How Stuxnet Took Down an Iranian Nuclear Facility

Back around the beginning of the century, way out in the middle of the Iranian desert there was this irrigation facility (or so the Iranians called it). But there was something oddly suspicious about it. Not that there was an irrigation facility in the desert, but that it seemed to be misplaced. There appeared to be no farms served by it. And it had significant air defenses. 

In reality, it had nothing to do with irrigation, or agriculture. 

The name of the facility was the “Natanz Fuel Enrichment Plant”. Enrichment? Yes, but not agricultural enrichment. Instead, it was a uranium enrichment facility. Like for nuclear fuel; or weapons. The enrichment facility housed centrifuges. 

To enrich uranium, the centrifuges have a large tube running down the center. The tube spins – at 63,000 revolutions per minute (RPM). But it spins off-center. So yes, that would make it unstable. So much so that the straight tube will bend in the middle and take on a banana shape. Because of this design, the speed HAS TO BE tightly controlled. Too fast and it will blow apart. The rate of spin is controlled by a small, embedded computer called a Programmable Logic Controller (PLC). 

PLCs aren’t only found in uranium enrichment. They are in every industrial application on the planet. You find them anywhere robotics are used. Like manufacturing and warehousing; water, gas, oil, and electric distribution; etc. And they are INCREDIBLY vulnerable to viruses. Like the one discovered in 2010. 

Back in 2010 some antivirus researchers found this malware. It was unlike anything they had ever seen. They named it Stuxnet. On the website “Wilders Security Forum” a researcher named Sergey Ulasen disclosed that he had found this virus on 17 June 2010. He had looked through the extensive code and found much that was atypical of run-of-the-mill viruses. For one, there were no bugs. It seems normal viruses are riddled with them. Lack of quality control, I guess. But Stuxnet was entirely bug-free. Weird. According to the researchers, only a nation state would have this level of QC. 

The Stuxnet virus (way before 2010) had found its way into (or was specifically targeting) the Natanz plant. It was designed to spend the first 13 days recording normal centrifuge operations. Then when it attacked, it simply played back the normal recordings to the operators. To the operators, everything looked normal. In reality, the centrifuges were spinning at about 80,000 RPM. Until BOOM. The centrifuges began to blow apart. 
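The record-and-replay trick described above has a defensive counterpart: real sensor readings carry measurement noise, so an operator display that exactly repeats an earlier stretch of telemetry is almost certainly showing a recording rather than a live feed, and a reading that disagrees with an independent measurement is a second red flag. The script below is an added example, not code from the column or from any real plant; the RPM stream, the replayed segment and the "independent sensor" (assumed to be an out-of-band measurement the PLC does not control, such as a separate vibration or power-draw channel) are all constructed.

```python
"""Replay detection over a stream of centrifuge speed readings.

Added, constructed example (not from the original column). Two checks:
  1. exact-repeat detection: a window of readings that is byte-for-byte
     identical to an earlier window of the same stream;
  2. cross-check against an independent sensor the controller cannot
     rewrite (assumed to exist for this example).
All values are constructed with a seeded RNG so the run is repeatable.
"""
import hashlib
import random

WINDOW = 10  # consecutive readings compared as one block


def window_fingerprint(readings):
    """Hash a block of readings so windows can be compared cheaply."""
    data = ",".join(f"{r:.3f}" for r in readings).encode()
    return hashlib.sha256(data).hexdigest()


def find_replayed_windows(readings, window=WINDOW):
    """Return (start_index, first_seen_index) for every window that exactly
    repeats an earlier window of the same stream. With noisy real-world
    sensor data an exact repeat is implausible, so any hit is an alert."""
    seen = {}   # fingerprint -> index of the first window with that content
    hits = []
    for start in range(len(readings) - window + 1):
        fp = window_fingerprint(readings[start:start + window])
        if fp in seen:
            hits.append((start, seen[fp]))
        else:
            seen[fp] = start
    return hits


def cross_check(displayed, independent, tolerance):
    """Indices where the operator-facing value disagrees with the
    independent measurement by more than `tolerance` RPM."""
    return [i for i, (d, a) in enumerate(zip(displayed, independent))
            if abs(d - a) > tolerance]


def constructed_stream(seed=7):
    """Build one constructed scenario: 60 s of live readings near 63,000 RPM,
    then 20 s during which the display replays seconds 10-29 while the
    independent sensor sees the rotor at roughly 80,000 RPM."""
    rng = random.Random(seed)
    live = [63000 + rng.gauss(0, 15) for _ in range(60)]
    replayed = live[10:30]                       # what the attacker plays back
    displayed = live + replayed                  # what the operator screen shows
    actual = live + [80000 + rng.gauss(0, 15) for _ in range(20)]
    return displayed, actual


def analyse(seed=7):
    """Run both checks and return a summary dict."""
    displayed, actual = constructed_stream(seed)
    replays = find_replayed_windows(displayed)
    disagreements = cross_check(displayed, actual, tolerance=500)
    return {
        "replay_hits": replays,
        "first_replay_at": replays[0][0] if replays else None,
        "disagreement_count": len(disagreements),
        "first_disagreement_at": disagreements[0] if disagreements else None,
    }


if __name__ == "__main__":
    summary = analyse()
    print(f"replayed windows: {len(summary['replay_hits'])}, "
          f"first at t={summary['first_replay_at']}s")
    print(f"independent sensor disagrees at {summary['disagreement_count']} "
          f"samples, first at t={summary['first_disagreement_at']}s")
```

The exact-repeat check needs no second sensor and catches the replay the moment a full window of old data has been shown; the cross-check is the stronger control, since it catches any falsified display, but it only works if the independent channel is wired so the compromised controller cannot rewrite it.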

The International Atomic Energy inspectors noticed these centrifuges were suddenly and quietly removed. Certain people working at the facility were just gone. 

Researchers found that the virus was designed so that on January 11, 2009 at 3:25 PM the heartbeat of Stuxnet came to a grinding stop. Coincidentally just a few days before President Obama’s inauguration. There was a kill date in the code. Ostensibly because the Bush administration couldn’t have an attack of this magnitude crossing administrative boundaries. It would need to be reauthorized by the new President of the United States. And it was. 

The accusation, it seems, was that the code was written by the National Security Agency (NSA). They were authorized to do so by Title 10 (operations for the US military) Computer Network Operations (CNO) under USCYBERCOM direction and legal authority, and had a budget of $52.6 billion. Mostly for offensive cyber operations. 

But the NSA wasn’t alone. They had built the code for Israeli intelligence: Mossad. When Stuxnet (the NSA didn’t call it that, by the way. They called it “Olympic Games”) was released to Mossad, it was stealthy. It was surgical. A little too much, it seems, for Mossad. Remember, the earlier code had a kill switch. This was an updated version under the Obama administration. And in 2010 Mossad changed the code. 

It was noisier. It was less surgical. And it escaped. Once in the wild, it flooded the earth. For the last decade or so it has been altered by Russia, China, North Korea, Iran, and anyone else with the technical capability. And then it was sent to the US. To our infrastructure. 

A few months ago we informed you here that our critical national infrastructure was infiltrated by enemy nation states. It is quite probable that this is how it happened. 

It’s like the old Cold War days of Mutually Assured Destruction. But this time it’s a silent killer. There won’t be any bombs. There will just be … nothing. The power one day might just turn off. And never turn back on. 

The original article was published in the Sierra Vista Herald and can be found here.

Change Healthcare Hack Sparks New Cybersecurity Regulations 

On February 12, 2024, hackers from the ransomware group ALPHV used credentials found on the dark web to log in remotely to the Change Healthcare network servers. Because the company did not require multi-factor authentication, the hackers gained full access to one of its key servers and, after a week, dropped ransomware, shutting down much of the network. 

If that wasn’t bad enough, in April, ALPHV executed a double-extortion attack by hitting Change with a second round of ransomware. They claimed to have 4TB (a huge amount) of the company’s data containing personally identifiable information belonging to active US military personnel and other patients: medical records, payment information, etc. ALPHV warned that they would sell the data to the highest bidder if the ransom was not paid within twelve days. Change admitted to paying the $22M ransom. 

The hacks caused serious cashflow issues for small and medium-size healthcare providers and delays in processing claims. (Change Healthcare, a subsidiary of UnitedHealth Group, is one of the world’s largest health payment processing companies. It is a clearing house for 15 billion claims yearly, accounting for 40% of national claims.) The government stepped in to offer short-term loans until the claims could be processed. 

Although Change reacted quickly to avoid spreading the ransomware to the UnitedHealth network, they failed to notify customers and vendors as required by the Health Insurance Portability and Accountability Act (HIPAA). In May, more than 100 medical associations banded together to urge federal regulators to hold Change responsible. In June, notifications went out to patients, providers, and vendors. 

Three months later, after two hearings on the matter, the Senate Committee on Finance decided to draft a law called the Health Infrastructure Security and Accountability Act (HISAA) to work in conjunction with HIPAA. According to the FBI, the healthcare sector is the #1 target of ransomware. They claim that the hacks are entirely preventable and are a direct result of lax cybersecurity practices by healthcare providers. They add that healthcare has some of the weakest cybersecurity rules of any federally regulated industry. 

If passed, HISAA will establish newer, stronger, stricter security requirements applicable to HIPAA-covered entities and business associates. That includes large and small organizations alike. The Cybersecurity and Infrastructure Agency will decide minimum requirements; annual risk assessments involving disaster planning, recovery planning, and incident handling must be developed by an independent auditor; organizational leadership will be required to sign a document affirming their compliance. And thanks in large part to Change Healthcare’s lateness in notifying the public of the ALPHV security breach, transparency requirements will also tighten up tremendously. HHS must be notified within 24 hours. Affected individuals must be notified within 48 hours, and if the breach affects more than 500 people, the media must be notified within 72 hours. 

The bill has teeth due to its heavy penalties and fines for non-compliance. HISAA would establish tiered monetary penalties of up to $5,000 per day for failure to meet the new minimum and enhanced security requirements. 

HISAA has not yet been signed into law. It promises to provide the oversight and enforcement structure that was largely missing from HIPAA. This may cause additional burdens that local healthcare providers will have to bear. They can thank Change Healthcare for the increased scrutiny. If you are a local healthcare provider, you are not alone. Your friendly neighborhood Cyber Guys can help guide you along the path to solid cybersecurity defenses and compliance with any new cyber laws. 

The original article was published in the Sierra Vista Herald and can be found here.