Stuxnet Suspicions Rise: Has a Cyberwar Started?
Sep 23, 2010 11:40 AM PT
The Stuxnet worm, which made headlines last summer when it hit one version of a control system used in critical infrastructure such as power grids and industrial plants, is once again creating a buzz.
This time, there's speculation that it was created by Israel to target Iran.
However, security experts remain divided on the origins of this troublesome bit of malware.
Ralph Langner, an expert on industrial systems security, published an analysis of the worm and suggested it may have been used to sabotage Iran's Bushehr nuclear reactor.
Iran was perhaps hit hardest by Stuxnet, with nearly 60 percent of all infected PCs found in that country.
"In the statistics we've collected, there was an abnormal rate of infections in Iran," Pierre-Marc Bureau, a researcher at ESET, told TechNewsWorld. "But there were infections in other countries as well. This might lead us to think that somebody was paying more attention to Iran but I can't jump to any conclusions at this point in time."
Suspicions that a nation state was behind the Stuxnet worm were voiced in August by Roel Schouwenberg, a senior antivirus researcher with Kaspersky Lab Americas, at a conference the antivirus vendor held in San Francisco.
"We agree this worm was state-sponsored because it is the most professional malware we've seen so far, and the resources needed to create it were far greater than we usually see deployed in creating other pieces of malware," ESET's Bureau pointed out.
However, whether Israel specifically was behind the attack is a question that's still being debated.
"There's nothing that proves whether it has or has not been created by Israel," Bureau said. "But it might have been created by other countries," he pointed out.
Israel has been accused of hacking into other countries' systems before, Graham Cluley, a senior technology consultant at Sophos, pointed out. Mossad, Israel's Institute for Intelligence and Special Operations, allegedly hacked a Syrian laptop and bombed a Syrian nuclear facility as a result of information it discovered, Cluley claimed. He pointed to a story in the German newspaper Der Spiegel as his source.
Cluley wrote about that incident and about cyberwarfare among other countries in his blog.
The Fog of Uncertainty
"I don't think anyone can prove that it was even created in Israel, let alone sponsored by the powers that be in Israel," Cluley said.
"It's not clear who's behind Stuxnet," Kaspersky Lab's Schouwenberg told TechNewsWorld. "A nation-state is the most probable scenario, but without somebody claiming responsibility for this worm, we'll probably never find out who was behind it."
Why the uncertainty? Why is it taking so long to track this worm down?
"We've dedicated a team to investigate this Stuxnet worm, and months afterwards, we kept finding out more stuff," ESET's Bureau said. However, the worm is so complex that "we realized other companies were finding different things than we were," he said.
The differing findings are probably explained by the fact that Stuxnet profiles the systems it infects and behaves differently on different systems. It attacks industrial control systems, known as SCADA systems, and works on all versions of Microsoft Windows after Windows 2000.
In addition to stealing code and design projects and hiding itself using a classic Windows rootkit, Stuxnet can upload its own code to the programmable logic controllers (PLCs) in SCADA systems, controlling or changing how those systems operate.
The Rules of Cyberengagement
If a nation-state sponsored this attack, could it be regarded as a cyberterrorist act?
Not at all, Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
"A terrorist attack's goal is to create fear," Enderle pointed out. "The goal of this attack wasn't fear, and it was probably launched by a nation-state in a state of undeclared war with another, so I don't think this meets the bar of a terrorist attack."
The attack could be considered state-sponsored malware rather than cyberterrorism, but there's no solid proof that a state is indeed behind the Stuxnet worm, Sophos' Cluley said.
"I think it's wrong to call this terrorism," he declared. However, it's to be expected that nation-states will "use every dirty trick in the book to spy upon each other, disrupt activities, and grasp an advantage."
The U.S. State Department, which is busy with the United Nations General Assembly's annual meeting currently being held in New York, was unable to provide comment by press time, but State Department spokesperson Harry Edwards told TechNewsWorld that "we're working to provide you answers."
As more attacks emerge, more and more of them may begin to resemble state-sponsored activities, Sophos' Cluley predicted.
Is there any way to protect against such attacks? Could countries come up with a common code of conduct to govern cyberactions that would rule out such attacks?
"The best way to protect yourself or your country is to use the same defenses that all computers should already have -- up-to-date antivirus and other security software, security patches and so on," Cluley said. "A code of conduct for cyberwar is an awfully nice idea, but I very much doubt it would be achievable in practice."