What is Stuxnet doing, who is to blame and what has been learned from it?

Opinion by Dan Raywood

A survey on the Stuxnet worm that is currently being run by McAfee has so far determined that 58 per cent of people believe that it 'was an insider job'.

It is around six weeks since SC Magazine first looked at the worm and what it actually was. Since then it has come up in many conversations as evidence of how far malware has advanced and as a major threat, but at the same time there have been conflicting views on how serious it remains.

Kaspersky Lab said at the end of September that it had 'not seen enough evidence to identify the attackers or the intended target', but that it could confirm Stuxnet is a one-of-a-kind, sophisticated malware attack backed by a well-funded, highly skilled attack team with intimate knowledge of SCADA technology.

It said it believed that this type of attack could only be conducted with nation-state support and backing. Eugene Kaspersky, co-founder and chief executive officer of Kaspersky Lab, called this the turning point to cyber terrorism.

He said: “This malicious program was not designed to steal money, send spam or grab personal data. This piece of malware was designed to sabotage plants, to damage industrial systems. I am afraid this is the beginning of a new world. Twenty years ago we were faced with cyber vandals, ten years ago we were faced with cyber criminals, I am afraid now it is a new era of cyber wars and cyber terrorism.”

It also said that Stuxnet is a working and fearsome prototype of a cyber weapon that will lead to the creation of a new arms race in the world.

This view was supported by Alan Bentley, SVP international at Lumension, who called Stuxnet 'one of the most complex pieces of malware ever detected and the first known to target real-world infrastructure such as water plants, power stations and industrial units'.

He said: “The worrying thing about Stuxnet is that mischief or financial reward wasn't its purpose, it was aimed right at the heart of a critical infrastructure. Government organisations across the world need to think carefully about how they are protecting their power stations, water plants and industrial units from malicious attack. Traditional security technologies that are on the lookout for already identified malicious code will fail during such sophisticated attacks.

“Stuxnet isn't just another piece of malware. It is the most refined piece of malware ever discovered. It exploited four previously unknown and unpatched vulnerabilities in Windows. That said, the attack could have been stopped in its tracks at the very beginning. Step one of the infiltration was via a USB port and there is the technology called device and application control that, when used, prevents unauthorised applications from uploading and executing.”
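The mitigation Bentley describes, application control on removable media, rests on a simple rule: an executable may run only if it is on an approved list, and everything else is denied by default. The following is an added example written for this article, not code from any vendor product or from the original piece. It models that rule as an allowlist of SHA-256 digests evaluated against every executable-type file on a mounted volume; the volume contents, the approved hash and the set of file extensions treated as executable are all constructed for the demonstration.

```python
"""Allowlist-based application control for removable media.

Added example (not from the article or any vendor's product). Files on a
removable volume may execute only if their SHA-256 digest is on an approved
list; anything else is denied by default. The sample volume, its files and
the approved digest below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# File types the policy treats as executable content (an assumption for this
# demo; a real product decides at execution time, not by suffix alone).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def evaluate_volume(mount_point: Path, allowlist: set[str]) -> dict[str, str]:
    """Return {relative_path: 'allow' | 'deny'} for each executable-type file.

    Default deny: a file is allowed only if its digest is in the allowlist,
    so renaming, repacking or a single changed byte results in 'deny'.
    """
    decisions: dict[str, str] = {}
    for path in sorted(mount_point.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        verdict = "allow" if sha256_of(path) in allowlist else "deny"
        decisions[path.relative_to(mount_point).as_posix()] = verdict
    return decisions


def build_demo_volume() -> tuple[Path, set[str]]:
    """Create a constructed removable volume: one approved tool, two unknown binaries, one document."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    approved = root / "tools" / "approved_tool.exe"
    approved.parent.mkdir()
    approved.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed approved binary")
    (root / "helper.dll").write_bytes(b"MZ" + b"constructed unknown library")
    (root / "setup.scr").write_bytes(b"MZ" + b"constructed unknown screensaver")
    (root / "notes.txt").write_bytes(b"plain document, not executable content")
    # The allowlist comes from a trusted baseline; here it holds the approved tool only.
    allowlist = {sha256_of(approved)}
    return root, allowlist


def run_demo() -> dict[str, str]:
    """Build the constructed volume and evaluate it against the allowlist."""
    root, allowlist = build_demo_volume()
    return evaluate_volume(root, allowlist)


if __name__ == "__main__":
    for rel_path, verdict in run_demo().items():
        print(f"{verdict:5s} {rel_path}")
```

The point of the default-deny shape is that it does not depend on recognising the malicious code, which is exactly the weakness Bentley attributes to signature-based tools above: an unknown executable is denied because it is unknown, not because it has been identified. Production device control enforces this at execution time in the kernel rather than by scanning a mounted volume, but the policy decision it makes is the one shown here.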

There is general acknowledgement in the information security community that malware is evolving. Francis deSouza, SVP of Symantec's security group, said that modern malware such as Stuxnet was evidence of several man-years of work and of the collection of skills involved in putting it together. The next question seems to be where it is going and where it came from.

Graham Cluley, senior technology consultant at Sophos, warned against finger pointing without proof when apportioning blame, claiming that it was more appropriate (if the claims are true) to call this a state-sponsored cyber attack rather than cyber terrorism.

He said: “I think we will see more and more attacks which will be blamed on state-sponsored cyber attacks in the future. There have been numerous attacks in the past which could be said to have possible military, political or economic motives, but it is very difficult to prove that a hack was ordered by Mossad or instead dreamt up by a Macclesfield student.”

F-Secure's chief research officer Mikko Hypponen told SC Magazine: “We have never found out who wrote it, who was the target and was it successful or not? It could have been written in summer 2009 and there is no way for us to know. It could be 100 per cent successful and we might not know about it. The Stuxnet binary is out and we will see how it works and modifies.”

Talking to SC Magazine after he originally explained the threat, Patrick Fitzgerald from Symantec's threat response centre said that a paper was written ahead of the Virus Bulletin conference detailing the threat and that an internal group called 'Deepsight' was created within Symantec, but he had not seen anything new released.

Asked if there was any change, he said: “The study is telling us that there is still something there so there are many different options but nothing new. There were two update instances in September: connection to the command and control centre (C&C) and via P2P. We closed down the C&C and expected something with the P2P but nothing happened, nothing updated itself, we still haven't seen any other version and I think it will be around for a while.

“It is ahead of anything we have seen before, technologies used never seen before especially when you put the machinery version in. The creator would need to know SCADA, as it is very complex. I don't expect an update, given that there is a lot of effort that has gone into it. I don't think any more will happen.”

I suspect the next headlines written about Stuxnet will be on how to efficiently remove the worm followed by more finger pointing on who was behind it. While it is a remarkable piece of malware in all senses, its short lifespan will leave a legacy of what others will learn from it.
