New York Times: Obama Knew of Cyberattacks on Iran ◎ VOA (2012.06.01)


【Comment】

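The United States ran a cyber exercise called “Eligible Receiver 97” as early as June 1997, and was the first country in the world to have cyberwarfare capability. It set up its Cyber Command in May 2010, and the command became formally operational in October. In May 2011 it published its International Strategy for Cyberspace, and in July 2011 its defense strategy for cyberspace, declaring its entry into the “fifth battlefield” and stipulating that, in response to cyberwar against the United States, the United States would invoke its “right of self-defense” and retaliate with missiles and other armed force.
In September 2010 the “Stuxnet incident” occurred. Step 7, software developed by Germany's Siemens to control industrial machinery (pumps, generators), is widely used in power plants, water treatment and oil refineries. A nuclear facility in central Iran also adopted it. Using hacking techniques, the United States swapped in Stuxnet as “malware” (Malware), thereby exploiting weaknesses in the Windows system to control the Step 7 program, take over the rotation speed of the uranium separators, run the separators to destruction, and make the uranium separation work fail. Malware infection does not necessarily depend on a network connection; USB devices and human nature are also good routes. The problem is that if the United States is exposed as having led a cyberattack (against a nuclear facility rather than ordinary infrastructure), its later claims to a “right of self-defense” after being attacked will also lose much of their force. In addition, this further proves: who says the results of the 2012 elections cannot be swayed by cyberattacks?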

 

New York Times: Obama Knew of Cyberattacks on Iran ◎ VOA (2012.06.01)
http://www.voanews.com/chinese/news/20120601-iran-cyber-attack-156485485.html

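A leading American newspaper says President Obama has been directing secret and precise cyberattacks against Iran's main nuclear facility. Citing anonymous sources close to the program, The New York Times says the orders for the cyberattacks were issued in January 2009, after Obama took office, and that the program expanded America's cyberweapons program. The New York Times reports that the cyberattack program began under President George W. Bush. He encouraged President Obama to continue the program, and President Obama did so. The main tool used to carry out the attacks was a computer virus later named “Stuxnet.” It penetrated most of the closed-circuit computer network that operates Iran's main uranium enrichment facility at Natanz. The New York Times says Iran's computer network cannot connect to the Internet. How the virus got in remains a secret. The report says U.S. national security agencies worked with Israel to carry out the program jointly. Through the virus, the United States learned how important Iranian control systems operate, and then began the sabotage. By repeatedly starting and stopping the centrifuges in Iran's nuclear facility, it destroyed this precision equipment, which is generally believed to be used by Iran to produce weapons-grade uranium.

Iran and other Middle Eastern countries say they have recently discovered another virus, called “Flame.” Some experts believe this virus is more destructive than Stuxnet. However, reports from Iran and elsewhere say a way to avoid the virus has already been produced. The unnamed officials quoted by The New York Times did not discuss the details of the Flame virus. But they said Flame was not a tool in the U.S. cyberattacks on Iran's nuclear facility at Natanz. The New York Times report is based on interviews conducted over the past 18 months with current and former American, European and Israeli officials, as well as other experts. These officials and experts are all involved in cybersecurity and cyberwarfare work.

Meanwhile, satellite imagery obtained this week by an American research institute shows that Iran may be trying to remove traces of nuclear weapons testing at an important military base. The Institute for Science and International Security published on its website photographs of Iran's Parchin military facility, where buildings reportedly used for nuclear testing have been razed. The institute says the before-and-after satellite images show that Iran carried out on-site cleanup work. Its conclusion is that this heightens concern that Iran is working to eliminate evidence of past nuclear weapons work. The International Atomic Energy Agency has been negotiating in the hope of inspecting the military facility at Parchin. The authorities in Tehran say the site is used only to test conventional weapons.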

 

 

“Flame” Computer Virus Comparable to a “Cyberwar” Weapon ◎ cnyes (鉅亨網) (2012.05.30)
http://news.cnyes.com/Content/20120530/KFKFVW2KZLTMY.shtml?c=sh_stock

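The International Telecommunication Union and several computer security companies announced on May 28, local time, that a brand-new piece of computer malware with enormous destructive power had been discovered, and that it is the most complex computer virus in the world to date. Some computer security experts believe the new virus, named “Flame,” may be “a cyberwar weapon developed specifically by some country.”

Secretly Recording Audio

Experts explain that the most important use of the new virus is its espionage function. A computer infected with the virus will automatically analyze the user's browsing patterns, record user passwords, automatically take screenshots and save some files and communications, and can even covertly switch on the microphone to make secret recordings, then send the stolen material to the servers that remotely control the virus.
Flame has such powerful espionage capabilities because its program structure is extremely complex, a level no virus had reached before. It can copy itself and spread through USB storage devices and the Internet, and can accept commands from multiple servers around the world. Once it has finished its data-collection task, the virus can also destroy itself, leaving no trace.

Lurking for as Long as Five Years

Although the virus was discovered only recently, many experts believe it may have existed for as long as five years, and that thousands upon thousands of computers, including in Iran, Israel, Lebanon, Saudi Arabia and Egypt, have been infected with it. Its attacks also follow no regular pattern: personal computers, educational institutions, civil organizations of all kinds and state agencies have all been visited by it. E-mail, files, messages, internal discussions and the like are all targets of its collection. Roel Schouwenberg, a senior researcher at the well-known Russian computer security company Kaspersky, said: “If the Flame virus really has existed for five years without being noticed, then the only logical conclusion is that there must be other cyberattacks under way that we simply have not yet discovered.”

Beyond the Means of Hackers

Other experts believe the Flame virus is highly aggressive and extremely destructive. Neither individual hackers nor hacker companies have the capacity to develop it, so the virus was very likely developed by some country specifically for waging “cyberwar.” Schouwenberg pointed out that Flame contains roughly 20 times as much code as the previously discovered Stuxnet or Duqu viruses, and that there is evidence that Flame and Stuxnet are both controlled by the same organization or country. Before this, computer systems inside Iran's nuclear facilities had been attacked many times by Stuxnet and Duqu, leaving some centrifuges used for uranium enrichment unable to run. Iranian officials have accused the United States and Israel of developing and spreading Stuxnet and other viruses aimed at sabotaging Iran's nuclear program. After Flame was exposed, Iran decided to carry out emergency inspections of the computer systems of all the country's official bodies in order to rule out possible virus attacks.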

 

Cyberattacks on Iran — Stuxnet and Flame◎NY Times(2012.05.30)
http://topics.nytimes.com/top/reference/timestopics/subjects/c/computer_malware/stuxnet/index.html?8qa

Over the last few years, Iran has become the target of a series of notable cyberattacks, some of which were linked to its nuclear program.  The best known of these was Stuxnet, the name given to a computer worm, or malicious computer program.

According to an article in The New York Times in June 2012, during President Obama's first few months in office, he secretly ordered increasingly sophisticated attacks on Iran’s computer systems at its nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet.  Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

The Natanz plant was hit by a newer version of the computer worm, and then another after that.  The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it.  In 2011, Iran announced that it had begun its own military cyberunit, but there has been scant evidence that it has begun to strike back.

Internal Obama administration estimates say Iran’s nuclear program was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

Stuxnet appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives.  The code itself is 50 times as big as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of many groups that have dissected the code, said at a symposium at Stanford University in April.  Those forensic investigations into the inner workings of the code, while picking apart how it worked, came to no conclusions about who was responsible.

The Flame Virus: More Harmful Than Stuxnet?

A similar dissecting process is now under way to figure out the origins of another cyberweapon called Flame, a data-mining virus that in May 2012 penetrated the computers of high-ranking Iranian officials, sweeping up information from their machines.  But the computer code appears to be at least five years old, and American officials say that it was not part of Olympic Games.  They have declined to say whether the United States was responsible for the Flame attack.

In a message posted on its Web site, Iran’s Computer Emergency Response Team Coordination Center warned that the virus was potentially more harmful than Stuxnet.  In contrast to Stuxnet, Flame appeared to be designed not to do damage but to secretly collect information from a wide variety of sources.

Researchers at Kaspersky Lab in Moscow said that Flame is likely part of the same campaign as Stuxnet, though it appears to have been written by a different group of programmers.  They declined to name the government.

In April, Iran disconnected its main oil terminals from the Internet, after a cyberattack began erasing information on hard disks in the Oil Ministry’s computers.  Iranian cyber defense officials labeled that program Wiper.

The increasing number of cyberattacks on Iran runs parallel to a series of mysterious explosions and assassinations of nuclear scientists and underscores growing feelings among officials and normal Iranians that the country is increasingly targeted by covert operations, organized by the United States and Israel.

Origins of Stuxnet: A Bush Initiative

The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran.  At the time, America’s European allies were divided about the cost that imposing sanctions on Iran would have on their own economies.  Having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing another nation’s nuclear ambitions.  The Iranians seemed to sense his vulnerability, and, frustrated by negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence had been exposed just three years before.

Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush to consider a military strike against the Iranian nuclear facilities before they could produce fuel suitable for a weapon.  Several times, the administration reviewed military options and concluded that they would only further inflame a region already at war, and would have uncertain results.

For years the C.I.A. had introduced faulty parts and designs into Iran’s systems — even tinkering with imported power supplies so that they would blow up — but the sabotage had had relatively little effect.  General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America’s nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team.  It involved a far more sophisticated cyberweapon than the United States had designed before.

The goal was to gain access to the Natanz plant’s industrial computer controls.  That required leaping the electronic moat that cut the Natanz plant off from the Internet — called the air gap, because it physically separates the facility from the outside world. The computer code would invade the specialized computers that command the centrifuges.

The first stage in the effort was to develop a bit of computer code called a beacon that could be inserted into the computers, which were made by the German company Siemens and an Iranian manufacturer, to map their operations.  The idea was to draw the equivalent of an electrical blueprint of the Natanz plant, to understand how the computers control the giant silvery centrifuges that spin at tremendous speeds.  The connections were complex, and unless every circuit was understood, efforts to seize control of the centrifuges could fail.

Eventually the beacon would have to “phone home” — literally send a message back to the headquarters of the National Security Agency that would describe the structure and daily rhythms of the enrichment plant.

It took months for the beacons to do their work and report home, complete with maps of the electronic directories of the controllers and what amounted to blueprints of how they were connected to the centrifuges deep underground.

Developing a Complex Worm Called ‘The Bug’

Then the N.S.A. and a secret Israeli unit respected by American intelligence officials for its cyberskills set to work developing the enormously complex computer worm that would become the attacker from within.

Soon the two countries had developed a complex worm that the Americans called “the bug.”

The first attacks were small, and when the centrifuges began spinning out of control in 2008, the Iranians were mystified about the cause, according to intercepts that the United States later picked up.

The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally.

Imagery recovered by nuclear inspectors from cameras at Natanz — which the nuclear agency uses to keep track of what happens between visits — showed the results. There was some evidence of wreckage, but it was clear that the Iranians had also carted away centrifuges that had previously appeared to be working well.

By the time Mr. Bush left office, no wholesale destruction had been accomplished. Meeting with Mr. Obama in the White House days before his inauguration, Mr. Bush urged him to preserve two classified programs, Olympic Games and the drone program in Pakistan. Mr. Obama took Mr. Bush’s advice.

Obama Authorizes Cyberattacks to Continue

Mr. Obama authorized the attacks to continue, and every few weeks — certainly after a major attack — he would get updates and authorize the next step. Sometimes it was a strike riskier and bolder than what had been tried previously.

In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage.

An error in the code had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.

The question facing Mr. Obama was whether the rest of Olympic Games was in jeopardy, now that a variant of the bug was replicating itself “in the wild,” where computer security experts can dissect it and figure out its purpose.

Within a week, another version of the bug brought down just under 1,000 centrifuges. Olympic Games was still on.

 

 
