Who Wrote the Nefarious Stuxnet Worm? And Why?

Imagine a nefarious computer virus, one some industry experts say may be the most sophisticated piece of malware ever written. Imagine this worm, loaded onto a Siemens Programmable Logic Controller (PLC), creating two hexadecimal words as its output: DEAD F007. Now imagine this piece of malware, Stuxnet — or something like it — coming to an industrial plant near you.

Let’s start by dispelling one myth that seems to be growing up around this piece of PLC-controlling software: PLCs are not super-secret devices, but are standard bits of industrial control equipment that can cost as little as $200 (and, for really complicated ones, many thousands), and are available from industrial supply houses all over the world without any kind of security check. The software used to program PLCs is no more secret than the devices themselves. WinCC, the compromised program, may not be known to many programmers or sysadmins who work in offices, but it is a familiar tool for industrial plant people in many different fields.

Siemens, based in Germany, is one of the biggest of the multinational big dogs in the PLC field. They sell into the U.S., China, Brazil, India, and almost anywhere else there’s any industry at all. Want to count cereal boxes on an assembly line and measure out the right amount of cereal for each one? You can program a Siemens PLC for that application, no problem. Want to spin your uranium-enrichment centrifuges at just the right speed? Ditto. Or run track-mounted speed detectors and switch gear for your high-speed rail system, or the moisture control on your Yankee dryer? No problem. If there isn’t a PLC app for that already, writing one is no big deal.

An early article about the Stuxnet infection in Iran claimed that it infected “millions” of industrial control computers there. This is unlikely. Indeed, it’s unlikely that Iran has millions of industrial control computers, period. And Stuxnet is not — at least in forms discovered so far — an Internet-spread problem, but one that typically infects a computer network when someone plugs a USB stick containing the worm into a computer on that network.

Another article, on Forbes.com, postulated that the Stuxnet worm’s purpose was to disable satellites run by the Indian Space Research Organization, which would mean more business and prestige for China’s AsiaSat.

And maybe some Siemens PLCs are not supposed to be going to Iran, after all. A New York Times story published on Sept. 29 said, “…last year officials in Dubai seized a large shipment of those controllers — known as the Simatic S-7 — after Western intelligence agencies warned that the shipment was bound for Iran and would likely be used in its nuclear program.”

That same story mentions the Biblical-sounding connection of one of the worm’s file names to the Book of Esther, “a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project.” But it also says, “Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel.”

And then there’s that DEAD F007 “leetspeak” PLC output. Eric Loyd, President of Bitnetix, says that no matter how juvenile DEAD F007 sounds, “Stuxnet is far from a kid-hacker attack.” Indeed, Loyd is one of many IT experts who believe Stuxnet may be the most sophisticated piece of malware ever written, with its use of four separate Windows zero-day attacks, not one but two genuine security certificates (now revoked), and its ability to not only monitor but modify instructions for the targeted Siemens PLCs.

While PLCs may be a mystery to many — even most — programmers and sysadmins, they are not complicated, nor do they take advanced degrees to figure out. In most of the industrial world, they are the responsibility of guys who wear their names on their shirts. Indeed, the whole point of SCADA is that it makes plant processes easy to visualize and control.

So far there is no concrete evidence that Stuxnet-infected computers or PLCs have affected Iran’s nuclear fuel enrichment program or delayed the startup of the country’s one nuclear reactor. But there are suspicious coincidences that make it seem like Stuxnet might have done something to Iran’s nuclear efforts, depending on which of the contradictory reports coming out of Iran you want to believe.

On one hand, Iranian government sources say Stuxnet has not caused problems or delays to anything nuclear; on the other, they claim they have arrested “Nuclear Cyberspace Spies” and are “fully aware of the activities of ‘enemies’ spy services.’”

Stuxnet may not be the biggest problem

Whether Stuxnet is the work of Chinese or Israeli government cyberwarriors or a computer science student’s prank that got out of hand, there are cures for it, and Microsoft is closing the four Windows zero-day vulnerabilities that allow the worm to do its mischief and to propagate laterally within a government or corporate computer network. And with the right malware protection, a Stuxnet infection can be detected immediately, says Kurt Bertone, Vice President of Strategic Alliances for Fidelis Security Systems, who says his company’s XPS cyber defense products have no trouble dealing with Stuxnet.

Other virus detection and malware control companies also now have a handle on Stuxnet, including Siemens, which offers complete Stuxnet detection and removal instructions.

But the problem now, Bertone warns, is not so much Stuxnet but other pieces of malware that are out there but may not have been discovered. He and Eric Loyd both worry that there may be some “Son of Stuxnet” worm out there, spread manually, like Stuxnet, or by some other vector, that will one day cause dangerous problems at nuclear plants, oil refineries or chemical plants or….

…there are millions of critical points in our modern industrial infrastructure that use PLCs and other computer-based controls, some of which are carefully secured against malware infections — and some of which are not secure at all but have not yet been attacked.
