Stuxnet a precision, military-grade cyber missile

The Stuxnet malware has infiltrated industrial computer systems worldwide. Now, cyber security sleuths say it’s a search-and-destroy weapon meant to hit a single target. One expert suggests it may be after Iran’s Bushehr nuclear power plant.

CSM

By Mark Clayton

 

Cyber security experts say they have identified the world’s first known
cyber super weapon designed specifically to destroy a real-world target –
a factory, a refinery, or just maybe a nuclear power plant.

The cyber worm, called Stuxnet, has been the object of intense study
since its detection in June. As more has become known about it, alarm
about its capabilities and purpose has grown. Some top cyber security
experts now say Stuxnet’s arrival heralds something blindingly new: a
cyber weapon created to cross from the digital realm to the physical
world – to destroy something.

At least one expert who has
extensively studied the malicious software, or malware, suggests Stuxnet
may have already attacked its target – and that it may have been Iran’s
Bushehr nuclear power plant, which much of the world condemns as a
nuclear weapons threat.

The appearance of Stuxnet created a ripple of amazement
among computer security experts. Too large, too encrypted, too complex
to be immediately understood, it employed amazing new tricks, like
taking control of a computer system without the user taking any action
or clicking any button other than inserting an infected memory stick.
Experts say it took a massive expenditure of time, money, and software
engineering talent to identify and exploit such vulnerabilities in
industrial control software systems.

Unlike most malware, Stuxnet
is not intended to help someone make money or steal proprietary data.
Industrial control systems experts now have concluded, after nearly four
months spent reverse engineering Stuxnet, that the world faces a new
breed of malware that could become a template for attackers wishing to
launch digital strikes at physical targets worldwide. Internet link not
required.

“Until a few days ago, people did not believe a directed
attack like this was possible,” Ralph Langner, a German cyber-security
researcher, told the Monitor in an interview. He was slated to present
his findings at a conference of industrial control system security
experts Tuesday in Rockville, Md. “What Stuxnet represents is a future
in which people with the funds will be able to buy an attack like this
on the black market. This is now a valid concern.”

A gradual dawning of Stuxnet’s purpose

It is a realization that has emerged only gradually.

Stuxnet surfaced in June and, by July, was identified as a hypersophisticated
piece of malware probably created by a team working for a nation state,
say cyber security experts. Its name is derived from some of the
filenames in the malware. It is the first malware known to target and
infiltrate industrial supervisory control and data acquisition (SCADA)
software used to run chemical plants and factories as well as electric
power plants and transmission systems worldwide. That much the experts
discovered right away.

But what was the motive of the people who created it? Was Stuxnet
intended to steal industrial secrets – pressure, temperature, valve, or
other settings – and communicate that proprietary data over the Internet
to cyber thieves?

By August, researchers had found something more
disturbing: Stuxnet appeared to be able to take control of the automated
factory control systems it had infected – and do whatever it was
programmed to do with them. That was mischievous and dangerous.

But it gets worse. Since reverse engineering chunks of Stuxnet’s massive
code, senior US cyber security experts confirm what Mr. Langner, the
German researcher, told the Monitor: Stuxnet is essentially a precision,
military-grade cyber missile deployed early last year to seek out and
destroy one real-world target of high importance – a target still
unknown.

“Stuxnet is a 100-percent-directed cyber attack aimed at destroying an
industrial process in the physical world,” says Langner, who last week
became the first to publicly detail Stuxnet’s destructive purpose and
its authors’ malicious intent. “This is not about espionage, as some
have said. This is a 100 percent sabotage attack.”

A guided cyber missile

On his website, Langner lays out the
Stuxnet code he has dissected. He shows step by step how Stuxnet
operates as a guided cyber missile. Three top US industrial control
system security experts, each of whom has also independently
reverse-engineered portions of Stuxnet, confirmed his findings to the
Monitor.

“His technical analysis is good,” says a senior US
researcher who has analyzed Stuxnet, who asked for anonymity because he
is not allowed to speak to the press. “We’re also tearing [Stuxnet]
apart and are seeing some of the same things.”

Other experts who
have not themselves reverse-engineered Stuxnet but are familiar with the
findings of those who have concur with Langner’s analysis.

“What we’re seeing with Stuxnet is the first view of something new that
doesn’t need outside guidance by a human – but can still take control of
your infrastructure,” says Michael Assante, former chief of industrial
control systems cyber security research at the US Department of Energy’s
Idaho National Laboratory. “This is the first direct example of
weaponized software, highly customized and designed to find a particular
target.”

“I’d agree with the classification of this as a weapon,”
Jonathan Pollet, CEO of Red Tiger Security and an industrial control
system security expert, says in an e-mail.

One researcher’s findings

Langner’s research, outlined on his website Monday, reveals a key step in the
Stuxnet attack that other researchers agree illustrates its destructive
purpose. That step, which Langner calls “fingerprinting,” qualifies
Stuxnet as a targeted weapon, he says.

Langner zeroes in on
Stuxnet’s ability to “fingerprint” the computer system it infiltrates to
determine whether it is the precise machine the attack-ware is looking
to destroy. If not, it leaves the industrial computer alone. It is this
digital fingerprinting of the control systems that shows Stuxnet to be
not spyware, but rather attackware meant to destroy, Langner says.

Stuxnet’s ability to autonomously and without human assistance discriminate among
industrial computer systems is telling. It means, says Langner, that it
is looking for one specific place and time to attack one specific
factory or power plant in the entire world.

“Stuxnet is the key
for a very specific lock – in fact, there is only one lock in the world
that it will open,” Langner says in an interview. “The whole attack is
not at all about stealing data but about manipulation of a specific
industrial process at a specific moment in time. This is not generic. It
is about destroying that process.”

So far, Stuxnet has infected
at least 45,000 computers worldwide, Microsoft reported last month. Only
a few are industrial control systems. Siemens this month reported 14
affected control systems, mostly in processing plants and none in
critical infrastructure. Some victims in North America have experienced
some serious computer problems, Eric Byres, an expert in Canada, told
the Monitor. Most of the victim computers, however, are in Iran,
Pakistan, India, and Indonesia. Some systems have been hit in Germany,
Canada, and the US, too. Once a system is infected, Stuxnet simply sits
and waits – checking every five seconds to see if its exact parameters
are met on the system. When they are, Stuxnet is programmed to activate a
sequence that will cause the industrial process to self-destruct,
Langner says.

Read more: http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant/(page)/3

Stuxnet infects 30,000 industrial computers in Iran: report

The Stuxnet computer worm has
infected 30,000 computers in Iran but has failed to “cause serious
damage,” Iranian officials were quoted as saying on Sunday.

Some 30,000 IP addresses have been infected by Stuxnet so far in Iran,
Mahmoud Liayi, head of the information technology council at the
ministry of industries, was quoted as saying by the government-run paper
Iran Daily.

6 comments on “Stuxnet a precision, military-grade cyber missile”

  1. Israel warned Iran numerous times that they would strike. Everyone thought that it would be a physical attack, like they did against Syria and Iraq’s nuclear plants.

    But with dwindling international support for a kinetic attack, it would seem that Israel created the perfect cyber weapon and deployed it.

  2. Are there any updated pie charts on the countries Stuxnet has infected? I’m looking for updates of any kind at this point. The information on this worm seems to have died down drastically over the last week. Also, and I know this is a long shot, any substantial findings for attribution (not circumstantial)?

  3. @ V.Reschke

    I tried doing some research; since it is a state-sponsored cyber attack and Stuxnet is rapidly changing forms, the last public detection was on August

    There is no updated chart

  4. My friend reported to me that their university’s networked computers are infected right now. Also, for most of the people who used a flash drive to transfer files from university to home, their home computer is infected. Now imagine how many people study there and their computers are infected.

  5. I don’t care if they CYBER ATTACK Computers, what will happen all the RICH PEOPLE will lose their money? I am all for it? I am Native American, the ONLY thing that hurts all you is taking your money you got ill gained anyways? the CREATOR has more important issues in life than MONEY. Stop fighting over Oil & things OBAMA has it right we need to be GREENER. We don’t NEED OIL ANYMORE it’s all for GREED? Stop hating on someone trying to do something GOOD FOR ONCE. I am ALL FOR HIS REELECTION.
