Saturday, October 16, 2010

Age of Cyber Warfare: The Advent of Cyber Weapon

In the last few years there have been some major cyber-attacks involving nation states such as China and Russia, but the latest, the Stuxnet worm attack, takes cyber warfare to another level, where the damage may extend beyond digital assets to the physical world. Most security experts believe that the Stuxnet worm's design and perceived objectives indicate that it was aimed at disrupting the Iranian nuclear program, and most likely it was successful too.


Not many people know that the Internet was the outcome of a military venture. ARPA, the precursor to the Internet, was launched by the Department of Defense of the US government in response to the Soviet Union's launch of the first artificial satellite, Sputnik. The objective was to develop a mechanism which would allow the US military to retain control and counter-attack in case of a pre-emptive nuclear attack on the USA destroying its capability to retaliate. But then the World Wide Web was invented, and in a decade the Internet had evolved into an alternate reality called Cyber Space, where limitations of the physical world, such as geographical distance, became irrelevant.

However, decades later, there are now clear signs that the Internet may be becoming a crucial battle-zone, even if not the weapon it was originally intended to be. Last month, Wired.com published an article saying that computer security experts had found the worm, Stuxnet, to have a very unusual design and capabilities, the likes of which have not been seen before. Most malware is designed to steal information from the victim's computer or, in other cases, to damage the victim's digital assets, but Stuxnet is the first malware that has been designed to damage real-world infrastructure by hijacking the systems that control it. It primarily targets specific Industrial Control Systems (ICS), which are used in infrastructure such as gas pipelines and nuclear facilities, and it tries to reprogram the Programmable Logic Controller (PLC), which if successful would grant the attacker full control over the system.

It is interesting to note that although Stuxnet has an incredible capability for self-replication, propagation and updating, its destructive payload is intended to be delivered to the Siemens Simatic WinCC SCADA system only. This is the exact configuration of computers used in the Iranian nuclear facility, if an earlier UPI report with an attached screenshot is to be believed. Further, demographic reports clearly reveal that most infections have been reported from Iran (58%). Given that most developed countries have been making every effort to halt Iran's nuclear program, and that the US and Israel were seriously contemplating an air-strike on Iranian facilities, a cyber attack to sabotage the plant's infrastructure would be completely plausible. What would be more difficult to accept is that it could actually be achieved. Iran may be a diminutive player in the context of global politics, but its leadership cannot be so naive as to leave their nuclear plants unprotected!

The specific configuration that Stuxnet targets is WinCC/Step 7 with Siemens PLCs. These are highly customized systems; the PLCs are usually programmed on Windows-based computers which are rarely connected to the Internet or even a local network. In order to infect the target machine, the attackers would have to come up with a very sophisticated piece of software which functions in a manner that those entrusted with the cyber security of the facility cannot anticipate. Such a project would require a lot of resources: not just hardware to set up an identical environment, but also intelligence gathering (HUMINT, SIGINT) and infiltration, things requiring people on the ground. It is an operation that rogue hacker groups would be unable to contemplate.

Besides, experts opine that Stuxnet is perhaps the most complex malware ever made. It exploits four zero-day vulnerabilities, installs a powerful Windows rootkit, uses two compromised digital signatures, evades all major anti-virus software, injects malicious code into running processes, uses multiple techniques to propagate as well as update to newer versions, and includes what Symantec calls "the first ever PLC toolkit". It does all of this without allowing the operator to notice that security has been compromised!

In order to fully understand how powerful this worm is, just go through the dossier on it by Symantec. The main file comes across as a large, half-megabyte DLL containing a host of resources and exports that perform various clandestine functions such as installation, code injection, propagation through the network and removable drives, identifying the target PLC, and modifying it to hand over its control to the attacker. What is really interesting is the manner in which the architects have taken into account multiple possible scenarios and have included alternative features for predictable impediments. For instance, for propagation it uses 5 different methods, of which 2 are zero-day vulnerability exploits, a WinCC hard-coded database server password, LAN and Peer-To-Peer transfer. After the infection, the driver is loaded using a compromised Realtek digital certificate signed by Verisign (revoked on July 16, 2010). It can then inject the malicious code into a trusted process, create a new process, and even instruct a trusted process to inject code into another running process. But even this functionality is not that plain. It first checks which anti-virus is installed and chooses the injection target accordingly. For instance, if the anti-virus present is Symantec, the injection target is Lsass.exe, but if McAfee is installed, it injects into Winlogon.exe. Anyway, this malware is truly sophisticated, so it would be most unwise for me to go into technical detail based on news reports and dossiers. If you really want to find out more about the way it works, check out Symantec's dossier on it or the paper by security researcher Ralph Langner, who was one of the first to identify the malware and is an authority of sorts on it. He is also probably the first expert to use the term cyber-weapon for Stuxnet.

All of this clearly indicates that such sophisticated software would require immense resources. In fact, Symantec says that the full cycle of such complex software would have taken six months and five to ten core developers, not counting numerous other individuals, such as quality assurance and management. Taking all the factors into account, it would be reasonable to presume the involvement of one or more nation-states in this operation, and the most obvious suspect would be Israel, Iran's current arch-enemy in the region. Israel has in the past made it clear that it would do everything possible to stop Iran from acquiring a nuclear weapon, air-strikes on the latter's nuclear facilities being the most likely action.

Although there is no incontrovertible proof of Israel's involvement, there are hidden clues within the software to suggest it. The number 19790509 (the "don't infect" marker) corresponds to the date of the execution of a prominent Iranian Jew, Habib Elghanian, a watershed moment in the Iran-Israel relationship. Another clue exists in the form of the text "myrtus", which may be a reference to the story in the Book of Esther, one of the books of the Hebrew Bible. According to the story, Esther/Hadassah (myrtle) helped the Jews pre-empt and kill the Persians who had planned to exterminate them.

Similarly, Stuxnet was most likely designed for the sole purpose of sabotaging Iran's nuclear program and even causing physical destruction. Langner says the target of the worm was the Bushehr facility, but the attackers may have been targeting multiple facilities too. A couple of incidents occurring around the same time as the cyber attack indicate that all is not well in Iran's nuclear facilities. According to WikiLeaks, there has been a serious nuclear accident at the Natanz nuclear facility, and the BBC reported "the head of Iran's atomic energy organization's abrupt resignation because of unknown reasons." However, the din and clamor over Iran's nuclear program has died down, though both sides are unwilling to share.

It might seem that Stuxnet is the first cyber-weapon with which Israel was able to achieve its military objective without the use of force, and that this would definitely be a positive development (an air strike was the alternative), but sadly that is not true. Other nation-states are likely to follow suit. Designing a cyber weapon as sophisticated as Stuxnet is difficult, but with the resources they have at their disposal, one cannot rule out destructive ones. Then there is also the issue of collateral damage. Stuxnet struck Iran the most, but it also spread to countries like Indonesia (17.83%) and India (9.96%), which dealt with the same Russian contractor, AtomStroyExport, as Iran did. Finally, terrorists and non-state entities may not have the resources to create something as powerful, but they can always learn from the techniques used in this and implement them on much smaller scales.

Update
According to The Register, Iran's President, Ahmadinejad, has admitted that several uranium enrichment centrifuges were damaged by a virus.

Update 2
Mainstream media has finally woken up! A New York Times report reveals that the worm was tested in Israel's Dimona nuclear facility in the Negev desert, which also housed centrifuges completely identical to the Iranian ones. It further says that a fifth of Iranian centrifuges were damaged in the attack, which delayed the nuclear program but fell short of destroying it.
