Dark Reading is part of the Informa Tech Division of Informa PLC

Stuxnet Heralds New Generation of Targeted Attacks

Power plants no longer considered immune to infection, and targeted attacks become more precise

"It caught the public's attention very quickly -- there were thousands of infections at the height of it," NitroSecurity's Knapp says. "If an attack was delivered more strategically, then it wouldn't draw that type of attention to itself" and be harder to detect, he says.

Symantec's Murchu, like other researchers, says just why Stuxnet spread beyond its targeted Siemens PLC system remains a mystery. "From looking at the code and the way it was written, and the techniques used in it, they didn't want this to spread ... It was to stay local to the company it was trying to infect," he says. "Somehow it did spread. It looks like they wanted to keep it low-key, and maybe it spread" somehow, he says.

Michael Sconzo, principal security consultant with NetWitness, concurs that the attackers letting the worm escape into the wild just doesn't add up. "Why invest all of that time and money buying zero-days and let it get out into the wild," Sconzo says. "If that and you steal a digital certificate, I would think that they would have been careful the worm didn't get out of hand."

Even so, the attack raises the bar for what has been seen thus far in targeted attacks. "Yesterday the world learned that all the stuff covered so far about zero-days, a rootkit, and a botnet wasn't what the [attackers] were trying to do. What they were doing was getting into the actual control software at the deepest level," Cigital's McGraw says.

A German researcher says the attack was likely aimed at an Iranian nuclear power plant. Ralph Langner said in a blog posting that the attack is "sabotage" and required much insider knowledge in order to pull off. "The best way to approach Stuxnet is not to think of it as a piece of malware like Sasser or Zotob, but to think of it as part of an operation -- operation myrtus. Operation myrtus can be broken down into three major stages: Preparation, infiltration, and execution," he wrote.

Researchers agree this was a highly coordinated attack that required various types of skill. "You needed people skilled in different areas to make this work: a person who writes code that affects PLCs is different from a person who infects USB drives. The skills needed to write this code is very different" for each, says Murchu.

It was likely a large project team, with a project manager, some quality assurance, and testing elements as well, he says. "They had to identify what type of hardware, PLCs, and then after that was established, creating the project to fit the target they were trying to attack. You get people who know SCADA and can test on PLCs," he says. "This was either an industrial funded group with deep pockets, or nation-state sponsored. But I am only speculating here."

Meanwhile, while the specific payload of Stuxnet is only aimed at the Siemens S7, the malware model is likely to be reused in some way and emulated in future targeted attacks, experts say. "We'll see more of these types of things in the future," says Marc Maiffret, chief technology officer at eEye Digital Security.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
