If you haven’t heard about the Stuxnet worm by now you probably soon will. The analysis of this recently identified ‘weaponised’ worm is the opening chapter of a fascinating John le Carré novel for the 21st century with political, diplomatic and practical implications for all concerned.
A little background:
One of the most sophisticated pieces of malware ever detected was probably targeting “high value” infrastructure in Iran, experts have told the BBC.Stuxnet’s complexity suggests it could only have been written by a “nation state”, some researchers have claimed. It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.
It was first detected in June and has been intensely studied ever since.
Jonathan Fildes – Stuxnet worm ‘targeted high-value Iranian assets’ BBC 23 Sep 10
Unfortunately there is no specific forensic evidence that Iran was the target, although it seems the epicentre of infection. And clearly this is not the work of some hacker ‘sitting in the basement of his parents house:’
Since reverse engineering chunks of Stuxnet’s massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.Bruce Schneier – The Stuxnet Worm Schneier on Security 22 Sep 10
Holy Thumbdrive, Caped Crusader!
It’s tempting to go into details, the four, count ’em four, zero-day vulnerabilities which were discovered in every Windows operating system released since 2000 and exploited, the two digital certificates heisted from reputable hardware and software manufacturers and used to conceal the worm. Impressive stuff. One zero-day vulnerability would insure a hacker’s reputation for life. However the more interesting aspects of this ‘military grade’ malware concern its actual source and target:
The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.“It’s amazing, really, the resources that went into this worm,” said Liam O Murchu, manager of operations with Symantec’s security response team.
“I’d call it groundbreaking,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google’s network and those of dozens of other major companies, were child’s play.
Gregg Keizer – Is Stuxnet the ‘best’ malware ever? Computerworld 16 Sep 10
OK, a state actor, but whom? And given the distribution of this infection, who was the likely target? Perhaps that provides a clue, the only problem being there are fourteen-thousand to choose from:
We’ve been analyzing W32.Stuxnet, which is a threat that uses a legitimate digital certificate from a major third party and takes advantage of a previously unknown bug in Windows; ultimately, it searches for SCADA systems and design documents. The findings of our analysis are being documented in a series of blog articles.Stuxnet contacts two remote servers for command and control, and until last week those domains were pointing to a server hosted in Malaysia. Once we identified those domains, we redirected traffic away from the C&C servers thereby preventing them from controlling the infected machines and retrieving stolen information.
Within the past 72 hours we’ve seen close to 14,000 unique IP addresses infected with W32.Stuxnet attempt to contact the C&C server. Here is a breakdown per country of the approximately 14,000 IP addresses obtained during the past 72 hours.
Vikram Thakur – W32.Stuxnet – Network Information Symantec 22 Jul 10
Oops. Pretty broad brush for a ‘precision, military-grade cyber missile’ but never mind, it really doesn’t do anything specifically nasty until it finds the right host. Whatever the target, however, if it was a competent cyberwarfare source one can only assume that it was applied long before it lit up the Web. Conventional wisdom tends to think its intended target was the Bushehr reactor in Iran, on some pretty thin causality:
It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange — they are presently having some technical difficulties down there in Bushehr.Ralph Langer – Stuxnet is a directed attack — ‘hack of the century’ Langer2Business 13 Sep 10
Hmmm… That was enough to set off the BBC on the subject. But timing is everything. And the Russians seem capable of keeping Bushehr off the grid with good ol’ fashioned ‘five-year plan’ mismanagement as long as they want. And yet, the possibilities are tantalising:
…there is another theory that fits the available date much better: Stuxnet may have been targeted at the centrifuges at the uranium enrichment plant in Natanz. The chain of published indications supporting the theory starts with Stuxnet itself. According to people working on the Stuxnet analysis, it was meant to stop spreading in January 2009. Given the multi-stage nature of Stuxnet, the attacker must have assumed that it has reached its target by then, ready to strike.
On July 17, 2009 WikiLeaks posted a cryptic notice:
Two weeks ago, a source associated with Iran’s nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iran’s nuclear enrichment program. WikiLeaks had reason to believe the source was credible however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.A cross-check with the official Iran Students News Agency archives confirmed the resignation of the head of Iran’s Atomic Energy Organization.
According to official IAEA data, the number of actually operating centrifuges in Natanz shrank around the time of the accident Wikileaks wrote about was reduced substantially .
Von Frank Rieger – Stuxnet: Targeting the Iranian enrichment centrifuges in Natanz? 23 Sep 10
Wow. Big line-up of potential suspects for that target but the US and Israel would have to be favourites. One assumes Siemens isn’t too impressed in any case, nor India or the Indonesians either. But it makes a certain amount of sense. Symantec reckons the ‘military grade’ version of Stuxnet didn’t appear until January of this year but they are just looking at the timestamps of digital certificates which may have come from other sources. Hard to say, but make no mistake, we have entered unbidden into the Fifth Domain of Warfare.
103 comments