About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Sunday, September 26, 2010

Cyberwar, revisited

When I started this blog just two months ago, the news was all about "cyberwar" and the threats of it.  I posted my take on the issue, which was essentially that although espionage happened, there wasn't really much that would be considered "war".

That was before the worm called Stuxnet hit the news (although after the main infection hit).  Stuxnet (officially W32.Stuxnet) is a type of malware that is unique for a number of reasons, not least because it's the first known malware to infect SCADA systems.  It's rather versatile as well, possessing the ability to exfiltrate data (send confidential info back to the hackers), hide itself in the Windows operating system, and insert new code into the systems so that the hacker can change the operations of the system.  Interestingly, it injects the code in such a way that the new code is hidden from people who examine the infected system.  Stuxnet exploits several different zero-day vulnerabilities, which in itself is quite unusual.  A vulnerability is most effective before it's discovered and patched, so to "waste" four vulnerabilities on one virus is quite uncommon.  On top of that, the hackers who wrote the virus stole two digital certificates and used them to sign the virus, so that Windows would trust that the virus came from a legitimate company.  The virus contacted two command and control servers to obtain updates and instructions, but it also had a peer-to-peer (p2p) update scheme as a backup.

All of this has led several leading virus researchers to believe this was created by an organization with a large degree of technical skill, time, and money.  Many believe it was created by a government intelligence agency.  The fact that in the first couple of days 59% of infections were in Iran further encourages the belief that it was an intelligence operation against a particular industrial facility in that country, perhaps the Bushehr nuclear reactor or perhaps the Natanz nuclear enrichment facility.  The Natanz facility was built 8 meters underground and protected by reinforced concrete, likely to protect it against threatened airstrikes.  Since the facility is very difficult to attack by conventional means, it's tempting to believe that this was the target of Stuxnet, and it's tempting to believe that Stuxnet may have been an Israeli intelligence operation.  However, we'll likely never know for sure.  Even if the perpetrators step forward and admit what they were doing (and the odds of that are nil), we'd have no way to verify it.

Either way, the fact that Stuxnet exists is proof that cyber sabotage is indeed possible.  Two months after the beginning of the attack, we still have no proof as to who was responsible for it, only guesses.  To me, that's the more frightening part.  With all conventional weapons, it's relatively easy to determine who is responsible for an attack.  Even in the case of terrorism, with some investigation it's possible to prove who should be held accountable for their actions.  With viruses, sometimes it's possible but much of the time it's not.  Obviously, only time will tell if the creators of Stuxnet will be held accountable for their actions, but if they're never identified then I don't think there can be effective arms control for "cyberwar".

What do you think?
