I think we have all been aware of cyber activity. We have generally been led to believe that these so-called cyber attacks have originated in China or Russia. The usual story line goes that these hackers are independents who are allegedly encouraged by their governments. In June, however, I began following stories related to the cyber worm called Stuxnet. Stuxnet has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose has grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something. At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran’s Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.
The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.
Unlike most malware, Stuxnet is not intended to help someone make money or steal proprietary data. Industrial control systems experts now have concluded, after nearly four months spent reverse engineering Stuxnet, that the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide. Internet link not required. It is a realization that has emerged only gradually.
Stuxnet surfaced in June and, by July, was identified as a hyper-sophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away. But what was the motive of the people who created it? Was Stuxnet intended to steal industrial secrets – pressure, temperature, valve, or other settings – and communicate that proprietary data over the Internet to cyber thieves?
By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous. This gives you an idea of how much infrastructure could be affected.
But it gets worse. Since reverse engineering chunks of Stuxnet’s massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, had concluded: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown. “Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world,” says Langner, who last week became the first to publicly detail Stuxnet’s destructive purpose and its authors’ malicious intent. “This is not about espionage, as some have said. This is a 100 percent sabotage attack.”
Then came this from Tehran today.
TEHRAN: Iran’s nuclear agency is trying to combat a complex computer worm that has affected industrial sites throughout the country and is capable of taking over power plants, Iranian media reports said. Experts from the Atomic Energy Organization of Iran met this week to discuss how to remove the malicious computer code, or worm, the semi-official ISNA news agency reported Friday. The computer worm, dubbed Stuxnet, can take over systems that control the inner workings of industrial plants. Experts in Germany discovered the worm in July, and it has since shown up in a number of attacks – primarily in Iran, Indonesia, India and the US.
The ISNA report said the malware had spread throughout Iran, but did not name specific sites affected. Foreign media reports have speculated the worm was aimed at disrupting Iran’s first nuclear power plant, which is to go online in October in the southern port city of Bushehr. Iranian newspapers have reported on the computer worm hitting industries around the country in recent weeks, without giving details. Friday’s report also did not mention Bushehr.
The Russian-built plant will be internationally supervised, but world powers remain concerned that Iran wants to use its civil nuclear power program as a cover for making weapons. Iran denies such an aim and says its nuclear work is solely for peaceful purposes. While there have been no reports of damage or disruption at any Iranian nuclear facilities, Tuesday’s meeting signaled a high level of concern about the worm among Iran’s nuclear officials.
The destructive Stuxnet worm has surprised experts because it is the first one specifically created to take over industrial control systems, rather than just steal or manipulate data. The United States is also tracking the worm, and the Department of Homeland Security is building specialized teams that can respond quickly to cyber emergencies at industrial facilities across the country.
But the US does not know who is behind it or its purpose, a top US cybersecurity official said Friday. “One of our hardest jobs is attribution and intent,” Sean McGurk, director of the National Cybersecurity and Communications Integration Center (NCCIC), told reporters. “We’ve conducted analysis on the software itself,” McGurk said during a tour of the Department of Homeland Security facility outside Washington, which is responsible for coordinating government cybersecurity operations.
“It’s very difficult to say ‘This is what it was targeted to do,’” he said of Stuxnet. The worm has been found lurking on Siemens systems in India, Indonesia, Pakistan and elsewhere, but the heaviest infiltration appears to be in Iran, according to software security researchers. McGurk said Stuxnet had been found not only in power facilities but also in water purification or chemical plants which use the particular Siemens system it targets. “We haven’t seen any impacts or effects of what it does,” he said. “We know that it’s not doing anything specifically malicious right now.”
McGurk said he could not say who is behind the worm. “It would be premature to speculate at this time,” he said. “We’re not looking for where it came from but trying to prevent the spread,” he said, adding that Siemens is “reaching out to their customer base” to deal with the infection. Stuxnet is able to recognize a specific facility’s control network and then destroy it, according to German computer security researcher Ralph Langner, who has been analyzing Stuxnet since it was discovered in June.
Stuxnet was tailored for Siemens supervisory control and data acquisition (SCADA) systems commonly used to manage water supplies, oil rigs, power plants and other industrial facilities. Langner suspected Stuxnet’s target was the Bushehr nuclear facility in Iran. Unspecified problems have been blamed for a delay in getting the facility fully operational.
Whether or not the Stuxnet computer worm was really a state cyber strike on Iran’s nuclear facilities, hard-to-trace computer attacks look set to be a feature of 21st-century warfare. Western experts say the worm’s sophistication – and the fact that some 60 percent of computers infected looked to be in Iran – pointed to a government-backed attack. Some speculated Bushehr may have been targeted, perhaps by Israel.
But proving that is another thing altogether. Analysts say most major states – particularly China, Russia and the United States – have invested considerably in cyber warfare and defence in recent years, but details are inherently sketchy. “Attribution is extremely difficult in cyber attacks,” said Derek Reveron, a cyber warfare expert at the US Naval War College in Rhode Island. “Given how data moves around the world, determining the point of origin is difficult. Then there is the difficulty of determining if it was state-sponsored or not.”
That, of course, is a key part of their appeal. Russia was widely blamed for cyber attacks on Estonia in 2007 after a dispute over a statue of a World War Two Russian soldier, as well as on Georgia during its 2008 war. But nothing was ever proven, and some pointed to “patriotic hackers” operating independently rather than government agencies themselves. What most experts do agree on is that the increased reliance on computer systems for essential national infrastructure means such attacks are increasingly damaging. Lights could be turned off, streets turned to gridlock by targeting traffic light control systems, satellites blinded and warships left dead in the water.
Partly as a result, cyber warfare is seen as a particularly appealing option for countries that remain far outmatched by the conventional military might of the US. North Korea is seen as having particular advantages in any cyber confrontation – its own national computer infrastructure is so outdated that there would be little if anything for South Korea or US cyber warfare experts to counter-attack against. China’s “great firewall”, usually associated with censorship, is also believed to offer some defence against cyber attacks.
In his 2010 book “Cyber War”, former White House cybersecurity expert Richard Clarke sketches out a nightmare scenario in which online attacks bring the US to a standstill – and the experts can’t even tell which country attacked them. He says he believes the United States, China and others are already hacking into each other’s critical national systems, burying “logic bombs” and other attack software in the event they are needed – something he compares to the arms race and mechanisation that preceded World War One.
“Invisibly, military units from over a score of nations are moving into a new battle space,” he writes. “Because the units are unseen, parliaments and publics have not noticed the movement of these forces… With attention divided elsewhere, we may be laying the groundwork for cyber war.” Even if such a doomsday scenario never unfolds, most experts believe hacking is already taking its place alongside air strikes and special forces as tools for limited military activity.
“It may prove to be a useful tool in Syria in the long term, assuming Damascus pushes ahead with its suspected nuclear program and Hezbollah is so well armed – it already owns more rockets than most states – that Israel would think twice before launching air strikes … as it did in 2007,” said Maplecroft political risk analyst Anthony Skinner. However, there is no guarantee that a state subject to a cyber attack – even if it was never able to categorically prove the source – might not retaliate in either a covert or open military way against those it believed were responsible.
It’s not just about attacks. Experts say the main use of cyber capabilities by most countries is for hacking and spying, either for counterterrorism or commercial reasons. Authoritarian emerging states such as China and Russia are both frequently accused of using state spies to help government-linked businesses – and many analysts suspect Western countries have been guilty of the same as well. Few see that changing. “States will continue to develop more sophisticated asymmetric – and deniable – cyber and information attacks,” said Jonathan Wood, global issues analyst at Control Risks. “Some of these may be used for strategic and military aims, others for commercial or diplomatic espionage.”
But so far, experts say cyber attacks have been limited to data theft or deletion. They have yet to come close to the physical damage of simply blowing something up the old-fashioned way. “To my knowledge, there is no case of a cyber attack leading to physical destruction,” said cyber warfare expert Reveron. “It is certainly possible and drives much thinking about cyber defence. But so far, there aren’t any cyber ‘super weapons’.” Unless Stuxnet is, of course, and we may never know.
So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems, Eric Byres, a Canadian expert, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.
Langner’s analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.
A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.
Could Stuxnet’s target be Iran’s Bushehr nuclear power plant, a facility much of the world condemns as a nuclear weapons threat?
Langner is quick to note that his views on Stuxnet’s target are speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr’s expected startup in late August has been delayed, he notes, for unknown reasons. (One Iranian official blamed the delay on hot weather.)
But if Stuxnet is so targeted, why did it spread to all those countries? Stuxnet might have been spread by the USB memory sticks used by a Russian contractor while building the Bushehr nuclear plant, Langner offers. The same contractor has jobs in several countries where the attackware has been uncovered.
“This will all eventually come out and Stuxnet’s target will be known,” Langner says. “If Bushehr wasn’t the target and it starts up in a few months, well, I was wrong. But somewhere out there, Stuxnet has found its target. We can be fairly certain of that.”
To me, this is a real-life fact that gives us a hint of how wars will be fought in the future. Whoever devised or deployed Stuxnet has redefined warfare by a single act. The cost of writing some pretty kick-butt code, a memory stick, and the logistics to get it loaded onto a Russian engineer’s computer may shut down Bushehr and avoid a military action with all of its costs, both in real terms and in global political capital. This is a story worth following.