Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/15/2010
04:30 PM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Stuxnet: An Amateur's Weapon

Stuxnet, a Trojan supposedly designed to attack Iran's nuclear program, is so technically advanced that it is said to be able to remotely explode a power plant without the controller noticing. Such an advanced weapon was developed by people with means. But whoever they are, they're amateurs.

Stuxnet, a Trojan supposedly designed to attack Iran's nuclear program, is so technically advanced that it is said to be able to remotely explode a power plant without the controller noticing. Such an advanced weapon was developed by people with means. But whoever they are, they're amateurs.In military operations there are two main parameters: to be balanced, maintaining operational covertness, and meeting operational goals.

For thieves to break into a secure facility, they'd first collect intelligence and build a set of tools to aid them. These tools are expensive, with years of research have gone into them. They'd also need to remain covert, or the operation could be compromised.

However, covertness can get in the way. Do you wait for a perfect date three years from now when a building is being renovated, or carry on to meet your operational goals when a cleaning crew might be in the building?

The same parameters apply with cyberattacks. From a technological standpoint, Stuxnet is very advanced and costly. It uses four vulnerabilities that hadn't been seen before to exploit computer systems for access. One of these enables an attacker to infect a computer by merely inserting a USB key.

This is perfect for attacking a nuclear facility, which isn't connected to the Internet. But operationally it means a person would have to be there physically to accomplish the mission: a spy, a rogue employee, or a commando team.

For such an operation, Stuxnet must not fail. There has to be clear intelligence about how the systems it attacks are built. Also, given the nature of these systems (industrial software that controls power plants, like SCADA systems), it would have to be developed in a replication of the target environment -- an immense cost to reconstruct and an effort in intelligence collection.

Such a tool would be used carefully to avoid the risk of discovery -- not just the specific operation, but of methods used, the technology developed, and past targets.

How then could a target-specific weapon such as Stuxnet be found in tens of thousands of computers worldwide, as vendors such as Microsoft report? It makes no operational sense to attack random computers, which would increase the likeliness of discovery and compromise the operation. Could this be a mistake? Unlikely, as a tool developed for such a specific job would not do anything other than it is told.

Why does Stuxnet infect computers randomly after it gains access to its target? Whatever it is looking for (perhaps a way to phone home?) should already be preplanned.

Further, Stuxnet remained active when, in 2009, one of the zero-day vulnerabilities was reported publicly and patched by Microsoft. Why would its operators risk the discovery of such a costly weapon by keeping it in the field when discovery is now a real risk?

And last but not least, who would have wanted to attack systems in, to name three target countries, Iran, the United States, and Germany, where, according to security vendors, many of the thousands of infections were discovered?

We simply can't tell from technical data alone who is behind it. We can, however, ask what damage has been done and who stood to gain from it.

If we are to believe media reports, then Iran's nuclear efforts have been delayed by three months. These reports are unsubstantiated, but taking them on their word, it doesn't seem likely that Israel or the United States would invest so much for such a small return. It is still within the realm of possibility that some nation-state was behind it, even Iran itself. While in democracies it's the exact opposite, in dictatorial countries most of the intelligence efforts are turned inward.

Another option is that this was a corporate rival of Siemens, the vendor whose SCADA systems Stuxnet targets. Siemens reported it has so far discovered 14 clients (read: power plants) that have been infected, a large portion of which are in Germany. Siemens suffered major PR damage as a result of Stuxnet.

It could also be criminals, with a goal as simple as ransoming these power plants. As unlikely as this scenario sounds, it is as sound a guess as any of the others.

Among the many guesses as to who built Stuxnet, fingers were also pointed at Israel. As an Israeli, I hope such sloppy work wasn't ours. Yes, Stuxnet is advanced, but no military or intelligence organization should be this careless. It is just too amateurish from an operational standpoint.

The plain truth is we don't know who is behind Stuxnet, and we, as experts, shouldn't be ashamed to admit that rather than making outlandish claims that create news. But whoever it was, they were clearly not experienced, even if they were well-funded.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron.

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.