Stuxnet: Cyberwarfare’s Universal Adaptor?

Now that cyberwarfare is out of the bottle, will anyone agree to not use it? In the summer of 1945 in New Mexico, the Trinity test gave rise to the term ground zero. Could Stuxnet be measured as a definitive ground zero in cyberwarfare, comparable to Trinity?

Concerning Stuxnet’s latest rise in China, David Harley writes:

    • Strangely, I have yet to see much in the way of speculation as to who is “targeting” China, though the Chinese themselves claim that the infection has been spread by US servers.

My two-part series in SC Magazine posits that the game has now completely changed. Today in SC Magazine I wrote:

    • In the same vein that three atomic bombs were built – one tested at Trinity, two dropped in Hiroshima and Nagasaki – I see Stuxnet as an operational test of a disruptive technology – malware – which has now been proven in the real world of cybersecurity.

My viewpoint is that the disruptive threat of Stuxnet is not found within the malware; it is in the entire process and the proof of concept. This malware attack should be thought of as a template for an intelligence operation, not merely a scrap of software code.

Ralph Langner, famous for mapping the Stuxnet attack, has similar theories:

    • The biggest collateral damage, however, emerges from the cost of dealing with post-Stuxnet malware, which copies attack technology from Stuxnet.

As for the moral responsibility of the parties involved, the historic precedent of atomic weapon use may apply here as well. Just as the race for weaponized atomic energy motivated nations and non-nation-state entities ('non-state actors'), cyberwarfare, having had its Trinity test, will most likely result in escalation.

Trinity had its ground zero in secrecy, yet, as I detail in the series, the ethical decision was made to go ahead and deploy atomic weapons operationally rather than simply demonstrate one in public for the Axis power still holding out.

Stuxnet may be measured as a definitive ground zero as well. According to limited information, both a centrifuge site in Natanz and the Bushehr reactor were affected to the point of damage. Also notable as a casualty, the Iranian Atomic Energy Organization resigned at the end of June / beginning of July.

Now that cyberwarfare is out of the bottle, will anyone agree to not use it? And would we believe that any agreement or treaty would possibly cover those non-nation state actors, such as terrorists and cybercriminals?

Related Articles:

  1. Stuxnet: Cyber warfare’s game-changer, Part One
  2. Stuxnet: Cyber warfare’s game-changer, Part Two
  3. Stuxnet should serve as wake-up call, say experts
  4. In a computer worm, a possible Biblical clue
  5. Stuxnet: Targeting the Iranian enrichment centrifuges in Natanz?
  6. Kinetic warfare vs. cyberwarfare

Author: ESET Research, ESET

  • RdS

    It's a good question, Charles – though you seem to know the answer.
    More than likely we'll witness most nations agreeing to "not use" cyberwarfare, albeit with a long list of provisos in reference to defensive measures, all of which will have no impact on the reality of government/military action. Structured attacks coordinated by teams of government cyber warriors could even be justified on a defensive level – which actually sounds like the basis of the Stuxnet scenario, if our info is accurate.
    What I would like to know is how accurate the incoming reports are from all nations in regards to their own domestic infections. Would a guilty government not cry wolf and claim the worm had caused mass disruption, so as to deflect suspicion? That seems like an obvious tactic. Likewise, what's the comparable speed that each infected nation has contained these reported domestic incidents? Those figures could be a giveaway.

    • Charles Jeter

      @RdS

      Thanks for your comment!

      From your question:
      “What I would like to know is how accurate the incoming reports are from all nations in regards to their own domestic infections. Would a guilty government not cry wolf and claim the worm had caused mass disruption, so as to deflect suspicion? That seems like an obvious tactic. Likewise, what’s the comparable speed that each infected nation has contained these reported domestic incidents? Those figures could be a giveaway.”

      My speculation is that in order to find true accuracy, multiple levels of information / intelligence must be considered, most of which are outside the purview of you and I. The scenario provided here is sometimes referred to in certain media circles as a ‘False Flag’ operation and would be theoretically embraced by either of the doctrines of Maskirovka or Sun Tzu’s Art of War philosophies. Short version: Yep. You betcha. Lack of attribution definitely obscures whodunit.

      So the key issues we discussed previously here on the ThreatBlog under the Cyberwarfare category rapidly fall into play.

      First, attribution makes it attractive. Anyone can be the instigator, yet actually having proof of the reality depends on the credibility of the reporting party. Some polls say that 1/3 of North America believes 9/11 was an inside job. Other polls show that 2/3 of North America believes that Weapons of Mass Destruction in Iraq was an outright fabrication of the intelligence committees in the US. With those numbers showing those results from actual KINETIC and TANGIBLE elements, can you or I imagine how tough it would be to quantify zeroes and ones (binary data) which shut down or blow up SCADA controls?

      Second, what’s the proper level of response? How do our Rules of Engagement fit into this? When is it justifiable to, say, [fictional] drop a JDAM from a Stealth B-2 onto a Chinese hotel occupied by North Korean cyberwarriors? Where and when do kinetic responses fit into the cyberwarfare realm?

      And third, what are the realistic threats posed by an organized enemy – one who really wouldn’t mind seeing the US melt down because of a complete and utter power failure – regardless of the retributive cost?
      http://blog.eset.com/2010/04/15/cyberwarfare-and-music-its-all-tempo

      According to this US News and World Report article…
      Al Qaeda “also sabotaged other websites by launching denial-of-service attacks, such as one targeting the Israeli prime minister’s computer server,” court records show. The Israeli embassy in Washington had no comment on the information published in the court records. Denial of service attacks are common and relatively easy and cheap to coordinate. They aim to overload and temporarily disable websites for the duration of the attack. Al Qaeda’s interest in the tactic, however, has received little discussion and attention.
      So on one side you have markedly civilian technology experts stating that cyberwar is nonexistent, and on the other you have markedly military or government resources stating that cyberwar / cyberterrorism is a very real threat. The faces and names seem to stay consistent throughout administrations as well, offering a bipartisan flavor to it all.

  • sil

    You state: "My viewpoint is that the disruptive threat of Stuxnet is not found within the malware" yet you and others fail to comprehend the complexities involved with what you've discovered. In a typical C&C the operator can (and usually does) control the payloads. Often changing them as time goes on:

    Initial Attack –> contains exploit 1
    C&C modification –> update with exploit 2
    C&C modification –> update with exploit 3
    C&C modification –> update with exploit 4

    And so on. Because of the fact that there is a C&C involved, you could have caught it during a stage when a "swap" took place and no disruptive threat was visible. That's just for starters. Far too many of you guys (especially in the AntiVirus world) seem to custom tailor your findings to whatever fits your "chain of thought." For example, the arguments of "state sponsorship", "guava" and "myrtus." These have been argued, debated, misunderstood and abused to custom write the story the author wants to convey.

    My RTU's seems more plausible because RTU is a common term in SCADA environments. Guava for all you know could be someone's favorite fruit with no real relationship. The absolute TRUTH here is that no one knows anything other than opinions on what one is seeing. No one knows who created Stuxnet, no one knows why. So here is a theory to ponder:

    Disgruntled SCADA worker with intimate knowledge of PLCs deploys a backdoor to retain access in case he ever got the boot. He is familiar with WinCC but not familiar with "hacking techniques"; he pieces together an application to allow him to keep his backdoor. Upon creation, he loses his laptop and someone picks up the code and runs with it. "Nifty application. Might be worth some money," said the cracker. Cracker spreads the code, criminal organizations seek to capitalize, a legend/rumor is born.

    You also state: "Now that cyberwarfare is out of the bottle, will anyone agree to not use it? And would we believe that any agreement or treaty would possibly cover those non-nation state actors, such as terrorists and cybercriminals?"

    What makes you think cyberwarfare HASN'T been out of the bottle for some time? There are plenty of methods to deliver payloads much worse and much more covert than Stuxnet. These are currently evident with botnets such as Crimepack and Zeus. It's not at all complicated to switch up the payload. It all depends on what the target is and who is targeting what. It doesn't necessarily have to be a "state versus state" thing; you and others seem to forget that where there is money, there will be evil. Money I believe was the underlying goal of Stuxnet (think crypto-extortion:

    • Charles Jeter

      Hi sil, thanks for your comment.

      By ‘you could have caught it’ I’m assuming you’re talking about ESET. I don’t know the status of how that would have occurred since I’m not in the virus lab and most of that discussion would end up being proprietary anyway.

      I can comment on the scenario you presented about the SCADA worker being disgruntled. Good thinking, let’s take it a few steps further: I figure that there’s nothing that states what you say couldn’t be true, however the methodology of the SCADA worker selling his or her exploit may have left some significant tracks. Losing a laptop gets even more complicated in that if the laptop were absconded with and the right person was able to filter through what likely would be a third to a full terabyte of the stuff we all run around with on our laptops, then that person would have had to market the exploit, once again leaving significant tracks. When a cracker spreads the code, that definitely leaves significant tracks. As for the argument of this all happening behind some virtual Iron Curtain of impenetrable l33t security by the bad guys, I’m not figuring that to be a higher probability than other scenarios. So that’s actually a more complex explanation than a specific organization having the resources to do each task required because they’re specialized. Again, it’s all hypothetical so the attribution issue once again makes it attractive for anyone with large goals to use – be it a state-sponsored actor or a non-state actor.

      As for theory to proof of cyberwarfare, looking into the links I put into this article will bring that discussion to a conclusion in favor of been there – done that. You and I agree that cyberwarfare has been out of the bottle since at least 1982 when the now-public Farewell Dossier case actually exploded a Siberian Gas Pipeline through “the most monumental non-nuclear explosion and fire ever seen from space” (Secretary of Air Force, 1982).
      See http://www.scmagazineus.com/from-sci-fi-to-stuxnet-exploding-gas-pipelines-and-the-farewell-dossier/article/180051/

      So – nothing has to be a state vs state issue. It merely has to have the resources associated with a highly effective, highly covert intelligence operation. Money being the underlying goal of Stuxnet – well, I welcome the debate on that in depth – post a link to a blog you write here, and we can have that debate.

      Thanks again for your comments, I appreciate your passion and technical insight! Keep ‘em coming!

14 Oct 2010