Information Warfare: Stuxnet Autopsy Fascinates And Frightens

Archives

January 29, 2011: Stuxnet, a computer worm (a computer program that constantly tries to copy itself to other computers) was designed as a weapons grade cyber weapon, and all the attention it is getting now is helping to make similar weapons even more effective. Hundreds of capable programmers have been taking Stuxnet apart, and openly discussing the results. While Stuxnet was probably created as a highly classified government project (Israel and the U.S., in a joint effort, are the most likely suspects), no one has taken credit for it. Thus Stuxnet belongs to no one, and everyone. The public discussion on the Internet has provided a bonanza of useful criticism of how Stuxnet was put together, often describing in detail how flaws could be fixed or features improved. But even when such details were not provided, the programmers picking apart Stuxnet usually mentioned what tools or techniques were needed to make the code more effective.

On the down side, this public autopsy of Stuxnet makes the inner workings of the worm software, and all the improvements, available to anyone. Then again, security professionals now have a much clearer idea of how this kind of weapon works, and this can make future attempts to use a Stuxnet-type weapon more difficult.

Weapons like Stuxnet are nothing new. For nearly a decade, cyberwar and criminal hackers have planted programs ("malware") in computer networks belonging to corporations or government agencies. These programs (called "Trojan horses" or "zombies") are under the control of the people who plant them, and can later be used to steal, modify or destroy, data or shut down the computer systems the zombies are on. You infect new PCs as zombies by using freshly discovered, and exploitable, defects in software that runs on the Internet. These flaws enable a hacker to get into other people's networks. Called "Zero Day Exploits" (ZDEs), in the right hands, these flaws can enable criminals to pull off a large online heist, or simply maintain secret control over someone's computer. Stuxnet contained four ZDEs, two of them that were unknown, indicating that whoever built Stuxnet had considerable resources. ZDEs are difficult to find, and can be sold on the black market for over $10,000. The fact that Stuxnet was built to sabotage an industrial facility, spotlights another growing problem; the vulnerability of industrial facilities. The developers of systems control software have been warned about the increased attempts to penetrate their defenses. In addition to terrorists, there is the threat of criminals trying to extort money from utilities or factories with compromised systems, or simply sniff around and sell data on vulnerabilities to Cyber War organizations. But in the case of Stuxnet, the target was Iran's nuclear weapons operation, although some hackers dissecting Stuxnet could now build software for use in blackmail schemes.

Stuxnet was designed to shut down a key part of Iran's nuclear weapons program, by damaging the gas centrifuges used to enrich uranium to weapons grade material. Iran eventually admitted that this damage occurred, and recent Western estimates of how soon Iran would have a nuclear weapon have been extended by several years. So, one can presume that Stuxnet was a success.

Early on, Stuxnet was blamed on Israel or the United States. It was only discovered in mid-2010. It was believed to have been released in late 2009, and millions of computers have been infected as the worm sought out its Iranian target. Initial dissection of Stuxnet indicated that it was designed to interrupt the operation of the control software used in various types of industrial and utility (power, water, sanitation) plants. Eventually, further analysis revealed that Stuxnet was programmed to subtly disrupt the operation of gas centrifuges.

The Stuxnet "malware" was designed to hide itself in the control software of an industrial plant, making it very difficult to be sure you have cleaned all the malware out. This is the scariest aspect of Stuxnet, and is making Iranian officials nervous about other Stuxnet-type attacks having been made on them. Although Iran eventually admitted that Stuxnet did damage, they would not reveal details of when Stuxnet got to the centrifuges, and how long the malware was doing its thing before it was discovered. But all this accounts for the unexplained slowdown in Iran getting new centrifuges working. Whoever created Stuxnet probably knows the extent of the damage, because Stuxnet also had a "call home" capability.

The U.S. and Israel have been successful with "software attacks" in the past. This stuff doesn't get reported much in the general media, partly because it's so geeky, and because there are no visuals. It's computer code and arcane geekery that gets it to its target. But the stuff is real, and the pros are impressed by Stuxnet, even if the rest of us have not got much of a clue.