Most security professionals have at least a basic understanding of Stuxnet. However, because the story behind the malicious worm used to attack Iran’s nuclear program is so complex, many of those covering it in news stories, features, and reports have only addressed aspects of the events. Not so Kim Zetter, who literally wrote the book on the subject—2014’s Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, an in-depth account of the unfolding of the attack that fills in the gaps left by all the media coverage.
Introduced by symposium chair Sari Greene as “the authority of what happened with Stuxnet,” Zetter presented Stuxnet and Beyond: The Age of Digital Warfare at the 2015 CyberCrime Symposium, in which she not only chronicled the Stuxnet events for attendees, but highlighted the lessons it holds for security professionals.
Stuxnet, the worm developed to thwart Iran’s efforts to enrich uranium for its burgeoning nuclear program, was highly effective at carrying out its goal — physically damaging centrifuges at an underground enrichment plant in Natanz, causing them to fail. To cause these failures, Stuxnet targeted Windows-based computers that technicians used to manage programmable logic controllers (PLCs) that controlled valves on the centrifuges. With this approach, Stuxnet broke new ground: It was not only the world’s first digital weapon, but instead of compromising the computers and networked systems that cyber-attacks typically target, Stuxnet destroyed physical equipment.
Moreover, digital warfare of this kind has serious implications for critical infrastructure in the U.S., said Zetter. Noting that symposium attendees might see cyber-threats involving nuclear facilities as irrelevant to their jobs, Zetter assured them otherwise.
“This is an ongoing problem that we're going to have as nation-states get into attacks,” said the award-winning journalist who covers cybercrime and security for Wired. “The attackers behind Stuxnet used very sophisticated techniques that are trickling-down to cyber-criminals. They teach cyber-criminals new methods, which cyber-criminals then adapt for their own attacks.”
Stuxnet in Short
In a nutshell, the first version of Stuxnet, released in 2007 and again in 2008, targeted a specific PLC that controlled valves on the centrifuges Iran was installing to enrich uranium hexafluoride gas. The code got into the plant by way of USB sticks. It worked in a way that incrementally destroyed the centrifuges, lessening the chances it would be detected, while also disabling the safety system that automatically shuts down systems when it detects unsafe conditions. Meanwhile, Stuxnet fed false data to technicians that made it look as if the centrifuges were operating normally. The second Stuxnet version, delivered in 2009 and 2010, targeted a different PLC, and was more aggressive in how quickly it destroyed the centrifuges. This version infiltrated the plant by infecting the systems of five companies that installed ICSs in Iran. Both versions used zero-day exploits.
Stuxnet was first discovered in 2010 when one of the five companies whose systems were used to invade the plant started seeing systems in satellite offices and those of their contractors infected. “Contractors were spreading it to customers around the world, at every plant and office they went into,” said Zetter. “Whenever they plugged in USB sticks or their laptops, they were spreading Stuxnet.”
Dissecting Digital Warfare
To illustrate the changing nature of cyber-attacks, Zetter’s presentation incorporated a video clip from the 2007 movie “Live Free or Die Hard,” in which cyber-terrorism is a loud, incendiary experience. “This was Hollywood’s version of what a cyber-attack would look like — a lot of explosions, a lot of physical destruction,” said Zetter. “Cyber-attacks take over computers and steal data — we’d never seen anything that actually caused physical destruction.”
But that’s the kind of attack now preoccupying top security officials in both the private and public sectors. In other words, attacks like Stuxnet, whose objective was to destroy critical infrastructure by compromising PLCs, part of the group of systems that fall under the umbrella “industrial control systems” (ICSs).
“The PLC is actually used in a lot of different types of facilities,” said Zetter. “They are the hard workers in our critical infrastructure, controlling gas pipelines, utilities, electric grids, water facility plants, traffic lights, elevators, and parts of the NASDAQ stock exchange. These are critical components and they are highly vulnerable.”
The ultimate question: What are the pros and cons of digital warfare? Among the pros, according to Zetter: “It can save lives if you can avoid an all-out war, and if done right, it causes no collateral damage.” A campaign doesn’t require troops and equipment to be deployed, and can be conducted from a remote location.
Another checkmark on the pro side is the attribution aspect. “It’s difficult to attribute the source of an attack, giving actors plausible deniability,” Zetter said.
Then there are the cons: Once unleashed, digital weapons are difficult to control. “With interconnecting systems you can’t necessarily anticipate how something affecting one system is going to affect others,” said Zetter.
Also, when traditional weapons like bombs are detonated, the pieces can’t be picked up, put back together, and turned against the attacker. “Digital weapons can be reverse-engineered and sent back to execute the same attack,” said Zetter. Further, Stuxnet legitimized the use of digital weapons for resolving political disputes. “You no longer have to go to the UN to resolve your disputes if you can just unleash a digital attack that can’t be attributed.”
Such attacks lower the bar for entry. Said Zetter, “While a teenager can’t necessarily build a nuclear weapon in his backyard, he can build a digital weapon capable of taking down critical infrastructure.”
This is the 4th in our series presenting key takeaways from Sage Data Security’s 2015 CyberCrime Symposium, held November 5-6, 2015. In case you missed the filled-to-capacity event, “Collaboration & Information-Sharing,” make sure to check-in weekly for the latest installment featuring insight from select presentations.