Cyberwar. No, Really. Cyberwar!

by wjw on September 27, 2010


So even Bruce Schneier, who is often dismissive of the Security Armageddon of the Week, is alarmed about the Stuxnet Worm:

The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.

“It’s amazing, really, the resources that went into this worm,” said Liam O Murchu, manager of operations with Symantec’s security response team.

“I’d call it groundbreaking,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google’s network and those of dozens of other major companies, were child’s play.

Or, as the New York Times put it today:

Security experts say Stuxnet attacked the software in specialized industrial control equipment made by Siemens by exploiting a previously unknown hole in the Windows operating system.

The malware is the first such attack on critical industrial infrastructure that sits at the foundation of modern economies.

It also displays an array of novel tactics — like an ability to steal design documents or even sabotage equipment in a factory — that suggest its creators are much more sophisticated than hackers whose work has been seen before. The malware casts a spotlight on several security weaknesses.

Eric Chien, the technical director of Symantec Security Response, a security software maker that has studied Stuxnet, said it appeared that the malware was created to attack an Iranian industrial facility. Security experts say that it was most likely staged by a government or government-backed group, in light of the significant expertise and resources required to create it. The specific facility that was in Stuxnet’s crosshairs is not known, though speculation has centered on gas and nuclear installations.

The Times goes on to say: . . . malware experts say it could have been designed to trigger such Hollywood-style bedlam as overloaded turbines, exploding pipelines and nuclear centrifuges spinning so fast that they break.

Stuxnet uses security flaws in Windows to enter and control Siemens software systems, specifically something called Organizational Block 35. It’s the first piece of malware ever to contain its own PLC rootkit. It can also be updated peer-to-peer, like (for example) the botnet I invented for This Is Not a Game. Stuxnet is an awesome piece of work.

And oddly enough, Iran’s Bushehr nuclear reactor suffered some unexplained delays last year, after the worm was released.  Wikileaks reported there was a serious accident.

Iran Daily reported: “An electronic war has been launched against Iran… This computer worm is designed to transfer data about production lines from our industrial plants to locations outside Iran.”

Colossally malefic as Stuxnet is, however, did its designers actually intend for it to spread around the world via infected USB memory drives? Because it’s now all over the place, infecting places like telephone systems in Greece, and security professionals all over the world are trying to reverse-engineer it.

Which means that the first known state-sponsored cyberwar tool may soon be in everyone’s hands.  Won’t that make for an interesting world?

In fact it will make it more like the world in my novel Deep State, which will be out in February, and which also features an awesome cyberwar tool doing some major Frankenstein blowback upon its creators.

Sometimes I wish the Zeitgeist would stop rummaging around in my head for its ideas, but I’ll settle for its waiting for the book to actually appear. After that, Herr Z can do whatever it likes.

Urban September 28, 2010 at 3:39 am

It’s not really groundbreaking in what it can do: The interesting thing is how: It uses four different vulnerabilities and two stolen, or something, certificates. “Ordinary criminals” would be expected to use this for four+ attacks. That’s what is meant by “resources”, so even if lots of people learn to do what this does, they won’t be able to replicate it to use against another target.
What we should think about is that the people behind this could have another set of vulnerabilities they know about which they haven’t made public so no security patches have been issued. Maybe they even have used them but not been discovered!

Ralf the Dog September 28, 2010 at 7:09 am

First off, if someone is using a desktop OS to run mission critical software that can result in the loss of human life, they deserve to get their system slagged. If you are running something like a power plant, start with the most minimal distro of Linux or BSD you can get your hands on. Strip out anything you are not using, then only add what you must. Every function, thread or process you are running is a potential exploit.

If you must connect this device to the internet (this is something like saying, “If you must drop a 600 pound anvil on your head”), don’t connect it directly to the internet. Connect it to a gateway whose only job is to keep a list of IP addresses, only let your device talk to those computers, then encrypt the communications. IP spoofing could be a bit of a threat but there is a way around that (If I were to tell you guys, the military would purchase every copy of this website and shred it.)

Don’t load your OS or software from an HD. Don’t store it in RAM. Keep them both in ROM. Require a hardware key to reflash the ROM.

Don’t forget to calculate hashes several ways when you boot.
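
The "calculate hashes several ways" step from the comment above, sketched as an added example (not part of the original comment): one pass over a boot image feeds several independent digests, and the check fails closed if any digest is missing or wrong. The algorithm list, the manifest layout and the sample image are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io

# Assumption: the boot manifest must carry one digest per algorithm listed here.
REQUIRED_ALGOS = ("sha256", "sha512", "blake2b")


def digest_image(stream, algos=REQUIRED_ALGOS, chunk_size=65536):
    """Read the image once and update every hash from the same chunks."""
    hashers = {name: hashlib.new(name) for name in algos}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(stream, manifest):
    """Return (ok, failures); every required digest must be present and match."""
    actual = digest_image(stream)
    failures = []
    for name in REQUIRED_ALGOS:
        expected = manifest.get(name)
        if expected is None:
            # A manifest that omits an algorithm is rejected, not skipped.
            failures.append(f"{name}: missing from manifest")
        elif not hmac.compare_digest(actual[name], expected.lower()):
            failures.append(f"{name}: mismatch")
    return (not failures, failures)


# Constructed sample data: a stand-in "firmware image" and its known-good manifest.
GOOD_IMAGE = b"\x7fELF" + b"constructed firmware image " * 64
MANIFEST = digest_image(io.BytesIO(GOOD_IMAGE))

if __name__ == "__main__":
    tampered = GOOD_IMAGE[:-1] + b"X"  # single-byte change at the end
    print(verify_image(io.BytesIO(GOOD_IMAGE), MANIFEST))
    print(verify_image(io.BytesIO(tampered), MANIFEST))
```

The digests only detect tampering if the manifest lives somewhere the image's writer cannot also rewrite, such as the key-protected ROM the comment describes.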

Dave Bishop September 28, 2010 at 9:27 am

Perhaps it was designed (or speed ‘evolved’) by a, as yet undetected, rogue AI … ?

Oh dear – I’ve been reading too much SF!

wjw September 29, 2010 at 9:08 pm

I don’t think the Iranian nuclear sites were connected to the Internet. The worm seems to have got in on contaminated USB drives, probably delivered by the Russian contractor who oversaw construction (and whose own web site is loaded with malware they seem disinclined to remove).

But yes, Windows. My god.

wjw September 30, 2010 at 8:20 am

Based on what may be an obscure reference to the Book of Esther, some people are now theorizing that Stuxnet originated in Israel. http://www.nytimes.com/2010/09/30/world/middleeast/30worm.html?_r=1&th&emc=th

Seems like reading the tea leaves to me.

S.M. Stirling October 6, 2010 at 4:01 am

Judging by the people hit first and worst (Iranians) it probably was either Israeli or American in origin.

According to what I’ve heard, the Iranians have suffered heavy damage; physical damage to plant, and loss of data as whole reams of the most secret stuff were stripped out and transferred. Naturally they’re trying to keep the extent quiet, but the Bushire reactor seems to have been put on emergency shutdown, and the Iranian secret police are arresting Russians left and right, while others (mostly technicians and engineers) flee the country.

And the Iranians have managed to do bupkis about it. They’ve confessed that all their attempts have just made things worse; mutating versions of the worm are still spreading on their computers and on already infected ones it pops up again to re-damage areas they thought were cleaned.

Couldn’t have happened to a nicer bunch of people. I hope they get containment breaches and similar goodies.

Comments on this entry are closed.


Copyright © 2010 WJW. All Rights Reserved.