Bought my first house

[DBTrek]

Or ...maybe it IS how it was done (just did a quick search on this):

...Researchers now know that the sabotage-oriented code first attacked five component vendors that are key to Iran's nuclear program, including one that makes the centrifuges Stuxnet was targeting. These companies were unwitting Trojan horses, security firm Kaspersky Lab says. Once the malware hit their systems, it was just a matter of time before someone brought compromised data into the Natanz plant (where there's no direct internet access) and sparked chaos. As you might suspect, there's also evidence that these first breaches didn't originate from USB drives. Researchers saw that Stuxnet's creators compiled the first known worm mere hours before it reached one of the affected companies; unless there was someone on the ground waiting to sneak a drive inside one of these firms, that code reached the internet before it hit Natanz....


https://www.engadget.com/2014-11-13-stu ... first.html

Compromise the hardware vendors - let the rest run it's due course.
No secret weaponry.
Using the same tactics that have always worked - reach isolated systems through necessary hardware updates.
Another path is using inside agents.

[Smitty-48]

I've read the media reports which quotes "anonymous American intelligence officials" stating that it was delivered by MEK agent with a thumb drive

that actually strikes me as a cover story

one reason being the Iranians were on high alert for that, unsupervised access to USB ports seems unlikely, they were watching everybody in there all the time

but also, any official revealing the actual method would be committing treason, so seems unlikely that they would be giving the real story

[DBTrek]

I only know what the independent security experts say.
In this case, Kapersky says they did it through fairly well known and effective means.
/shrug

I doubt there's a magic CIA hack-from-afar with no connectivity weapon - simply beacuse Stuxnet is so old that we would have almost certainly have seen this weapon used again and again by now.
But ... it's not like the CIA would advertise it if it existed.

[Smitty-48]

I just don't find the thumb drive story plausible

it wasn't just that the computers were not connected to the outside world, they weren't even connected to each other

there were multiple levels of computers, none of which were connected to the other, these computers were not networked internally

one USB drive wouldn't get it done, because it had to jump to other computers in the facility from there without any connections between them

[Smitty-48]

like the Iranians did everything right

they had all their computers working in isolation, not hooked up to anything. they had them on multiple floors, with no connections between them

somebody would have had to go to each computer and insert the virus manually, over & over, that just doesn't seem plausible with the level of draconian security in play

[Smitty-48]

you have these isolated computers on different floors, each one running a centrifuge array

none of them are connected to each other, they don't talk to each other, there's no interface from computer to computer

yet they are all running a coordinated ruse at the same time, seamlessly so nobody notices

that is slick, there's no way for them to communicate, yet somehow they are all working in concert undetected

it's not just that Stuxtnet got in

it got in everywhere at once and was coordinating between computers which were not connected to each other

[Smitty-48]

to the larger point tho,

operational nuclear weapons security is tight, but not crazy paranoid Iranian secret program tight

if you can get into Natanz, you can get into the Russian Strategic Rocket forces computers much more easily

the Iranians hold people's families hostage, they torture people to death, they have no limits

the Russians don't have that level of security, not even close, and certainly NORAD doesn't neither

[Smitty-48]

bear in mind I'm not saying you can hack in to launch nuclear missiles

that's not computerized at all, that's entirely mechanical, you have to turn a physical key

what you would hack into the is the higher command & control which sends the orders to those guys who turn the keys

the point of attack is the early warning systems, to blind them, and only for the few minutes required

[SuburbanFarmer]

The most credible story I heard about Stuxnet was that they hacked the PLCs, not the actual computers.

[Smitty-48]

in the case of the Russian Perimeter or Dead Hand system

that has to be turned on

and even if it is autonomous once it is turned on

the turning on part has to be networked

which means turning it off is networked as well

the Natanz effect is when it is telling the Kremlin it is on, when in fact you have turned it off