Stuxnet almost certainly meant to hobble Iranian uranium

Paul Raven @ 17-11-2010

Remember all the hypothesising about what the Stuxnet worm was supposed to do, and who had designed it for such? Well, the expert verdicts are in, and it appears Stuxnet was designed to very subtly sabotage uranium centrifuges by varying their rotation speeds in a way that, while hard to notice for humans, would effectively negate the enrichment process they are designed to perform.

So Iran’s Bushehr plant was almost certainly the target (or one target among many); and while we don’t have (and may never have) any substantive proof as to exactly who decided that they wanted to spoke Ahmedinejad’s nuclear wheels on the sly, I think we all know how the odds would fall if you were to pop down to your local bookmakers*.

Regardless of who did it, Stuxnet represents the opening of a particularly well-stocked Pandora’s box: highly-specific sabotage targetting of embedded (and potentially critical)  industrial systems. As Bruce Sterling points out, anyone who hadn’t thought of it before has certainly thought of it now. All the recent hyperbole describing the antics of patriotic  DDoS skript-kiddiez as “cyberwar” is gonna look pretty facile when stuff like Stuxnet becomes commonplace… which, with the benefit of hindsight, may have been the entire point all along.

[ * I’ll take a £5 spread on the US and Israel, please. ]


Cyberwar that actually deserves the name

Paul Raven @ 24-09-2010

After a few years of grandstanding and chest-thumping about the dangers of cyberwar from the military complexes of the West, especially the US, we finally see something that actually looks like a covert act of digital warfare initiated at nation-state level (as opposed to the petty vandalism and independent street-gang-equivalent activity that has been heretofore labelled as cyberwar). And you know what? It might well have been the US military establishment that did it.

The story in question is the Stuxnet computer worm, which you’ve probably read about somewhere already. But just in case you’ve not, here’s the skinny: Stuxnet takes advantage of four different security holes in Microsoft Windows (which is far from out of the ordinary; if you’re gonna rob houses, go for the ones with no locks on the doors), which means it can spread very fast; it’s controlled and upgraded in a decentralised peer-to-peer fashion (also not new, as we saw the same thing in the big botnet worms of recent times), and has the added ability to jump onto removable media (thumb drives) to expand the infection vectors.

So far, so geeky. The weird bit is what Stuxnet actually does. Rather than setting up spam email farms or harvesting credit card numbers (the traditional remunerative ends of such software), it targets a very specific type of embedded industrial control software developed by Siemens… software that, according to Wired, is “installed in pipelines, nuclear plants, utility companies and manufacturing facilities to manage operations.” Furthermore, the configuration suggests a very specific sort of installation was the intended target, and that sabotage thereof was the intent; a German researcher theorises (admittedly without much in the way of evidence) that one of Iran’s nuclear plants was the target, and that the US or Israel are the likely nation-states-of-origin. It’s a sad thing to admit, but that’s all too believable a theory… which is doubtless why it’s getting so many mentions. Read, and read widely:

Of course, plausibility isn’t probability; perhaps Stuxnet was developed by a rival company wishing to discredit the safety of Siemens’ systems*. The web enables industrial espionage, so why not industrial sabotage? But it seems an odd angle to take; deft marketing does just as effective a job of discrediting market-leading tech without engaging in criminal activity, and a black-ops hacking project would be an odd way to spend an R&D budget that would be better spent on, y’know, building a better mousetrap. Sabotage is a political act, ideological warfare… and that’s a nation-state game, not a corporate one.

It’ll be interesting to see what more we hear about Stuxnet, if anything, but I suspect it marks the start of a new chapter of geopolitics and technologised warfare.

[ * The fact that said systems run on Windows machines should be indictment enough, to be honest. ]


Conficker: the new warfare

Paul Raven @ 15-06-2009

Remember the quasi-Millennial panic about the Conficker worm back in April? It turned out to be nowhere near as nasty and damaging a threat as it had been painted, but it was still unique in a number of ways – most notably in its own methodologies, and in the way the security and computer industries pulled together to defend against it. New Scientist tells the story:

… frenzied headlines were proclaiming the impending meltdown of the internet. But 1 April passed without event. This was not a total surprise. After all, it was just the first date on which the worm’s URL strategy could change – it was still up to its creators to flick the virtual switch. To the outside, it looked like a gigantic April Fool.

And indeed it may have been. In fact, the whole URL business was probably a red herring: using a centralised URL to release a worm upgrade – even one as painstakingly concealed as Conficker’s – is not a particularly sensible approach. It gives the authorities a specific target to counter-attack. From the second version onwards, Conficker had come with a much more efficient option: peer-to-peer (P2P) communication. This technology, widely used to trade pirated copies of software and films, allows software to reach out and exchange signals with copies of itself.

It’s an interesting story – one with a remarkably movie-like plot, albeit devoid of the vest-wearing tough guy heroes and big CGI explosions that you’d need to script in to sell it to Hollywood…

But what’s worth noting is that this is a new form of warfare, a bloodless and almost entirely computer-based iteration of fourth-generation insurgency that relies on subterfuge and networking to achieve its aims, and demonstrates complex strategic thinking on the part of its instigators. It’s good to see that the expertise exists to combat it, but you have to wonder what would happen if something similar was targetted specifically at a nation-state like the US, whose military brass have demonstrated a poor understanding of the web’s flat battlefield.

You can’t deploy tanks against this sort of threat; the game has changed.