Vyuha | Stuxnet and its Aftermath

Around June 2009, the Stuxnet malware began stealthily infecting Windows machines across the globe, staying dormant on most of them and specifically targeting WinCC-based industrial control systems of two vendors: one Finnish and the other Iranian. Stuxnet was determined to be highly sophisticated malware targeting SCADA systems. It specifically targeted the frequency converter module in a power supply capable of variable-frequency output to control a variable-speed motor, the kind of drive typically used in centrifuge devices. The malware would sabotage the normal operation of centrifuges running in a specific range of very high frequencies, arbitrarily changing the speed of the motors for short periods of time.

Stuxnet exploited four zero-day vulnerabilities in the Windows OS and spread via infected Samba network shares and the USB sticks of ordinary desktops and laptops, but it only became active when it landed on specific SCADA industrial control systems. Stuxnet disguised its presence on infected systems by recording the "normal" readings on the machine and playing those recorded values back to the operator, fooling the operators into believing that the centrifuges were operating normally. Because Stuxnet disguised its presence in this way, it was not detected until a year later, in June 2010.
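A defender's illustration of the playback trick described above (an added example, not code from the original post): a detector that compares each window of consecutive sensor samples against every window seen earlier in the feed. Genuine process telemetry carries measurement noise, so an exact repeat of several consecutive readings is a signal that recorded values are being replayed. The telemetry stream and its nominal frequency are constructed here, not taken from the post.

```python
import random

WINDOW = 8  # consecutive samples compared for exact repetition


def find_replays(stream, window=WINDOW):
    """Return (index, first_seen_index) for every window of `window` samples
    that exactly repeats a window seen earlier in the stream.

    Real process values drift and carry noise, so an exact repeat of
    several consecutive readings is far more likely to be a recording
    played back to the operator than a fresh measurement.
    """
    first_seen = {}  # window contents -> index where it first appeared
    hits = []
    for i in range(len(stream) - window + 1):
        key = tuple(round(s, 3) for s in stream[i:i + window])
        if key in first_seen:
            hits.append((i, first_seen[key]))
        else:
            first_seen[key] = i
    return hits


def constructed_stream(seed=7):
    """Constructed sample telemetry (not real data): 40 noisy readings
    around a made-up nominal motor frequency of 1000 Hz, followed by a
    playback of samples 10..25 in place of fresh readings."""
    rng = random.Random(seed)
    genuine = [1000.0 + rng.gauss(0, 0.5) for _ in range(40)]
    return genuine + genuine[10:26]


if __name__ == "__main__":
    stream = constructed_stream()
    for idx, orig in find_replays(stream):
        print(f"window at sample {idx} repeats window first seen at {orig}")
```

Overlapping windows are compared, so a replayed block is flagged at every offset it covers; the first hit marks where the playback began.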

In January 2011, The New York Times reported that the US and Israel had jointly developed Stuxnet to sabotage Iran's uranium enrichment centrifuges, and that the malware was targeting a system of 984 machines linked together, identical to the configuration at Iran's Natanz enrichment complex.

Two months later, on March 17, RSA Corp. reported that its master database of token number generators, or "seeds", had been stolen in a hacker attack. RSA is a leading provider of SecurID devices, used by many corporations to let employees log in securely to corporate networks from remote locations. In the following weeks Lockheed Martin, an RSA customer, was targeted by a cyber attack that was attributed to the data stolen from RSA.

On March 31, Comodo, a leading provider of authenticated SSL certificates, reported that its site had also been breached by a hacker attack originating from Iran, but that the breach was detected and the compromised certificates revoked. It was later revealed that Comodo had also been attacked using data stolen from RSA, and that the Iranian hackers were able to issue digital certificates under Comodo's root certificate, compromising secure data transfer between Comodo's customers, which include Google, Yahoo, Skype, Microsoft, and Mozilla, and the entities that used their services.

On April 24, the Iranian government claimed to be the victim of a second Stuxnet-style computer worm, which it calls the "Stars worm", though there has been no third-party report of this worm outside the Iranian government. The Iranian government blamed SCADA manufacturer Siemens for this alleged worm. To date, it is not clear whether this second worm was actually another real cyberattack on Iran or whether Iran was over-reacting to some other Windows malware, mistaking it for a Stuxnet worm.

Shortly after Iran's reprisal attacks on US systems, on May 31, the Pentagon released parts of its official cyber strategy document, which states that any attack on US nuclear reactors, subways, pipelines or other automated systems will be considered an act of war. The Pentagon stated, "If you shut down our power grid, maybe we will put a missile down one of your smokestacks": a strong statement given that attributing cyber attacks to their culprits is not always possible or even likely, given the existence of tools such as anonymizing web proxy servers like proxy.org. The essential thinking in the Pentagon seems to consider the end effects of a cyberattack: if a cyber attack results in damage similar to that of a physical attack, then the cyber attack is equivalent to "use of force", the legal term for an armed attack on a country. The timing of the Pentagon's statement seems aimed at preempting any further actions by Iran against critical US networks.

The Obama Administration indicated its intention to fund an "internet in a suitcase" project that would quickly establish a wireless network over a large area, able to connect to the internet, in countries where governments were monitoring or shutting down communication networks. This project is to be financed by a two-million-dollar US State Department grant, and its intended targets are the governments of Iran, Syria, and Libya, among others. The project is said to be based on mesh networks, where each node in the mesh acts as a router relaying information from other nodes in addition to sending and receiving information of its own. Data is either broadcast or dynamically routed from any source to any destination node, with unresponsive nodes dropped automatically and new nodes added as they join the mesh. However, there are key logistical problems with the "Internet in a suitcase" project, such as ensuring that the hardware does not fall into enemy hands, which would compromise the project and aid the very regimes it targets. Iran responded with bravado that "Internet in a suitcase is no match for Iranian intelligence", though it failed to specify how it planned to defeat the operation of "Internet in a box" on Iranian territory.

All of the above events indicate that States all over the world are actively working to subvert or sabotage the networks of adversarial nations, while terming any such act against themselves a "use of force" or a political "act of war". This also raises the question of how technologically advanced States that are vulnerable to crippling cyber attacks can deter such attacks from adversaries. While the US escalated its response to Iran's attacks on US territory, the US response to potential Chinese attacks on US cyber infrastructure was the opposite. On June 14, Kissinger and Huntsman called for a bilateral agreement between the US and China that would designate some areas of cyberspace off limits for hacking. The ostensible reason for this detente between the US and China was to forestall a possible deterioration in relations if the issue was not addressed beforehand. This has led to increased calls from within various governments for a more organized structure to respond to cyber attacks, which is easier said than done. For one thing, States with opposing ideologies that join hands to form a common platform to defend against cyber attacks would be building on a foundation of contradicting goals and motivations, implying that such a platform may well never come into existence. This leaves the door open for States to continue Stuxnet-like attacks on each other's capabilities, with the more powerful States deterring less powerful ones by equating certain classes of State-supported cyber attacks with a "use of force" that requires a military response. It also motivates all nations to have their offensive cyber capabilities conducted by "citizens' groups" or by other means that let a State plausibly deny any involvement in a cyberattack.

Given the low rewards for States to cooperate in a global common cyber-defense platform, the chances are that the more technologically adept States will call for a truce, potentially deterring each other from provoking conflict, while less powerful States may well have to bear the brunt of cyber attacks from the more powerful ones, without the option of retaliating with force since they would not have the means to do so.


DISCLAIMER: This is an archived post from the Indian National Interest blogroll. Views expressed are those of the blogger and do not represent The Takshashila Institution's view.