Stuxnet: a Glimpse into the Future of Malware and its Interplay with Cyber Warfare
When national security and economic security become inseparable.
In recent years we have witnessed exponential growth in cyber criminal activity. Over the five-year period beginning in 2002, the number of threats increased by 1,514%. In 2007, the year-on-year threat growth rate was 185%. According to the Symantec Internet Security Threat Report for that year, "the increase in threats can be mainly attributed to an increase in new Trojans... [of which] ... the initial stage may be installed by a Web page that exploits a browser vulnerability".
The Stuxnet worm provides a first tangible glimpse into the future of software security, malware, and its interplay with cyber warfare. It differs from the malicious code that information security professionals have observed in recent years in three ways.
First, it attacks a physical process, not only a computing system. Stuxnet takes up residence on the process controller by injecting code directly into the controller's program logic. In roughly 500 KB, digitally signed with stolen code-signing keys, it combines rootkit functionality, the PLC infection logic, and exploits for four previously unpatched Windows vulnerabilities, two of which provide elevation of privilege.
Long dismissed as the wishful thinking of security paranoids, malware attacks on process control systems have now been conclusively demonstrated by Stuxnet.
Does this event have a precedent? Perhaps. It certainly does for those who do not consider the 1982 sabotage of the Уренгой-Сургут-Челябинск (Urengoy-Surgut-Chelyabinsk) pipeline a hoax. According to the "Farewell Dossier", the Soviets needed supervisory control software for the pumps, turbines, and valves of the trans-Siberian pipeline. The U.S. National Security Council allegedly decided to "help the Soviets with their shopping" and let them steal the software from a Canadian oil company, after U.S. agents had embedded a logic bomb in the control software. In the summer of 1982 the logic bomb triggered. The deliberate malfunction drove the pipeline to pressures far beyond what its joints and welds were designed to withstand, causing a huge explosion in a remote area of Siberia.
Second, Stuxnet is tightly targeted. The geography of the infection suggests an attack aimed at physical process control systems in Iran, such as the Bushehr nuclear plant or the Natanz uranium enrichment centrifuges, rather than at infecting the largest possible number of victims worldwide. The worm nonetheless also infected systems in India, Pakistan and Indonesia.
Third, removable storage appears to be the main vector Stuxnet uses to spread. This makes the worm, which also has network spreading capabilities, only superficially similar to its forefathers of the pre-Web era. The rationale behind this design choice is most probably the need to stay hidden from corporate malware detection systems, which watch the network rather than the USB port.
Taken together, the attack appears to be the work of a well-trained, well-equipped and well-funded team combining a wide spectrum of skills, from intelligence gathering to software security to control system expertise on the targeted Siemens products. Most likely it was a team sanctioned by a government that wished to sabotage an adversary's systems.
This should not come as a surprise. Recent years have seen not only a growth of cyber criminal activity but also a parallel growth of state-sponsored cyber espionage and cyber warfare programs, which perhaps had their forerunners almost 30 years ago. In a world where, in the words of U.S. Secretary of State Warren Christopher, "national security is inseparable from economic security" (quoted in E. Poteat, "The Attack on America's Intellectual Property: Espionage After the Cold War"), we should expect to see an increasing number of initiatives targeting the industrial fabric of adversary nations.
To date, according to Kenneth Knapp ("Cyber-Warfare Threatens Corporations: Expansion into Commercial Environments", Information System Journal, Spring 2006), more than 30 countries are believed to have cyber warfare programs. Iran and India are believed to be among them.