Cyberwar: About Stuxnet, the next generation of warfare?

Summary:  We begin our assessment of Stuxnet’s impact on the field of cyberwar.  As a case-study of what appears to be a highly effective state-sponsored attack, Stuxnet has pushed the reality of cyberwar to center stage.   This is the fourth in a series about cyberwar by FM co-author Marcus J. Ranum.

Stuxnet

Article deleted at author’s request.

(7)  For more information

(a)  About Stuxnet:

  1. “Stuxnet Under the Microscope”, ESET (a cyber security company).
  2. Recommended:  “The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability”, Congressional Research Service, 9 December 2010.
  3. “Computer security: Is this the start of cyberwarfare?”, Sharon Weinberger, Nature, 8 June 2011 — “Last year’s Stuxnet virus attack represented a new kind of threat to critical infrastructure.”
  4. “Stuxnet as Cyberwarfare: Applying the Law of War to the Virtual Battlefield”, John C. Richardson (JMR Portfolio Intelligence), 22 July 2011.
  5. “Stuxnet: Cyber Conflict, Article 2(4), and the Continuum of Culpability”, Colin S. Crawford (Wake Forest U School of Law), 2011.

(b)  About cyberwar:

  1. “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats”, James A. Lewis, Center for Strategic and International Studies, December 2002.
  2. “Meet Your New Commander-in-Geek”, Katherine Mangu-Ward, Reason, 26 May 2010 — “U.S. Cyber Command has no idea why it exists.”  But their fear-mongering PR is first-rate.
  3. “China’s Emerging Cyber War Doctrine”, Gurmeet Kanwal, Journal of Defense Studies (Institute for Defense Studies and Analysis), July 2009.
  4. “The cyber war threat has been grossly exaggerated”, NPR, 8 June 2010 (audio).
  5. “Tehran’s Lost Connection”, Geneive Abdo, Foreign Policy, 10 June 2010 — “Is the Iranian regime’s cyberwar with the United States real, or a paranoid delusion?” — Abdo expects to know if the US waged cyberwar against Iran, ignoring our long history of covert offensive operations.
  6. “Reducing Systemic Cybersecurity Risk”, Peter Sommer (London School of Economics) and Ian Brown (Oxford), OECD, 14 January 2011.
  7. “Cyberwar an exaggerated threat”, UPI, 17 January 2011 — Says Peter Sommer, now of the London School of Economics and author of the Hacker’s Handbook (1985) under the pseudonym Hugo Cornwall.
  8. “Cyber war threat exaggerated claims security expert”, BBC, 16 February 2011 — Says Bruce Schneier, chief security officer for British Telecom.
  9. “Don’t Believe Scare Stories about Cyber War”, John Horgan, Scientific American, 3 June 2011.

5 thoughts on “Cyberwar: About Stuxnet, the next generation of warfare?”

  1. “Son of Stuxnet?”, Blake Hounshell, Foreign Policy, 19 October 2011 — Excerpt:

    When an unknown entity, most likely some combination of Western and Israeli intelligence agencies, created Stuxnet, the mysterious computer worm widely thought to be targeted at Iran’s nuclear program, cybersecurity experts warned that a new digital threat had been unleashed, with potentially dangerous and wide-ranging consequences.

    …Now, tech researchers at Symantec and F-Secure have identified a new piece of malware they’re calling Duqu, and which they say is very similar to Stuxnet. …

  2. I think it’s important to point out that regular software engineers could produce a Stuxnet. In many ways Stuxnet is much less sophisticated malware than Zeus or some of the transaction-intercepting commercial malware being used to hijack funds transfers, today.

    What was sophisticated about Stuxnet and was significant evidence that the authors had uncommon information was that Stuxnet appeared to be designed with knowledge of the specific gas-centrifuge cascades that were being used at Natanz. While any experienced system programmer can eventually turn out pretty workable malware (and a good systems programmer can quickly turn out pretty impressive stuff indeed) most programmers don’t have a specific type of centrifuge to test against, nor do they know how many centrifuge programmable logic controllers to attempt to manipulate in a given centrifuge cascade.

    Let me try an analogy: if someone breaks into your house by throwing a brick through the window, that’s one thing. If someone breaks into your house, bypasses your security system, and immediately goes directly to your wall-safe that’s hidden behind your fireplace – then they had inside knowledge. In the case of Stuxnet it’s the attackers’ understanding of the target’s layout that’s the interesting fact, not the actual code of the malware. Whoever did it knew a lot about that one target, and that knowledge was not anything close to common.

  3. “Stuxnet weapon has at least 4 cousins”, Reuters, 28 December 2011 — Excerpt:

    The Stuxnet virus that last year damaged Iran’s nuclear program was likely one of at least 5 cyber weapons developed on a single platform whose roots trace back to 2007, according to new research from Russian computer security firm Kaspersky Lab. … Stuxnet has already been linked to another virus, the Duqu data-stealing trojan, but Kaspersky’s research suggests the cyber weapons program that targeted Iran may be far more sophisticated than previously known. Kaspersky’s director of global research & analysis, Costin Raiu, told Reuters on Wednesday that his team has gathered evidence that shows the same platform that was used to build Stuxnet and Duqu was also used to create at least 3 other pieces of malware. Raiu said the platform is comprised of a group of compatible software modules designed to fit together, each with different functions. Its developers can build new cyber weapons by simply adding and removing modules. “It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,” he said.

    Kaspersky named the platform “Tilded” because many of the files in Duqu and Stuxnet have names beginning with the tilde symbol “~” and the letter “d.”

    Researchers with Kaspersky have not found any new types of malware built on the Tilded platform, Raiu said, but they are fairly certain that they exist because shared components of Stuxnet and Duqu appear to be searching for their kin. When a machine becomes infected with Duqu or Stuxnet, the shared components on the platform search for two unique registry keys on the PC linked to Duqu and Stuxnet that are then used to load the main piece of malware onto the computer, he said.

    Kaspersky recently discovered new shared components that search for at least 3 other unique registry keys, which suggests that the developers of Stuxnet and Duqu also built at least three other pieces of malware using the same platform, he added. Those modules handle tasks including delivering the malware to a PC, installing it, communicating with its operators, stealing data and replicating itself.

    … Kaspersky believes that Tilded traces back to at least 2007 because specific code installed by Duqu was compiled from a device running a Windows operating system on 31 August 2007.

  4. “Equipment Maker Caught Installing Backdoor Account in Control System Code”, Wired, 25 April 2012 — Excerpt:

    A Canadian company that makes equipment and software for critical industrial control systems planted a backdoor login account in its flagship operating system, according to a security researcher, potentially allowing attackers to access the devices online.

    The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, “factory,” that was assigned by the vendor and can’t be changed by customers, and a dynamically generated password that is based on the individual MAC address, or media access control address, for any specific device.

    Attackers can uncover the password for a device simply by inserting the MAC address, if known, into a simple Perl script that Clarke wrote. MAC addresses for some devices can be learned by doing a search with SHODAN, a search tool that allows users to find internet-connected devices, such as industrial control systems and their components, using simple search terms.

    Clarke, who is based in San Francisco, says he discovered the backdoor after purchasing two used RuggedCom devices – an RS900 switch and an RS400 serial server – on eBay for less than $100 and examining the firmware installed on them.

    … RuggedCom switches and servers are used in “mission-critical” communication networks that operate power grids and railway and traffic control systems as well as manufacturing facilities. RuggedCom asserts on its website that its products are “the product of choice for high-reliability, high-availability, mission-critical communications networks deployed in harsh environments around the world.”

    Clarke says he notified RuggedCom about his discovery in April 2011 and says the representative he spoke with acknowledged the existence of the backdoor. “They knew it was there,” he told Threat Level. “They stopped communicating with me after that.” The company failed to notify customers or otherwise address the serious security vulnerability introduced by the backdoor.

    … RuggedCom, which is based in Canada, was recently purchased by the German conglomerate Siemens. Siemens, itself, has been highly criticized for having a backdoor and hard-coded passwords in some of its industrial control system components. The Siemens vulnerabilities, in the company’s programmable logic controllers, would let attackers reprogram the systems with malicious commands to sabotage critical infrastructures or lock out legitimate administrators.

    A hardcoded password in a Siemens database was used by the authors of the Stuxnet worm to attack industrial control systems used by Iran in its uranium enrichment program.

    Hardcoded passwords and backdoor accounts are just two of numerous security vulnerabilities and security design flaws that have existed for years in industrial control systems made by multiple manufacturers. The security of the devices came under closer scrutiny in 2010 after the Stuxnet worm was discovered on systems in Iran and elsewhere. Numerous researchers have been warning about the vulnerabilities for years. But vendors have largely ignored the warnings and criticism because customers haven’t demanded that the vendors secure their products.
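The credential design the excerpt above describes, a fixed username plus a password computed from the device’s public MAC address, is worth seeing beside the design that avoids it. The following is an added example, not code from the article, from the Wired report, or from any vendor: the derivation function is a hypothetical stand-in (no real vendor algorithm is reproduced), the names `Device`, `provision_weak`, `provision_hardened`, `authenticate`, `remove_account` and `audit_mac_derived_credential` are introduced for this illustration, and the MAC addresses in the usage lines are constructed.

```python
"""
Added example (not from the article or the Wired report): a toy model of
device-credential provisioning. It contrasts a fixed "factory" account whose
password is a function of the device's public MAC address with a per-device
random secret that the owner can rotate or remove. The weak derivation is a
hypothetical stand-in, not any vendor's real scheme.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def weak_factory_password(mac: str) -> str:
    # Hypothetical deterministic derivation: the "secret" is a pure function
    # of a public identifier, so anyone holding the MAC and the scheme can
    # recompute it. Normalising case/separators makes it case-insensitive.
    digest = hashlib.sha256(mac.lower().replace(":", "").encode()).hexdigest()
    return digest[:10]


@dataclass
class Device:
    mac: str
    accounts: dict = field(default_factory=dict)  # username -> (salt, hash)
    factory_account_removable: bool = True


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the device never stores the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision_weak(mac: str) -> Device:
    """Models the reported design: static username, MAC-derived password,
    and an account the customer cannot disable."""
    d = Device(mac, factory_account_removable=False)
    salt = secrets.token_bytes(16)
    d.accounts["factory"] = (salt, _hash_password(weak_factory_password(mac), salt))
    return d


def provision_hardened(mac: str) -> tuple[Device, str]:
    """Per-device random secret, returned once to the owner at provisioning;
    the device stores only a salted hash, and the account can be removed."""
    d = Device(mac)
    initial = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    d.accounts["admin"] = (salt, _hash_password(initial, salt))
    return d, initial


def authenticate(device: Device, username: str, password: str) -> bool:
    entry = device.accounts.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _hash_password(password, salt))


def remove_account(device: Device, username: str) -> bool:
    """Returns False when the vendor design forbids removing the account."""
    if username == "factory" and not device.factory_account_removable:
        return False
    return device.accounts.pop(username, None) is not None


def audit_mac_derived_credential(device: Device, username: str) -> bool:
    """Defensive check: True if the account accepts a password that is
    derivable from the device's own MAC under the known weak scheme."""
    return authenticate(device, username, weak_factory_password(device.mac))


if __name__ == "__main__":
    # Constructed sample MAC (locally administered range), not a real device.
    weak = provision_weak("02:00:5E:AB:CD:01")
    print("weak device flagged:", audit_mac_derived_credential(weak, "factory"))
    print("factory account removable:", remove_account(weak, "factory"))
    hardened, owner_secret = provision_hardened("02:00:5E:AB:CD:02")
    print("hardened device flagged:", audit_mac_derived_credential(hardened, "admin"))
    print("owner can remove account:", remove_account(hardened, "admin"))
```

The point the audit function makes: when a password is a function of a public identifier, the device is only as secret as its MAC address, and a customer cannot change that by configuration. The hardened branch stores a salted hash of a per-device random value, hands that value to the owner once, and lets the owner delete or replace the account, which is exactly what the customers in the case above could not do.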

