dragons whitepaper updated
8/6/2019 Dragons Whitepaper Updated
http://slidepdf.com/reader/full/dragons-whitepaper-updated 1/17
DRAGONS, TIGERS, PEARLS, AND YELLOWCAKE:
FOUR STUXNET TARGETING SCENARIOS
By Jeffrey Carr
16 November 2010
TAIA GLOBAL
Executive Cyber Protective Services
Copyright 2010 Jeffrey Carr. All rights reserved • https://taiaglobal.com • 360 301-1716
Dragons, Tigers, Pearls, & Yellowcake:
Four Stuxnet Targeting Scenarios
“In the rush to examine a criminal’s behavior, it is not difficult to become distracted by
the dangling carrot of that criminal’s potential characteristics and forget about the
value of understanding his victims.” - Brent Turvey
“When a person commits a crime something is left behind at the scene of the crime that
was not present when the person arrived.” - Locard’s Principle of Exchange
Introduction [1]
The discovery of the Stuxnet worm has initiated a major shift in thinking by everyone
from Information Security engineers to government officials about how offensive cyber
operations are being conducted by State and Non-State actors. There’s been extensive
technical analysis [2][3][4][5] done on the malware’s code and several anti-virus companies
have released their sometimes conflicting data on infection statistics [6]; however, a lot of
unknowns remain, including the worm’s purpose, its target or targets, and who designed
it. In other words, we’ve found the weapon used to commit a crime but we don’t know
who the attackers are, nor the intended victims, nor the purpose of the attack. The goal
of this white paper is to demonstrate how investigating the victims of a cyber attack may
yield clues as to its purpose as well as the identity of those responsible. While this paper
1 This white paper was written before it became clear that Iran’s fuel enrichment plant at Natanz and possibly other
Iranian installations were the target.
2 Siemens “Stuxnet Malware” official communication presented by Thomas Brandstetter at CIP Seminar 02 Nov 2010
3 Symantec “W32.Stuxnet Dossier” by N. Falliere, L O’Murchu, E Chien, Sep 2010
4 VirusBlokAda, “Trojan Spy 0485 and Malware Cryptor Win32 Inject.gen2 Review” by K. Oleg, U. Sergey, June 17,
2010
5 ESET “Stuxnet Under The Microscope” by A. Matrosov, E. Radionov, D. Harley, J. Malcho, Sept 2010
6 “Myrtus and Guava: the Epidemic, the Trends, and the Numbers”
http://www.securelist.com/en/blog/325/Myrtus_and_Guava_the_epidemic_the_trends_the_numbers
focuses upon the Stuxnet worm, the concept and different modalities of alternative
analysis [7] may be applied to other cyber attacks as well.
Symantec, Kaspersky, and Microsoft have released infection rates numbering in the
thousands across dozens of countries; however, they were not all victims of the Stuxnet
worm. According to Liam O Murchu, Manager of Operations, Symantec Security
Response, only a small percentage of those infected hosts had the software configuration
that matched Stuxnet’s attack code [8]. Siemens AG has publicly stated [9] that it’s aware of
only 15 victims of the Stuxnet worm, five of which are in Germany with others in the
U.S., the E.U., and Asia. Symantec’s W32.Stuxnet dossier featured one graph (see figure
1 below) of infected hosts that had Siemens Step 7 software installed; however, the fact
that S7 software is present doesn’t mean that the Stuxnet worm is active. According
to Symantec’s latest update [10], the worm targets a specific industrial process involving
frequency convertor drives (aka variable frequency drives) which are manufactured by
Vacon PLC of Finland and Fararo Paya of Iran. Those drives are then issued commands
to operate in ways that will gradually cause the system to malfunction and ultimately
break down. According to Vacon’s website, the uses for these drives are quite varied but
include mining and mineral solutions. [11]
7 Richards J. Heuer, “The Future of Alternative Analysis”, presentation from ODNI conference Jan 9-10, 2007:
8 Told to the author in a phone conversation on Nov 15, 2010
9 Cyber worm found at German industrial plants (http://www.thelocal.de/national/20101002-30225.html )
10 “Stuxnet: A Breakthrough”: http://www.symantec.com/connect/blogs/stuxnet-breakthrough
11 Vacon company website (Industrial Segments page): http://www.vacon.com/Default.aspx?id=469223
While it’s important to understand that there are only a small number of actual “victims”
among the 100,000 or more hosts infected by the Stuxnet worm, no one has an
accurate count nor does anyone know precisely when this attack began. Regardless of
whose statistics you look at (Symantec, Microsoft, or Kaspersky), the majority of states
impacted by Stuxnet are in Asia and Central Asia with outliers in Africa, South America
and North America. If you think of these states as multiple victims of the same unknown
threat actor, then clues as to who the actor is may be extrapolated from what the victims
have in common. For example, China, Russia, Kazakhstan, Uzbekistan, Kyrgyzstan,
Tajikistan, India, Pakistan, Iran, and Mongolia are all members of the Shanghai
Cooperation Organization (SCO), which is a Central Asia collective working in areas
related to commerce and security. Many of the affected states are also members of the
Group of 15 (G15), which is the developing nations’ answer to the better known Group of 8 (G8).
There are, of course, many relationships that exist between nations but the most
important relationship to be considered is what makes them a potential target for the
creators of the Stuxnet worm. After studying this attack for more than 3 months, I’ve
identified four possible targeting scenarios:
• Rare-Earth Metals Producing States
• Uranium-producing States
• Corporate Sabotage To Discredit Siemens AG
• Protecting the Malacca Straits (String of Pearls)
Attack Scenario #1: Rare-Earth Minerals Producing States
Peoples Republic of China    India           Brazil
Malaysia                     Australia       United States
Canada                       South Africa    Kazakhstan
Table 1: Rare earth producing States with Stuxnet infections highlighted
The top producing countries of rare earth minerals are China, India, Brazil, and
Malaysia [12]. The Peoples Republic of China provides 95% of the world’s demand for rare
earths while holding 35% of the world’s supply. [13] As a result, other nations are stepping
up their own mining production, the top 3 of which are India, Brazil, and Malaysia, and
all of whom are on the Stuxnet list of affected nation states. Other rare earth producing
states are Canada, Australia, United States, Kazakhstan, and South Africa, the last 3 of
which have reported Stuxnet infections.
Opportunity: As of November 2010, there are 251 individual active rare-earth projects
in different stages of development, run by 165 companies in 24 different countries
outside of China [14].
Motive: Sabotage competitors’ mining operations to further consolidate control over
the global supply of essential rare-earth metals.
Means: Target the most promising mining operations for attack. Here are a few
possibilities taken from the top 13 picks in the TMR Advanced Rare-Earth Projects Index [15]:
• Bear Lodge (Bull Hill Zone) - Wyoming, USA : operated by Rare Element Resources Ltd. (TSX.V:RES, AMEX:REE);
12 Global InfoMine Website: http://www.infomine.com/commodities/rareearth.asp
13 Yale Global Online: “China’s Chokehold on Rare Earth Metals Raises Concerns”
http://yaleglobal.yale.edu/content/chinas-rare-earth-minerals
14 Value Metrics for 13 Advanced Rare Earth Projects:
http://www.resourceinvestor.com/News/2010/11/Pages/Comparative-Value-Metrics-for-13-Advanced-RareEarth-Projects.aspx
15 Ibid
• Kutessay II – Chui, Kyrgyzstan : operated by Stans Energy Corp. (TSX.V:RUU);
• Mountain Pass – California, USA : operated by Molycorp Inc. (NYSE:MCP);
• Nechalacho (Thor Lake Basal Zone) – Northwest Territories, Canada : operated
by Avalon Rare Metals Inc. (TSX:AVL; OTCQX:AVARF);
• Steenkampskraal – Western Cape, South Africa : operated by Great Western Minerals Group Ltd. (TSX.V:GWG, OTCBB:GWMGF) in association with Rare Earth Extraction Co.;
• Strange Lake (B Zone) – Quebec, Canada : operated by Quest Rare Minerals Ltd. (TSX.V:QRM);
• Zandkopsdrift – Northern Cape, South Africa : operated by Frontier Rare Earths Ltd. (TSX:FRO from 11/17/10 onwards);
• Zeus (Kipawa) – Quebec, Canada : operated by Matamec Explorations Inc. (TSC.V:MAT, PK:MTCEF).
Assessment
Although rare-earths are a probable candidate for future cyber attacks modeled after the
Stuxnet worm, they are highly unlikely to be the current target. Production by states other
than China is still in a very early stage and it may be 4 years or longer before new
projects go online.
Attack Scenario #2: Uranium Producing States (Asia)
The list of states in Asia that are engaged in mining Uranium as well as Uranium
enrichment and fuel fabrication closely aligns with the list of states reporting Stuxnet
infections (highlighted):
Peoples Republic of China    India                                    Kazakhstan
Republic of Korea            Democratic Peoples Republic of Korea     Kyrgyzstan
Mongolia                     Pakistan                                 Russian Federation
Saudi Arabia                 Tajikistan                               Turkey
Iran                         Uzbekistan                               Vietnam
Table 2: Uranium mining and fuel enrichment data source: (http://www.wise-uranium.org)
Iran’s Natanz nuclear reactor has been mentioned in the press as a potential target;
however, according to the IAEA, 2008 was the year that the Fuel Enrichment Plant at
Natanz suffered a significant drop in performance. The cause for that drop is not known
but there is a lot of speculation ranging from incompetence to sabotage [16]. Whatever the
reason, it happened before the earliest Stuxnet sample was discovered (June, 2009).
Figure 2: Timeline from Symantec’s W32.Stuxnet dossier
Stuxnet has frequently been classified as a state or state-sponsored attack; however,
starting in 2009 there’s been a marked increase of anti-nuclear power protests in Germany,
Russia, Finland, and France by activist organizations like Ecodefense, ECOperestroika,
Greenpeace, the Green League, and Ydinverkosto, a movement in northern Finland
which opposes uranium mining and nuclear power. Finland is of particular interest
since one of the two frequency convertor drives that Stuxnet issues commands to is
made by a Finnish company, Vacon PLC. Some of the above-mentioned groups self-
16 ISIS Report “Iran’s Gas Centrifuge Program: Taking Stock”:
http://isis-online.org/isis-reports/detail/irans-gas-centrifuge-program-taking-stock/#9
identify as anarchists and are on various law enforcement watchlists for engaging in acts
of ecoterrorism. [17] Whether members of these groups have the requisite technical skill or
the funds to create Stuxnet or similar malware is a matter for the respective state
agencies to investigate.
Opportunity: Greenpeace is well-funded and has frequently conducted actions against
nuclear facilities of the type that Stuxnet may be targeting. It is not known whether any
members of Ydinverkosto are employed by Vacon or have contacts there.
Motive: Nuclear power plants, uranium mines, and Fuel Enrichment facilities are
popular targets for environmental activists as well as eco-terrorists. The use of a virus
like Stuxnet provides these groups with the ability to disrupt operations at targeted
facilities with little to no risk to their members.
Means: Whether any of these groups have the resources or skill sets to develop, test,
and launch this level of malware is unknown to the author at this time; however,
Greenpeace France has been the victim of a cyber attack allegedly sponsored by French energy
company EDF (see Attack Scenario #3).
Assessment: More information is needed about the financial assets and technical
capabilities of these environmental action groups before an accurate assessment can be
made; however, these actors may pose a credible threat to this sector in the next few
years.
Attack Scenario #3: Corporate Sabotage Against Siemens AG
The link that connects all of Stuxnet’s victims is that they are Siemens’ customers. This
fact raises the possibility that the threat actor responsible for the Stuxnet worm is a
competing company who would benefit by creating an aura of uncertainty or lack of
trust in Siemens products. The following is an incident which began in March, 2009 and
may not end until January, 2012 [18], which falls within the three year lifespan of Stuxnet:
17 EcoDefense and Repression in Russia: (Oct 19, 2010):
http://www.crimethinc.com/blog/2010/10/19/eco-defense-and-repression-in-russia/
18 Symantec’s timeline for Stuxnet lists June, 2009 as first Stuxnet sample seen and June 24, 2012 as the scheduled “kill
date” for the worm (W32.Stuxnet Dossier v 1.3, p.4)
• June, 2009 (earliest Stuxnet sample seen)
• June 24, 2012 (the date found in Stuxnet’s config file)
EU Commission Filing: Areva versus Siemens
On March 4, 2009, France 24 [19] published a news story about French nuclear giant Areva
publicly accusing Siemens of breaching its non-compete clause with Areva when it
formed an alliance with Russian Federation-owned Rosatom to become “the world
leader in civilian nuclear technology” - a sector currently led by Areva and estimated to
be worth 1 trillion dollars.
On June 2, 2010, the European Commission launched an inquiry [20] into the
anti-compete clause in Siemens’ joint venture agreement with Areva - Areva NP.
Figure 3: Graphic depicting Areva NP’s services (source: www.areva-np.com)
19 France 24 International News (March 4, 2009):
http://www.france24.com/en/20090304-areva-says-siemens-venture-with-rosatom-breaches-contract
20 Antitrust: Commission opens an investigation into alleged restriction of competition between Areva and Siemens
(June 2, 2010):
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/655&format=HTML&aged=0&language=EN&guiLanguage=en
Opportunity: As former majority partner with Siemens in the joint venture Areva NP,
Areva has inside knowledge of Siemens’ operational instrumentation and control
systems which it supplied for their nuclear power plant projects.
Motive: Siemens is seeking to take Areva’s place in a joint venture with Rosatom that
could be worth 1 trillion dollars. Should Siemens suffer a reputation or trust issue in the
global marketplace, it may convince Rosatom to reconsider its plans and stay with
Areva.
Means: Areva SA is the world’s largest nuclear energy company with 2009 revenues of
€14bn (+6.4%). [21] The French government owns 90% of Areva.
Assessment: There is a low to moderate likelihood that Areva planned and launched
Stuxnet with the intention of de-railing the Siemens - Rosatom deal. In order for such a
plan to succeed there would have to be multiple reports of failures due to Siemens
applications, which have not occurred. Stuxnet has not harmed Siemens profits to date and
Rosatom’s interest in working with Siemens has not diminished over the past year or
more. Although there’s no evidence of Areva being involved in sponsoring cyber attacks
of any kind, there is a broader precedent of a French company engaging in those
activities. Électricité de France (EDF) is the world’s largest utility company with €66.34
billion in revenues in 2009, operating a diverse portfolio of 120,000+ megawatts of
generation capacity in Europe, Latin America, Asia, the Middle-East and Africa. EDF is
being investigated by a French prosecutor for allegedly hiring Kargus Consultants to
conduct a cyber attack against the director of Greenpeace France in 2006 [22].
Attack Scenario #4: The String of Pearls
The Peoples Republic of China (PRC) is actively involved in acquiring mining companies
or embarking on joint ventures with them to fulfill its increasing demand for energy
resources for which it has serious shortages (table 3).
21 Areva Annual Report 2009: http://www.areva.com/EN/news-8247/annual-results-2009.html
22 Bloomberg “EDF Should Face Greenpeace Computer-Hacking Trial, French Prosecutor Says”:
http://www.bloomberg.com/news/2010-09-06/edf-should-face-greenpeace-computer-hacking-trial-french-prosecutor-says.html
SERIOUS SHORTAGE           SHORTAGE     NO SHORTAGE
Chromium                   Oil          Titanium
Copper                     Uranium      Sulfur
Zinc                       Iron
Cobalt                     Manganese
Platinum Group Elements    Bauxite
Strontium                  Tin
Potassium                  Lead
Boron                      Nickel
Diamond                    Antimony
                           Gold
Table 3: Source: ResourceInvestor.com (Dec 10, 2009) [23]
In addition to the minerals and metals above, China needs to import natural gas. Of the
three countries reporting the highest rates of Stuxnet-infected hosts (Iran, India,
Indonesia), Indonesia is the world’s largest exporter of Liquefied Natural Gas (LNG) and coal
used in power stations, and it has the largest gold mine and recoverable copper
reserve. [24]
Iran’s oil exports to China jumped 30% in the last 9 months according to OPEC [25].
Russia, Kazakhstan and other nations in the Commonwealth of Independent States (CIS)
export oil to China through the Atasu to Alashankou pipeline, financed by China’s
popular loan-for-oil program.
Unlike Indonesia and Iran, India is China’s competitor for energy resources, particularly
oil for which it’s the world’s fourth largest consumer (China is currently in second place
after the U.S.). In fact, India is almost entirely dependent on external resources for its
growing energy needs. This puts India and China at odds over securing energy resources
as well as ensuring that key choke points like the Malacca straits remain open.
23 ResourceInvestor.com
http://www.resourceinvestor.com/News/2009/12/Pages/Himfr-China-seriously-short-on-nine-kinds-of-mineral-resources.aspx
24 Ibid
25 Tehran Times (Nov 12, 2010): http://www.tehrantimes.com/index_View.asp?code=230364
China’s strategy to combat India’s own security interests in this region is one of
engaging in foreign development projects at key locations along the oil shipping lanes. Each
location is known as a “pearl”. Christopher J. Pehrson lists a few examples in a paper [26]
that he wrote on this subject for the U.S. Army Strategic Studies Institute:
• Hainan Island - upgraded military facilities
• Woody Island - upgraded airstrip
• Chittagong, Bangladesh - constructed a container shipping facility
• Sittwe, Myanmar - constructed a deep water port
Apart from these examples, the states most often referred to as part of China’s String of
Pearls strategy are Pakistan, Sri Lanka, Myanmar, and Bangladesh. India has
responded by building its own alliances in that region and holding military exercises with
the Gulf Cooperation Council and Iran, among other contingencies.
Opportunity: The Chinese government is negotiating energy deals, joint ventures or
acquisitions with companies that are located along the Malacca Straits, which India is
trying to counter by making its own strategic alliances in some of the same countries.
Motive: China’s reliance on foreign sources to meet its energy needs increases every
year. It must continually succeed in acquiring assets as well as developing new resources
on foreign soil, yet avoid escalating military tensions with India, its chief competitor.
India has similar needs and motivations.
Means: Siemens has a strong presence in China. It was a global sponsor of China’s
World Shanghai Expo 2010. Its PLC SIMATIC Step 7 software targeted by Stuxnet is
used in the radial gate control of the largest electricity-generating plant in the world -
the Three Gorges dam in Hubei province. There’s no question that China has the
capability of developing and launching malware sufficient to the task and it’s highly likely
that its cyber capabilities exceed those evidenced by the creators of the Stuxnet worm.
26 Pehrson, Christopher J. LCOL USA “String of Pearls: Meeting the Challenge of China's Rising Power
Across the Asian Littoral” http://www.strategicstudiesinstitute.army.mil/pubs/display.cfm?pubid=721
Siemens also has a large presence in India with 18 manufacturing plants employing
17,000 people so finding individuals with the necessary skills to create malware on the
scale of Stuxnet would not be a problem.
Assessment: There is a low to moderate likelihood that Stuxnet’s creators had planned
to sabotage a competing state’s operations along the Straits of Malacca and other choke
points for strategic advantage in the uninterrupted flow of oil and other critical
resources.
SUMMARY:
There are numerous obstacles to building a case for attribution with any cyber attack. In
Stuxnet’s case, the obstacles may be insurmountable unless further details on Stuxnet’s
real or potential target sites are forthcoming. Symantec’s discovery that the malware
provides instructions to two specific frequency converter drives has confirmed that
sabotage, not espionage, was the purpose of the attack. It also rules out processes that
don't require a frequency of 807 Hz or higher. [27] According to the Vacon website, they
serve the following industrial segments: Water, Marine, Pulp and Paper, Building
Automation, Mining and Minerals, Solutions for MV Motors. Of those, the segment that
holds the most value for nation states who engage in cyber operations of one type or
another is Mining and Minerals, and that fact has helped inform the scenario choices that
the author researched for this paper.
State Sponsorship or Corporate Sponsorship?
The Stuxnet malware analyses performed by Symantec, ESET, Kaspersky, Langner
Communications, and Microsoft all point to a well-funded team of developers with
certain unique skill sets and several months for development and testing. The obvious
conclusion is that this team was sponsored by a nation state; however, certain multi-national
corporations have the same or better resources than many governments. In some
countries, the government has a controlling interest in their largest corporations such as
China’s “national champion” companies (i.e., Huawei) or France’s majority ownership
of Areva (see Attack Scenario #3).
27 “7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also
known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to
Vacon NX frequency converter drives manufactured by Vacon based in Finland.”, Symantec W32.Stuxnet
Dossier, p.35
A Target Worthy Of The Weapon That Was Built For It
While the goal of the creators of the Stuxnet worm remains a mystery, the time, money,
and skill that went into its creation provide some insight into its target; i.e., Predator
drones aren’t deployed to target shoplifters. Whatever Stuxnet was designed to attack,
one can infer that it’s a high value target worthy of the weapon that was created to
sabotage it. More work needs to be done searching for mechanical failures or accidents that
have occurred in the first half of 2010 in high value sectors that use frequency convertor
drives within the prescribed range. Means, Motive, and Opportunity combined with
technical analysis and critical thinking will, at the very least, expose a heretofore unseen
target that can be hardened before it becomes the inspiration for the next Stuxnet-
inspired attack team. Forward-looking security is the only real security there is.
APPENDIX
Although this white paper was published in November, I wasn’t satisfied with any of the
above scenarios and continued my research for another 30 days, which culminated with
my writing “Stuxnet’s Finnish-Chinese Connection” for Forbes Firewall on December 14,
2010. The following is a condensed version of that article.
------------------
Reviewing The Evidence
• China has an intimate knowledge of Iran's centrifuges since they're of Chinese design.
• China has ready access to Siemens software since the company has 16 R&D centers
operating within China with 2300 employees working on over 1000 projects per year.
• China has better access than any other country to manufacturing plans for the Vacon
frequency converter drive made by Vacon’s Suzhou facility and specifically targeted by
the Stuxnet worm (along with an Iranian company’s drive). Furthermore, in March
2010, China's Customs ministry started an audit at Vacon's Suzhou facility and took
two employees into custody, thereby providing further access to Vacon's manufacturing
specifications under cover of an active investigation.
• China has better access than any other country to RealTek's digital certificates through
its Realsil office in Suzhou and, secondarily, to JMicron's office in Taiwan.
• China has direct access to Windows source code, which would explain how a malware
team could create 4 key zero day vulnerabilities for Windows when most hackers find
it challenging to develop even one.
• There were no instances of Stuxnet infections in the PRC until very late, which never
made sense to me, particularly when Siemens software is pervasive throughout China's
power installations. Then, almost as an afterthought and over three months from the
time the virus was first discovered, Chinese media reported one million infections, and
here's where the evidence becomes really interesting.
• That report originated with a Chinese antivirus company called Rising International,
who we now know colluded with an official in Beijing's Public Security Bureau to make
announcements encouraging Chinese citizens to download AV software from Rising
International (RI) to fight a new virus that RI had secretly created in its own lab.
Considering this new information, RI's Stuxnet announcement sounds more like a CYA
strategy from the worm's originators than anything else.
China’s Motive
On April 13, 2010, Beijing reiterated its opposition to Iran's goal to develop nuclear
weapons capabilities while stating that sanctions against Iran would be
counter-productive. In other words, the PRC wanted to support its third largest supplier of oil
(after Saudi Arabia and Angola) while at the same time seeking ways to get Iran to stop
its uranium fuel enrichment program. What better way to accomplish that goal than by
covertly creating a virus that will sabotage Natanz' centrifuges in a way that simulates
mechanical failure while overtly supporting the Iranian government by opposing
sanctions pushed by the U.S.? It's both simple and elegant. Even if the worm was discovered
before it accomplished its mission, who would blame China, Iran's strongest ally, when
the most obvious culprits would be Israel and the U.S.?
About Taia Global
Taia Global is a startup company founded by Jeffrey Carr, the author of Inside Cyber
Warfare, and a team of highly accomplished individuals who come from the technology
industry, the Intelligence community, and the Department of Defense.
Our company is based on the premise that an enterprise’s most critical data cannot be
protected in the same way as the enterprise’s network; that a corporation’s senior
management are high value targets, particularly when they travel overseas; and that these
individuals require an entirely different security posture.
Taia Global provides physical and cyber security countermeasures to safeguard the
computing assets of key executives and government officials while they travel overseas,
and by extension, protect the enterprise’s critical data against a common attack vector –
the exploitation of the senior executive’s trusted credentials on the network.
Contact Taia Global today for more information or to book a consultation.
Contact Information
Website: https://taiaglobal.com
Digital Dao blog: http://jeffreycarr.com