In case you’ve not seen it already, Wired has a marvellous long-form piece about the discovery and analysis of the Stuxnet worm; well worth a look, whether you’re interested in the procedural side of malware analysis or just the storyable shape of a modern technothriller mystery-hook. Go read.
If that looks a bit TL;DR for you, there’s always the infographic video.
I’m not sure that the graphics in this capsule video about the Stuxnet virus add a great deal of information to the narration, but they sure look pretty >[via FlowingData]. Almost pretty enough to distract you from the scary underlying message, namely that SOME NATION-STATE OR ANOTHER WENT AND DESIGNED A WEAPON TO SPIKE IRAN’S NUCLEAR WHEELS WITHOUT CONSIDERING THAT IT MIGHT GET RE-CODED, REVERSE ENGINEERED AND TURNED BACK ON THEM BY THEIR ENEMIES.
Just goes to show that spending a lot of money on 1337 black-hat h4x0rz doesn’t preclude you being a short-sighted fool… or perhaps simply being the sort of political actor whose idea of the long game is to give everyone in the room the same weapon and see who moves first. At this point, I’m not certain which is the scarier prospect.
Not that I expect governments and military bureaucracies to change course in response to sensible thinking from qualified experts, the guy who penned (or rather keyed) The Hacker’s Handbook back in the day has co-authored a report that suggests the recently fashionable wing-flapping over “cyberwar” is counterproductive:
Published today, Reducing Systemic Cybersecurity Risk says that a true cyberwar would have the destructive effects of conventional war but be fought exclusively in cyberspace – and as such is a “highly unlikely” occurrence.
Cybersecurity is important because it protects all categories of data from theft and damage. This includes sensitive data, personally identifiable information (PII), protected health information (PHI), personal information, intellectual property, data, and governmental and industry information systems. To hire experts, we recommend to check https://www.sapphire.net/.
[…]
Controversially, the OECD advises nations against adopting the Pentagon’s idea of setting up a military division – as it has under the auspices of the US air force’s Space Command – to fight cyber-security threats. While vested interests may want to see taxpayers’ money spent on such ventures, says Sommer, the military can only defend its own networks, not the private-sector critical networks we all depend on for gas, water, electricity and banking.
Co-authored with computer scientist Ian Brown of the Oxford Internet Institute, UK, the report says online attacks are unlikely ever to have global significance on the scale of, say, a disease pandemic or a run on the banks. But they say “localised misery and loss” could be caused by a successful attack on the internet’s routing structure, which governments must ensure are defended with investment in cyber-security training.
Personally, I think the Pentagon’s bluster and chest-thumping over “cyberwar” is thrown into an interesting light by the increasingly inescapable conclusion that they played a large part in commissioning the Stuxnet worm; as Chairman Bruce puts it, “what’s worse, strategically: Stuxnet, or proliferating Iranian nuclear weapons? How about a world where you’ve got proliferating Stuxnets AND proliferating Iranian nuclear weapons?”
Pandora’s box strikes again; code is far easier and cheaper to reverse engineer than a nuke, and requires no expensive and/or dangerous physical contraband. Beware of starting a knife-fight in a downtown full of ninjas.
Remember all the hypothesising about what the Stuxnet worm was supposed to do, and who had designed it for such? Well, the expert verdicts are in, and it appears Stuxnet was designed to very subtly sabotage uranium centrifuges by varying their rotation speeds in a way that, while hard to notice for humans, would effectively negate the enrichment process they are designed to perform.
So Iran’s Bushehr plant was almost certainly the target (or one target among many); and while we don’t have (and may never have) any substantive proof as to exactly who decided that they wanted to spoke Ahmedinejad’s nuclear wheels on the sly, I think we all know how the odds would fall if you were to pop down to your local bookmakers*.
Regardless of who did it, Stuxnet represents the opening of a particularly well-stocked Pandora’s box: highly-specific sabotage targetting of embedded (and potentially critical) industrial systems. As Bruce Sterling points out, anyone who hadn’t thought of it before has certainly thought of it now. All the recent hyperbole describing the antics of patriotic DDoS skript-kiddiez as “cyberwar” is gonna look pretty facile when stuff like Stuxnet becomes commonplace… which, with the benefit of hindsight, may have been the entire point all along.
[ * I’ll take a £5 spread on the US and Israel, please. ]
Bruce Schneier has a good round-up of the hard facts about the Stuxnet worm (as mentioned previously), as well as an examination of how those hard facts – combined with a few very speculative conspiracy-theory-grade interpretations of some of the more cryptic and tiny facts – have led to the current state of the story in mainstream (i.e. non-techie) media, namely “it was probably an Israeli job”.
Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory “highly speculative,” and based it primarily on the facts that Iran had an usually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates–India, Indonesia, and Pakistan–are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.
Once a theory takes hold, though, it’s easy to find more evidence. The word “myrtus” appears in the worm: an artifact that the compiler left, possibly by accident. That’s the myrtle plant. Of course, that doesn’t mean that druids wrote Stuxnet. According to the story, it refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. “Hadassah” means “myrtle” in Hebrew.
Stuxnet also sets a registry value of “19790509” to alert new copies of Stuxnet that the computer has already been infected. It’s rather obviously a date, but instead of looking at the gazillion things–large and small–that happened on that the date, the story insists it refers to the date Persian Jew Habib Elghanain was executed in Tehran for spying for Israel.
Sure, these markers could point to Israel as the author. On the other hand, Stuxnet’s authors were uncommonly thorough about not leaving clues in their code; the markers could have been deliberately planted by someone who wanted to frame Israel. Or they could have been deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel. Once you start walking down this road, it’s impossible to know when to stop.
Are those mysterious little comments in the code the flourished signatures of master cyberwar artistes? Or a frame-job packed with credible deniability? Or an elaborate double (or triple) bluff? Truth of the matter is, we’re all just guessing. They say that life sometimes imitates art; this is a case of life imitating The Illuminatus! Trilogy, only without so many puns or sex scenes. We all have a story we want to map on to the world, and it only takes a few pins to tack it down in a way that seems to explain everything…
[ * For the record, my instinct tells me – with admittedly very little professional knowledge to back it up – that Stuxnet stinks of nation-state vs. nation-state, and I get the impression Schneier thinks so too. His point is about how we treat speculative interpretations as givens when they match up with the way we already think things work… confirmation bias, in other words. ]