Stuxnet. A major military strike using a virus through cyberspace.
I've been following news surrounding the very interesting Stuxnet virus for months. In short, this is a virus that targeted a specific piece of equipment and had a singular goal. I'll explain in more detail later. Stuxnet is quite exceptional.
In the late 1980s and early 1990s, 'hacking' a computer was practiced by intelligent, obsessed, possibly sociopathic (although not dangerous) individuals. The best and most entertaining accounts I've read surrounding this era are:
This kind of 'hacking' was not motivated by greed or politics. It was simply to gain bragging rights and a sense of personal achievement.
Today, we suffer at the hands of organised crime, which trades not in drugs but in ill-gotten information: your credit card details and other personally identifiable information that can lead to identity theft.
We have seen politically motivated, organised attempts to damage specific companies. For example, The SCO Group was knocked off the internet for days in December 2003 by activists.
But Stuxnet is different.
What is a zero-day attack?
A zero-day attack is a method of breaking into a computer that has not yet been analysed by the security community. Known malware can be identified by a pattern, and once that pattern is found the anti-malware companies put the signature into their databases for fast and positive identification. Since a zero-day attack has not been analysed, it has no signature and is therefore more likely to get past security defences.
Why is Stuxnet different?
Stuxnet is very different because it targeted not only a single organisation, but also a single type of equipment inside that organisation. It did so to be specifically destructive and yet remain hidden and be very difficult to detect and remove.
Reportedly, it used four zero-day attacks. These are exploits that target previously unknown and unpatched vulnerabilities. From analysis of the malware, it's clear that the organisation behind it would have required huge funding and taken years to develop. This was not the work of an individual activist.
What is a PLC?
A PLC is a Programmable Logic Controller. This is a computer that runs in "real time". Typical computers do not run in real time because the CPU is shared amongst multiple tasks in a non-deterministic manner. A real time operating system allows the programmer to predict and control how long a task will take. This is important for industrial control where timing is crucial. A typical time sharing computer might do the job most of the time but occasionally take too long to do an important task. A real time PLC is purpose built to control multiple outputs from multiple inputs with perfect deterministic control.
The Stuxnet worm specifically targets Microsoft Windows. It's different to past attacks because it spied on a specific industrial system, reported back to base, and modified the behavior of the target.
It was discovered in July 2010 but was in operation long before that and is so sophisticated it's clear there was a significant development cycle. By the end of November, Iran admitted that its nuclear program for uranium enrichment was compromised.
In the year 2001, I wrote about a developing theory surrounding fear-based decisions and reactions as they relate to the security industry. One of the topics addressed at that time was the possibility of cyberwarfare. My conclusion ten years ago was that these types of attacks were possible but would be unlikely to be used by an aggressor unless a very specific outcome was guaranteed. Terrorists, for example, like to control their damage rather than take pot luck, as would be typical for a non-specific virus attack on utilities.
It seems Stuxnet was the first specifically targeted example of cyberwarfare.
Centrifuges and uranium enrichment
Uranium ore when mined and extracted is about 99 percent U-235 and the rest U-238.
U-235 is used for weapons and power generation but must be pure. The process called 'enrichment' takes advantage of the different masses of U-238 and U-235.
First, a powerful acid is used to make uranium hexafluoride (a gas), which is then spun at very high speed in a centrifuge. The different masses of U-235 and U-238 cause the two isotopes to physically separate: U-235 reaches a higher concentration at the center of the centrifuge and is extracted into another centrifuge. This cascade is repeated thousands of times to obtain the desired purity.
Stuxnet targeted specific PLCs used to control Iran's nuclear enrichment centrifuges. Once control of the PLC was obtained, the worm activated code to drastically change the centrifuge speed, which not only ruined the enrichment process but also ruined the bearings by cracking the rotor. If this sounds improbable, consider the need for magnetic bearings to sustain a spin of 100,000 rpm. Even a slight imbalance would have serious effects. The high speed demands the use of light rotors, and these would be relatively delicate. If the speed was changed often and drastically, a slight weakness would crack and worsen to the point of imbalance, and that would ruin the bearings.
Obviously there is a tactical advantage in remaining undetected, which is why Stuxnet could also hide evidence of the changes it made. As a result, the cyber weapon that is Stuxnet was able to 'discover' previously unknown enrichment facilities.
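The two behaviours described above, drastic speed changes and a PLC that hides them from the operator, are exactly what an independent monitor can look for. The following is an added example (not code from the original article or from any real control system): it checks each telemetry sample for commands outside a safe band, abrupt frequency steps, and disagreement between what the PLC reports and an out-of-band sensor the PLC cannot alter. The 1000-1100 Hz band, the thresholds and the sample data are all constructed assumptions.

```python
SAFE_BAND_HZ = (1000.0, 1100.0)   # assumed normal operating band (constructed)
MAX_STEP_HZ = 20.0                # assumed largest legitimate change per sample
MAX_DIVERGENCE_HZ = 15.0          # assumed tolerance between PLC report and sensor


def check_sample(prev_cmd, cmd, reported, sensor):
    """Return alert strings for one sample.

    cmd and reported come from the PLC (commanded and reported drive frequency, Hz);
    sensor is an out-of-band reading the PLC cannot alter; prev_cmd may be None.
    """
    alerts = []
    lo, hi = SAFE_BAND_HZ
    if not lo <= cmd <= hi:
        alerts.append(f"command {cmd:.0f} Hz outside safe band {lo:.0f}-{hi:.0f} Hz")
    if prev_cmd is not None and abs(cmd - prev_cmd) > MAX_STEP_HZ:
        alerts.append(f"abrupt change {prev_cmd:.0f} -> {cmd:.0f} Hz")
    # A compromised PLC can keep showing benign values to the operator; the
    # sensor path is the only reading that has not passed through the PLC.
    if abs(reported - sensor) > MAX_DIVERGENCE_HZ:
        alerts.append(f"PLC reports {reported:.0f} Hz but sensor measures {sensor:.0f} Hz")
    return alerts


def scan(samples):
    """Run check_sample over (cmd, reported, sensor) tuples; return {index: alerts}."""
    findings = {}
    prev = None
    for i, (cmd, reported, sensor) in enumerate(samples):
        alerts = check_sample(prev, cmd, reported, sensor)
        if alerts:
            findings[i] = alerts
        prev = cmd
    return findings


# Constructed telemetry: steady running, an over-speed burst, then a near stop,
# while the PLC keeps reporting the same benign value to the operator.
SAMPLES = [
    (1050.0, 1050.0, 1049.0),
    (1052.0, 1052.0, 1051.0),
    (1400.0, 1052.0, 1398.0),  # drastic over-speed, report unchanged
    (1052.0, 1052.0, 1053.0),
    (2.0, 1052.0, 3.0),        # near stop, report still benign
]

if __name__ == "__main__":
    for idx, alerts in scan(SAMPLES).items():
        print(f"sample {idx}:", "; ".join(alerts))
```

The sensor input is the important part: a check that relies only on values the PLC reports would see nothing wrong in the constructed run above.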
Who detected Stuxnet?
Wide speculation is that the 15,000 lines of code took years to develop and were outside the scope of an individual. It is presently thought that Israel and America were the two nations involved in its development. As time goes on, if more information comes to light, I'll update this article.
[ On 1 June 2012, SC Magazine reported that America and Israel were behind the Stuxnet virus. ]
What does this mean for the future? As with any game-changing technology, this means a different security mindset is needed. Stuxnet shines a powerful spotlight onto a whole new array of international cyber attacks.
Iran has a big task ahead to eradicate the worm. There are new versions coming out, and new attack vectors. The cost of the cleanup will be massive, and time to recovery is likely to be more than two years. If seen as a 'military strike', this was a very successful campaign.
This is day one of a new arms race.
Expect to see a lot of related activity in the technology space. Iran has not had good security but this will change. The world in general has not been subject to cyberwarfare, but this too has changed forever. "Hacking" is now officially a government career.