Showing posts with label Stuxnet. Show all posts

Saturday, June 2, 2012

What Stuxnet's Exposure As An American Weapon Means For Cyberwar


Two years of theories and speculation in the cybersecurity research community were confirmed Friday morning: Stuxnet was indeed the first known digital attack launched by a government to destroy another country’s physical infrastructure. And the government that launched it was ours.
As revealed in an extensive report drawn from an upcoming book by New York Times Washington correspondent David Sanger, the Stuxnet malware that has fascinated cybersecurity researchers since it was discovered in the fall of 2010 was in fact built by U.S. and Israeli government agencies and deployed to disrupt Iranian nuclear enrichment facilities. It seems to have worked: one thousand of Iran's 5,000 enrichment centrifuges were temporarily put out of commission by the malware, and some sources within the Obama administration told the Times that Iran's nuclear ambitions may have been set back by as much as 18 months to two years.
But even in 2010, the Obama administration knew that the potential exposure of the program, which it codenamed “Olympic Games,” would spell trouble.
“Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade,” Sanger writes. “He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.”
That acknowledgement has now arrived, thanks in part to a bug in Stuxnet that caused it to spread far beyond its intended targets and to catch the eye of antivirus researchers, and in part due to Sanger’s own excellent reporting that ties the malware directly to Washington. So will the public confirmation of America’s role as a cyberwarfare aggressor lead to the escalation of the digital arms race that Obama feared?
Jeffrey Carr, author of Inside Cyber Warfare and chief executive of cybersecurity consultancy Taia Global, believes it will. “This is a gift to Iran,” says Carr of the Times' revelations. “I think it will give a reason, an excuse, for other countries to ramp up their offensive cyber capabilities. Certainly it gives Iran an excuse to take steps to retaliate in exchange for what's occurred. It's a really unfortunate disclosure.”
After all, the original advantage of using a digital attack to sabotage Iran’s nuclear facilities instead of a physical one, Carr says, was to keep the operation secret and allow deniability if it were discovered. “The whole point of a secret operation is that it stays secret and doesn’t blow back on the country that launched it,” says Carr. “Now there’s really no doubt left. It’s really damning.”
According to the Times' story, in fact, much of Stuxnet's effectiveness came from the mystery it created for the Iranians. The malware caused malfunctions in the centrifuges of the Natanz enrichment plant at random intervals over months, producing different errors every time and hiding them from the diagnostic systems in the control room. The Iranians became so paranoid about their own hardware, according to Sanger, that they assigned staff to physically watch the centrifuges. “The intent was that the failures should make them feel they were stupid, which is what happened,” one source said. In their confusion, the plant workers shut down entire sections of the facility and fired workers. With so many details of Stuxnet's workings, and its origins, now revealed, it's unlikely the next digital weapon will have the same effect.
But the exposure of American involvement in Stuxnet shouldn't be blamed on the Times, says Mikko Hypponen, a malware analyst who has closely studied Stuxnet since its discovery in 2010. American fingerprints were all over Stuxnet from the moment antivirus researchers first saw the malware spreading out of the Middle East and infecting their clients' machines. “All the other governments must have already assumed it was the United States or the Israelis,” says Hypponen. “We're already in this arms race, and there's nothing we can do to stop it now.”
As early as the fall of 2010, researchers like Ralph Langner and a team at antivirus firm Symantec had already reverse engineered Stuxnet to show that it specifically targeted the centrifuge control equipment at Iranian nuclear facilities such as Natanz and Bushehr, leaving little doubt about who had created it. And if independent researchers like Langner could reach that conclusion, it's likely foreign intelligence services and others had already confirmed U.S. and Israeli involvement.
The real importance of confirming Stuxnet's American origin may be more introspective, says Bruce Schneier, a well-known cybersecurity guru and author: now we know beyond a doubt that the potential for a physical cyberattack, so often portrayed as a foreign (and specifically Chinese) threat, actually starts at home. “Every country is engaging in the cyber war arms race,” says Schneier. “This isn't one of our finer moments. But it's the truth. It's icky. But it's good to get the truth out.”
As Richard Clarke outlined in his 2010 book, Cyber War, the U.S. military is likely the most powerful offensive force in cyberspace, ahead of both Russia and China. Defense against foreign attacks, rather than offense, is where the U.S. lags: Clarke argued that even North Korea is less vulnerable than the U.S. to cyberattack, given its lack of automation and Internet connectivity. And as a story in Technology Review points out, Stuxnet's traits have already shown up in several other malware samples that have hit American targets, implying that the Obama administration has been more focused on using its new weapons than on considering the consequences once that destructive code proliferated in the wild.
With U.S. critical infrastructure still vulnerable to the same sort of attacks that Stuxnet used, the confirmation of the first military malware's origin may carry a valuable lesson: that America shouldn't be driving forward a cyberwar in which every digitized nation suffers, and the U.S. has perhaps the most to lose. “These guys are playing war in cyberspace, and they're doing stuff that affects our networks,” says Schneier. “When countries attack each other in cyberspace, we're all in the blast radius.”
Read David Sanger's full New York Times story on Stuxnet here.
(Sources - http://www.forbes.com)

Tuesday, January 3, 2012

Stuxnet, Duqu Date Back To 2007, Researcher Says

Two pieces of malware likely were developed by the same team on the same platform along with similar variants, according to Kaspersky Lab.

By Elizabeth Montalbano InformationWeek
December 29, 2011 01:22 PM

The origins of the dangerous Stuxnet computer virus that targeted Iran's nuclear program last year could date back as far as 2007, according to new research.

Stuxnet and the related Duqu virus discovered earlier this year share a similar architecture and may have been developed by the same team of developers, along with other pieces of malware, on a common platform several years ago, according to a security researcher at Kaspersky Lab. Researchers have dubbed the platform "Tilded" because its authors tend to use file names that start with "~d," said Alexander Gostev, head of Kaspersky's Global Research and Analysis Team, in a blog post.

"There were a number of projects involving programs based on the 'Tilded' platform throughout the period 2007-2011," Gostev said. "Stuxnet and Duqu are two of them--there could have been others, which for now remain unknown."

Researchers discovered the connections between the pieces of malware and their origins by examining their drivers, he said.

Gostev warned that the Tilded platform is continuing to develop and that further modifications of the viruses are likely to pose a threat in the future.

Stuxnet was first discovered in June 2010 when it attacked software and equipment used by various organizations facilitating and overseeing Iran's nuclear program.

The virus was especially worrisome for researchers because of its unprecedented complexity; it contains more than 4,000 functions, which is comparable to the code in some commercial software.

Researchers at the Budapest University of Technology and Economics' CrySyS lab discovered Duqu this past September, saying the malware appears to have been designed to steal industrial control design documents.

After examining Duqu, researchers at Symantec said it was nearly identical to Stuxnet. Both attack Microsoft Windows systems by exploiting zero-day vulnerabilities: flaws that were unknown to the vendor, and therefore unpatched, at the time the attacks took place.

Superworms like Stuxnet and Duqu--which seem to have been created to target the critical infrastructure and control systems of particular countries--are of great concern for federal cybersecurity officials who are working to prevent such dangerous threats to the U.S. power grid and other essential facilities.



(Source - http://informationweek.com)

Sunday, November 20, 2011

Iran detects Duqu virus in Governmental System.

Iran said Sunday that it had detected the Duqu computer virus, which security researchers have argued is based on Stuxnet, the malware believed to have been aimed at sabotaging the Islamic Republic's nuclear sites, according to a report.

Gholamreza Jalali, head of Iran's civil defense organization, told the Islamic Republic News Agency (IRNA) that computers at all main sites at risk were being checked and that Iran had developed antivirus software to fight the virus.

"We are in the initial phase of fighting the Duqu virus," Jalali said. "The final report that says which organizations the virus has spread to and what its impacts are has not been completed yet. All the organizations and centers that could be susceptible to being contaminated are being controlled."

Word of the Duqu computer virus surfaced in October when security vendor Symantec said it had found a virus whose code was similar to Stuxnet, the cyberweapon discovered last year. While Stuxnet was aimed at crippling industrial control systems, security researchers said Duqu seemed to be designed to gather data so that future attacks would be easier to launch.

"Duqu is essentially the precursor to a future Stuxnet-like attack," Symantec said in a report last month, adding that instead of being designed to sabotage an industrial control system, the new virus provides remote access capabilities.

Iran also said in April that it had been targeted by a second computer virus, which it called "Stars". It was not clear if Stars and Duqu were related but Jalali had described Duqu as the third virus to hit Iran.

(Source - http://www.zdnetasia.com)