The Bushehr nuclear power plant in Iran was the most likely target of the recent Stuxnet worm – a computer virus designed to disrupt and damage industrial equipment. According to the AFP, more than 30,000 IP addresses have been infected in Iran. According to Reuters, Symantec and Kaspersky Labs have both speculated that Stuxnet was specifically targeted at Iran, and that building such a virus likely required nation-state support. Langner Communications (formed by cyber attack guru Ralph Langner) has directly stated that the Bushehr nuclear power plant is Stuxnet’s intended target. So let’s just make this very clear: Stuxnet is cyber warfare, and it looks custom built to attack Iran’s nuclear ambitions. This is simply the latest sign that the digital realm is going to be a major arena for global conflicts in the years ahead. Welcome to the new world, everyone.
I’m not a cyber security expert, nor do I have the background necessary to accurately describe the intricacies of Stuxnet’s attack strategy. For an advanced and detailed account of the worm, you probably can’t do better than the coverage at Langner – it’s just one perspective, but it’s probably the right one. For those of us with limited cyber backgrounds, let me summarize what Stuxnet does: exploiting weaknesses in Windows systems, Stuxnet spies on supervisory control and data acquisition (SCADA) systems. SCADA is used to run the pumps, motors, and other controls associated with large industrial facilities. The SCADA at Bushehr was developed by Siemens. Stuxnet identifies certain SCADA systems – ones running particular configurations, probably related to nuclear power plant operations – and then waits for a designated time. At that time it works to disrupt and shut down these systems. When successful it can cause major delays and damage, requiring long hours and millions in costly repairs, if not outright disaster.
The complexity of this worm speaks to its professional nature. It exploits four different weaknesses in Windows, it uses stolen authentication certificates, and it can upgrade itself peer to peer. In short, it’s a nasty piece of work, and not many people could have made it. In fact, it probably took many months (years?) of work from dedicated experts to craft, costing hundreds of thousands, if not millions, of dollars to create. This is nation-grade cyber warfare.
Of course, those same complexities mean that we are likely to eventually be able to trace the worm back to its creators, or at least get a very short list of people and institutions that could have created it. Stuxnet may be a shot fired from a gun in the dark at the moment, but the attacker is not going to remain cloaked forever. There are only so many people who could have done this.
Considering that the focus of the attack is clearly Iran, and how likely it is that the Bushehr nuclear plant was the target of Stuxnet, suspicion falls heavily on the US and Israel. Yes, the most widely publicized cyber warfare attack to date probably isn’t some plot from a terrorist organization or a mafia strike gone haywire. It’s likely another result of the Western military (or its allies) flexing their muscles. Ugh.
OK, let’s forget politics, and whether or not strikes against a nuclear facility (for peaceful purposes or not) are warranted. Let’s just look at the ramifications of Stuxnet itself. Langner Communications points out that the components of Stuxnet are now widely available to be cannibalized by other cyber attackers. That means that the next virus designed to target SCADA systems will be cheaper and quicker to create. We’ll probably also see more of them at once. Cyber warfare of this nature just got easier thanks to this digital equivalent of arms distribution. Of course, high value targets around the world will spend millions to keep themselves protected, but lower end systems could now face increased vulnerability. Big strikes like Stuxnet attacking Bushehr may be rare in the future, but little Stuxnet-like attacks on your local power plant or shoe factory could become much more common.
That might be the real danger of escalating cyber warfare. As we’ve mentioned before, governments and major multinational corporations around the world are likely to invest heavily in developing the digital equivalent of weapons of mass destruction. Yet these same institutions will develop shields against these attacks and keep themselves safe. The same may or may not be true further down in the cyber warfare ecosystem. Military grade viruses could facilitate nastier and nastier attacks on commercial and private targets. We already have botnets and other mainstream cyber threats to worry about; now we have to be anxious about common hackers getting their hands on the digital equivalent of nuclear bombs.
My long-standing hope in cyber warfare has been that the global ecosystem of computers will become so interconnected that open attacks will injure the offender as much as the target. In general, I still think this is true. Yes, Stuxnet and its eventual derivatives can pinpoint the systems they wish to strike. Yet the attack itself proliferates the capability of pinpoint targeting to a much wider base. The attack you make doesn’t hurt you, but the fallout pollutes the ecosystem as a whole, and that could make its way back to you. Let’s hope that realization will deter governments from deploying the worms and viruses they create. The cyber warfare arms race is probably unavoidable – in fact it appears to be in full swing – but I can hope that the cyber war stays cold. If it ever burns hot, it will be the general public, not the individual targets of the viruses, that truly bears the brunt of the attack.