Stuxnet: It’s the real thing, baby

While Tom Ricks is away from his blog, he has selected a few of his favorite posts to re-run. We will be posting a few every day until he returns. This originally ran on December 7, 2010.

Tom R.: For a long time I thought "infowar" or "cyberwar" was nonsense, mainly a gambit to make money in the defense consulting complex. But expert comments like this one on Stuxnet have me reconsidering. 

By Jay Holcomb
Best Defense infowar columnist 

I believe this event should be looked at from a much wider view … the Stuxnet worm (threat vector) certainly should be considered a "game changer" … the folks who are conducting the forensics analysis have been somewhat successful in gaining high level public/government attention to this issue.

While most folks seem to unofficially agree this worm likely targeted Iranian facilities — if we look wider — this "attack" … or perhaps a better classification "sabotage" … contains so many complex cyber elements combined into one package that it is absolutely fascinating. I do not believe it is hyperbole to say the Stuxnet worm is "revolutionary" in terms of what we should be expecting to see in future high quality cyber threat vectors.

For example, a few of the well publicized items used by the Stuxnet worm include:

• At least four zero-day vulnerabilities were used. Remember, these were classified as "zero-days" once we found out about them back in June/July — which means the folks that discovered the vulnerabilities could have been using them/testing them for 12-24 months(?) before we even knew they existed. Discovering a single previously unknown vulnerability and using it successfully against a target is impressive!
• Used "legitimate certificates stolen from two certificate authorities" to digitally sign Stuxnet code to be installed on target machines — this was needed to prevent Microsoft Windows from alerting the computer user that a suspicious file is trying to install on the computer. This is huge! Imagine if someone was able to steal a genuine SSL/TLS certificate for YOUR online bank from VeriSign or Entrust and set-up a web site that was an exact clone of YOUR online bank. If you accessed the cloned web site — your web browser would NOT alert you to any problems with the fake web site because the site uses a valid certificate — the entire Internet online commerce model is based on this "trust" of Certificate Authorities.
  Sound unrealistic … how about this … anyone else remember 10 years ago when VeriSign issued two Microsoft certificates to someone posing as a Microsoft employee? Imagine what they could have done with those certificates … perhaps create their own "special" Microsoft Windows patch … how many folks would download and install? We often trust major companies and our systems will trust the process if the source file is using a "trusted" Certificate Authority (VeriSign for example) security certificate to sign the files! To further highlight this issue … to this day the only two "Untrusted Publishers" certificates installed in our Internet Explorer browsers are for Microsoft from VeriSign!
• Numerous propagation methods — USB drives, network shares, other peer-to-peer methods, etc. Interesting to see the Conficker vulnerability (MS08-067) was one of the Stuxnet propagation options. Depending on what type/version/patch level of Windows the worm is residing determines which propagation method it will use. (Amazing)
• Command and Control options — via Internet or peer-to-peer if Internet access is no longer available.
• Very specific configuration of the target environment is needed to activate the Stuxnet payload (manufacturer, specific product type, and unique product configuration are examples) … the intelligence and reconnaissance needed of the target must have been incredible.
• The goal does not seem to have been destruction — rather interruption/delay. The payload modified the speed of very specific high speed motors and at seemingly random intervals. How many people knew weapons-grade uranium enrichment requires long periods of constant high speed motor action?

These examples do not include the many other specific SCADA asset features the worm is targeting to validate prior to payload release/action — amazing!

With the complexity of this cyber "event" it should change how we view future potential threat vectors — from both the government (at varying levels and organizations) and civilian perspective. The possibility of this type of complex/specifically targeted cyber threat has now been proven in the wild. It is only a matter of time before we identify a similar event has occurred or is occurring right now.

The potential targets are only limited by our imaginations. I would expect both Nation States and common Cyber Criminals have been analyzing the same materials we are and developing new ingenious complex threat vectors into critical infrastructure, defense assets (government and civilian), financial environments, technology resources, and numerous other industries depending on the target niche market. 

The goal would not have to be "global domination" or "nation destruction" — in fact, I would propose the most dangerous outcome of this event will be the smaller — highly sophisticated/complex — threats that are successful but stay under the radar. They launch, are successful, and either destroy themselves or are jettisoned as expendable.  (From both Nation States and common Cyber Criminals)

One interesting "pie in the sky" future item — will Cyber Criminals be able to pull together a team of experts similar to the Stuxnet team (Cyber Mercenaries … a field that we can assume is growing quickly!) to create the civilian Stuxnet equivalent — perhaps for historic financial gain or nearly any other historic event. Sounds like a Hollywood movie doesn’t it … I assume everyone has seen "Live Free of Die Hard"…

Finally, here are some additional background resources and great reading if interested:

http://www.wired.com/threatlevel/2010/11/stuxnet-clues/
http://www.wired.com/threatlevel/2010/09/stuxnet/
http://www.symantec.com/business/theme.jsp?themeid=stuxnet
http://www.tofinosecurity.com/blog/stuxnet-mitigation-matrix

Jay Holcomb is an assistant professor in the cyber/information assurance depart of the National Defense University.