by JohnnyFishfinger » Sun Oct 03, 2010 11:44 am
The Stuxnet outbreak
A worm in the centrifuge
An unusually sophisticated cyber-weapon is mysterious but important
Sep 30th 2010
It sounds like the plot of an airport thriller or a James Bond film. A crack team of experts, assembled by a shadowy government agency, develops a cyber-weapon designed to shut down a rogue country’s nuclear programme. The software uses previously unknown tricks to worm its way into industrial control systems undetected, searching for a particular configuration that matches its target—at which point it wreaks havoc by reprogramming the system, closing valves and shutting down pipelines.
This is not fiction, but fact. A new software “worm” called Stuxnet (its name is derived from keywords buried in the code) seems to have been developed to attack a specific nuclear facility in Iran. Its sophistication suggests that it is the work of a well-financed team working for a government, rather than a group of rogue hackers trying to steal secrets or cause trouble. America and Israel are the obvious suspects. But Stuxnet’s origins and effects are unknown.
Stuxnet first came to light in June, when it was identified by VirusBlokAda, a security firm in Belarus. The next month Siemens, a German industrial giant, warned customers that their “supervisory control and data acquisition” (SCADA) management systems, which control valves, pipelines and industrial equipment, were vulnerable to the worm. It targets a piece of Siemens software, called WinCC, which runs on Microsoft Windows.
For security reasons SCADA systems are not usually connected to the internet. But Stuxnet can spread via infected memory sticks plugged into a computer’s USB port. Stuxnet checks to see if WinCC is running. If it is, it tries to log in, to install a clandestine “back door” to the internet, and then to contact a server in Denmark or Malaysia for instructions. (Analysis of traffic to these servers is continuing, and may offer the best chance of casting light on Stuxnet’s purpose and origins.) If it cannot find WinCC, it tries to copy itself on to other USB devices. It can also spread across local networks via shared folders and print spoolers.
Initially, Stuxnet seemed to be designed for industrial espionage or to allow hackers to blackmail companies by threatening to shut down vital systems. But its unusual characteristics suggest another explanation. WinCC is a rather obscure SCADA system. Hackers hoping to target as many companies as possible would have focused on more popular systems. And Stuxnet searches for a particular configuration of industrial equipment as it spreads. It launches an attack only when it finds a match. “The bad news is that the virus is targeting a specific process or plant,” says Wieland Simon of Siemens. “The good news is that most industrial processes are not the target of the virus.” (Siemens says it knows of 15 plants around the world that were infected by Stuxnet, but their operations were unaffected as they were not the intended target.)
Another odd feature is that Stuxnet uses two compromised security certificates (stolen from firms in Taiwan) and a previously unknown security hole in Windows to launch itself automatically from a memory stick. The use of such “zero-day vulnerabilities” by viruses is not unusual. But Stuxnet can exploit four entirely different ones in order to worm its way into a system. These holes are so valuable that hackers would not normally use four of them in a single attack. Whoever created Stuxnet did just that to boost its chances. They also had detailed knowledge of Siemens’s industrial-production processes and control systems, and access to the target plant’s blueprints. In short, Stuxnet was the work neither of amateur hackers nor of cybercriminals, but of a well-financed team. “Behind this virus there are experts,” says Mr Simon. “They need money and know-how.”
So what was the target? Microsoft said in August that Stuxnet had infected more than 45,000 computers. Symantec, a computer-security firm, found that 60% of the infected machines were in Iran, 18% in Indonesia and 8% in India. That could be a coincidence. But if Stuxnet was aimed at Iran, one possible target is the Bushehr nuclear reactor. This week Iranian officials confirmed that Stuxnet had infected computers at Bushehr, but said that no damage to major systems had been done. Bushehr has been dogged by problems for years and its opening was recently delayed once again. Given that history, the latest hitch may not have been Stuxnet’s work.
A more plausible target is Iran’s uranium-enrichment plant at Natanz. Inspections by the International Atomic Energy Agency, the UN’s watchdog, have found that about half Iran’s centrifuges are idle and those that work are yielding little. Some say a fall in the number of working centrifuges at Natanz in early 2009 is evidence of a successful Stuxnet attack.
Last year Scott Borg of the United States Cyber-Consequences Unit, a think-tank, said that Israel might prefer to mount a cyber-attack rather than a military strike on Iran’s nuclear facilities. That could involve disrupting sensitive equipment such as centrifuges, he said, using malware introduced via infected memory sticks.
His observation now looks astonishingly prescient. “Since the autumn of 2002, I have regularly predicted that this sort of cyber-attack tool would eventually be developed,” he says. Israel certainly has the ability to create Stuxnet, he adds, and there is little downside to such an attack, because it would be virtually impossible to prove who did it. So a tool like Stuxnet is “Israel’s obvious weapon of choice”. Some have even noted keywords in Stuxnet’s code drawn from the Bible’s Book of Esther—in which the Jews fight back to foil a plot to exterminate them.
Cyberwar
The meaning of Stuxnet
A sophisticated “cyber-missile” highlights the potential—and limitations—of cyberwar
Sep 30th 2010
It has been described as “amazing”, “groundbreaking” and “impressive” by computer-security specialists. The Stuxnet worm, a piece of software that infects industrial-control systems, is remarkable in many ways. Its unusual complexity suggests that it is the work of a team of well-funded experts, probably with the backing of a national government, rather than rogue hackers or cyber-criminals (see article). It is designed to infect a particular configuration of a particular type of industrial-control system—in other words, to disrupt the operation of a specific process or plant. The Stuxnet outbreak has been concentrated in Iran, which suggests that a nuclear facility in that country was the intended target.
This is, in short, a new kind of cyber-attack. Unlike the efforts to disrupt internet access in Estonia or Georgia (blamed on Russia), or the attacks to break into American systems to steal secrets (blamed on China), this was a weapon aimed at a specific target—it has been called a “cyber-missile”. One or more governments (the prime suspects are Israel and America) were probably behind it. After years of speculation about the potential for this sort of attack, Stuxnet is a worked example of cyberwar’s potential—and its limitations.
Much of the discussion of cyberwar has focused on the potential for a “digital Pearl Harbour”, in which a country’s power grids and other critical infrastructure are disabled by attackers. Many such systems are isolated from the internet for security reasons. Stuxnet, which exploits flaws in Microsoft Windows to spread on to stand-alone systems via USB memory sticks, shows they are more vulnerable than most people thought. The outbreak emphasises the importance of securing industrial-control systems properly, with both software (open-source code can be more easily checked for security holes) and appropriate policies (banning the use of memory sticks). “Smart” electricity grids, which couple critical infrastructure to the internet, must be secured carefully.
Stuxnet is also illuminating in another way: it reveals the potential for cyber-weapons that target specific systems, rather than simply trying to cause as much mayhem as possible. It infected several plants in Germany, for example, but did no harm because they were not the target it was looking for. Such specificity, along with the deniability and difficulty of tracing a cyber-weapon, has obvious appeal to governments that would like to disable a particular target while avoiding a direct military attack—and firms interested in sabotaging their rivals.
Cyberwar is not declared
But the worm also highlights the limitations of cyber-attacks. Iran admits that some computers at its Bushehr nuclear plant were infected, but says no damage was done. The target may have been the centrifuges at its nuclear refinery at Natanz. Last year the number of working centrifuges at Natanz dropped, though it is unclear whether this was the result of Stuxnet. Even if it was, the attack will only have delayed Iran’s nuclear programme: it will not have shut it down altogether. Whoever is behind Stuxnet may feel that a delay is better than nothing. But a cyber-attack is no substitute for a physical attack. The former would take weeks to recover from; the latter, years.
Stuxnet may have failed to do the damage its designers intended, but it has succeeded in undermining the widespread assumption that the West would be the victim rather than the progenitor of a cyber-attack. It has also illustrated the murkiness of this sort of warfare. It is rarely clear who is attacking whom. It is hard to tell whether a strike has been successful, or indeed has happened at all. This, it seems, is what cyberwar looks like. Get used to it.
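The two articles above describe how Stuxnet reached supposedly isolated control systems (programs launched from a freshly inserted memory stick) and what it did once there (opening a back door and contacting an outside server), and they recommend policy rather than technology as the fix. Below is an added example, written for this post and not taken from the Economist articles, Siemens or any Stuxnet analysis, of the two detections a plant operator could run over host and network telemetry to catch exactly those behaviours. The log format, host names (SCADA-HMI-01, ENG-WS-07, OFFICE-PC-22), the plant address range 10.20.0.0/16 and every log line are constructed for the example; they are not real indicators from the worm.

```python
"""
Two detections for USB-borne malware on isolated industrial hosts, as an added
example (not code from the articles above):

  1. exec-from-removable: a process started from a drive letter that was
     seen inserted on the same host shortly before (the memory-stick vector).
  2. outbound-from-isolated: a host that by policy must never talk outside
     the plant network opening a connection to an external address (the
     "back door phoning home" behaviour).

Log format, host names, networks and all sample lines are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical policy: these hosts are air-gapped and must never originate
# traffic that leaves the plant address space.
ISOLATED_HOSTS = {"SCADA-HMI-01", "ENG-WS-07"}
PLANT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# A program launched this soon after a stick is plugged in is treated as
# "launched from the stick" rather than from a long-standing removable drive.
USB_WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "usb_insert" | "proc_start" | "net_connect"
    detail: str  # drive letter, image path, or "ip:port"


def parse_line(line: str) -> Event:
    """Constructed line format: '<iso timestamp> <host> <kind> <detail...>'."""
    ts, host, kind, detail = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts), host, kind, detail)


def parse_log(text: str) -> List[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_plant_address(endpoint: str) -> bool:
    """True if the 'ip:port' endpoint lies inside the plant address space."""
    ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    return any(ip in net for net in PLANT_NETS)


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, detail) alerts, in time order."""
    alerts: List[Tuple[str, str, str]] = []
    last_insert: Dict[Tuple[str, str], datetime] = {}  # (host, drive) -> time
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "usb_insert":
            last_insert[(ev.host, ev.detail.upper())] = ev.ts
        elif ev.kind == "proc_start":
            drive = ev.detail[:2].upper()          # e.g. "E:"
            inserted = last_insert.get((ev.host, drive))
            if inserted is not None and ev.ts - inserted <= USB_WINDOW:
                alerts.append((ev.host, "exec-from-removable", ev.detail))
        elif ev.kind == "net_connect":
            if ev.host in ISOLATED_HOSTS and not is_plant_address(ev.detail):
                alerts.append((ev.host, "outbound-from-isolated", ev.detail))
    return alerts


# Constructed sample telemetry. Expected: the setup.exe launch from E: and the
# connection to 203.0.113.9 are flagged; the notepad launch, the in-plant
# connection and the office PC's web traffic are not.
SAMPLE_LOG = r"""
2010-09-20T08:01:10 SCADA-HMI-01 usb_insert E:
2010-09-20T08:01:42 SCADA-HMI-01 proc_start E:\update\setup.exe
2010-09-20T08:02:05 SCADA-HMI-01 proc_start C:\Windows\notepad.exe
2010-09-20T08:03:30 SCADA-HMI-01 net_connect 10.20.4.12:4840
2010-09-20T08:04:00 SCADA-HMI-01 net_connect 203.0.113.9:80
2010-09-20T09:30:00 OFFICE-PC-22 net_connect 203.0.113.9:80
"""

if __name__ == "__main__":
    for host, rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{host}: {rule}: {detail}")
```

The first rule depends on having device-insertion telemetry at all; a removable drive mounted before logging started, or a stick that is never "inserted" because it is left permanently attached, will not be paired with the executions that follow, which is an argument for blocking removable storage outright, as the second article suggests, rather than only watching it. The second rule is deliberately blunt: on a host that has no business reaching the outside, any external connection is worth an alert, whatever port it uses.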