
DRAGONS, TIGERS, PEARLS, AND YELLOWCAKE:

FOUR STUXNET TARGETING SCENARIOS

By Jeffrey Carr

16 November 2010

TAIA GLOBAL

Executive Cyber Protective Services

copyright 2010 jeffrey carr all rights reserved • https://taiaglobal.com • 360 301-1716


Dragons, Tigers, Pearls, & Yellowcake:

Four Stuxnet Targeting Scenarios

“In the rush to examine a criminal’s behavior, it is not difficult to become distracted by the dangling carrot of that criminal’s potential characteristics and forget about the value of understanding his victims.” - Brent Turvey

“When a person commits a crime something is left behind at the scene of the crime that was not present when the person arrived.” - Locard’s Principle of Exchange

Introduction [1]

The discovery of the Stuxnet worm has initiated a major shift in thinking by everyone from Information Security engineers to government officials about how offensive cyber operations are being conducted by State and Non-State actors. There’s been extensive technical analysis [2][3][4][5] done on the malware’s code, and several anti-virus companies have released their sometimes conflicting data on infection statistics [6]; however, a lot of unknowns remain, including the worm’s purpose, its target or targets, and who designed it. In other words, we’ve found the weapon used to commit a crime but we don’t know who the attackers are, nor the intended victims, nor the purpose of the attack. The goal of this white paper is to demonstrate how investigating the victims of a cyber attack may yield clues as to its purpose as well as the identity of those responsible. While this paper focuses upon the Stuxnet worm, the concept and different modalities of alternative analysis [7] may be applied to other cyber attacks as well.

[1] This white paper was written before it became clear that Iran’s fuel enrichment plant at Natanz and possibly other Iranian installations were the target.

[2] Siemens “Stuxnet Malware” official communication presented by Thomas Brandstetter at CIP Seminar 02 Nov 2010

[3] Symantec “W32.Stuxnet Dossier” by N. Falliere, L. O’Murchu, E. Chien, Sep 2010

[4] VirusBlokAda, “Trojan Spy 0485 and Malware Cryptor Win32 Inject.gen2 Review” by K. Oleg, U. Sergey, June 17, 2010

[5] ESET “Stuxnet Under The Microscope” by A. Matrosov, E. Radionov, D. Harley, J. Malcho, Sept 2010

[6] “Myrtus and Guava: the Epidemic, the Trends, and the Numbers” http://www.securelist.com/en/blog/325/Myrtus_and_Guava_the_epidemic_the_trends_the_numbers

Symantec, Kaspersky, and Microsoft have released infection rates numbering in the thousands across dozens of countries; however, they were not all victims of the Stuxnet worm. According to Liam O Murchu, Manager of Operations, Symantec Security Response, only a small percentage of those infected hosts had the software configuration that matched Stuxnet’s attack code [8]. Siemens AG has publicly stated [9] that it’s aware of only 15 victims of the Stuxnet worm, five of which are in Germany with others in the U.S., the E.U., and Asia. Symantec’s W32.Stuxnet dossier featured one graph (see figure 1 below) of infected hosts that had Siemens Step 7 software installed; however, the fact that S7 software is present doesn’t mean that the Stuxnet worm is active. According to Symantec’s latest update [10], the worm targets a specific industrial process involving frequency convertor drives (aka variable frequency drives) which are manufactured by Vacon PLC of Finland and Fararo Paya of Iran. Those drives are then issued commands to operate in ways that will gradually cause the system to malfunction and ultimately break down. According to Vacon’s website, the uses for these drives are quite varied but include mining and mineral solutions. [11]

[7] Richards J. Heuer, “The Future of Alternative Analysis”, presentation from ODNI conference Jan 9-10, 2007:

[8] Told to the author in a phone conversation on Nov 15, 2010

[9] Cyber worm found at German industrial plants (http://www.thelocal.de/national/20101002-30225.html)

[10] “Stuxnet: A Breakthrough”: http://www.symantec.com/connect/blogs/stuxnet-breakthrough

[11] Vacon company website (Industrial Segments page): http://www.vacon.com/Default.aspx?id=469223

While it’s important to understand that there are only a small number of actual “victims” among the 100,000 or more hosts infected by the Stuxnet worm, no one has an accurate count nor does anyone know precisely when this attack began. Regardless of whose statistics you look at (Symantec, Microsoft, or Kaspersky), the majority of states impacted by Stuxnet are in Asia and Central Asia with outliers in Africa, South America and North America. If you think of these states as multiple victims of the same unknown threat actor, then clues as to who the actor is may be extrapolated from what the victims have in common. For example, China, Russia, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, India, Pakistan, Iran, and Mongolia are all members of the Shanghai Cooperation Organization (SCO), which is a Central Asia collective working in areas related to commerce and security. Many of the affected states are also members of the Group of 15 (G15), which is the developing nations’ answer to the better known Group of 8 (G8).

There are, of course, many relationships that exist between nations but the most important relationship to be considered is what makes them a potential target for the creators of the Stuxnet worm. After studying this attack for more than 3 months, I’ve identified four possible targeting scenarios:

• Rare-Earth Metals Producing States

• Uranium-producing States

• Corporate Sabotage To Discredit Siemens AG

• Protecting the Malacca Straits (String of Pearls)

Attack Scenario #1: Rare-Earth Minerals Producing States

People’s Republic of China    India           Brazil
Malaysia                      Australia       United States
Canada                        South Africa    Kazakhstan

Table 1: Rare earth producing States with Stuxnet infections highlighted

The top producing countries of rare earth minerals are China, India, Brazil, and Malaysia [12]. The People’s Republic of China provides 95% of the world’s demand for rare earths while holding 35% of the world’s supply. [13] As a result, other nations are stepping up their own mining production; the top 3 of which are India, Brazil, and Malaysia, and all of whom are on the Stuxnet list of affected nation states. Other rare earth producing states are Canada, Australia, United States, Kazakhstan, and South Africa; the last 3 of which have reported Stuxnet infections.

Opportunity: As of November 2010, there are 251 individual active rare-earth projects in different stages of development, run by 165 companies in 24 different countries outside of China [14].

Motive: sabotage competitors’ mining operations to further consolidate control over the global supply of essential rare-earth metals.

Means: Target the most promising mining operations for attack. Here are a few possibilities taken from the top 13 picks in the TMR Advanced Rare-Earth Projects Index [15]:

• Bear Lodge (Bull Hill Zone) - Wyoming, USA: operated by Rare Element Resources Ltd. (TSX.V:RES, AMEX:REE);

• Kutessay II – Chui, Kyrgyzstan: operated by Stans Energy Corp. (TSX.V:RUU);

• Mountain Pass – California, USA: operated by Molycorp Inc. (NYSE:MCP);

• Nechalacho (Thor Lake Basal Zone) – Northwest Territories, Canada: operated by Avalon Rare Metals Inc. (TSX:AVL; OTCQX:AVARF);

• Steenkampskraal – Western Cape, South Africa: operated by Great Western Minerals Group Ltd. (TSX.V:GWG, OTCBB:GWMGF) in association with Rare Earth Extraction Co.;

• Strange Lake (B Zone) – Quebec, Canada: operated by Quest Rare Minerals Ltd. (TSX.V:QRM);

• Zandkopsdrift – Northern Cape, South Africa: operated by Frontier Rare Earths Ltd. (TSX:FRO from 11/17/10 onwards);

• Zeus (Kipawa) – Quebec, Canada: operated by Matamec Explorations Inc. (TSC.V:MAT, PK:MTCEF).

Assessment

Although rare-earths are a probable candidate for future cyber attacks modeled after the Stuxnet worm, they are highly unlikely to be the current target. Production by states other than China is still in a very early stage and it may be 4 years or longer before new projects go online.

[12] Global InfoMine Website: http://www.infomine.com/commodities/rareearth.asp

[13] Yale Global Online: “China’s Chokehold on Rare Earth Metals Raises Concerns” http://yaleglobal.yale.edu/content/chinas-rare-earth-minerals

[14] Value Metrics for 13 Advanced Rare Earth Projects: http://www.resourceinvestor.com/News/2010/11/Pages/Comparative-Value-Metrics-for-13-Advanced-RareEarth-Projects.aspx

[15] Ibid

Attack Scenario #2: Uranium Producing States (Asia)

The list of states in Asia who are engaged in mining Uranium as well as Uranium enrichment and fuel fabrication closely aligns with the list of states reporting Stuxnet infections (highlighted):

People’s Republic of China    India                                    Kazakhstan
Republic of Korea             Democratic People’s Republic of Korea    Kyrgyzstan
Mongolia                      Pakistan                                 Russian Federation
Saudi Arabia                  Tajikistan                               Turkey
Iran                          Uzbekistan                               Vietnam

Table 2: Uranium mining and fuel enrichment data source: (http://www.wise-uranium.org)

Iran’s Natanz nuclear reactor has been mentioned in the press as a potential target; however, according to the IAEA, 2008 was the year that the Fuel Enrichment Plant at Natanz suffered a significant drop in performance. The cause for that drop is not known but there is a lot of speculation ranging from incompetence to sabotage [16]. Whatever the reason, it happened before the earliest Stuxnet sample was discovered (June, 2009).

Figure 2: Timeline from Symantec’s W32.Stuxnet dossier

Stuxnet has frequently been classified as a state or state-sponsored attack; however, starting in 2009 there’s been a marked increase of anti-nuclear power protests in Germany, Russia, Finland, and France by activist organizations like Ecodefense, ECOperestroika, Greenpeace, the Green League, and Ydinverkosto, a movement in northern Finland which opposes uranium mining and nuclear power. Finland is of particular interest since one of the two frequency convertor drives that Stuxnet issues commands to is made by a Finnish company, Vacon PLC. Some of the above-mentioned groups self-identify as anarchists and are on various law enforcement watchlists for engaging in acts of ecoterrorism. [17] Whether members of these groups have the requisite technical skill or the funds to create Stuxnet or similar malware is a matter for the respective state agencies to investigate.

[16] ISIS Report “Iran’s Gas Centrifuge Program: Taking Stock”: http://isis-online.org/isis-reports/detail/irans-gas-centrifuge-program-taking-stock/#9

Opportunity: Greenpeace is well-funded and has frequently conducted actions against nuclear facilities of the type that Stuxnet may be targeting. It is not known whether any members of Ydinverkosto are employed by Vacon or have contacts there.

Motive: Nuclear power plants, uranium mines, and Fuel Enrichment facilities are popular targets for environmental activists as well as eco-terrorists. The use of a virus like Stuxnet provides these groups with the ability to disrupt operations at targeted facilities with little to no risk to their members.

Means: Whether any of these groups have the resources or skill sets to develop, test, and launch this level of malware is unknown to the author at this time; however, Greenpeace France has been the victim of a cyber attack allegedly sponsored by French energy company EDF (see Attack Scenario #3).

Assessment: More information is needed about the financial assets and technical capabilities of these environmental action groups before an accurate assessment can be made; however, these actors may pose a credible threat to this sector in the next few years.

Attack Scenario #3: Corporate Sabotage Against Siemens AG

The link that connects all of Stuxnet’s victims is that they are Siemens’ customers. This fact raises the possibility that the threat actor responsible for the Stuxnet worm is a competing company who would benefit by creating an aura of uncertainty or lack of trust in Siemens products. The following is an incident which began in March, 2009 and may not end until January, 2012 [18], which falls within the three year lifespan of Stuxnet:

• June, 2009 (earliest Stuxnet sample seen)

• June 24, 2012 (the date found in Stuxnet’s config file)

[17] EcoDefense and Repression in Russia: (Oct 19, 2010): http://www.crimethinc.com/blog/2010/10/19/eco-defense-and-repression-in-russia/

[18] Symantec’s timeline for Stuxnet lists June, 2009 as first Stuxnet sample seen and June 24, 2012 as the scheduled “kill date” for the worm (W32.Stuxnet Dossier v 1.3, p.4)

EU Commission Filing: Areva versus Siemens

On March 4, 2009, France 24 [19] published a news story about French nuclear giant Areva publicly accusing Siemens of breaching its non-compete clause with Areva when it formed an alliance with Russian Federation-owned Rosatom to become “the world leader in civilian nuclear technology” - a sector currently led by Areva and estimated to be worth 1 trillion dollars.

On June 2, 2010, the European Commission launched an inquiry [20] into the anti-compete clause in Siemens joint venture agreement with Areva - Areva NP.

Figure 3: Graphic depicting Areva NP’s services (source: www.areva-np.com)

[19] France 24 International News (March 4, 2009): http://www.france24.com/en/20090304-areva-says-siemens-venture-with-rosatom-breaches-contract

[20] Antitrust: Commission opens an investigation into alleged restriction of competition between Areva and Siemens (June 2, 2010): http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/655&format=HTML&aged=0&language=EN&guiLanguage=en

Opportunity: As former majority partner with Siemens in the joint venture Areva NP, Areva has inside knowledge of Siemens operational instrumentation and control systems which it supplied for their nuclear power plant projects.

Motive: Siemens is seeking to take Areva’s place in a joint venture with Rosatom that could be worth 1 trillion dollars. Should Siemens suffer a reputation or trust issue in the global marketplace, it may convince Rosatom to reconsider its plans and stay with Areva.

Means: Areva SA is the world’s largest nuclear energy company with 2009 revenues of €14bn (+6.4%). [21] The French government owns 90% of Areva.

Assessment: There is a low to moderate likelihood that Areva planned and launched Stuxnet with the intention of de-railing the Siemens - Rosatom deal. In order for such a plan to succeed there would have to be multiple reports of failures due to Siemens applications, which have not occurred. Stuxnet has not harmed Siemens profits to date and Rosatom’s interest in working with Siemens has not diminished over the past year or more. Although there’s no evidence of Areva being involved in sponsoring cyber attacks of any kind, there is a broader precedent of a French company engaging in those activities. Électricité de France (EDF) is the world’s largest utility company with €66.34 billion in revenues in 2009, operating a diverse portfolio of 120,000+ megawatts of generation capacity in Europe, Latin America, Asia, the Middle-East and Africa. EDF is being investigated by a French prosecutor for allegedly hiring Kargus Consultants to conduct a cyber attack against the director of Greenpeace France in 2006 [22].

[21] Areva Annual Report 2009: http://www.areva.com/EN/news-8247/annual-results-2009.html

[22] Bloomberg “EDF Should Face Greenpeace Computer-Hacking Trial, French Prosecutor Says”: http://www.bloomberg.com/news/2010-09-06/edf-should-face-greenpeace-computer-hacking-trial-french-prosecutor-says.html

Attack Scenario #4: The String of Pearls

The People’s Republic of China (PRC) is actively involved in acquiring mining companies or embarking on joint ventures with them to fulfill its increasing demand for energy resources for which it has serious shortages (table 3).

SERIOUS SHORTAGE           SHORTAGE     NO SHORTAGE
Chromium                   Oil          Titanium
Copper                     Uranium      Sulfur
Zinc                       Iron
Cobalt                     Manganese
Platinum Group Elements    Bauxite
Strontium                  Tin
Potassium                  Lead
Boron                      Nickel
Diamond                    Antimony
                           Gold

Table 3: Source: ResourceInvestor.com (Dec 10, 2009) [23]

In addition to the minerals and metals above, China needs to import natural gas. Of the three countries reporting the highest rates of Stuxnet-infected hosts (Iran, India, Indonesia), Indonesia is the world’s largest exporter of Liquefied Natural Gas (LNG) and coal used in power stations, and it has the largest gold mine and recoverable copper reserve. [24]

Iran’s oil exports to China jumped 30% in the last 9 months according to OPEC [25]. Russia, Kazakhstan and other nations in the Commonwealth of Independent States (CIS) export oil to China through the Atasu to Alashankou pipeline, financed by China’s popular loan-for-oil program.

Unlike Indonesia and Iran, India is China’s competitor for energy resources, particularly oil for which it’s the world’s fourth largest consumer (China is currently in second place after the U.S.). In fact, India is almost entirely dependent on external resources for its growing energy needs. This puts India and China at odds over securing energy resources as well as ensuring that key choke points like the Malacca straits remain open.

[23] ResourceInvestor.com http://www.resourceinvestor.com/News/2009/12/Pages/Himfr-China-seriously-short-on-nine-kinds-of-mineral-resources.aspx

[24] Ibid

[25] Tehran Times (Nov 12, 2010): http://www.tehrantimes.com/index_View.asp?code=230364

China’s strategy to combat India’s own security interests in this region is one of engaging in foreign development projects at key locations along the oil shipping lanes. Each location is known as a “pearl”. Christopher J. Pehrson lists a few examples in a paper [26] that he wrote on this subject for the U.S. Army Strategic Studies Institute:

• Hainan Island - upgraded military facilities

• Woody Island - upgraded airstrip

• Chittagong, Bangladesh - constructed a container shipping facility

• Sittwe, Myanmar - constructed a deep water port

Apart from these examples, the states most often referred to as part of China’s String of Pearls strategy are Pakistan, Sri Lanka, Myanmar, and Bangladesh. India has responded by building its own alliances in that region and holding military exercises with the Gulf Cooperation Council and Iran, among other contingencies.

Opportunity: The Chinese government is negotiating energy deals, joint ventures or acquisitions with companies that are located along the Malacca Straits, which India is trying to counter by making its own strategic alliances in some of the same countries.

Motive: China’s reliance on foreign sources to meet its energy needs increases every year. It must continually succeed in acquiring assets as well as developing new resources on foreign soil, yet avoid escalating military tensions with India, its chief competitor. India has similar needs and motivations.

Means: Siemens has a strong presence in China. It was a global sponsor of China’s World Shanghai Expo 2010. Its PLC SIMATIC Step 7 software targeted by Stuxnet is used in the radial gate control of the largest electricity-generating plant in the world - the Three Gorges dam in Hubei province. There’s no question that China has the capability of developing and launching malware sufficient to the task and it’s highly likely that its cyber capabilities exceed that evidenced by the creators of the Stuxnet worm.

Siemens also has a large presence in India with 18 manufacturing plants employing 17,000 people so finding individuals with the necessary skills to create malware on the scale of Stuxnet would not be a problem.

Assessment: There is a low to moderate likelihood that Stuxnet’s creators had planned to sabotage a competing state’s operations along the Straits of Malacca and other choke points for strategic advantage in the uninterrupted flow of oil and other critical resources.

[26] Pehrson, Christopher J. LCOL USA “String of Pearls: Meeting the Challenge of China's Rising Power Across the Asian Littoral” http://www.strategicstudiesinstitute.army.mil/pubs/display.cfm?pubid=721

SUMMARY:

There are numerous obstacles to building a case for attribution with any cyber attack. In Stuxnet’s case, the obstacles may be insurmountable unless further details on Stuxnet’s real or potential target sites are forthcoming. Symantec’s discovery that the malware provides instructions to two specific frequency converter drives has confirmed that sabotage, not espionage, was the purpose of the attack. It also rules out processes that don't require a frequency of 807 Hz or higher. [27] According to the Vacon website, they serve the following industrial segments: Water, Marine, Pulp and Paper, Building Automation, Mining and Minerals, Solutions for MV Motors. Of those, the segment that holds the most value for nation states who engage in cyber operations of one type or another is Mining and Minerals, and that fact has helped inform the scenario choices that the author researched for this paper.

State Sponsorship or Corporate Sponsorship?

The Stuxnet malware analyses performed by Symantec, ESET, Kaspersky, Langner Communications, and Microsoft all point to a well-funded team of developers with certain unique skill sets and several months for development and testing. The obvious conclusion is that this team was sponsored by a nation state; however, certain multi-national corporations have the same or better resources than many governments. In some countries, the government has a controlling interest in their largest corporations such as China’s “national champion” companies (i.e., Huawei) or France’s majority ownership of Areva (see Attack Scenario #3).

[27] “7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.”, Symantec W32.Stuxnet Dossier, p.35

A Target Worthy Of The Weapon That Was Built For It

While the goal of the creators of the Stuxnet worm remains a mystery, the time, money, and skill that went into its creation provide some insight into its target; i.e., Predator drones aren’t deployed to target shoplifters. Whatever Stuxnet was designed to attack, one can infer that it’s a high value target worthy of the weapon that was created to sabotage it. More work needs to be done searching for mechanical failures or accidents that have occurred in the first half of 2010 in high value sectors that use frequency convertor drives within the proscribed range. Means, Motive, and Opportunity combined with technical analysis and critical thinking will, at the very least, expose a heretofore unseen target that can be hardened before it becomes the inspiration for the next Stuxnet-inspired attack team. Forward-looking security is the only real security there is.

APPENDIX

Although this white paper was published in November, I wasn’t satisfied with any of the above scenarios and continued my research for another 30 days which culminated with my writing “Stuxnet’s Finnish-Chinese Connection” for Forbes Firewall on December 14, 2010. The following is a condensed version of that article.

------------------

Reviewing The Evidence

• China has an intimate knowledge of Iran's centrifuges since they're of Chinese design.

• China has ready access to Siemens software since the company has 16 R&D centers operating within China with 2300 employees working on over 1000 projects per year.

• China has better access than any other country to manufacturing plans for the Vacon frequency converter drive made by Vacon’s Suzhou facility and specifically targeted by the Stuxnet worm (along with an Iranian company’s drive). Furthermore, in March 2010, China's Customs ministry started an audit at Vacon's Suzhou facility and took two employees into custody, thereby providing further access to Vacon's manufacturing specifications under cover of an active investigation.

• China has better access than any other country to RealTek's digital certificates through its Realsil office in Suzhou and, secondarily, to JMicron's office in Taiwan.

• China has direct access to Windows source code, which would explain how a malware team could create 4 key zero day vulnerabilities for Windows when most hackers find it challenging to develop even one.

• There were no instances of Stuxnet infections in the PRC until very late, which never made sense to me, particularly when Siemens software is pervasive throughout China's power installations. Then, almost as an after-thought and over three months from the time the virus was first discovered, Chinese media reported one million infections, and here's where the evidence becomes really interesting.

• That report originated with a Chinese antivirus company called Rising International, who we now know colluded with an official in Beijing's Public Security Bureau to make announcements encouraging Chinese citizens to download AV software from Rising International (RI) to fight a new virus that RI had secretly created in its own lab. Considering this new information, RI's Stuxnet announcement sounds more like a CYA strategy from the worm's originators than anything else.

China’s Motive

On April 13, 2010, Beijing reiterated its opposition to Iran's goal to develop nuclear weapons capabilities while stating that sanctions against Iran would be counter-productive. In other words, the PRC wanted to support its third largest supplier of oil (after Saudi Arabia and Angola) while at the same time seeking ways to get Iran to stop its uranium fuel enrichment program. What better way to accomplish that goal than by covertly creating a virus that will sabotage Natanz' centrifuges in a way that simulates mechanical failure while overtly supporting the Iranian government by opposing sanctions pushed by the U.S. It's both simple and elegant. Even if the worm was discovered before it accomplished its mission, who would blame China, Iran's strongest ally, when the most obvious culprits would be Israel and the U.S.?

About Taia Global

Taia Global is a startup company founded by Jeffrey Carr, the author of Inside Cyber Warfare, and a team of highly accomplished individuals who come from the technology industry, the Intelligence community, and the Department of Defense.

Our company is based on the premise that an enterprise’s most critical data cannot be protected in the same way as the enterprise’s network; that a corporation’s senior management are high value targets, particularly when they travel overseas; and that these individuals require an entirely different security posture.

Taia Global provides physical and cyber security countermeasures to safeguard the computing assets of key executives and government officials while they travel overseas, and by extension, protect the enterprise’s critical data against a common attack vector – the exploitation of the senior executive’s trusted credentials on the network.

Contact Taia Global today for more information or to book a consultation.

Contact Information

Email: [email protected]

Website: https://taiaglobal.com

Digital Dao blog: http://jeffreycarr.com