mistake, it worked.
6:48 geez, I guess Amazon and Google should stop using Apache, Spark, Nginx, Postgres, MongoDB, Linux, Bash, and other non-professional open source tools then. Boomer comment on an otherwise very cool talk.
How tf are these tools not professional?
@@josefaschwanden1502 I know right? I don't know why the speaker would imply that a tool is not professional because it is open source.
BTW, I hope they upstreamed their enhancements with a pull request. Otherwise, a very dick move.
@@elimgarak3597 he didn't imply that open source means bad quality, but that this specific open source project was. At least that's how I understood it.
He never implied that open source means bad quality. He's referring to the open source decompiler that he used to decompile StuxNet. Professional anti virus companies use commercial tools like IDA Pro to decompile executables.
@@urnan7499 "we had to make a couple of enhancements BECAUSE it is open source and not really professionally maintained". Ofc he is implying open source means bad quality, that is clear as water.
Did you check under stuxnet. EXE
Stuxnet.exe
Stuxnet.ini
Stuxnet.rar