did cyber-warfare finally invade the real world?

September 25, 2010 — 2 Comments

While there’s a lot of talk about cyber-warfare, most examples of it are fairly transparent attempts to censor criticism with crude denial of service attacks, to read the e-mail of political dissidents, and to scare the owners of sites and forums used to recruit new terrorists. Despite the sometimes hysterical fear of assaults arriving through an ethernet cable, some of it so extreme it has produced ridiculous legislation, there had been no known attempt to take down a critical infrastructure node by electronic means. Until now. Tech blogs are abuzz about a worm known as Stuxnet, a terrifying piece of malware that targets the computers and software which monitor and control the day to day operation of industrial plants. It spreads through infected USB drives and through vulnerabilities in Windows-based networks. Once it finds its intended target, it can suppress the alarms operators rely on for real-time monitoring and insert commands of its own. If the age of cyber-warfare is finally here, this worm is its opening salvo and a sign of some very, very menacing things to come in the foreseeable future.

Stuxnet is a fairly complex worm, about half a megabyte in size and written in at least three languages: C and C++ for the Windows components, and STL (Statement List), the assembly-like language used to program Siemens PLCs, for the payload it writes into the controllers. It gets onto a machine from removable media by exploiting how Windows Explorer parses shortcut (.LNK) files (earlier variants relied on autorun.inf), and it installs its kernel drivers with a perfectly legitimate-looking digital signature from Realtek, which makes audio and network chips. Because the system believes it is loading a signed vendor driver, the drivers load and Stuxnet then injects its malicious libraries into running processes. When it lands on a machine running Siemens Step 7, the engineering software used to program controllers in power plants, pipelines, and nuclear complexes, it replaces the library Step 7 uses to talk to the PLCs, so it can watch and rewrite whatever the software reads from or writes to the controllers. Stuxnet seems primarily interested in OB35, an organization block the PLC executes on a fixed 100 millisecond cycle, which is where the code that manages fast-cycling processes like air compressors, centrifuges, and turbines lives. And at this point, I’m sure you already see where this is going. This is the kind of worm that could cripple real world targets.

The complexity of Stuxnet, the fact that it carried a valid digital signature, and its use of as many as four unpatched vulnerabilities, so-called zero-days, raised a lot of speculation, and several security experts went on the record to say that Stuxnet may be the work of a government-funded lab. After this notion was first floated, some bloggers tried to connect the dots with a WikiLeaks report to come up with one hell of a conspiracy theory, one that sounds like a Hollywood blockbuster in the making. According to Threat Level, a rare tip in WikiLeaks’ repository mentions a serious accident at the Natanz nuclear facility in Iran, the country where most of the Stuxnet infections were detected. After that accident, Iran reportedly lost some 800 uranium-enriching centrifuges, and the head of the nation’s nuclear program suddenly left his post. The alleged culprit? Israel. The proof? An obscure quote about the possibility of a cyber-attack against Iranian nuclear plants, attributed to a former cabinet minister in an Israeli newspaper. All of this is circumstantial at best, especially since we don’t really know the facts of the matter, but it is plenty for conspiracy theorists. In fact, they would probably consider it airtight, since they’ve built elaborate world-domination plots on much, much less.

But is Stuxnet really the first salvo in a real world cyber-war? It was distributed in a scattershot pattern, drifting from infected USB drives through vulnerable networks and trying to make its way to a machine running the Siemens software. That would be a great strategy for concealing the source of the attack, but it’s also very messy and doesn’t guarantee a successful infection of the intended target. And while Iran did bear the brunt of the outbreak with some 34,000 cases, Indonesia and India had roughly 10,000 and 5,000 infections respectively, suggesting that whoever or whatever spread Stuxnet had some ties to those nations. Israel would have little to gain by infecting a swarm of SCADA machines anywhere but Iran, and could be far more precise in delivering a worm. As far as we know, neither India nor Indonesia has any nuclear deals with Iran or ships it any vital components. Plus, a tip published on the web about a top secret accident at Natanz isn’t proof that a worm was responsible. All we know is that Stuxnet could potentially be used for industrial sabotage, or to trigger an accident. Not that it actually did. Without looking at its source code, I couldn’t offer a qualified opinion on its full capabilities, and I would really rather not speculate without examining the worm firsthand.

Finally, we need to consider the charge that making Stuxnet work would require a nation state’s resources. It is suspicious that it used four zero-day vulnerabilities and was signed with Realtek’s code-signing certificate, something that would require its makers to have access to the company’s private key. It would also require that at least one person behind the worm really understood Step 7 and how it talks to the controllers. But none of this points to a government entity per se. Private keys can be stolen, there are underground forums trading newly discovered zero-day vulnerabilities, and if you want a manual on how to program a PLC, you can find in-depth tutorials with a quick search. In fact, many developers rely on searches to find the right syntax for system-specific and esoteric commands when they get stuck, so I would be very surprised if these tutorials were hard to come by. The same goes for actual SCADA hardware. You could certainly buy a controller or two and run a number of tests to make sure your worm is stable and behaves as it should. Yes, you would run up a bill of a few thousand dollars, but that’s hardly a prohibitive investment for a small group of people.
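The lesson buried in the stolen Realtek certificate, both in the description of how the worm gets its drivers loaded and in the point about private keys above, is that a signature which verifies is not the same as a file you should trust. What follows is an added example, not code from the original post or from any published Stuxnet analysis: it audits a batch of driver-load events and flags a driver that passes signature verification but is signed by a certificate on a stolen-key block list, or is signed by a vendor that never ships a file with that name. The thumbprints, revocation date, vendor catalog, paths and event records are all constructed for the example; only the file name mrxnet.sys is taken from the real worm.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DriverLoad:
    """One kernel-driver load event (fields an EDR or Sysmon sensor would record)."""
    path: str               # on-disk path of the driver image
    signer_cn: str          # subject CN of the leaf code-signing certificate
    thumbprint: str         # SHA-1 thumbprint of that leaf certificate, hex
    signed_at: datetime     # Authenticode countersignature timestamp
    chain_valid: bool       # did the OS accept the signature chain at load time?


# Hypothetical block list: thumbprints of certificates whose private key is
# known to have been stolen, mapped to the date the CA revoked them. The
# values are constructed for this example, not the real Realtek certificate.
STOLEN_CERT_THUMBPRINTS = {
    "5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5d6e7": datetime(2010, 7, 16, tzinfo=timezone.utc),
}

# Hypothetical vendor catalog: which driver file names each signer actually
# ships. A real deployment would build this from vendor-published hashes.
VENDOR_CATALOG = {
    "realtek semiconductor corp": {"rtkhdaud.sys", "rtkvhda.sys"},
}


def audit_driver(ev: DriverLoad) -> list[str]:
    """Return the reasons this load is suspicious (an empty list means clean)."""
    if not ev.chain_valid:
        return ["signature chain did not verify"]

    file_name = ev.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    signer = ev.signer_cn.strip().lower()
    findings: list[str] = []

    revoked_on = STOLEN_CERT_THUMBPRINTS.get(ev.thumbprint.lower())
    if revoked_on is not None:
        # A timestamp earlier than the revocation date is no comfort: the key
        # was in the wrong hands before anyone noticed, so the match on the
        # thumbprint alone is what decides; the date is reported for context.
        when = "before" if ev.signed_at < revoked_on else "after"
        findings.append(
            f"signed with stolen certificate (revoked {revoked_on:%Y-%m-%d}, "
            f"signature dated {when} revocation)"
        )

    expected = VENDOR_CATALOG.get(signer)
    if expected is not None and file_name not in expected:
        findings.append(f"{ev.signer_cn} is not known to ship {file_name}")

    return findings


def audit_all(events: list[DriverLoad]) -> dict[str, list[str]]:
    """Map each suspicious driver path to its findings; clean loads are omitted."""
    report: dict[str, list[str]] = {}
    for ev in events:
        findings = audit_driver(ev)
        if findings:
            report[ev.path] = findings
    return report


# Constructed sample events. mrxnet.sys is the name of one of Stuxnet's
# rootkit drivers; the paths, thumbprints and dates are invented.
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\rtkhdaud.sys",
               "Realtek Semiconductor Corp",
               "0f1e2d3c4b5a69788796a5b4c3d2e1f001122334",
               datetime(2009, 11, 3, tzinfo=timezone.utc), True),
    DriverLoad(r"C:\Windows\System32\drivers\mrxnet.sys",
               "Realtek Semiconductor Corp",
               "5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5d6e7",
               datetime(2010, 1, 25, tzinfo=timezone.utc), True),
    DriverLoad(r"C:\Windows\System32\drivers\tcpip.sys",
               "Microsoft Windows",
               "ffeeddccbbaa99887766554433221100ffeeddcc",
               datetime(2010, 4, 2, tzinfo=timezone.utc), True),
]

if __name__ == "__main__":
    for path, reasons in audit_all(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run as is, the only event reported is the Realtek-signed mrxnet.sys, with two reasons: its certificate is on the stolen-key list, and an audio chip vendor has no business shipping a file by that name. The second check is the one that would have fired before anyone knew the key was stolen, which is why a catalog of what each signer actually ships is worth more than a revocation list alone.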

So in other words, nothing here screams a need for government involvement. That said, Stuxnet does indicate that whoever built it knew a good deal about SCADA systems, understood low-level vulnerabilities in the targeted Windows systems, and had a decent budget. The very fact that it exists should be disconcerting, and it points to potential acts of industrial sabotage, espionage, or both, on a level that hasn’t been seen so far. I could certainly imagine a corporation in control of a Stuxnet strain sabotaging a competitor’s plants, or holding them hostage if it decides to play rough with a particularly reviled executive. Why Iran had such a huge rate of infection is going to bug security experts for a very long time to come, and I’m afraid that until a few intelligence agencies decide to come clean about Iran’s nuclear program, we’ll have little evidence to say anything decisive about it. Meanwhile, we should be looking for, and worrying about, Stuxnet 2.0…

  • Pierce R. Butler

    I’d bet there are a lot of new “help wanted” notices going up along the border between industrial control programming and security software all of a sudden. Regardless of the who and why behind this particular malware, everybody in high-tech enterprises has just seen their overhead increase appreciably and permanently.

  • Nirovad Pravak

    Those control computers are very often left unpatched, with already obsolete operating systems; there are a couple of reasons for that:

    - OS patches and updates very often deal with components the software uses for its operation; to be on the safe side, you’d need a lab environment set up for patch proofing, which costs quite a lot of money.

    - the software was developed for exactly that version (and SP level) of OS and architecture (This year I came across a gas distribution control system running on an NT 4.0 cluster on DEC Alpha :( )

    - The “If it ain’t broken – don’t fix it!” approach to system maintenance

    Oh, and, did I mention that the operators of those centers are often bored to death? So bored they bring a few games with them on a thumbdrive?

    The thing with SCADA is that the software uses a hardcoded password for the ‘sa’ SQL database user. That password leaked on some Russian forum two years ago. Furthermore, it also deals with PLCs that are controlled by the software, their setup and the readings it gets from them.

    This worm wasn’t programmed by some teenagers with loads of spare time; there must’ve been an entire team of engineers dedicated to the project of developing this… The development must have also been backed up by huge resources (secrecy, testbeds, etc.), the kinds of which only corporations or governments have. And IDF’s ‘cyber squads’ are the best in the world.

    No wonder this story is a conspiracy theorist wet dream…