A USB memory stick carrying the Stuxnet malware is believed to have provided intruders with access to Iran’s nuclear program. The same technique was used in November 2008 to break into CENTCOM, providing a foreign government with unfiltered access to the Pentagon’s command of the wars in Iraq and Afghanistan. Did both attacks come from the same source?
Earlier this week, Reuters reported:
Cyber warfare has quietly grown into a central pillar of Israel’s strategic planning, with a new military intelligence unit set up to incorporate high-tech hacking tactics, Israeli security sources said on Tuesday.
Israel’s pursuit of options for sabotaging the core computers of foes like Iran, along with mechanisms to protect its own sensitive systems, were unveiled last year by the military intelligence chief, Major-General Amos Yadlin.
The government of Prime Minister Benjamin Netanyahu has since set cyber warfare as a national priority, “up there with missile shields and preparing the homefront to withstand a future missile war”, a senior source said on condition of anonymity.
Back in 1997, when the US did not overtly support political assassinations, President Clinton intervened to save the life of Khalid Meshaal. The Hamas political bureau chief had been poisoned by Mossad operatives (carrying stolen Canadian passports) on the streets of Jordan’s capital, Amman.
Clinton wasn’t trying to help Hamas but knew that a peace treaty he had helped broker between Israel and Jordan would be in jeopardy if Prime Minister Netanyahu thought he could disregard the sovereignty of Jordan and carry out assassinations with impunity. Likewise, neither King Hussein nor the Canadian government believed that Israeli actions showing a flagrant disregard for the authority of their respective governments could go unanswered.
Netanyahu would probably have found Clinton’s pressure unpersuasive were it not for the fact that the Israeli operatives had already been arrested. In exchange for their release, the Israelis supplied the antidote that saved Meshaal’s life while also releasing the Hamas spiritual leader Sheikh Ahmed Yassin.
Then came 9/11.
Before long, Yassin had been assassinated, the US was using Israeli methods of torture in its campaign against an amorphous Islamic threat, Israel’s own war crimes were sanctioned by the US in the name of the war on terrorism, and the use of stolen foreign passports by Mossad agents committing murder on foreign soil provoked nothing more than a diplomatic slap on the wrists.
When suspected Israeli agents were reported this week to be conducting surveillance on the NSA in Utah, the national security breach did not provoke a murmur in the national media — even though a string of similar incidents prior to 9/11 raised questions about whether Israel could have had foreknowledge of the attacks.
The willingness of this and the previous administration to allow Israel to disregard international law shows that even if the Israel lobby can no longer flourish like a night flower, its power is barely diminished. Even so, the appearance of the Stuxnet malware should be a wake-up call to every government around the world that refuses to place Israel’s national interests above its own.
In its conception, Stuxnet can be viewed very much like a targeted killing — but one designed to attack silently and leave no trace of its origin.
It’s creators understood that they had designed an exceedingly dangerous weapon and so they made sure its damage could be contained. But it seems not to have worked according to plan and so caution got tossed out of the window. Apparently, Israel did what it has done so many times before: pursued what it regarded as its own interests with an utter disregard for the international consequences.
The original infection method, which relied on infected USB drives, included a counter that limited the spread to just three PCs, said [Liam] O Murchu [operations manager with Symantec’s security response]. “It’s clear that the attackers did not want Stuxnet to spread very far,” he said. “They wanted it to remain close to the original infection point.”
O Murchu’s research also found a 21-day propagation window; in other words, the worm would migrate to other machines in a network only for three weeks before calling it quits.
Those anti-propagation measures notwithstanding, Stuxnet has spread widely. Why?
Kaspersky’s [Roel] Schouwenberg [a senior antivirus researcher] believes it’s because the initial attack, which relied on infected USB drives, failed to do what Stuxnet’s makers wanted.
“My guess is that the first variant didn’t achieve its target,” said Schouwenberg, referring to the worm’s 2009 version that lacked the more aggressive propagation mechanisms, including multiple Windows zero-day vulnerabilities. “So they went on to create a more sophisticated version to reach their target.”
That more complex edition, which O Murchu said was developed in March of this year, was the one that “got all the attention,” according to Schouwenberg. But the earlier edition had already been at work for months by then — and even longer before a little-known antivirus vendor from Belarus first found it in June. “The first version didn’t spread enough, and so Stuxnet’s creators took a gamble, and abandoned the idea of making it stealthy,” said Schouwenberg.
In Schouwenberg’s theory, Stuxnet’s developers realized their first attempt had failed to penetrate the intended target or targets, and rather than simply repeat the attack, decided to raise the ante.
“They spent a lot of time and money on Stuxnet,” Schouwenberg said. “They could try again [with the USB-only vector] and maybe fail again, or they could take the risk of it spreading by adding more functionality to the worm.”
O Murchu agreed that it was possible the worm’s creators had failed to infect, and thus gain control, of the industrial systems running at their objective(s), but said the code itself didn’t provide clear clues.
What is clear, O Murchu said in a news conference Friday morning, is that Stuxnet evolved over time, adding new ways to spread on networks in the hope of finding specific PLCs (programming logic control) hardware to hijack. “It’s possible that [the attackers] didn’t manage to get to all of their targets [with the earlier version],” O Murchu said. “The increased sophistication of Stuxnet in 2010 may indicate that they had not reached their target.”
With the proliferation of Stuxnet, Schouwenberg said that the country or countries that created the worm may have themselves been impacted by its spread. But that was likely a calculated risk the worm’s developers gladly took.
And that risk may have been quite small. “Perhaps they knew that their own critical infrastructure wouldn’t be affected by Stuxnet because it’s not using Siemens PLCs,” Schouwenberg said.
The danger now posed by Stuxnet is not simply through its direct proliferation but by virtue of the fact that it provides a blueprint that can be adapted by other parties who would otherwise lack the resources to create malware this sophisticated from scratch.
What might have been conceived as a tool to prevent the creation of a weapon of mass destruction could itself be turned into a WMD.
The Washington Post reports:
“Stuxnet opened Pandora’s box,” said Ralph Langner, a German researcher whose early analysis of the worm’s ability to target control systems raised public awareness of the threat. “We don’t need to be concerned about Stuxnet, but about the next-generation malware we will see after Stuxnet.”
Sean McGurk, director of the U.S. National Cybersecurity and Communications Integration Center at the Department of Homeland Security, said that the department posted its first report to industry recommending steps to mitigate the effects of Stuxnet on July 15. But “not even two days later,” he said, a hacker Web site posted the code so that others could use it to exploit the vulnerabilities in Microsoft.
“So we know that once the information is out in the wild, people are taking it and they’re modifying it,” he said.
In other words, what started as an Israeli cyber attack on nuclear installations in Iran could end up crashing the US powergrid or causing havoc anywhere else on the globe.
Even before Stuxnet loomed over the horizon, serious warnings were being issued about the United States’ vulnerability to a crippling cyber attack, yet thus far none of those raising the alarm have pointed to the ways in which Israel’s cyber warfare capabilities may now indirectly or directly threaten the United States and its interests.
– – –
Late last year, 60 Minutes reported on America’s vulnerability to a major cyber attack.