Federal danger service. A virus is worse than a bomb. How hackers destroyed a nuclear plant in Iran

In recent days the world's media have suddenly remembered the Win32/Stuxnet worm, discovered back in June of this year. By computer standards three months is like several years of ordinary life. Even slow-moving Microsoft managed to release a patch closing one of the four Windows vulnerabilities the malware uses. True, not for every version of the operating system: the fix reaches Vista, "Seven" and XP SP3, while Windows 2000 and XP SP2, already out of Microsoft's support, stay exposed to Stuxnet, and their only hope is third-party antivirus software. That software will be needed anyway, since the remaining vulnerabilities are alive and well.

And suddenly Stuxnet is back in the news headlines. It turns out this is not just another worm, albeit a rather intricately written one (half a megabyte of encrypted code in several languages, from C/C++ to assembly), but a digital spy and saboteur. It works its way into industrial facilities that run Siemens hardware and software, gains access to Siemens WinCC, the SCADA system responsible for data acquisition and supervisory control of production, and through it tries to reprogram the programmable logic controllers (PLCs).

Scared yet? Wait, this is only the beginning! Stuxnet is not designed for some beer-bottling shop. Its main target is the Iranian nuclear power plant in the city of Bushehr! Allegedly the whole evil power of the worm is tailored to that plant's configuration, and either it has already seriously hurt the Iranians, who have not been able to start the station since August, or it has quietly reflashed the controllers and will give the command to explode once the plant is running. And then...

Let me quote several opinions of knowledgeable people. Eugene Kaspersky, in his blog, calls Stuxnet "a masterpiece of malware engineering" and in turn cites excerpts from Alexander Gostev, according to whom we are dealing with a "weapon of industrial sabotage". Made, of course, by the Israeli Mossad in order to stop the Bushehr nuclear power plant from operating.

Siemens hardware and software systems are used in very different industries. Fine, if we are talking about casting iron...

...but imagine how the hearts of hundreds of thousands of men will tremble if a worm damages a beer production line!

ESET's analysts are a little less emotional. They are not sure that Stuxnet's target is the Bushehr plant, but they pay tribute to the quality of the code and the elegance of the idea. "Win32/Stuxnet was developed by a group of highly qualified specialists who are well versed in the weak points of modern information security tools. The worm is designed to remain undetected for as long as possible. The malware uses several serious remote code execution vulnerabilities as distribution mechanisms, some of which remain unpatched today. The cost of such vulnerabilities on the black market can reach 10 thousand euros each. And the cost of the vulnerability in the processing of LNK/PIF files (MS10-046), which allows the worm to spread through external media, is even higher."

The point about external media is very important. As we understand it, the control systems of factories and nuclear plants are not connected to the Internet, so Stuxnet infects flash drives and uses them to get into closed networks. Security services? Yes, of course they work, and sometimes very effectively. However, besides the banal human factor (read: sloppiness), there are quite cunning ways to disguise a flash drive. For example, a carefully bribed employee can bring a mouse with built-in flash memory into the workplace and swap it for the government-issued one. You may ask why, then, distribution over the Internet is needed at all. To divert attention, so that the same heads of security look not for an enemy inside the team but confidently nod at accidental penetration from outside. Meanwhile, to make the worm easier to run, some Win32/Stuxnet components were signed with legitimate digital certificates belonging to JMicron and Realtek. As a result, until those certificates were revoked, Stuxnet could bypass a large number of HIPS (Host Intrusion Prevention System) implementations that trusted a valid vendor signature.
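The external-media vector ESET refers to (MS10-046, CVE-2010-2568) abuses shortcut icon rendering: when Explorer displays a .lnk whose target ID list enters the Control Panel folder and then names a file, it loads that file as a library to fetch its icon, so the "infected flash drive" needs no autorun at all. Triage of a suspect drive therefore comes down to parsing shortcut files. The Go program below is an added example written for this page, not code from the article, from ESET or from any other vendor. It parses the fixed MS-SHLLINK header and the LinkTargetIDList and flags a shortcut whose list contains the Control Panel folder CLSID followed by a UTF-16 path that is not a .cpl applet. The two CLSIDs are the public Windows values; the heuristic, the simplified ItemID layouts and the two sample shortcuts are constructed for illustration and stand in for a vendor signature rather than reproduce one.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const headerSize = 0x4C             // fixed ShellLinkHeader size (MS-SHLLINK)
const flagHasLinkTargetIDList = 0x1 // LinkFlags bit A: a LinkTargetIDList follows the header

// Little-endian binary forms of two public Windows CLSIDs.
var linkCLSID = [16]byte{0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46}         // {00021401-0000-0000-C000-000000000046}, shell link
var controlPanelCLSID = [16]byte{0x20, 0x20, 0xEC, 0x21, 0xEA, 0x3A, 0x69, 0x10, 0xA2, 0xDD, 0x08, 0x00, 0x2B, 0x30, 0x30, 0x9D} // {21EC2020-3AEA-1069-A2DD-08002B30309D}, Control Panel folder

// Report summarises the LinkTargetIDList of one shortcut.
type Report struct {
	ControlPanel bool     // an ItemID embeds the Control Panel folder CLSID
	Paths        []string // UTF-16LE strings containing a backslash found in ItemIDs
	Suspicious   bool     // Control Panel item followed by a path that is not a .cpl applet
}

// Parse validates the ShellLinkHeader and walks the LinkTargetIDList.
func Parse(lnk []byte) (Report, error) {
	var r Report
	if len(lnk) < headerSize+2 || binary.LittleEndian.Uint32(lnk) != headerSize || !bytes.Equal(lnk[4:20], linkCLSID[:]) {
		return r, errors.New("not a shell link: bad length, HeaderSize or LinkCLSID")
	}
	if binary.LittleEndian.Uint32(lnk[20:])&flagHasLinkTargetIDList == 0 {
		return r, nil // no target list, so nothing for the Control Panel trick to ride on
	}
	off, end := headerSize+2, headerSize+2+int(binary.LittleEndian.Uint16(lnk[headerSize:]))
	if end > len(lnk) {
		return r, errors.New("IDList runs past end of file")
	}
	for off < end-2 { // the last two bytes of the list are the zero TerminalID
		isz := int(binary.LittleEndian.Uint16(lnk[off:]))
		if isz < 2 || off+isz > end-2 {
			return r, errors.New("malformed ItemID")
		}
		item := lnk[off+2 : off+isz]
		if bytes.Contains(item, controlPanelCLSID[:]) {
			r.ControlPanel = true
		}
		for _, s := range extractUTF16(item, 4) {
			if strings.Contains(s, `\`) {
				r.Paths = append(r.Paths, s)
				r.Suspicious = r.Suspicious || r.ControlPanel && !strings.HasSuffix(strings.ToLower(s), ".cpl")
			}
		}
		off += isz
	}
	return r, nil
}

// extractUTF16 returns runs of printable ASCII stored as UTF-16LE, tried at both byte alignments.
func extractUTF16(data []byte, minLen int) []string {
	var out []string
	for start := 0; start < 2; start++ {
		var run []byte
		for i := start; i <= len(data); i += 2 { // one step past the end flushes the final run
			if i+1 < len(data) && data[i+1] == 0 && data[i] >= 0x20 && data[i] <= 0x7E {
				run = append(run, data[i])
				continue
			}
			if len(run) >= minLen {
				out = append(out, string(run))
			}
			run = run[:0]
		}
	}
	return out
}

// buildLNK assembles a header plus LinkTargetIDList from raw ItemID payloads (sample scaffolding).
func buildLNK(items ...[]byte) []byte {
	lnk := make([]byte, headerSize)
	binary.LittleEndian.PutUint32(lnk, headerSize)
	copy(lnk[4:], linkCLSID[:])
	binary.LittleEndian.PutUint32(lnk[20:], flagHasLinkTargetIDList)
	var idl []byte
	for _, it := range items {
		idl = binary.LittleEndian.AppendUint16(idl, uint16(len(it)+2))
		idl = append(idl, it...)
	}
	idl = append(idl, 0, 0) // TerminalID
	lnk = binary.LittleEndian.AppendUint16(lnk, uint16(len(idl)))
	return append(lnk, idl...)
}

// Constructed samples, not captured files; the two leading bytes of each payload stand in for the type/flag bytes real ItemIDs carry.
var (
	benignLNK = buildLNK(append([]byte{0x31, 0x00}, "C:\\tools\\notes.txt\x00"...)) // ordinary file shortcut, ANSI path
	cplLNK    = buildLNK(
		append([]byte{0x71, 0x00}, controlPanelCLSID[:]...),                                                  // enter the Control Panel folder
		append([]byte{0x00, 0x00}, "E\x00:\x00\\\x00p\x00a\x00y\x00l\x00o\x00a\x00d\x00.\x00t\x00m\x00p\x00"...), // UTF-16LE "E:\payload.tmp"
	)
)

func main() {
	for _, d := range [][]byte{benignLNK, cplLNK} {
		r, err := Parse(d)
		fmt.Printf("%+v err=%v\n", r, err)
	}
}
```

Walk the *.lnk files on the mounted drive with filepath.Walk and feed each one to Parse. A genuine Control Panel shortcut names a .cpl applet under the Windows directory, which is why Suspicious stays false for it; a match that points at a removable volume or a .tmp file, or a file with the .lnk extension that fails to parse at all, is what deserves the analyst's attention.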

ESET also provides a wonderful table with the geography of recorded infections, which on the one hand confirms Gostev's hints and on the other makes conspiracy theorists write comments in forums and blogs even more actively. It's no joke: the infection is hitting the largest developing countries, and the only thing missing from the table, to complete the picture, is China in place of Indonesia.

Are you already scared, like Evgeny Kaspersky? Wait. Let's take a breath.

First, you need to understand why the makers of protection products talk about Stuxnet with such pleasure. Yes, of course, they want to save our little planet. But this is also a giant new market. Siemens is not the only company producing control and monitoring equipment for every kind of industry, from nuclear power plants to beer-bottling shops; besides the Germans there are Americans, Japanese, and so on. Such systems are, to put it mildly, not cheap, and if each one can be sold with its own protection product attached... Yes, yes, you understood me correctly.

Secondly, for all the beauty of the Mossad version, you should not believe it. If many man-months or even man-years were really spent on the worm, as the experts claim, then this ending of the operation is a colossal failure. No results plus publicity is a terrible combination for any intelligence officer. To obtain information or carry out sabotage, agencies usually resort to the age-old practice of recruitment, and the Mossad has extensive experience of this kind of work in Arab countries. One can, of course, assume that the program was written for quiet installation by a plant employee, and that when something went wrong the worm was released onto the Internet to cover the agent. But that only holds if Stuxnet was definitely prepared for Bushehr, about which there are many doubts. About them, in the next paragraph.

Thirdly, as we found out, power plants (including Bushehr) are automated with licensed Siemens equipment that differs from run-of-the-mill PLCs in roughly the way a combat fighter differs from a hang glider. The domain of the PLC is, at best, the automation of a brewery or a gas or oil pumping station. So it remains completely unclear which PLCs Stuxnet is going to tamper with at Bushehr.

Finally, fourthly. Note the Win32 in the full name of the virus. No serious plant, let alone a nuclear power plant, will allow a Microsoft operating system to control truly important processes. Systems of the *nix family (in particular QNX) reign there, and a virus from the Windows camp is entirely harmless to them. So the sensation belongs to the genre of tales about a secretary afraid of catching a virus from her computer. True, the more rigorous authors of horror stories clarify that Windows does not control the PLCs directly, but the tools for reprogramming the controllers run on it, and this is what Stuxnet uses. That is a little more frightening, but in serious production nobody has abolished the Big Switches that are responsible for the really important things. They can be thrown only by hand, because that is much more reliable. And safer. If a computer is ever allowed near them, it will not be today or tomorrow. And at a nuclear power plant, most likely, never.

I don't want to force my opinion on the reader, but so far Stuxnet smacks of unfair competition. Where does this hatred of Siemens solutions come from? Who was not too lazy to spend so much effort and time on a big fat worm that, by and large, cannot do any real mischief but leaves an extremely unpleasant aftertaste? Look: investors in new factories and power plants will think about it and buy their system from another manufacturer. When hundreds of millions and even billions of dollars are at stake, a couple of million spent on black PR is not begrudged.

So it is a weapon, but one unlikely to lead to real explosions. Unless they are explosions of indignation on the next visit to the store or on receiving the electricity bill. All these industrial wars are ultimately fought at the expense of us, the consumers.

Hundreds of conspiracy theorists were offended when writing this article.

“I don’t know what weapons will be used to fight in the third world war, but in the fourth they will use stones and clubs.”
Albert Einstein
At the end of September it became known that the Stuxnet virus had caused serious damage to the Iranian nuclear program. Using operating system vulnerabilities and the notorious "human factor", Stuxnet destroyed 1,368 of the 5,000 centrifuges at the Natanz uranium enrichment plant and also disrupted the launch of the Bushehr nuclear power plant. Customer: unknown. Perpetrator: a negligent Siemens employee who inserted an infected flash drive into a workstation. The damage to Iran's nuclear facilities is comparable to that of an attack by the Israeli Air Force.
The world is talking about a new generation of wars. Cyber attacks could be the ideal tools for the next wars: fast, effective in their destructiveness and, as a rule, anonymous. Today states are urgently agreeing on a joint strategy to counter cyber threats. What will tomorrow bring? Unfortunately, the most realistic answer to that question is still Einstein's sad aphorism.
Iran is helpless against the techno-threat
The editorial pages of the world press are filled with gloomy prophecies about the advent of an era of technological wars. Experts from many fields, from IT security to linguistics and anthropology, are struggling to make sense of Stuxnet, the virus that hit Iran's nuclear facilities. Stuxnet was discovered by antivirus laboratories quite a while ago, but the world learned the true scale of the infection at the end of September, when the delay in the launch of Iran's first nuclear power plant at Bushehr became known. Although Ali Akbar Salehi, head of the Atomic Energy Organization of Iran, said the delay had nothing to do with the virus, Mark Fitzpatrick of the International Institute for Strategic Studies noted that this sounds "not very serious" and that Iran tends to hush up real problems at the plant. Some time later Mahmoud Jafari, project manager of the Bushehr station, "let it slip": according to him, Stuxnet "infected several computers, but did not cause any damage to the station's main operating system". Sapienti sat. Iran's nuclear facility at Natanz was also severely damaged: 1,368 of the 5,000 centrifuges were disabled by Stuxnet. When Mahmoud Ahmadinejad was asked directly after the UN General Assembly session about the technological problems with the nuclear program, he just shrugged and said nothing. Note that, according to the New York Times, the damage caused by the virus in Iran is comparable to an attack by the Israeli Air Force.
Author! Author!
For obvious reasons Stuxnet's developers prefer to keep a low profile, but it is clear that the complexity of the virus is unprecedented. Creating such a project requires huge intellectual and financial investment, which means only government-scale structures can do it. All experts agree that the virus is not the work of a "group of enthusiasts". Laurent Eslau, head of security systems at Symantec, estimates that at least six to ten people worked on Stuxnet for six to nine months. Frank Rieger, technical director of GSMK, supports his colleague: according to him, the virus was created by a team of ten experienced programmers and the development took about six months. Rieger also gives an estimated cost of creating Stuxnet: at least $3 million. Eugene Kaspersky, CEO of Kaspersky Lab, speaks of the virus's military purpose: "Stuxnet does not steal money, does not send spam and does not steal confidential information. This malware was created to control production processes, to literally manage huge production capacities. In the recent past we fought cyber criminals and online hooligans; now, I'm afraid, the time of cyber terrorism, cyber weapons and cyber wars is coming." Tillmann Werner, a member of the Honeynet Project, a community of Internet security experts, is confident that lone hackers are not capable of this. "Stuxnet is so advanced from a technical point of view that we must assume that government experts were involved in the development of the malware, or that they at least provided some assistance in its creation," Werner said.

In the process of analyzing Stuxnet, some media outlets concluded that Israel was behind the creation of the virus. The first to speak of Israel's involvement in the attack on Iran was John Markoff, a journalist for the New York Times, who reported that analysts had especially noted the name of one code fragment, "myrtus" ("myrtle"). In Hebrew "myrtle" is "hadas", which in turn is consonant with "Hadassah", the name of Esther, the heroine of Jewish history who saved her people from destruction in the Persian Empire. Drawing an analogy with ancient Persia, on whose territory modern Iran lies, some analysts believe that Israel left a "calling card" in the virus code. However, according to a number of experts, this version does not stand up to criticism and resembles the plot of a cheap detective story: too primitive a "signature" for a project of this scale.

At the same time, it should be emphasized that last summer (recall that Stuxnet began spreading in 2009) WikiLeaks reported a serious nuclear accident at Natanz. Soon afterwards it became known that the head of the Atomic Energy Organization of Iran, Gholam Reza Aghazadeh, had resigned without explanation. Around the same time, statements by Israeli politicians and military officers appeared in the media about a possible confrontation with Iran on the technological front. In addition, Israel adjusted its projected date for Iran obtaining an atomic bomb, pushing it back to 2014, and the mandate of Mossad chief Meir Dagan was extended for his participation in unnamed "important projects".

Human factor
The story of the initial infection, which marked the beginning of the virus's spread, is noteworthy. Obviously, automated control systems of this level are not connected to the Internet. Kenneth Geers, an expert at the NATO cyber defence centre in Estonia, suggested at a security conference that the success of the Stuxnet attack depended solely on contacts with the right people and... ordinary USB drives. "You could pay someone to launch a Trojan into a closed system, or you could replace a flash drive that was intended for internal use only," Geers muses. "It's enough to insert an infected flash drive into a standard USB connector on your computer, and Stuxnet will immediately and automatically jump to the operating system, and no anti-virus programs or other protection measures will interfere with it." And indeed, the "weak link" turned out to be the human factor: Stuxnet entered the system via a regular USB drive carelessly inserted into a workstation by a careless employee. Notably, after Iranian Intelligence Minister Heydar Moslehi announced the detention of "nuclear spies" (they turned out to be entirely uninvolved Russian technicians), Siemens management admitted that the virus was introduced by company employees, stressing the unintentional nature of the infection. It should be noted that Stuxnet only affects a specific type of Siemens controller, namely SIMATIC S7, which, according to the IAEA, Iran uses.
Cyberwar. Battlefield - Earth?
At the Virus Bulletin 2010 conference in Vancouver, Canada, a brief presentation by Liam O Murchu, one of Symantec's leading IT security experts, caught the public's attention. The analyst conducted an experiment that explained the danger of a cyber threat better than hundreds of formal reports. O Murchu set up an air pump on stage driven by a Siemens controller, infected the workstation controlling the pump with Stuxnet and started the process. The pump quickly inflated a balloon, but the process did not stop: the balloon inflated until it burst. "Imagine that this is not a balloon but an Iranian nuclear power plant," the expert said, putting an end to the question of how "serious" cyber wars are.

O Murchu's colleagues fully share his concerns. Trend Micro researcher Paul Ferguson said that with the creation of Stuxnet a full-fledged cyber weapon had appeared in the world, one that goes beyond the traditional destructive schemes (theft of credit card numbers and the like) and can lead to serious accidents at very dangerous industrial facilities. Ferguson stresses that analysts will now "literally intimidate the government into taking serious security measures".

Indeed, General Keith Alexander, head of the newly created US Cyber Command at the Pentagon, speaking before Congress, publicly stated that the threat of cyber warfare has been growing rapidly over the past few years. Alexander recalled two cyber attacks on entire states: on Estonia (in 2007, after the relocation of the Bronze Soldier) and on Georgia (in 2008, during the war with Russia).

Estonian President Toomas Hendrik Ilves, in an interview with the Berliner Zeitung, raises the issue of cyber threats at the highest level. He emphasizes that NATO's decision to locate its cyber defence centre in Tallinn (recall that it opened in May 2008) is due to Estonia being one of the most computerized countries in Europe as well as the first state to suffer a full-scale cyber attack, in 2007. After that attack paralyzed the country's infrastructure, Estonian Defence Minister Jaak Aaviksoo even demanded that NATO equate such cyber attacks with military action. The president is making similar points today: "The Stuxnet virus demonstrated how seriously we must take cybersecurity, since with the help of such products vital infrastructure can be destroyed. In the case of Iran the virus appeared to be aimed at its nuclear program, but similar viruses could destroy our computer-driven economy. This should be discussed in NATO: if a missile destroys a power plant, Article 5 comes into force. But what to do in the event of a computer virus attack?" asks Toomas Hendrik Ilves. The president's proposal is in line with current trends: "Both the EU and NATO must develop a common policy, including legal norms, that will become the basis for collective defense against threats in cyberspace," the head of state believes.

US Deputy Secretary of Defense William J. Lynn fully agrees with Toomas Hendrik Ilves. In an interview with Radio Liberty, Lynn tried to answer the question Ilves raised: "If the attack affected significant elements of our economy, we should probably consider it an attack. But if the hack resulted in data theft, then it may not be an attack. Between these two extremes there are many other options. To formulate a clear policy line, we must decide where the line lies between hacking and attack, or between espionage and data theft. I believe that there is a discussion on this topic both within and outside the government, and I don't think that this discussion has been exhausted yet."

In addition, the key point of William Lynn's speech was the public announcement of the five principles on which the new US cybersecurity strategy is based. We quote the Deputy Secretary of Defense without cuts:
"The first of these principles is that we must recognize cyberspace for what it has already become: a new war zone. Just like land, sea, air and space, we must view cyberspace as a domain of our operations that we will protect and extend our military doctrine to. That is what drove us to create a unified Cyber Command within Strategic Command.

The second principle, which I have already mentioned, is that defense must be active. It should include the two generally accepted lines of passive defense. The first is, in fact, ordinary hygiene: install patches on time, update your antivirus programs, improve your protection tools. We also need the second line of defense, the one used by private companies: intrusion detectors, security monitoring programs. All of these tools will probably help you repel about 80 percent of attacks. The remaining 20 percent (a very rough estimate) are sophisticated attacks that cannot be prevented or stopped by patching holes. A much more active arsenal is needed. We need tools that can identify and block malicious code. You need programs that will identify and pursue malicious elements that have intruded into your own network. Once you have found them, you should be able to block them from communicating with the external network. In other words, it is more like a war of maneuver than a Maginot Line.

The third principle of a cybersecurity strategy is the protection of civilian infrastructure.

Fourth, the United States and its allies must take collective defense measures. Important decisions in this regard will be made at the upcoming NATO summit in Lisbon.

Finally, the fifth principle is that the United States must remain at the forefront of software development.”

The reaction of Dmitry Rogozin, Russia's permanent representative to NATO, to the processes under way in the Alliance is very noteworthy. Apparently Russia is extremely concerned about the upcoming NATO summit in Lisbon on November 20, because that is where the Alliance plans to settle the dilemma of whether an attack on the military and government computer networks of a NATO member counts as grounds to invoke Article 5 of the Washington Treaty and respond with a collective military strike. Rogozin, in his characteristic style, writes: "We will finally find out whether it is permissible for NATO to hit hackers' apartments with a nuclear bomb or whether it is assumed that cyber war will not go beyond the boundaries of cyberspace. I have great reason to doubt the latter scenario. Literally before our eyes, a huge scandal is unfolding in Western periodicals in connection with the spread of a computer worm called Stuxnet. I am used to reading and sending SMS in Latin letters, so I immediately read the name of the virus as a Russian verb in the future tense: "stukhnet" (it will go bad). Rest assured, something will definitely go bad or fall off for someone, especially those who started this virus. As we know, whoever sows the wind will reap the whirlwind." Without presuming to comment on Mr. Rogozin's literary research, we note that Russia was blamed for the two largest hacker attacks on entire states (Estonia and Georgia); perhaps this is what caused such a violent reaction from the impressionable plenipotentiary.

Thus, against the backdrop of the hysteria provoked by Stuxnet, a number of states have announced the need to formulate a joint policy for preventing cyber attacks. Will this lead to the desired result, even assuming that some document regulating the use of destructive technologies is drafted (and signed)? To IT Business Week this seems extremely doubtful; the temptations offered by high technology are too great: anonymity, safety (for the attacker), an unprecedented cost/effectiveness ratio. This means that Stuxnet was only the first harbinger of an era of techno-social revolution that has begun not at all as it was dreamed.


Before the world had time to really come to terms with the formidable Stuxnet worm, clearly developed with the help of government intelligence services, DUQU appeared on the Internet, built from the same source code. According to Bird Kiwi, the thoroughly modified heir has every chance of surpassing its parent, but what exactly will its goal be?

During the Second World War there was an incident of this kind. The American intelligence service OSS, very young at the time (it later became the CIA), began stealing Spain's cryptographic keys at the request of its British colleagues. The British badly needed to read the encrypted diplomatic correspondence of General Franco, one of Hitler's main allies in Europe, on a regular basis, but could not break the Spanish ciphers analytically.

The theft of the crypto keys was carried out in an entirely mundane way. On the appointed night, OSS break-in specialists entered the Spanish embassy in Washington and copied the next set of keys the British needed. Since the sets changed every month, though, the night visits to the embassy also had to be made monthly. And so, at the end of the fourth such visit, the American intelligence officers were arrested by the FBI...

Of course, this happened neither by accident nor through a misunderstanding. It was simply that FBI director J. Edgar Hoover, who had also become the country's chief counterintelligence officer during the war, was absolutely certain that secret business of this kind on American territory could take place only with his knowledge and under his control. And since the chief of foreign intelligence, William Donovan, not only had not consulted Hoover about the operations in the Spanish embassy but had not even considered it necessary to inform him, the FBI director decided to teach the presumptuous spies from the sister agency a proper lesson.

Nothing worthwhile came of this lesson, however. An enraged Donovan (also known as Wild Bill) ordered his staff to dig up serious dirt on Hoover. And once it was obtained, all of intelligence's problems with the FBI were solved easily and simply, by the elementary method called "cynical and merciless blackmail". But that is a completely different story...

Threat Alerts

We recall this amusing episode today for a reason. At the end of October, several US government departments responsible for various aspects of national security issued information bulletins warning about a new computer threat, a malicious program called DUQU (pronounced in English roughly as "dew-q", though in Russian simply "duku" would be more natural).

Against the backdrop of the gigantic quantity of malicious code that constantly appears on computers and networks, DUQU stands out as especially dangerous because it bears an undeniable family resemblance to, and a common origin with, the famous "worm of worms" called Stuxnet. Recall that last year Stuxnet simply amazed the antivirus industry and the online public as a whole with its unprecedented complexity and sophistication. For Iran specifically, Stuxnet became a problem that seriously slowed progress in uranium enrichment and in the national nuclear program as a whole.

And although there is no documentary, let alone official, proof, almost no one among experts doubts that the Stuxnet code was created in the secret laboratories of state intelligence services. Moreover, there is a sufficient body of evidence pointing clearly to the intelligence services of the states that had a hand in it, namely the United States and Israel.

In other words, the following facts of our strange life are evident. A new, very sophisticated spy program is found on computers in many different countries, its key features clearly developed with the participation of US intelligence. And in response, American security agencies such as DHS (Department of Homeland Security) and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) send out documents on how this elusive scourge should be countered (strip away the long-winded recommendations and it turns out to be essentially nothing beyond regular updates of standard antivirus software).

On the one hand, of course, it would be strange if there were no reaction at all, given society's extremely nervous attitude to the emergence of Stuxnet. On the other hand, it is entirely unclear how some state structures could actually protect anyone from others that are more powerful, more effective and more secret.

Naturally, no one has ready answers to such questions. But to better understand the essence of the problem and the scale of the emerging threat, it makes sense to take a closer look at the history of DUQU's appearance and the design features of this interesting program.

History of the DUQU phenomenon

Although the first official publication about the identification of a new malicious program bearing the well-known hallmarks of Stuxnet was a report by the antivirus firm Symantec on October 18 of this year, the real story of the antivirus community's discovery of DUQU began a month and a half earlier.

Moreover, the main roles were played by Hungarian researchers and the Spanish antivirus project VirusTotal. VirusTotal.com is a web service, originally set up by the Hispasec company of Malaga, where suspicious files sent in are given a "total analysis" by a large number of different antivirus engines. The output is a list of the detection names assigned to the code by the different companies (if, of course, such code has already been identified by someone earlier). VirusTotal is now something like a joint venture of the entire antivirus community. At the moment the number of antivirus engines pooled there is 43, and any newly identified sample of malicious code is promptly sent to all the companies and laboratories participating in the service.

It was here that DUQU's "first date" with the antivirus community took place, when on September 1, 2011 an unknown source in Hungary sent VirusTotal a suspicious file called ~DN1.tmp for scanning. The best-known antivirus programs saw nothing suspicious in this file, but two less popular engines, BitDefender and AVIRA (more precisely, four antivirus products built on them), detected it as a spyware Trojan. Shortly after this initial detection the file was added to the databases of many antivirus companies. However, absolutely nothing remarkable followed from this; it was just the usual replenishment of the databases.

Then, on September 9, another, now "real" DUQU file was sent to VirusTotal for scanning, again, it seems, from Hungary. Why this particular driver file should be considered a "more real" main module of DUQU than the previous Trojan will be explained in more detail in the next section, devoted to the multi-module structure of the program. Here it is only important to note that during the initial scan, none of the 43 antivirus engines participating in the VirusTotal project detected this file as malicious.

This is a very remarkable fact, showing how professionally and carefully the authors of DUQU do their spy work. As later study would show, it is precisely this main DUQU module whose code bears a clear and undeniable similarity to the Stuxnet code (the first Trojan file had nothing in common with it), yet the authors of the new program managed to alter the code to such a degree that it passed the test for [non-detection] by every more or less popular antivirus tool in the world...

Records of files accumulated in the VirusTotal databases indicate that the same driver module, but under a different name and under the brand of a different manufacturer, was once again submitted for scanning to VirusTotal on September 18. And again, apparently, from Hungary. And again, as was the case with the first driver, no malicious code was discovered until October 18, when Symantec’s official report was finally published. After which everyone’s eyes, as they say, suddenly opened.

The Symantec report itself seems to be a very remarkable document, clearly reflecting the rather “slippery” nature of both the antivirus business and information security activities in general in the difficult realities of our world.

On the one hand, the report clearly states that DUQU bears an obvious family resemblance to Stuxnet (according to analysts, the authors of both programs clearly used the same source code when creating and compiling them). On the other hand, the American company Symantec carefully avoids any mention of the fact that the most obvious author of Stuxnet is the US intelligence services. Moreover, the Symantec document was accompanied by an even more extensive analytical report obtained from another “foreign laboratory with strong international ties”, which, in fact, discovered both DUQU and its similarities to Stuxnet. However, the name and state affiliation of this remarkable laboratory “are not disclosed at its request.”

Finally, another “terrible secret” hidden in the Symantec report is the real name of the Taiwanese company, the digital signature of which confirms the authenticity of the DUQU driver file. It was this feature of the spyware that was, in fact, one of the main reasons why all 43 anti-virus tests did not identify the file as malicious. Exactly the same feature - authentic digital certificates stolen from their rightful owners - was also a proprietary feature for ensuring Stuxnet invisibility.

But this secret, however, was revealed very quickly when the Finnish antivirus company F-Secure, using the DUQU model it had, identified this Taiwanese company as C-Media Electronics Incorporation. The strange silence about this fact in the Symantec report is most likely explained by the fact that the certificate for C-Media was issued by the VeriSign certification service - and its owner is... Symantec. This certificate was valid until August 2012, but VeriSign revoked it immediately, as soon as Symantec began studying the malware.

received from colleagues.

As soon as there was a buzz in the press about the newly-minted “DUQU, son of Stuxnet”, and the mystery of its discoverer began to give rise to all sorts of irresponsible speculation, the authors of the original report nevertheless decided to come out of the shadows. A few days later, on October 21, a very short press release appeared on the website of CrySyS, the Hungarian “Cryptography and System Security Laboratory at the Budapest University of Technology and Economics” with official confirmation of their direct participation in history:

“Our laboratory participated in the detection of the DUQU malware as part of international cooperation. In the process of in-depth familiarization with the functionality of this program, we found that this threat is almost identical to Stuxnet. After careful analysis of the samples, we have prepared a detailed report on the DUQU program, which has received this name from us. We immediately provided the original report to the competent authorities... But we cannot disclose any additional information specifically about this case.”

In other words, the Hungarian researchers were resolutely unwilling to disclose on whose specific computers they had found samples of this spyware (based on the compilation dates of the code received from the Hungarians, Symantec concluded that attacks using this program had been carried out since at least December 2010, that is, just five months after the Stuxnet worm was discovered).

A similar scenario of silence about where infections were detected was repeated further, when antivirus companies began to announce that files with signs of DUQU had been found, in addition to two cases in Hungary, also in Austria, Great Britain, Indonesia, Iran, Sudan... Most likely, the list of countries continues to grow to this day. But, firstly, no one discloses exactly what the profile of the organizations and enterprises affected by DUQU is. And, secondly, even those who know something specific cannot discern any pattern. Apparently, the targets for introducing the spyware are chosen purely individually and according to some special principles, known only to those who plant this code in the machines.

And, what is most interesting, it is almost always possible to detect only the fact that the system has been infected by the main DUQU module, but the spy Trojan detected at the very beginning is nowhere else to be seen. In order to understand the probable meaning of what is happening, it’s time to consider how this DUQU works from the inside.

DUQU device and its features

Already at the very initial stage of identifying DUQU, which was accompanied by the publication of the names of various files related to this program in one way or another, quite serious confusion arose. Here is what it is connected with.

The modular structure of DUQU assumes the presence of at least three types of significantly different programs, practically unrelated to each other functionally. Firstly, there must certainly be a so-called installer file that delivers the main DUQU module to the victim machine (the main module itself has no such function, but, interestingly, nothing resembling an installer file has yet been identified on any of the machines infected with DUQU). Secondly, there is the main DUQU module itself, which in turn has a distinct composite design made of its own component modules (the Trojan functions they perform will be discussed below). And thirdly, there is the actual malicious program for spying and stealing information in an infected system. Different sources call it either an “advanced keylogger” or an “information stealer”, but the essence does not change. Notably, this module works completely independently of the two already mentioned, which ensured its inconspicuous introduction into the computer.

Whatever they say in Iran, Stuxnet was able to greatly slow down the development of this country’s nuclear program. What is DUQU training for now?

Everything that is said in the press and anti-virus research reports regarding the close relationship between DUQU and Stuxnet refers only to the main module (not involved in information theft). But at the same time, the very name DUQU, which the combined program received from the Hungarians, comes from the characteristic name of files like ~Dqx.tmp, where the keylogger module temporarily stores the data collected in the infected system. In other words, the characteristic DQ prefix in the names of detected files actually has almost nothing to do with the operation of the main DUQU module. We can say that the relationship between the main module and the keylogger is established based on the fact that both of them are detected on the same machine, and the main module is functionally capable of loading any other components into the machine from the network.

What is this main module? It usually contains three main components:

1. A driver that embeds its DLL into system processes;

2. An encrypted DLL file (with a PNF system extension), which also has an additional module and secretly works through the network with a remote command and control server;

3. Setup configuration file (also encrypted).

Like the previously studied Stuxnet, the main module of DUQU uses a very sophisticated and in many ways unique technology to hide its components in RAM, and not on the machine’s hard drive, in order to effectively evade detection by antivirus tools. Both programs, DUQU and Stuxnet, use a special kernel driver that decrypts the desired encrypted files and embeds them into already running processes. This kind of "injection" into working memory is actually a very effective way to avoid detection, because there are no disk accesses. Namely, it is the latter that antiviruses usually respond to.

In addition to these methods of achieving system invisibility, the first variants of the DUQU program examined were configured to run for 36 days, after which the main module automatically removes itself from the infected system. From the analysis of subsequent samples, it became clear that this period of operation is not strictly defined, so that in other cases self-destruction can occur earlier or later.

About a year ago, based on the results of an analysis of Stuxnet by Kaspersky Lab experts, it was concluded that the program actually consists of two different parts - a carrier platform and an independent separate module responsible for working with the PLC, i.e. programmable logic controllers for sabotage control of industrial processes.

In fact, Stuxnet in the form of code embodied something like a real-life combat missile, where there is a launch vehicle module (the worm itself) and its warhead (that is, the PLC module). Based on this design, it was then assumed that the part of Stuxnet responsible for spreading and infecting the system could be used again and again with a variety of “warheads.”

Now, observing what is happening around DUQU, we can conclude that approximately the same scenario is unfolding here. The only exception is that no “warhead” has yet been discovered on DUQU. The only thing that was sometimes possible to detect was only a relatively harmless spy-keylogger for preliminary “reconnaissance on the ground.” However, by its very nature, this program is capable of delivering any “warhead” to an infected system and launching it against any target.

Unlike Stuxnet, which indiscriminately infected a large number of machines while looking for a very specific system, DUQU has been observed by antivirus experts to selectively infect a very small number of very specific systems around the world. But for each of the systems, DUQU can use significantly different modules - with different names, different file lengths and different checksum values.

Another characteristic feature of DUQU is that the code here does not have the function of reproduction or self-distribution. In other words, a malicious program is not a computer worm or virus in the generally accepted sense of these terms. On the other hand, to this day it has not been possible to find an installer module (dropper) on any of the infected systems, that is, it remains unclear by what mechanisms the main DUQU module is introduced into the system. This means that it is unknown whether this installer is self-replicating and what security vulnerabilities it exploits. At the moment, this is considered to be the main missing link in the whole puzzle. Because it is the file that is believed to be the key to successfully solving the DUQU riddle and finding an effective antidote.

The already known (very dismal) results of the general fight against threats like Stuxnet, which are actually capable of disabling industrial enterprises and critical infrastructures, involuntarily suggest that with countering threats like DUQU, approximately the same thing will ultimately happen.

To more clearly and clearly illustrate what the protection of industrial control computer systems has now come down to, we can quote a recent blog entry by Ralph Langner, a now widely known specialist in this field, who at one time was the first to understand the “warhead stuffing” of Stuxnet.

In late September, Langner had the opportunity to take part in the WeissCon industrial conference, where a certain Marty Edwards, the current head of ICS-CERT, the US government structure responsible for computer security of industrial control systems, spoke. The essence of this official's remarkable report was to present their department's new approach to how vulnerabilities should now be viewed: by excluding everything that does not look like a bug (a software defect) that can be fixed by the product vendor.

In other words, Langner explains, from now on you simply will not see any recommendations or warnings from ICS-CERT regarding the “features” of programs that can potentially be used for attacks.

This approach, according to the expert, in the most radical way - by about 90% - reduces the number of vulnerabilities, since the vast majority of the so-called security “moments” that the industry faces are not programming bugs, but design defects of the system.

Before the Stuxnet storm hit, the official name for a vulnerability was: “A defect or weakness in a system's design, implementation, operation, or management that could be exploited to violate the system's security policy.” Well, now, Langner sneers, life has become much safer for all of us, because many problems suddenly just up and disappeared. There are only programming bugs left. And if until recently the security of industrial control systems was a very difficult matter, now everything has become easy and simple. At least for the ICS-CERT organization. Well, for the rest, Langner concludes bitterly, things didn’t get better, because in the end it didn’t matter at all - they attacked your system through a “bug” or “feature.” The consequences will remain unpleasant and sometimes catastrophic.

Returning to DUQU, it must be emphasized that analysts from antivirus companies who published details about this program were most struck by the further behavior of its unknown creators. After such wide publicity, it would seem that they should have quietly disappeared from view or at least hidden for a while. But nothing of the kind happened. The very next day after publication, more and more new DUQU modules with completely new compilation dates and many completely new external features began to be detected.

In other words, the spies clearly demonstrated that they intend to continue doing this work, no matter what the computer security structures do.

Almost like in the days of Wild Bill and J. Edgar Hoover.

Description

On July 9, 2010, specialists from the Belarusian anti-virus company VirusBlokada discovered malicious software (malware) in Iran, which was named Stuxnet. Antivirus companies do not have a consensus on exactly when Stuxnet appeared; according to some sources, it was spreading as early as January 2009. Distinctive features:

  • Stuxnet contains several modules written using several development environments and programming languages;
  • to bypass anti-virus protection mechanisms, some malware modules (drivers) had a digital signature made using certificates from Realtek and JMicron (presumably stolen);
  • several distribution methods - via USB flash drives and over the network. The 2009 version used the widely known launch method via autorun.inf (which, as a rule, is disabled for security reasons); in the 2010 version it was replaced by a more effective one using the shortcut-processing vulnerability MS10-046 (a zero-day at that time). For distribution over the network, the vulnerabilities MS08-067 (previously used in 2009 by the Kido malware, which led to massive infections) and MS10-061 (a zero-day at that time) were used;
  • to ensure operation, privileges were elevated to the level of system administrator using two local vulnerabilities (zero-days at that time), MS10-073 (Windows 2000 and XP) and MS10-092 (Windows Vista, including the x64 version), so that the malware could launch normally even from limited accounts;
  • Stuxnet organizes its own peer-to-peer (P2P) network to synchronize and update its copies;
  • there is functionality that allows you to send information found on the computer to remote control servers;
  • the unusual payload is a disruption of the normal operation of Siemens' SIMATIC automation system, which is commonly used in various industrial process control systems.

Impact on Siemens SIMATIC system

An information security specialist from Germany, Ralf Langner, published an analysis of Stuxnet's actions regarding SIMATIC on his own website in September 2010.

SIMATIC WinCC (Windows Control Center) is software for creating a human-machine interface, part of the SIMATIC family of automation systems. It runs under operating systems of the Microsoft Windows NT family and uses the Microsoft SQL Server 2000 database (starting from version 6.0). WinCC interfaces with STEP 7.

SIMATIC STEP 7 – software for the development of automation systems based on programmable logic controllers (PLC) SIMATIC S7-300/S7-400/M7/C7 and WinAC.

If Stuxnet determines that it is running on an engineering station, it replaces the part of STEP 7 responsible for loading code into the PLC. The moment the engineer connects to the controller, if Stuxnet recognizes a suitable hardware configuration, it modifies the code sent to the PLC. Researchers found that the attackers were interested in 6ES7-417 and 6ES7-315-2 controllers, as well as industrial networks of the Profibus-DP standard. When the modified STEP 7 is used to read the modified program blocks back from the PLC, it displays them in their original form (a rootkit component that hides the fact of modification).

Stuxnet identifies the target system by checking data block DB 890. This occurs periodically every five seconds in the WinCC environment.

If the condition is met, Stuxnet modifies the OB 35 module during transmission from the Simatic Manager to the PLC. Module OB 35 is called into the PLC every 100 ms by timer, where the Stuxnet interceptor checks the return code of function FC 1874. If the return code from FC 1874 is DEADF007, the original contents of OB 35 are not executed.

Stuxnet code in the PLC allows:

  • listen to the Profibus-DP network (via which PLCs communicate) and generate its own packets, and the data for these packets can be updated from the engineering station;
  • read the PLC inputs and control its outputs; sensors and actuators are connected to them, respectively, so for a targeted action one needs to know specifically which sensors and actuators are connected to which inputs and outputs;
  • synchronize its copies among infected PLCs via the Profibus-DP network (PLCs cannot infect each other, since the executable code of the controllers cannot be rewritten on the fly, only data; this is a limitation of Siemens controllers).

Stuxnet also tries to connect to the WinCC database using the “default password”.

Siemens confirms that the virus targets a specific technological configuration. In total, the company reported 15 cases at customer sites, mostly in Germany. In not a single case did Stuxnet penetrate the PLC, because the parameters did not match; accordingly, the operation of the equipment was not affected, and in all cases Stuxnet was neutralized.

Conclusions

These facts allow us to draw the following conclusions:

  • Stuxnet is a carefully designed malware that was developed by a group of specialists in various fields;
  • no facts of distribution via the Internet have been identified, only via USB-Flash and via the network - these signs are typical for implementation in a closed system that does not have a direct connection to public networks;
  • the functionality for disrupting the normal operation of the Siemens WinCC industrial process control system (a computer sabotage tool) implies that the Stuxnet developers had a hardware and software test system identical to the one on which the attack was planned. In addition, they were focused on a specific target (using data from recruited personnel within the organization);
  • development on this scale requires significant funding: payment for a group of programmers, organizing the theft of digital certificates, purchasing or developing 4 zero-day vulnerabilities, and access to a deployed Siemens WinCC system.

All these indirect signs may indicate the involvement of law enforcement agencies or intelligence services of some state in the development of Stuxnet. The main function of the malware - distribution and autonomous operation in a closed system with subsequent sabotage of the production process control system - is not typical of “traditional” cybercriminals, who usually pursue the goal of “monetizing” their activity (the ultimate goal is money) and, as a rule, use malware developed by single programmers. It is for these reasons that Stuxnet is called a cyber weapon.

Versions

Experts believe that Stuxnet could have been developed for use against the Bushehr nuclear power plant in Iran. Israel and the United States could be potential developers. The version is based on the following facts:

  • Iran is one of the regions most affected by Stuxnet. Judging by the dynamics of infection data, around May-June 2010, Iran was the leader in the number of infections;
  • The Bushehr Nuclear Power Plant (NPP) is one of the most important military targets in Iran;
  • Nuclear power plants began to be built back in the 1970s. Siemens took part in the construction. In 1979, Siemens stopped working in this country (due to the revolution). Siemens subsequently returned to Iran and it was one of its largest markets. In January 2010, Siemens again announced the termination of cooperation with Iran. However, in the summer it was caught supplying components to Bushehr. Whether Siemens software is used at the nuclear power plant to control processes is officially unknown. In one of the computer screenshots posted on the Internet, allegedly taken inside a nuclear power plant, you can see the Siemens WinCC control system;
  • participation in the construction of nuclear power plants by the Russian company Atomstroyexport, which has projects in India, as well as the traditional neglect of information security issues by Russian companies, which could lead to the spread of Stuxnet in India;
  • Israel is one of the countries most interested in disrupting the functioning of the Bushehr nuclear power plant. Iran is suspected of planning to produce at this station, under the guise of nuclear fuel, material for its own nuclear weapons, which most likely could be used against Israel;
  • Israel is among the countries with highly trained information technology specialists capable of using them for both attacks and espionage.

Another version of the target of the attack is the uranium enrichment plant in Natanz (Iran). This version is indirectly confirmed by the following facts:

  • the uranium enrichment facility at Natanz, a heavily fortified facility hidden deep underground, poses much greater risks in terms of nuclear weapons production than the Bushehr nuclear power plant, according to experts;
  • in July 2009, a source connected to Iran's nuclear program confidentially reported a serious nuclear accident that had occurred shortly before at Natanz. Later, according to Iranian media reports and the British BBC, Gholamreza Aghazadeh, head of the Iranian Atomic Energy Organization (IAEO), resigned. At the same time, according to official data provided by the IAEO to regulatory agencies, the number of functioning centrifuges at Natanz dropped significantly (by several thousand), which could be a consequence of the impact of Stuxnet.

Afterword

In the USA in June 2012, a book was published entitled “Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power”, according to which Stuxnet was developed in the USA with the participation of Israeli specialists, precisely with the goal of neutralizing Iran’s nuclear program. The author, New York Times journalist David Sanger, claims that Stuxnet was developed during the presidency of George W. Bush. At first it was a program for distributing spyware, thanks to which it was possible to gain insight into the equipment of the Iranian uranium enrichment center in Natanz. After this, functionality was developed that affected the software controlling the uranium enrichment centrifuges.

Just last year, David Sanger and two of his colleagues published an article in the New York Times claiming that Stuxnet was indeed the work of American and Israeli intelligence agencies and that they were testing it at the secret Israeli Dimona center in the Negev Desert. Officially, Israel refuses to admit that it has its own nuclear program, but the authors of the article refer to certain knowledgeable experts in the intelligence and military fields who confirm that there are centrifuges in Dimona that are almost identical to those in Natanz. Stuxnet's ability to disable them was tested, among other things, on them.

According to The Wall Street Journal, the FBI is investigating an information leak that revealed the government's involvement in cyberattacks on Iran's nuclear facilities.

Many experts are skeptical about this information. They consider it another “stuffing” of information on the eve of the US presidential elections.

Detailed sources of information about Stuxnet:

Symantec Analytical Report

I am a professional programmer and a physicist by training, so everything stated in this article is not speculation, I can do it all myself, with my own hands. And I have much more information on the topic than I can present on this non-core information platform for me.
So if you object on the forum, think about who you are objecting to.
This is not “from the pass”, where I look like an amateur, I am a professional in this topic, so listen with respect.


Let's start from a hundred years ago

In 1905, when a military column was passing across the “Egyptian” bridge in St. Petersburg, it collapsed due to a strong “swing,” as they called it then. Now we would say because of resonance.

The main version is that the bridge structure could not withstand too rhythmic vibrations from the coordinated step of the military, which is why a resonance occurred in it. This version was included in the school physics curriculum as a clear example of resonance.

In addition, a new military command to “go out of step” was introduced; it is given to a combat column before entering any bridge.

History is also instructive in the sense that when faced with an unknown phenomenon, the military quickly figured it out and took adequate measures to prevent it in the future.

We would like such thoughtfulness and efficiency now.

Accident at the Sayano-Shushenskaya hydroelectric power station

In modern Russia, a hundred years later, a similar catastrophe occurred. As a result of the accident of power unit No. 2 of the Sayano-Shushenskaya hydroelectric power station on August 17, 2009, the turbine hall was destroyed and the operation of the hydroelectric power station was completely stopped; the accident claimed 75 human lives (not a single person died on the bridge).

Officially, the cause of the accident in the act of the commission to investigate the circumstances of the accident is formulated as follows:

Due to the repeated occurrence of additional variable loads on the hydraulic unit associated with transitions through the non-recommended zone, fatigue damage to the hydraulic unit attachment points, including the turbine cover, formed and developed. The destruction of the studs caused by dynamic loads led to the tearing of the turbine cover and depressurization of the water supply path of the hydraulic unit.

If translated into understandable language, the power unit (a hydraulic turbine connected to an electric generator) collapsed due to prolonged operation in load areas where resonances of the electromechanical system are present.

A hundred years ago, experts figured out the situation and drew conclusions that everyone still follows; the command to “upset the step” will never be canceled by anyone.

But at the present time, the reasons have not been figured out and no conclusions have been drawn.

The area of resonances in the document is vaguely called the “not recommended zone”. The officials did not even have the courage to call everything by their proper names, let alone draw conclusions. Meanwhile, events developed further.

Stuxnet virus

Stuxnet was the first computer virus to harm physical objects. Because of it, many centrifuges at Iranian nuclear facilities failed in 2010. A cyber attack on Iran's uranium enrichment plant at Natanz delayed the development of Iran's nuclear program for several years.

Military analysts acknowledge that Stuxnet has become a new milestone in the development of cyber weapons. It has moved from virtual space into reality, since an attack of such a virus affects not informational but physical, real-life objects.

The destruction of the centrifuges by the Stuxnet virus was carried out by driving the electromechanical structure of the centrifuge into resonance. In simple terms: a gas centrifuge has a rapidly rotating shaft (20-50 thousand revolutions per minute), which is rotated by an electric motor. The electric motor is controlled by a controller; if this controller is reprogrammed so that it periodically changes the rotation speed of the centrifuge shaft (professionals call this a “frequency beat”), then at certain “beat” frequencies the system will go into resonance and the bearings of the shaft axis and the centrifuge housing itself will collapse.

Moreover, this will look like a normal breakdown not related to the operation of the electronics and programs of the electric motor control controller. First, the vibration will increase, then the nuts securing the housing parts begin to unscrew, then the bearings break and the system eventually jams and loses its tightness.

The Stuxnet virus, when it entered the facility, did just that, reprogramming the Simatic S7 electric motor control controller in such a way that it outputs voltage with a beat frequency that is a multiple of the resonant frequencies of the rotating centrifuge shaft.

The process of increasing the resonance amplitude can last for hours, if not days, so for the maintenance personnel it looked like a design defect in the centrifuge itself.
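As an added example written from the operator's side (not code from the original article), the Python below does two things: it flags a constructed drive-frequency setpoint log whose slow periodic modulation exceeds an assumed tolerance, which is the kind of “beat” a legitimate controller has no reason to command, and it simulates a lightly damped oscillator to show why the amplitude only builds up when the drive matches the natural frequency and why that build-up is gradual. The nominal frequency, sample interval, threshold and oscillator parameters are all assumptions chosen for illustration.

```python
"""Two checks for the "frequency beat" mechanism described above.

Added example, not code from the original article. All telemetry is
constructed; the nominal drive frequency, sample interval, detection
threshold and oscillator parameters are assumptions chosen for illustration.
"""
import math
from typing import List, Tuple


def constructed_setpoints(n: int, dt: float, nominal_hz: float,
                          beat_hz: float = 0.0, depth_hz: float = 0.0) -> List[float]:
    """Constructed drive-frequency setpoint log: a constant nominal frequency
    plus an optional slow sinusoidal modulation ("beat") of amplitude depth_hz."""
    return [nominal_hz + depth_hz * math.sin(2 * math.pi * beat_hz * k * dt)
            for k in range(n)]


def dominant_modulation(samples: List[float], dt: float) -> Tuple[float, float]:
    """Frequency (Hz) and amplitude of the strongest oscillation in the samples
    after removing their mean. A plain O(n^2) DFT keeps the example free of
    third-party libraries; n is only a few hundred samples here."""
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    best_k, best_mag = 0, 0.0
    for k in range(1, n // 2):
        re = sum(x[i] * math.cos(2 * math.pi * k * i / n) for i in range(n))
        im = sum(x[i] * math.sin(2 * math.pi * k * i / n) for i in range(n))
        mag = math.hypot(re, im)
        if mag > best_mag:
            best_k, best_mag = k, mag
    # bin k corresponds to k / (n * dt) Hz; 2*|X_k|/n is the sinusoid's amplitude
    return best_k / (n * dt), 2.0 * best_mag / n


def setpoint_is_beating(samples: List[float], dt: float,
                        max_depth_hz: float = 0.5) -> Tuple[bool, float, float]:
    """Flag a setpoint log whose periodic modulation exceeds max_depth_hz
    (assumed tolerance). Returns (flagged, modulation_hz, depth_hz)."""
    freq, depth = dominant_modulation(samples, dt)
    return depth > max_depth_hz, freq, depth


def resonance_peak(f_drive: float, f0: float, zeta: float,
                   duration: float, dt: float = 1e-3) -> float:
    """Peak displacement of a damped oscillator (natural frequency f0, damping
    ratio zeta) driven sinusoidally at f_drive, starting from rest. Forcing is
    scaled so the static deflection is 1, so the steady-state peak at resonance
    approaches 1/(2*zeta), reached only after roughly 1/(zeta*w0) seconds.
    Semi-implicit Euler integration."""
    w0, wd = 2 * math.pi * f0, 2 * math.pi * f_drive
    x = v = peak = 0.0
    for i in range(int(duration / dt)):
        t = i * dt
        a = w0 * w0 * math.sin(wd * t) - 2 * zeta * w0 * v - w0 * w0 * x
        v += a * dt
        x += v * dt
        peak = max(peak, abs(x))
    return peak


if __name__ == "__main__":
    DT = 1.0          # assumed: one setpoint sample per second
    NOMINAL = 1000.0  # assumed nominal drive frequency in Hz (constructed value)
    benign = constructed_setpoints(600, DT, NOMINAL, beat_hz=0.02, depth_hz=0.05)
    hostile = constructed_setpoints(600, DT, NOMINAL, beat_hz=0.01, depth_hz=5.0)
    for name, log in (("benign", benign), ("modulated", hostile)):
        print(name, setpoint_is_beating(log, DT))
    # Same forcing amplitude, different drive frequency: growth only near f0.
    print("at resonance  :", round(resonance_peak(1.0, 1.0, 0.01, 60.0), 1))
    print("off resonance :", round(resonance_peak(1.3, 1.0, 0.01, 60.0), 1))
```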

The Iranians never realized that their centrifuges were being destroyed by a virus until programmers from Belarus discovered the virus itself and figured out its functional load. Only after this did the Stuxnet virus gain worldwide fame and Iran admitted that its nuclear facility had been deliberately attacked for at least a year by this very cyber weapon.

What happened at the Sayano-Shushenskaya hydroelectric power station

The accident at the second hydraulic unit of the Sayano-Shushenskaya hydroelectric power station occurred due to resonance, as it happened at the beginning of the twentieth century in St. Petersburg, as it happened a year later in Iran. Moreover, it can be argued that the equipment was deliberately introduced into resonance, using methods implemented in the Stuxnet virus.

The fact is that at the time of the accident the unit was controlled automatically. Manual control for constant power delivery was disabled and the unit operated in load ripple compensation mode for the power systems of Western Siberia.

When commissioning equipment, resonant frequencies are checked and the acceptance certificates indicate the modes in which operation of the equipment is prohibited.

In March 2009, Ukrainian specialists took these most important parameters from the second unit (during a scheduled repair). It is unknown where and into what hands this data fell, but one can guess.

Having this data, it is not at all difficult to pump up the unit system through the GRARM control microcontroller so that it gradually, over a few hours, drives the turbine unit with the electric generator on the same shaft into the resonance zone.

After that, the studs on the housing that held the turbine cover began to loosen due to vibrations, which was the immediate cause of the disaster.

The operation of the turbine and generator is automatically controlled by a special system called the group control system for active and reactive power (GRARM).

The electronic part of the GRARM control cabinet is made on the basis of a PC-compatible microcomputer from Fastwell

This system was activated at the time of the accident on the second unit. The system was installed and put into operation in early 2009, shortly before the accident. This system was developed and installed by PromAvtomatika based on imported equipment.

Naturally, they didn’t think about any Information Security at that time; this system had direct access to the Internet, the resonant frequencies of the unit were known.

I think there is no need to explain further, what happened happened...
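As an added illustration (this is not code from the article, and it is not the GRARM software or anything from its vendors), the Python below models one vibration mode of a rotating unit and the two things an engineer would want between a network-reachable governor and the actuator: a detector that flags a slow, monotone creep of the commanded frequency toward a certificate's prohibited band before the band is reached, and an independent interlock that refuses any command inside a prohibited band and holds the last accepted value. The natural frequency, damping ratio, prohibited band and the governor command log are all constructed assumptions; no real unit's frequencies or controller interface appear on this page and none are used.

```python
"""Added example, not code from the article: a one-mode vibration model of a
rotating unit plus an independent setpoint interlock and a drift detector.

Every number below (natural frequency, damping ratio, prohibited band, log
lines) is a constructed assumption for illustration, not data from
Sayano-Shushenskaya or any real unit or controller."""
import math
import re

F_NAT_HZ = 1.5   # assumed natural frequency of one shaft mode, Hz
ZETA = 0.002     # assumed damping ratio (light structural damping)

# Assumed "acceptance certificate": commanded-frequency bands in which
# continuous operation is prohibited.
PROHIBITED_BANDS_HZ = [(1.40, 1.60)]

# Constructed governor command log: elapsed minutes and commanded frequency.
# Note the slow climb toward the band, the pattern the text describes.
SAMPLE_LOG = """\
t_min=0   unit=2 cmd_hz=1.200
t_min=30  unit=2 cmd_hz=1.300
t_min=60  unit=2 cmd_hz=1.370
t_min=90  unit=2 cmd_hz=1.420
t_min=120 unit=2 cmd_hz=1.470
t_min=150 unit=2 cmd_hz=1.500
"""

LOG_RE = re.compile(r"t_min=(\d+)\s+unit=(\d+)\s+cmd_hz=(\d+(?:\.\d+)?)$")


def steady_state_gain(f_drive_hz, f_nat_hz=F_NAT_HZ, zeta=ZETA):
    """Amplitude magnification of a damped oscillator driven at f_drive_hz.
    With r = f/f_n it is 1/sqrt((1-r^2)^2 + (2*zeta*r)^2); at r = 1 this
    equals 1/(2*zeta), i.e. 250x for zeta = 0.002."""
    r = f_drive_hz / f_nat_hz
    return 1.0 / math.sqrt((1.0 - r * r) ** 2 + (2.0 * zeta * r) ** 2)


def in_prohibited_band(f_hz, bands=PROHIBITED_BANDS_HZ):
    """True if f_hz lies inside any certificate band (inclusive edges)."""
    return any(lo <= f_hz <= hi for lo, hi in bands)


def parse_log(text):
    """Return [(t_min, unit, cmd_hz), ...] for well-formed lines, skipping others."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), float(m.group(3))))
    return rows


def find_violations(text, bands=PROHIBITED_BANDS_HZ):
    """Commands that land inside a prohibited band, with the magnification
    the plant model predicts for each (rounded to one decimal)."""
    return [(t, f, round(steady_state_gain(f), 1))
            for t, _unit, f in parse_log(text) if in_prohibited_band(f, bands)]


def detect_creep(text, bands=PROHIBITED_BANDS_HZ, window=2):
    """Flag a monotone approach to the nearest band edge over `window`
    consecutive steps while still outside the band: the slow ramp the text
    describes, caught before resonance is reached."""
    rows = parse_log(text)

    def dist(f):
        return min(min(abs(f - lo), abs(f - hi)) for lo, hi in bands)

    alerts = []
    for i in range(window, len(rows)):
        d = [dist(rows[j][2]) for j in range(i - window, i + 1)]
        closing_in = all(a > b for a, b in zip(d, d[1:]))
        if closing_in and not in_prohibited_band(rows[i][2], bands):
            alerts.append(rows[i][0])
    return alerts


def interlock(cmd_hz, last_accepted_hz, bands=PROHIBITED_BANDS_HZ):
    """Independent check between the governor and the actuator, so it holds
    even if the governor itself is compromised: refuse any command inside a
    prohibited band and hold the last accepted value."""
    if in_prohibited_band(cmd_hz, bands):
        return last_accepted_hz, False
    return cmd_hz, True


def replay(text, bands=PROHIBITED_BANDS_HZ, start_hz=1.0):
    """Run a command log through the interlock; return the final accepted
    command and the list of (t_min, cmd_hz) that were refused."""
    accepted, refused = start_hz, []
    for t, _unit, f in parse_log(text):
        accepted, ok = interlock(f, accepted, bands)
        if not ok:
            refused.append((t, f))
    return accepted, refused


if __name__ == "__main__":
    print("gain at resonance:", round(steady_state_gain(F_NAT_HZ), 1))
    print("creep alerts (t_min):", detect_creep(SAMPLE_LOG))
    print("band violations:", find_violations(SAMPLE_LOG))
    print("after interlock:", replay(SAMPLE_LOG))
```

The point of the design is placement: the band check lives in a separate device with its own copy of the certificate limits, not in the same PC-compatible controller that is reachable from the network, so a compromised governor cannot simply rewrite the limits along with the setpoint. The creep detector is the monitoring side of the same idea; on the constructed log it raises its alert at t=60 min, before the first in-band command at t=90 min.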

Colleagues from Israel and the United States successfully tested cyber weapons against infrastructure facilities in practice, after which, naturally, a dedicated branch of the armed forces had to be created to use them, which the United States did in that same year, 2009, by establishing Cyber Command with a staff of 10,000.

Cyber weapons

In the third millennium computer viruses also became weapons and were named "cyberweapons"; moreover, in many countries these weapons have been separated into a distinct branch of the armed forces, which, thanks to the Americans, is generally called "Cyber Command".

The commander of these forces received a downright fantastic title: believe it or not, in the USA he is called the "Cyber Tsar", and it is the Russian word that is used in the American commander's title.

This weapon has already been used in the undeclared war of the United States and Israel against Iran. Most likely it was also used in Russia, at the Sayano-Shushenskaya hydroelectric power station, and there is a trace of it in the accident on the Indian project to lease nuclear submarines.

The same St. Petersburg company appears there again: it was the developer of the fire-extinguishing equipment whose spontaneous activation killed people during sea trials... but that is a separate topic.
