The Bishop and the Butterfly: Murder, Politics, and the End of the Jazz Age

    And the cyberwarfare begins.

    Five months after the confirmation of Army Lt. Gen. Keith Alexander as head of the Pentagon’s new Cyber Command, what looks like the first evidence of active cyber warfare has surfaced. Ars Technica summarizes the emerging consensus.

    Researchers have found that the highest concentration of Stuxnet infections is located in Iran. That discovery, coupled with the very high level of sophistication exhibited by the malware, has led some researchers to speculate that it was crafted by a major government body with the aim of disabling Iran's nuclear power plant.

    This is not your normal malware. From security researchers at Symantec:

    As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, [...] Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. [...] Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system.
    This is an important advance for malicious software in the wild. It means a Windows virus has been programmed with the engineering specifications of a particular family of embedded controllers and spreads from host to host at the OS level: it goes from computer to computer looking for a system that programs an industrial process, and then writes its own code into the PLC that runs the machinery. Symantec continues:
    By writing code to the PLC, Stuxnet can potentially control or alter how the system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline's pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.
    German IACS security researcher Ralph Langner has successfully analyzed the Stuxnet malware (says so, right on his site), and he has posted a solid technological case to support his analysis.
    Ralph's analysis

    Now that everybody is getting the picture let's try to make sense out of the findings. What do they tell us about the attack, the attackers, and the target?

    1. This is sabotage. What we see is the manipulation of one specific process. The manipulations are hidden from the operators and maintenance engineers (we have the intercepts identified).

    2. The attack involves heavy insider knowledge.

    3. The attack combines an awful lot of skills -- just think about the multiple 0day vulnerabilities, the stolen certificates etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents house. To me, it seems that the resources needed to stage this attack point to a nation state.

    4. The target must be of extremely high value to the attacker.

    5. The forensics that we are getting will ultimately point clearly to the attacked process -- and to the attackers. The attackers must know this. My conclusion is, they don't care. They don't fear going to jail.

    6. Getting the forensics done is only a matter of time. Stuxnet is going to be the best studied piece of malware in history. We will even be able to do process forensics in the lab. Again, the attacker must know this. Therefore, the whole attack only makes sense within a very limited timeframe. After Stuxnet is analyzed, the attack won't work any more. It's a one-shot weapon. So we can conclude that the planned time of attack isn't somewhen next year. I must assume that the attack did already take place. I am also assuming that it was successful. So let's check where something blew up recently.
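    To make concrete what Symantec's description above (malware code uploaded to the PLC and hidden by a rootkit) and Langner's point 1 (manipulations hidden from operators and maintenance engineers through intercepted reads) mean for a defender, here is an added example in Python. It is not code from Symantec, Langner or the original post, and it is not Stuxnet's code: a toy PLC, an honest engineering-station driver, a hooked driver that plants an extra block on download and replays the engineer's original image on every read, and an integrity check that hashes the program once through the workstation and once through an independent read of PLC memory. The block names (OB1, FC1, FC999), the byte strings standing in for compiled logic, and the payload are all constructed for illustration.

```python
import hashlib

# Constructed illustration, not Stuxnet's code. Block names, the bytes that
# stand in for compiled logic, and the payload are assumptions for this example.
ENGINEER_PROGRAM = {
    "OB1": b"L 0; T MW0; CALL FC1; BE",       # entry block the engineer wrote
    "FC1": b"L MW0; L 100; >I; JC M1; BE",    # a function the engineer wrote
}
INJECTED_BLOCK = "FC999"                       # hypothetical planted block name
PAYLOAD = b"L 1410; T PQW256; BE"              # constructed malicious logic


class PLC:
    """Controller memory: the blocks the PLC actually executes."""

    def __init__(self):
        self.blocks = {}

    def write_block(self, name, code):
        self.blocks[name] = bytes(code)

    def read_block(self, name):
        return self.blocks.get(name)

    def list_blocks(self):
        return sorted(self.blocks)


class ProjectFiles:
    """The engineer's project on disk: the trusted baseline in this model."""

    def __init__(self, program):
        self.program = dict(program)

    def read_block(self, name):
        return self.program.get(name)

    def list_blocks(self):
        return sorted(self.program)


class CleanDriver:
    """Honest communication driver between the engineering software and the PLC."""

    def __init__(self, plc, payload=None):
        self.plc = plc

    def download(self, name, code):   # engineer -> PLC
        self.plc.write_block(name, code)

    def read_block(self, name):       # PLC -> engineer (upload / online view)
        return self.plc.read_block(name)

    def list_blocks(self):
        return self.plc.list_blocks()


class HookedDriver(CleanDriver):
    """Driver replaced by the malware (a model of the behaviour described above).

    download: also plants an extra block and patches the entry block to call it.
    read/list: replay what the engineer originally wrote and omit the planted
    block, so the operator's online view matches their project exactly.
    """

    def __init__(self, plc, payload):
        super().__init__(plc)
        self.payload = payload
        self.shadow = {}   # engineer's original image, replayed on upload

    def download(self, name, code):
        code = bytes(code)
        self.shadow[name] = code
        if name == "OB1":
            self.plc.write_block(INJECTED_BLOCK, self.payload)
            code = code.replace(b"BE", b"CALL " + INJECTED_BLOCK.encode() + b"; BE")
        self.plc.write_block(name, code)

    def read_block(self, name):
        if name == INJECTED_BLOCK:
            return None
        return self.shadow.get(name, self.plc.read_block(name))

    def list_blocks(self):
        return [b for b in self.plc.list_blocks() if b != INJECTED_BLOCK]


def program_hash(source):
    """SHA-256 over (name, code) of every block visible through `source`."""
    h = hashlib.sha256()
    for name in source.list_blocks():
        h.update(name.encode() + b"\x00" + source.read_block(name) + b"\x00")
    return h.hexdigest()


def integrity_report(driver_cls, program=ENGINEER_PROGRAM, payload=PAYLOAD):
    """Load `program` through `driver_cls`, then compare the workstation's view
    and the PLC's real memory against the project baseline."""
    plc = PLC()
    driver = driver_cls(plc, payload)
    for name, code in program.items():
        driver.download(name, code)
    baseline = program_hash(ProjectFiles(program))
    return {
        "workstation_view_matches": program_hash(driver) == baseline,
        "plc_memory_matches": program_hash(plc) == baseline,
        "hidden_blocks": sorted(set(plc.list_blocks()) - set(driver.list_blocks())),
    }


if __name__ == "__main__":
    print("clean driver: ", integrity_report(CleanDriver))
    print("hooked driver:", integrity_report(HookedDriver))
```

    The point of the check is the disagreement between the two hashes in the hooked case: the workstation's view of the controller is exactly what the attacker controls, so verifying what a PLC is running has to go through a path the workstation's driver does not mediate (a second, known-clean host or an independent read of controller memory) and against a baseline kept off the workstation.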

    This thing was not made by some script kiddies redirecting your Twitter feed to pr0n. Stuxnet could not have been engineered without access to the control specifications of the industrial equipment it targets. Langner says he plans to present further details and forensic evidence at the 2010 ACS Conference, which wraps up tomorrow in Rockville, MD. These conferences don't generally swarm with journalistic attention the way DefCon does, so it should be interesting to hear the summaries trickling out over the next few days as participants start discussing it.

    To be clear, there is no evidence to support an assertion that this is a Cyber Command operation. But this is certainly a good time to review Gen. Alexander's written responses (.pdf) to the questions presented for his confirmation hearings; the good stuff starts around page 11.

    Based on the unclassified portions, there is a broad range of potential targets, including (but likely not limited to) military command and control networks (air defense networks, platforms, weapons), power grids, banks and other financial institutions, transportation-related networks, and national telecommunications networks. Any such attack would be authorized by the SECDEF, with the President providing supplemental rules of engagement. Also spelled out in these answers is a doctrine of pre-deployment and preparation of foreign networks for offensive operations. It doesn't take much reading between the lines to infer that American policy regarding the militarization of cyberspace is as expansive as our policy regarding physical asset deployment (75 secret wars, anyone?).

    Based on our military doctrine, it cannot be ruled out that this is an American operation. I think Langner is approaching his analysis exclusively from the point of view of a hacker. The truth is, however, that we've moved beyond the era where hackers are necessarily calling the shots. I don't think he is grasping the implication that in "official life" the SECDEF has to plod down and hold a top-secret meeting with the "Gang of 4" (or whatever) to authorize a hack attack ... LOLWut?

    If the worm was deployed but not activated, it could be considered simply preparing a potential battlefield; there is wiggle room within the doctrine to claim it is not an actual military attack. Such a posture would be far easier to sell and/or defend with regard to hostile action against Iran. Given the extensive tricks this malware uses to hide itself (both on the PC and on the embedded PLC), it is also entirely possible that our policy makers, full of traditional overconfidence in our military, believed it would go undetected and never considered that once it was loose on the open network, conclusions #5 and #6 from Langner's analysis become inevitable.

    Or maybe it was Israel. And that's a whole different can of worms.

    Anyhow. That's all I've got. This is an amazingly significant event, it will be interesting to see how much attention it gets.

    No, wait. That isn't all I've got. Also too, also. Now that this is in the wild, the bad guys have a code prototype to copy, and we should expect to see these kinds of things deployed in the not-too-distant future by actors who would otherwise have been unable to engineer them on their own. There. That's all I've got.

    Comments

    And this CS Monitor story on the cyber attack is worth a read if the topic interests you.


    Fascinating stuff, kgb. Do keep on top of the story. If Cyber Command is behind this, it means that for some people at the Pentagon, the U.S. and Iran are already at war. Chilling thought.


    All your nukes are belong to us!  Great article.


    News Analysis: A Silent Attack, but Not a Subtle One

    By John Markoff for the Sept. 26/27 New York Times

    ....The most striking aspect of the fast-spreading malicious computer program — which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear project — may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe....


    Something like this could be our century's version of the 13th century Black Plague. We always think of a virus escaping a laboratory, but it will probably be a computer virus and the destruction it may cause would be unbelievable.