29 September 2010

2010: Weaponized Cyberwar has arrived

The recent series of reports on the Stuxnet worm shows that Information Security specialists are facing a whole new order of threats, none of which were unexpected. Hidden inside its 600 kb payload are all sorts of tricks and traps, which have amazed and impressed every researcher who's looked into it.

First, this is not a normal worm. It uses something known as "zero-day" vulnerabilities -- undisclosed or as yet undiscovered vulnerabilities, usually found in Windows or its associated software (Adobe Flash and Acrobat have been particularly egregious in this regard.)

Unlike most other malware, however, Stuxnet deploys (according to Symantec) a total of four new zero-day defects in Windows -- a major achievement for any virus. But it doesn't stop there -- in addition, it includes two stolen certificates used to sign drivers, taken from a couple of Taiwanese manufacturers.

Recent research suggests that Stuxnet also hides itself among specialized files (known as Siemens SIMATIC Step 7), and even after being cleaned using regular techniques, it can re-infect PCs which use such software.

Why Step 7? Because this malware is highly targeted -- it focuses its effort on reaching Windows PCs with attached PLCs -- Programmable Logic Controllers, which are heavily used in industrial control processes, power plants -- and not surprisingly, nuclear laboratories.

Which has led many commentators to suspect that the target of Stuxnet is one, very specific, and highly sensitive location -- the Bushehr nuclear power plant in Iran. This view is supported by the analysis of Symantec's Patrick Fitzgerald, whose team found that 58.8 per cent of infections were in Iran, 18.2 per cent in Indonesia, 8.3 per cent in India, 2.6 per cent in Azerbaijan and 1.6 per cent in the US.

Furthermore, the payload for this worm is heavily customized to focus on one very specific configuration of PLC logic -- to the extent that the PLC will be ignored if it doesn't match exactly. What this implies is that a particular target was in mind. It's only speculation, but it could be linked to nuclear centrifuges, or critical cooling systems associated with the production of nuclear fuel.

Why, and more importantly, who has the capability and the motivation to do something like this? The sophistication of Stuxnet strongly suggests we are dealing with a small, highly skilled team, using intelligence about a specific target. Furthermore, this team has the resources to buy or discover independently four new zero-day vulnerabilities (which are valuable items in underground hacking markets), as well as stealing two signing certificates.

The only logical conclusion is a government-based cyberwar team. The likely candidates are the USA (CIA or NSA) and Israel (Mossad or IDF Unit 8200) -- both of whom are likely to wish to disrupt Iranian nuclear developments. We'll probably never know for sure, but there does seem to be a strong correlation of the worm's spread with delays in Bushehr's operations.

Why is this significant? Well, it exposes several well-known risks, and some new ones. First, Siemens' reluctance to change default passwords for its software, fearing collateral damage due to stupid administrators. Secondly, one of the primary vectors for infection was the AUTORUN "feature" of Windows, meaning that every USB key inserted into a computer is a potential plague vector (and which also provides a way to infect computers not attached to the Internet.)

The biggest risk here in my view is that we have been given a glimpse of the future of Cyberwar -- a threat which I have in the past considered negligible, but now think is starting to build. It's as if we are snorkeling just below the surface on a peaceful blue ocean, and have just seen a great monster in the depths below us, rising out of the darkness. This monster is military-grade cyberwar, and the consequences will be more investment in such weapons, and potential collateral damage as the titans of the deep struggle together.

No comments: