Information Warfare: There Are Others


September 20, 2012: As Internet security companies continue to dissect major league Cyber War weapons (Stuxnet, Duqu, and Flame) uncovered in the last two years, they find this espionage and sabotage software has a seemingly endless supply of surprises. Among the recent finds is evidence that these programs, and several that are as yet undiscovered (there is simply evidence that "there are others"), have been in action for six years or more. These high-end cyber weapons were designed to keep their activities hidden and they did that for several years. But some of these cyber weapons had errors that allowed them to spread farther than intended. That brought the cyber weapons to the attention of cyber security professionals, who began the arduous process of taking stuff like Stuxnet, Duqu, and Flame apart. This has left many Internet security experts wondering what other stuff has been developed and turned loose since the stuff they know about was put into action.

Three months ago American and Israeli officials admitted that the industrial grade Cyber War weapons used against Iran in the last few years were indeed joint U.S.-Israel operations. Few other details were released, although many more rumors are now circulating. The U.S. and Israel were long suspected of being responsible for these "weapons grade" computer worms. Both nations had the motive to use, means to build, and opportunity to unleash these powerful Cyber War weapons against Iran and others that support terrorism.

The U.S. Department of Defense had long sought permission to go on the offensive using Cyber War weapons. But the U.S. government regularly and publicly declined to talk about whether or not permission was granted to retaliate against constant attacks from China and other sources. The silence was mainly in response to fears that there could be legal repercussions and that weapons used might get out of control and cause a lot of damage to innocent parties. When you have nothing good to say, it's best to say nothing.

Iran turned out to be another matter. Although not a serious Cyber War threat to the United States, Iran was trying to build nuclear weapons and apparently Israel had already been looking into using a Cyber War weapon to interfere with that. Given the nature of these weapons, which work best if the enemy doesn't even know they exist, don't expect many details to be released about this Cyber War program. What is known is that some of the Cyber War weapons unleashed on Iran were designed to concentrate only on very specific targets. So far only three weapons that we know of have been used. One (Stuxnet) was designed to do damage to one specific facility, the plant where Iran produced nuclear fuel for power plants and atomic weapons. That one worked. The others (Duqu, Flame, and unidentified ones) were intelligence collection programs. They also apparently succeeded, remaining hidden for years and having lots of opportunity to collect enormous quantities of valuable data. It's estimated that Duqu and Flame gathered so much data (hundreds of terabytes at least) that data mining programs were able to extract enormous amounts of useful information from the patterns found in so much data. How these advantages were exploited will be classified for some time, but the impact could have been considerable if opportunities were seized.

Flame was designed to stay hidden and collect information from the computers it got into. It apparently did both, for up to six years (or more), in Iran, Lebanon, the Palestinian West Bank, and, to a lesser extent, other Moslem countries in the region. Like the earlier Stuxnet (2009) and Duqu (2011), Flame has all the signs of being designed and created by professional programmers and software engineers. Most malware (hacker software) is created by talented and, often, undisciplined amateurs and usually displays a lack of discipline and organization. Professional programmers create more capable and reliable software. That describes Stuxnet, Duqu, and Flame. The U.S. and Israel spent big bucks to craft these Cyber War weapons and get them to their targets. Both nations have access to the best programming talent on the planet and already have organizations that can recruit and supervise highly secret software development.

It appeared that Stuxnet and Duqu were but two of five or more Cyber War weapons developed (up to five years ago) from the same platform. Flame was apparently not related to Stuxnet and Duqu and also appears to have several other variants that have not yet been seen. The basic Flame platform appears to have been built to accept numerous additional software modules, giving each variant different capabilities. Some of the modules made use of specific computer features, like a microphone, wireless communication, or the camera. Flame appears to be a very different design from Stuxnet and Duqu but also spreads via a USB memory stick or the Internet.

Flame hides its presence very well and has a very effective self-destruct feature that erases all evidence of its presence. In the six years Flame has been around it has gotten into thousands of PCs and collected large quantities of data. In contrast, Duqu was being used to probe industrial computer systems and send information back about how these systems are built and operate. When Duqu was first discovered the server it was sending its data to was eventually found in India and disabled. Duqu appeared to shut down last December. No one knows if this is because Duqu had finished its work or was feeling cramped by all the attention. Flame is still operating.

For over two years now hundreds of capable programmers have been taking Stuxnet, Flame, and Duqu apart and openly discussing the results. While these programs are "government property", once they are turned loose they belong to everyone. The public discussion on the Internet has provided a bonanza of useful criticism of how the programs were put together, often describing in detail how flaws could be fixed or features improved. But even when such details were not provided, the programmers picking apart these programs usually mentioned what tools or techniques were needed to make the code more effective.

On the down side, this public autopsy of this stuff makes the inner workings of the software, and all the improvements, available to anyone. The dissection of these high grade programs has provided criminal hacker gangs with bits of useful new software to use. Security professionals now have a much clearer idea of how this kind of weapon works and this can make future attempts to use similar weapons more difficult. This means that criminals using bits of this high grade code will be easier to detect.

Weapons like Stuxnet and Duqu are nothing new; for nearly a decade Cyber War and criminal hackers have planted programs ("malware") in computer networks belonging to corporations or government agencies. These programs (called "Trojan horses" or "zombies") are under the control of the people who plant them and can later be used to steal, modify, destroy data, or shut down the computer systems the zombies are on. You infect new PCs and turn them into zombies by using freshly discovered and exploitable defects in software that runs on the Internet. These flaws enable a hacker to get into other people's networks. Called "Zero Day Exploits" (ZDEs), in the right hands these flaws can enable criminals to pull off a large online heist or simply maintain secret control over someone's computer. Flame was apparently using high-quality (and very expensive) ZDEs and possibly receiving new ones as well.

Stuxnet was believed to have been released in late 2009, and thousands of computers were infected as the worm sought out its Iranian target. Initial dissection of Stuxnet indicated that it was designed to interrupt the operation of the control software used in various types of industrial and utility (power, water, sanitation) plants. Eventually, further analysis revealed that Stuxnet was programmed to subtly disrupt the operation of gas centrifuges.

The Stuxnet "malware" was designed to hide itself in the control software of an industrial plant, making it very difficult to be sure you have cleaned all the malware out. This is the scariest aspect of Stuxnet and is making Iranian officials nervous about other Stuxnet-type attacks having been made on them. Although Iran eventually admitted that Stuxnet did damage, they would not reveal details of when Stuxnet got to the centrifuges nor how long the malware was doing its thing before it was discovered and removed. But all this accounts for the unexplained slowdown in Iran getting new centrifuges working. Whoever created Stuxnet probably knows the extent of the damage because Stuxnet also had a "call home" capability.

The U.S. and Israel have been successful with "software attacks" in the past. This stuff doesn't get reported much in the general media, partly because it's so geeky and because there are no visuals. It is computer code and arcane geekery that gets it to its target. The earlier attacks, especially Stuxnet, Duqu, and Flame, spread in a very controlled fashion, sometimes via agents who got an infected USB memory stick into an enemy facility. Even if some copies of these programs get out onto Internet connected PCs, they do not spread far. Worms and viruses designed to spread can go worldwide and infest millions of PCs within hours.

Despite all the secrecy, this stuff is very real and the pros are impressed by Stuxnet, Duqu, and Flame, even if the rest of us have not got much of a clue. The demonstrated capabilities of these Cyber War weapons usher in a new age in Internet based warfare. Amateur hour is over and the big dogs are in play. Actually, the Cyber War offensive by the U.S. and Israel appears to have been underway for years, using their stealth to remain hidden. There are probably more than three of these stealthy Cyber War applications in use and most of us will never hear about it until, and if, other such programs are discovered and their presence made public.



