The right eloquence needs no bell to call the people together and no constable to keep them. ~ Emerson

Thursday, October 7, 2010

Can of Worms

Stuxnet Is the First Bullet in a Completely New Type of Cyber-Warfare

You have the biggest-ever worm loose in the net and it automatically sabotages any attempt to monitor it . . . There's never been a worm with that tough a head or that long a tail!
– John Brunner, The Shockwave Rider, 1975

When somebody establishes a new paradigm in warfare, we tend to notice. The atomic bombs exploded over Japan at the end of World War II were highly conspicuous. And we all watched terrorists drive two jet planes into the World Trade Center. Yet most of us are largely unaware that someone fired the first bullet in cyber-warfare, true cyber-warfare, over the past year. The slug in question is an ingenious and nasty piece of computer code, called Stuxnet.

[Image caption: The Stuxnet worm enters networks through an infected USB flash drive]
Stuxnet is a type of malware known as a worm. Unlike its more celebrated cousin, the computer virus, a worm need not attach itself to an existing program. It runs as an independent program and copies itself from machine to machine across a network, typically by exploiting software flaws or weak credentials. Traditionally, attackers use worms to gather information or steal data from systems, or simply to make a nuisance of themselves by eating up bandwidth and slowing down network traffic.

A computer security firm based in Belarus, VirusBlokAda, discovered Stuxnet in June 2010. Extensive investigation of the code by the U.S. firm Symantec suggests initial deployment as much as a year earlier; the earliest known samples date from June 2009. It is unusual for a worm to stay hidden for so long. Yet this was only the first of many unusual things about Stuxnet.

The worm runs on the Microsoft Windows operating system. It typically enters a network on an infected USB flash drive plugged into one of the network’s computers, using a flaw in how Windows handles shortcut (.LNK) files: merely viewing the drive’s contents is enough to run the worm, so disabling AutoRun does not stop it. In all, it exploits four previously unknown Windows flaws (“zero-days”): the shortcut flaw, a print-spooler flaw it uses to reach other machines on the network, and two that raise its privileges once it is on a machine. It also uses an older, already-patched Windows flaw and hard-coded passwords in the Siemens software. Unlike other worms, it is highly selective, seeking out Siemens’s Simatic WinCC and Step 7 software (components of the PCS 7 process-control suite). WinCC is the Supervisory Control and Data Acquisition (SCADA) layer that operators watch; Step 7 is the engineering tool used to program programmable logic controllers (PLCs), the ruggedized computers that monitor, adjust, and run complicated machinery within factories.

Stuxnet is even more discriminating: it fingerprints the controllers it finds against the exact hardware configuration it is looking for and stays dormant on anything else. It appears to be looking for particular systems to destroy at specific times in specific ways. Once it infects a network, it checks every five seconds whether the system meets its parameters for launching an attack.

On a matching system it replaces the library that Step 7 uses to talk to the PLC, injects its own code blocks into the controller’s program, and then hides those blocks from anyone who reads the PLC through the compromised library, showing the engineer the original, unmodified program instead. That makes it the first PLC rootkit ever developed. Stuxnet writes specific values to specific addresses, but the effect of those writes depends on the machinery the infected PLC controls. It might render the equipment in question non-functional, but it might also force a kind of overload that would cause machine components to break down or even explode.
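As an added illustration (this is neither Stuxnet’s code nor Siemens’s software), here is a toy model in Python of the two behaviours just described: a fingerprint gate that keeps the payload dormant unless the controller matches the configuration being sought, and a hooked engineering library that hides the injected block, shows the engineer the pre-infection program, and quietly absorbs an attempt to restore it. The PLC model, the block names (OB1, SDB0, FC1869), the fingerprint marker and the “trusted” second reader are all constructed for the example.

```python
# Toy model of a PLC rootkit hiding its changes from the engineering workstation.
# Added example: not Stuxnet's code. The PLC, the block names, the fingerprint
# marker and the "trusted channel" are all constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PLC:
    """A controller holding named code/data blocks (constructed stand-in)."""
    model: str
    blocks: Dict[str, bytes] = field(default_factory=dict)


class EngineeringLibrary:
    """The library the engineering workstation uses to talk to the PLC.
    Stuxnet hooked the real one, so everything the engineer saw passed
    through attacker-controlled code."""

    def __init__(self, plc: PLC) -> None:
        self.plc = plc

    def list_blocks(self) -> List[str]:
        return sorted(self.plc.blocks)

    def read_block(self, name: str) -> bytes:
        return self.plc.blocks[name]

    def write_block(self, name: str, body: bytes) -> None:
        self.plc.blocks[name] = body


class HookedLibrary(EngineeringLibrary):
    """Wraps a real library: hides injected blocks, returns the pre-infection
    body of any block the attacker modified, and absorbs attempts to
    overwrite those blocks so the infection survives a 'restore'."""

    def __init__(self, inner: EngineeringLibrary, hidden: List[str],
                 shown: Dict[str, bytes]) -> None:
        super().__init__(inner.plc)
        self.inner, self.hidden, self.shown = inner, set(hidden), dict(shown)

    def list_blocks(self) -> List[str]:
        return [b for b in self.inner.list_blocks() if b not in self.hidden]

    def read_block(self, name: str) -> bytes:
        if name in self.hidden:
            raise KeyError(name)            # the injected block "does not exist"
        return self.shown.get(name, self.inner.read_block(name))

    def write_block(self, name: str, body: bytes) -> None:
        if name in self.shown:
            self.shown[name] = body         # lie consistently; PLC keeps attacker's version
        else:
            self.inner.write_block(name, body)


def matches_target(lib: EngineeringLibrary) -> bool:
    """Fingerprint gate: fire only on the exact configuration sought.
    The marker is invented; the real worm checked CPU type and system data blocks."""
    return lib.plc.model == "CPU-315" and lib.read_block("SDB0").startswith(b"TARGET-PROFILE")


def infect(lib: EngineeringLibrary) -> EngineeringLibrary:
    """If the fingerprint matches, inject a payload block, redirect OB1 to it,
    and return a hooked library that conceals both changes. Otherwise the
    library is returned untouched: the worm stays dormant."""
    if not matches_target(lib):
        return lib
    original_ob1 = lib.read_block("OB1")
    lib.write_block("FC1869", b"PAYLOAD: drive outputs outside the safe range")
    lib.write_block("OB1", b"CALL FC1869\n" + original_ob1)
    return HookedLibrary(lib, hidden=["FC1869"], shown={"OB1": original_ob1})


def audit(suspect: EngineeringLibrary, trusted: EngineeringLibrary) -> Dict[str, str]:
    """Compare what the workstation sees with what an independent reader sees.
    Any difference is evidence of tampering on the workstation side."""
    findings: Dict[str, str] = {}
    seen, real = set(suspect.list_blocks()), set(trusted.list_blocks())
    for name in sorted(real - seen):
        findings[name] = "hidden from workstation"
    for name in sorted(real & seen):
        if suspect.read_block(name) != trusted.read_block(name):
            findings[name] = "contents differ"
    return findings


if __name__ == "__main__":
    plc = PLC("CPU-315", {"SDB0": b"TARGET-PROFILE:v1", "OB1": b"ORIGINAL LOGIC"})
    workstation = infect(EngineeringLibrary(plc))   # what the engineer now uses
    print("engineer sees:", workstation.list_blocks(), workstation.read_block("OB1"))
    print("audit finds:  ", audit(workstation, EngineeringLibrary(plc)))
```

The practical lesson of the model is the last function: the only reliable way to verify the logic running on a controller is to read it through a path that does not go through the possibly compromised workstation, and to compare against a known-good copy kept off that workstation.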

Stuxnet is both unusually large and complex for malware. Part of its ability to stay hidden for so long came from its driver components being digitally signed with genuine code-signing certificates stolen from two Taiwanese hardware makers, Realtek and JMicron, so that Windows loaded them as if they came from a trusted vendor and security software had little reason to flag them. A valid signature proves only who held the signing key, not that the code is benign; both certificates have since been revoked.

The Symantec researchers and other experts are convinced these factors point not to a lone hacker but a top-notch, well-funded team of programmers, sponsored by a national government. They are also convinced Iran’s burgeoning nuclear program was Stuxnet’s primary target, particularly the Bushehr Nuclear Power Plant or, most likely, the Natanz uranium enrichment facility.

Reports abound that Iran began having tremendous difficulty running its centrifuges at Natanz, with a sudden fifteen percent reduction in production, at about the time of Stuxnet’s activation. Other anonymous sources leaked word of a more serious nuclear accident at Natanz. Stuxnet could reprogram the PLCs running centrifuge arrays to exceed RPM safety limits or shut down lubrication or cooling systems. Centrifuges can easily tear themselves apart if they become unstable.

Iran has over sixty percent of the worldwide documented Stuxnet infections. Even Iranian officials admit to thirty thousand infected computers. However, not everyone agrees with Iran as a primary target. Stuxnet showed up in India, Indonesia and Russia before reaching Iran. Eric Chien, technical director of Symantec Security Response, concedes the incidence of infection within Iran could merely indicate that country is less diligent about using security software to protect its systems.

Some researchers also suspect Israel’s Unit 8200 cyber-warfare operation is the source of Stuxnet. In addition to Iran as the target, they base this conclusion on a discovery recently reported in the New York Times. The string “myrtus” appears in a file path left inside one of Stuxnet’s driver files, the kind of build-directory path a compiler embeds, and myrtus is Latin for “myrtle.” In the Old Testament Book of Esther, Queen Esther’s original Hebrew name was reportedly Hadassah, the Hebrew word for “myrtle.” The Book of Esther is the story of how captive Jews in the Persian (i.e. Iranian) court used subterfuge to preempt a plot against their people.

The theory of Israel as culprit gained endorsement from Yossi Melman, who covers intelligence for the Israeli newspaper Haaretz, as well as Richard Falkenrath, former Senior Director for Policy and Plans within the Office of Homeland Security.

Other experts disagree, citing the U.S. and NATO as more likely culprits. They dismiss the “myrtle” connection or label it a red herring, designed to lead researchers astray. John Pescatore, Vice-President for Internet Security at Gartner Group, posits that a large corporation or even a citizens’ interest group could have funded Stuxnet to discredit Siemens’s software rather than to attack a specific government. The Christian Science Monitor notes that “myrtus” could simply be an abbreviation for something like “my remote terminal units.”

What everyone agrees upon is the seriousness of this software. An entire session, entitled Stuxnet – An In-Depth Look, headlined the Virus Bulletin Conference in Vancouver, Canada last week. The Russian digital security company Kaspersky Lab released a statement describing Stuxnet as “a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world.” Rodney Joffe, senior technologist at Neustar, calls Stuxnet a “precision guided cybermunition.”

“In the worst case, we would have seen power plants explode or dams burst,” said Derek Reveron, a technology specialist at the Naval War College. If a piece of software capable of turning a nuclear power station into Three Mile Island or Chernobyl is not worrisome enough, there is also the danger of blowback. Now that samples are circulating and its techniques have been dissected in public, variants of Stuxnet could reappear in even more dangerous forms. Cyber-criminals typically do not worry about collateral damage from their attacks because only virtual harm results.

The ability of Stuxnet to affect physical equipment in the real world changes all that. Imagine the controllers that drive ATMs reprogrammed to dispense money to waiting criminals at certain places and times. Imagine a version of Stuxnet that controlled alarm systems, access controls, and doors, giving criminals entry to bank vaults or foreign spies seemingly valid admission to top-secret U.S. facilities. The F-Secure Corporation’s blog notes that the BP Deepwater Horizon drilling platform in the Gulf of Mexico included some Siemens PLC systems, though F-Secure’s own answer to whether Stuxnet was involved is no, and no evidence connects the two. It is conceivable, in principle, that an infected controller could render a supposedly infallible safety device such as a blowout preventer non-responsive, with consequences like the fatal explosion and massive oil spill that followed.

Stuxnet is truly the first bullet in a completely new type of cyber-warfare. However, describing it as a mere “bullet” is like calling a nuclear warhead, “just another bomb” or the jetliners that brought down the Twin Towers, “just another couple of 747s.” Science fiction once again has become science fact. Stuxnet is big. It really does change everything about the potential of Internet terrorism.

Once you open a can of worms, the only way to re-can them is to use a larger can.
– Zymurgy's First Law of Evolving System Dynamics
