- Security experts say Stuxnet attacked the software in specialized industrial control equipment made by Siemens by exploiting a previously unknown hole in the Windows operating system.
- Eric Chien, the technical director of Symantec Security Response, a security software maker that has studied Stuxnet, said it appears that the malware was created to attack an Iranian industrial facility.
- The malware marks the first known attack on critical industrial control systems, known as SCADA (supervisory control and data acquisition), the general term for industrial computer control systems.
|Picture: Future Stuxnet Casualties in secret Iranian Nuclear control room - Adapted from Getty Images photo|
- Stuxnet has the ability to steal design documents or even sabotage controlled equipment in a factory or industrial setting such as a nuclear plant.
The malware casts a spotlight on several security weaknesses.
Who: Security experts say that it was likely staged by a government or government-backed group, in light of the significant expertise and resources required to create it. The specific facility that was in Stuxnet’s crosshairs is not known, though speculation has centered on gas and nuclear installations.
Stuxnet’s remarkable sophistication has surprised many security professionals. Its authors had detailed knowledge of Siemens’ software and where its security weaknesses are. They discovered and used four previously unknown security flaws in Microsoft’s Windows operating system. And they disguised their attack by signing its driver components with code-signing certificates stolen from two hardware companies, Realtek and JMicron, which are located in the same office park in Taiwan.
“It’s impossible this was created by some teenager in his basement,” Mr. Chien said. “The amount of resources and man hours to put this together,” he said, show “it has to be something that was state originated.”
What: Since it was unleashed, Stuxnet has spread to plants around the world. Siemens said it has received 15 reports from affected customers, five of which were located in Germany.
How: Stuxnet attacks Windows systems using four zero-day exploits (among them the CPLINK shortcut-icon vulnerability) plus an older, already-patched vulnerability that the Conficker worm had used, and targets systems running Siemens' WinCC/PCS 7 SCADA software. It initially spreads via infected USB flash drives and then uses the other exploits to infect further WinCC computers on the network. Once inside, it uses the hard-coded default database password of the WinCC software to gain access and command it. Siemens nevertheless advises against changing the default password because doing so "could impact plant operations".
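The USB propagation step above relies on a shortcut whose target ID list walks into the Control Panel namespace and names a DLL on the stick, so that merely displaying the icon loads attacker code. The following is an added example (not code from the page, Siemens, Symantec or Microsoft): a Python heuristic scanner that parses the shell-link header and LinkTargetIDList per the public MS-SHLLINK layout and flags shortcuts that enter the Control Panel folder and then point at a file outside the Windows directory. The detection rule, the `_file_item` ItemID layout and the sample shortcut bytes (including the hypothetical `E:\icon.dll` path) are this example's own constructions, not real Stuxnet artifacts.

```python
"""Heuristic check for .lnk files that abuse the Control Panel namespace the
way the Stuxnet shortcuts did.  Added example, not from the page or any vendor.
Header and ID-list layout follow MS-SHLLINK; the detection rule and the sample
shortcut bytes below are this example's own constructions."""
import re
import struct
import uuid
from pathlib import Path
from typing import List, Optional, Tuple

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
FLAG_HAS_LINK_TARGET_IDLIST = 0x1
# Real shell-folder CLSIDs, in the little-endian byte order used inside an ItemID.
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le

UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # printable UTF-16LE runs
PATH_LIKE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")      # drive letter or UNC/device path


def parse_lnk(blob: bytes) -> dict:
    """Validate the ShellLinkHeader and return LinkFlags plus the raw ItemID
    payloads of the LinkTargetIDList (each ItemID is size-prefixed, the size
    counting its own two bytes; a zero size terminates the list)."""
    if len(blob) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    items: List[bytes] = []
    if flags & FLAG_HAS_LINK_TARGET_IDLIST:
        if len(blob) < LNK_HEADER_SIZE + 2:
            raise ValueError("truncated IDListSize")
        (idlist_size,) = struct.unpack_from("<H", blob, LNK_HEADER_SIZE)
        idlist = blob[LNK_HEADER_SIZE + 2:LNK_HEADER_SIZE + 2 + idlist_size]
        if len(idlist) != idlist_size:
            raise ValueError("truncated LinkTargetIDList")
        pos = 0
        while pos + 2 <= len(idlist):
            (item_size,) = struct.unpack_from("<H", idlist, pos)
            if item_size == 0:                       # TerminalID
                break
            if item_size < 2 or pos + item_size > len(idlist):
                raise ValueError("malformed ItemID")
            items.append(idlist[pos + 2:pos + item_size])
            pos += item_size
    return {"flags": flags, "items": items}


def utf16_strings(data: bytes) -> List[str]:
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def control_panel_load_target(blob: bytes) -> Optional[str]:
    """Return the suspicious path if the ID list enters the Control Panel folder
    and then names a file outside the Windows directory (a normal Control Panel
    shortcut points at an applet under \\Windows\\System32), else None."""
    in_control_panel = False
    for item in parse_lnk(blob)["items"]:
        if CONTROL_PANEL_CLSID in item:
            in_control_panel = True
            continue
        if not in_control_panel:
            continue
        for text in utf16_strings(item):
            if PATH_LIKE.match(text) and "\\windows\\" not in text.lower():
                return text
    return None


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk a mounted drive (e.g. a USB stick) and list flagged shortcuts."""
    hits = []
    for path in Path(root).rglob("*.lnk"):
        try:
            target = control_panel_load_target(path.read_bytes())
        except (OSError, ValueError):
            continue                                 # unreadable or not a shell link
        if target:
            hits.append((str(path), target))
    return hits


# --- constructed samples for demonstration (not real Stuxnet files) ----------
def build_lnk(items: List[bytes]) -> bytes:
    """Assemble a minimal shell link carrying only a LinkTargetIDList."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, FLAG_HAS_LINK_TARGET_IDLIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


def _file_item(path: str) -> bytes:
    """Simplified file ItemID: two type bytes, UTF-16LE path, terminator (assumed layout)."""
    return b"\x00\x00" + path.encode("utf-16-le") + b"\x00\x00"


ROOT_ITEM = b"\x1f\x50" + MY_COMPUTER_CLSID
CPANEL_ITEM = b"\x1f\x00" + CONTROL_PANEL_CLSID
BENIGN_APP = build_lnk([ROOT_ITEM, _file_item("C:\\Program Files\\Tool\\tool.exe")])
BENIGN_CPL = build_lnk([ROOT_ITEM, CPANEL_ITEM, _file_item("C:\\Windows\\System32\\timedate.cpl")])
MALICIOUS = build_lnk([ROOT_ITEM, CPANEL_ITEM, _file_item("E:\\icon.dll")])  # hypothetical USB path

if __name__ == "__main__":
    for name, blob in (("benign app", BENIGN_APP), ("benign cpl", BENIGN_CPL), ("malicious", MALICIOUS)):
        print(f"{name}: {control_panel_load_target(blob)!r}")
```

Run `scan_directory("E:\\")` (or the mount point of the stick) before the drive is opened in Explorer, since the whole point of the shortcut is that browsing the folder is enough to trigger the load. This is a triage heuristic for removable media, not a substitute for the vendor patch for the shortcut flaw; it deliberately parses only the target ID list and ignores the rest of the link structure.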
Bad News: More in-depth study of the program, which is extremely large and highly complex by malware standards, has revealed that it does not merely spy: it can also make changes to control systems.
Exactly what Stuxnet might command industrial equipment to do still isn’t known. But malware experts say it could have been designed to trigger such Hollywood-style bedlam as overloaded turbines, exploding pipelines and nuclear centrifuges spinning so fast that they break. “The true end goal of Stuxnet is cyber sabotage. It’s a cyber weapon basically,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky, a security software maker. “But how it exactly manifests in real life, I can’t say.”
DHS VIDEO OF STAGED CYBER ATTACK ON A GENERATOR SET:
Twitter hashtags: #Stuxnet #Iran #nuclear #industrial #system #control #worm #Malware #SCADA
Stuxnet news: updated links to stories/articles:
NY Times blog link: http://bits.blogs.nytimes.com/2010/09/24/malware-hits-computerized-industrial-equipment/
Wikipedia article link: http://en.wikipedia.org/wiki/Stuxnet
#Stuxnet update: One of the theories is starting to point to a targeted sabotage of Iran’s nuclear facilities.
The latest, put forward by Frank Rieger, a researcher at security and encryption firm GSMK, posits in a Frankfurt newspaper (translation here) and on his blog that Stuxnet targeted a nuclear enrichment facility in the Iranian town of Natanz. Stuxnet has spread internationally, but the vast majority of infections have happened in Iran, according to numbers from antivirus firm Symantec in July.
Rieger points to signs that Stuxnet was engineered to infect systems as early as January 2009. And in July 2009, whistle-blower site Wikileaks posted a note from an anonymous source describing a nuclear accident in Natanz. The head of Iran’s nuclear program resigned shortly thereafter, and Rieger points to official Iranian numbers that showed a reduction in working enrichment centrifuges.
Rieger’s other piece of evidence pointing to Natanz comes from Stuxnet’s architecture. He writes, based on the current analysis of the worm’s software, that its infection is “intended to be synchronized and spread over many nodes.” That makes more sense in an enrichment plant filled with thousands of identical centrifuge units than in a more centralized nuclear power plant, he writes.