6 Dec 2011

What is Stuxnet?

As MIT warns the power grid of the United States needs a cyber shield, Technology Producer Geoff White looks at the threat posed by the most serious cyber infrastructure attack ever: Stuxnet.

What is Stuxnet? (Getty)

I recently re-watched Dr Strangelove, Stanley Kubrick’s dark Cold War comedy about a military-industrial complex as it races towards Mutually Assured Destruction.

Times change, defence contractors don’t. Every generation of military lobbyists finds a mortal threat to justify its existence, and today’s is summed up by the term “cyber” (if you doubt how seriously this is being taken in defence circles, check out the title of a recent post on the Cyber Defence & Network Security website: “Are We Heading Towards A Digital 9/11?” – requires registration).

What the defence industry needed was a bogeyman to personify this threat, and it came in the form of Stuxnet – a fiendishly complex computer virus which damaged an Iranian nuclear facility. Finally, here was a computer security breach which had tangible, physical consequences.

Last weekend saw the publication of another major piece on the subject, this time from Christopher Goodwin of the Sunday Times, who interviewed Ralph Langner (paywall), an IT security specialist who’s done sterling work on analysing Stuxnet.

Goodwin’s piece was light on new information, but it was a good read and it gives the opportunity to look once again at what we know (and what we assume) about Stuxnet.

The usual script is that it was a targeted piece of “weaponised IT” designed by Israel and the US to disrupt centrifuges inside an Iranian nuclear enrichment facility (thereby harming Iran’s nuclear weapons programme).

The threat of cyber attack (Getty)

The theories

As far as I know, no-one has definitively pinned Stuxnet on the US and/or Israel. The logic behind the assumption is that the aggressor needed to be someone with a fear of Iranian nuclear capability and a lot of cash to spend on designing a virus. But in my view that doesn’t necessarily mean just Israel and the US – it includes many other Middle Eastern countries too.

What does seem to hold water from the US/Israel theory is that Stuxnet was actually the work of two separate entities. For a start, Stuxnet was composed of two elements – the delivery mechanism and the destructive software itself (think of the former as the missile and the latter as the warhead attached to the top).

While the “warhead” was indeed very specifically targeted on the Siemens computer system controlling the facility, the virus which was used to get that “warhead” inside was actually quite indiscriminate – it turned up in many countries, but the “warhead” was only triggered when it got to Iran. Is the group which spent hundreds of hours designing a “warhead” which targeted such a specific objective really the same group which attached it to such a clumsy virus? IT security professionals I’ve spoken to think not.

The second compelling reason for believing Stuxnet was the servant of two masters comes from computer security software firm Symantec. It recently found that the Stuxnet virus code was being used without the original, Iran-focused “warhead” (Symantec named this new twist “Duqu”). Whoever designed Stuxnet is now either re-using the code or licensing its adaptation as Duqu, which targeted half a dozen European chemical companies in order to exfiltrate information. So it seems the missile maker and the warhead designer have parted company.