Holy Shit, Stuxnet!

In June of 2010, researchers at a cyber security firm in Belarus called VirusBlokAda discovered a troubling bit of malware with a mysterious purpose. It used USB drives to transmit itself, bypassing Internet security. This was nothing new, nor was it overly troubling.

What was both of those things was the fact that this new malware was using multiple zero-day exploits. That's what programmers call an exploitable bug that hasn't been discovered or patched yet. Which means a fully-patched, fully up-to-date operating system with cutting edge security would still be vulnerable to it.

So not like the malware you'd only find on grandma's computer

It takes an enormous amount of effort and resources to discover a zero-day exploit, largely because there are legions of hackers constantly working to do just that in the interest of proactively preventing security problems. This malware, which came to be known as Stuxnet, used four of them. No malware up to that point had ever managed such a feat.

Even more baffling, Stuxnet did not appear to cause any harm once it infected a new system. It just sat in wait until either it could infect a new computer or a specific piece of hardware was attached to it. By painstakingly reading through countless lines of code, security experts were able to determine that its target was specific PLC systems.

Which basically look like boxes of plastic with some wires and lights on them.

A PLC is used to automate industrial processes, which is where you might start to feel uneasy about this whole story. A bit more digging and the process of elimination revealed the bombshell. The PLCs that Stuxnet was intended to target were almost certainly used to regulate industrial centrifuges at a nuclear facility in Natanz, Iran.

The other ways in are well-guarded and way less subtle. So flash drive it is, I guess.

At this point, the perpetrator of the Stuxnet cyber attack has all but tacitly acknowledged its role. But I'll give you two guesses. Who would have a major interest in sabotaging a nuclear facility in Iran?

Certainly a motive there.

But who would have the resources to assemble the team of gifted programmers, industrial experts and spies necessary to pull off a feat like that?

Spoiler Alert: it was probably both.

And make no mistake. It worked. It's hard to say how well it worked since any official planning or execution documentation is certainly and highly classified, but thousands of Iranian centrifuges mysteriously failed before Stuxnet was discovered.

This is obviously a win for American espionage, but it has broader implications that are staggeringly bleak. At some point, this operation, (known as Operation Olympic Games), and by extension the United States government, determined that there were four vulnerabilities which could potentially lead to industrial sabotage. Maybe even to catastrophic attacks on infrastructure. And rather than take defensive measures to fix the problem, they used it against another nation.

The use of zero-day exploits by nation states is potentially a Pandora's Box on par with the use of weapons of mass destruction. Stuxnet opened the box.

Holy shit.





"Gas centrifuge cascade" by U.S. Department of Energy - Public Domain

"Bonzi buddy". Licensed under Fair use via Wikipedia

"S7300" by Ulli1105 - Own work. Licensed under CC BY-SA 2.5 via Commons
\
"Natanz nuclear" by Hamed Saber - http://www.flickr.com/photos/hamed/237790717. Licensed under CC BY 2.0 via Commons