Stuxnet: who is doing what to whom; and what are the implications?
Stuxnet is hardly breaking news; but at least we’ve now had time to consider what it is. And that’s what I’d like to discuss: both ‘what is Stuxnet?’, and also ‘what are the implications of Stuxnet?’ Rodney Joffe, Senior VP & Senior Technologist at Neustar, tried to help me understand; but I have to admit it’s not easy. In fact, it’s almost easier to describe what Stuxnet is not, rather than what it is. It is not your average malware. It’s not a typical trojan stealing your bank details or crashing your Windows. Rather, it is a very advanced and highly targeted… well, what? It’s hard not to say ‘weapon’. And if that’s right, and Stuxnet is a cyberweapon, then we are talking cyberwar; we are talking about that thing that the alarmists have been predicting and others have been downplaying. And we would then have to ask ourselves: is this just the beginning?
I am not going to attempt a technical analysis of Stuxnet. Firstly, I couldn’t; and secondly, Symantec has already done an excellent job here. Instead I’m going to pick out some of the interesting features of Stuxnet and ask one simple question: what does it all mean?
A targeted attack?
According to Symantec, nearly 60% of all known Stuxnet infections are in Iran. “Stuxnet has disproportionately affected Iranian Windows computers,” says Joffe. “What normally happens with malware is that it generally spreads around the well-populated countries with open internet connectivity. The last place you would expect to find it is in a place like Iran where there is censorship and very restricted internet access. But in this case Iran had a number of infections that were an order of magnitude greater than the next most infected country.” So we have to ask ourselves, is Iran specifically targeted by Stuxnet?
“Stuxnet is a piece of malware that affects Windows computers,” Joffe told me. “But when it infects a computer it looks for an application that is provided by Siemens called S7. This is used exclusively and specifically to program and manage Siemens’ PLCs that are found typically in industrial control systems; and Siemens makes a whole range of industrial controllers. If S7 is not installed, Stuxnet does nothing. If S7 is installed, Stuxnet hides itself within Windows and waits until a connection is made to the Siemens PLC. When that connection is made, Stuxnet looks to see which model is involved. Only if it is one of two CPU models, one of just two versions, will it execute its mission. Its mission is unusual. It installs a rootkit designed specifically for the PLC. It is not a Windows rootkit. It intercepts calls and returns data values ahead of the PLC itself – it communicates with the control system down the line. It also seems to modify about 10 or 15 of the 120 or so instructions or processes that the Siemens PLC actually does.” That sounds targeted to me; but it doesn’t explain why Iran is the hotspot.
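The point in Joffe’s description that matters most to anyone running a plant is the last one: a rootkit that answers reads on the PLC’s behalf means the engineering station is no longer looking at the controller, it is looking at whatever the rootkit chooses to show. The toy model below is an added illustration written for this article, not code from the piece, from Symantec’s analysis or from Stuxnet itself. It puts a spoofing layer between a monitoring station and a simulated controller, then shows two defender-side checks that expose it: a cross-check against an independent reading (assumed here to come from a sensor that does not pass through the PLC interface) and a ‘frozen readings’ heuristic that flags values which never move across successive polls. Register names, values and the tolerance are all constructed for the demonstration.

```python
"""Added illustration (not the article's, Symantec's or Stuxnet's code):
why a layer that answers PLC reads "ahead of the PLC" defeats monitoring
that rides the same channel, and how an out-of-band reading exposes it.
Every register name and value below is constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Plc:
    """A toy controller: a handful of named registers holding process values."""
    registers: dict = field(default_factory=dict)

    def read(self, name):
        return self.registers[name]

    def write(self, name, value):
        self.registers[name] = value


class SpoofingLayer:
    """Sits between the engineering station and the PLC, the position the
    article's PLC rootkit occupies. Reads of 'protected' registers never
    reach the controller; the value recorded before tampering is returned
    instead. Writes pass straight through, so the real process still moves."""

    def __init__(self, plc, protected):
        self.plc = plc
        self.protected = protected
        self.snapshot = {name: plc.read(name) for name in protected}

    def read(self, name):
        if name in self.protected:
            return self.snapshot[name]   # answered without consulting the PLC
        return self.plc.read(name)

    def write(self, name, value):
        self.plc.write(name, value)


def cross_check(station_view, independent_view, tolerance):
    """Compare what the station sees with an independent reading (assumed to
    come from a sensor that bypasses the PLC interface). Returns the names of
    registers whose values disagree by more than `tolerance`."""
    return sorted(
        name for name in station_view
        if abs(station_view[name] - independent_view[name]) > tolerance
    )


def frozen_readings(history, min_samples=5):
    """Flag registers whose reported value has not changed across the last
    `min_samples` polls. A live process value that never moves is suspicious
    on its own, even with no independent sensor to compare against."""
    flagged = []
    for name, samples in history.items():
        recent = samples[-min_samples:]
        if len(recent) >= min_samples and len(set(recent)) == 1:
            flagged.append(name)
    return sorted(flagged)


def run_scenario():
    # Constructed process: a pump speed (rpm), a valve position (%) and a
    # temperature (C). The first two are the ones the hidden layer lies about.
    plc = Plc({"pump_speed": 1500.0, "valve_pos": 55.0, "temp_c": 41.5})
    layer = SpoofingLayer(plc, protected={"pump_speed", "valve_pos"})

    history = {name: [] for name in plc.registers}
    for step in range(6):
        # The layer drives the real setpoints away from normal while the
        # station keeps seeing the snapshot taken before tampering began.
        layer.write("pump_speed", 1500.0 + 100.0 * step)
        layer.write("valve_pos", 55.0 - 5.0 * step)
        plc.write("temp_c", 41.5 + 0.5 * step)   # an untouched value drifts normally
        for name in history:
            history[name].append(layer.read(name))

    station_view = {name: layer.read(name) for name in plc.registers}
    independent_view = dict(plc.registers)   # stands in for the out-of-band sensor
    return {
        "station_view": station_view,
        "independent_view": independent_view,
        "mismatch": cross_check(station_view, independent_view, tolerance=5.0),
        "frozen": frozen_readings(history),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The station view reports the pump at 1500 rpm and the valve at 55% for the whole run while the controller is actually at 2000 rpm and 30%; only the untouched temperature agrees. Both checks name the same two registers, which is the practical lesson: monitoring that shares a channel with the thing being monitored needs a second, independent source of truth.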
He then described one of the primary methods of propagation: by memory sticks that are manually connected to the ‘target’ computers; and, what’s more, carrying code “that will infect three computers and then remove itself from the stick.” This could be explained if, firstly, you were targeting a specific geographic area (like Bushehr?), and, furthermore, you were trying to limit spread away from that geographic area and to remain beneath the radar. Far-fetched? Possibly; but Iran itself seems to think it was specifically targeted:
DEBKAfile’s intelligence sources report from Iran that dozens of Russian nuclear engineers, technicians and contractors are hurriedly departing Iran for home since local intelligence authorities began rounding up their compatriots as suspects of planting the Stuxnet malworm into their nuclear program.
Among them are the Russian personnel who built Iran’s first nuclear reactor at Bushehr which Tehran admits has been damaged by the virus.
Russian experts flee Iran’s dragnet for cyber worm smugglers
On balance, it seems reasonable to assume that Stuxnet was delivered, if not specifically designed, to target Iran’s nuclear development program.
But targeted by whom?
Joffe does not think that Stuxnet was developed by typical cyber criminals. Firstly the sheer sophistication of the malware points towards a team rather than an individual; and secondly, it doesn’t make sense for criminals to give up four zero-day vulnerabilities in one attack. “If you have a zero-day exploit that has not yet been patched, you basically have the keys to the kingdom until the software company gets a patch out. In this case, over the last couple of months, we have confirmed that Stuxnet uses at least four zero-days for spreading, and possibly another two. This is simply unprecedented in malware. The bad guys never, ever waste zero-days.” Using them all in one highly targeted attack is not the mindset of financially-driven criminals.
So who is doing what to whom?
It’s not a criminal gang working a blackmail scam. It’s hardly hacktivism. So what’s left? We’re almost inevitably drawn into a political act of cyberwarfare. But who’s doing it? Could it be
- the CIA attacking Iran’s nuclear programme?
- Mossad attacking Iran’s nuclear programme?
- China flexing its cyber muscles in an area that won’t draw attention to itself?
- MI6? And yes, there are suggestions that Gareth Williams was involved in its development and deployment…
- France? Only likely if there is a huge pro-France incentive somewhere
- the CIA attacking not Iran but the US cyberwar budget committees?
You know what? It doesn’t really matter. What Stuxnet tells us is that there are ways of getting at national infrastructures. There are ways of getting at industrial control systems that are isolated and not connected to the internet. Who fired this first cyberwar missile at whom is not important. The important point is that if it was us, then they can do it to us; and if it was them, then we need to be able to do it back at them. Stuxnet is heralding a new era in malware; and quite possibly the beginning of visible cyberwarfare.