A Quiet Cyber War

Is there a quiet cyberwar going on and we are just starting to notice it?

There are science fiction stories about it: a genetically-engineered pathogen specifically tailored to attack a single individual. We may have encountered its real-life equivalent and its name may be “Stuxnet”.

Earlier this year a very unusual and sophisticated piece of malware was discovered and given the name “Stuxnet”. Stuxnet attacks industrial control systems and has the ability to infect and reprogram programmable logic controllers. To date most of the instances of Stuxnet that have been discovered have been in Iran, Pakistan, India, and Germany.

There’s a fascinating article in the Christian Science Monitor presenting some informed speculation about Stuxnet:

One researcher’s findings, outlined on his website Monday, reveals a key step in the Stuxnet attack that other researchers agree illustrates its destructive purpose. That step, which Langner calls “fingerprinting,” qualifies Stuxnet as a targeted weapon, he says.

Langner zeroes in on Stuxnet’s ability to “fingerprint” the computer system it infiltrates to determine whether it is the precise machine the attack-ware is looking to destroy. If not, it leaves the industrial computer alone. It is this digital fingerprinting of the control systems that shows Stuxnet to be not spyware, but rather attackware meant to destroy, Langner says.

Stuxnet’s ability to autonomously and without human assistance discriminate among industrial computer systems is telling. It means, says Langner, that it is looking for one specific place and time to attack one specific factory or power plant in the entire world.

“Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open,” Langner says in an interview. “The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process.”

So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems, Eric Byres, a Canadian expert, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.

There are plenty of fascinating contingencies discussed in the article. Stuxnet may have been created by a government. Stuxnet may already have discovered and destroyed its target. The target may have been Iran’s Bushehr nuclear plant. That could explain the problems that have been reported there.

Or Stuxnet may still be looking for its target.

Dave Schuler
About Dave Schuler
Over the years Dave Schuler has worked as a martial arts instructor, a handyman, a musician, a cook, and a translator. He's owned his own company for the last thirty years and has a post-graduate degree in his field. He comes from a family of politicians, teachers, and vaudeville entertainers. All-in-all a pretty good preparation for blogging. He has contributed to OTB since November 2006 but mostly writes at his own blog, The Glittering Eye, which he started in March 2004.

Comments

  1. James Joyner says:

    Very interesting.   I attended a two-day Cyberwar conference at Naval War College last week which included an interesting discussion of the role of sci-fi in developing theory but, alas, not this incident.  Considering we’re still trying to figure out who perpetrated some years-old attacks, I’m not holding my breath on pinning the blame for this one any time soon.

  2. john personna says:

    I’ve worked in industrial controls systems.  At the time, 15 years ago, PLCs (“programmable logic controllers”) were pretty dumb, and had a pretty narrow (serial) interface to a host computer.  I doubt you could get much of an enemy program into one, let alone one smart enough to “carry on.”

    Companies tend to standardize and use old-vintage tech for decades.

    It’s possible that later PLCs had direct net interfaces and more smarts.  Perhaps someone here knows.  If it is some very recent type, or some recent interface standard, that would explain the low level of infected hosts.  45K units is small compared to what must be millions installed.

  3. Franklin says:

    It should be interesting if we ever hear more about this.

  4. Gary Farber says:

    I have some further links here.

  5. TG Chicago says:

    Very interesting. FYI, CSMonitor.com has corrected the beginning of the last paragraph. It now says this:

    So far, Stuxnet has infected at least 45,000 computers worldwide, Microsoft reported last month. Only a few are industrial control systems. Siemens this month reported 14 affected control systems, mostly in processing plants and none in critical infrastructure. Some victims in North America have experienced some serious computer problems, Eric Byres, an expert in Canada, told the Monitor.

    http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant/(page)/2

    So it’s far fewer industrial control systems than previously reported. Still, very intriguing.

  6. john personna says:

    We always felt people using Windows in a critical environment were the dumb kids on the block.  Learning that this is a Win virus targeting attached Siemens controllers reinforces that.