Monday, October 25, 2010

Stuxnet: The Future of War Is Here

This may sound like science fiction, but it's not. It’s Monday morning. You’re sitting at work, in your firm’s cafeteria drinking coffee, when suddenly you spot a computer memory stick lying on the floor next to your table. You take it to the IT people, so they can return it to the rightful owner. They pop it into a USB port. . . it’s empty. A month later, your plant explodes. Think I’m exaggerating? I’m not.

With the rush to computerize everything, it was inevitable that the peculiar weaknesses of computers would be exploited for military purposes. For years now, the Chinese have been firing “cyber missiles” at American companies to steal their business secrets. In 2008, we saw Russia take down the internet across Estonia and Georgia with denial of service attacks from millions of infected Western computers; this disrupted government and military communications and spread panic. It is rumored that predator videofeeds can be (or have been) hacked. And we repeatedly hear of attempts to hack the Pentagon.

But those attacks were nothing.

Meet Stuxnet, an incredibly sophisticated computer worm that many are speculating was created by American or Israeli military cyber warriors. This is the future of war, and the first shot has already been fired.

Stuxnet was designed to get onto a computer system from a USB memory stick. . . the one you found in your cafeteria or next to your car or which was dropped into your coat pocket on the subway. Why use this method of transmission? Because most of the control systems that run industrial plants are intentionally isolated from the internet so they can’t be reached by hackers. The USB solution gets around that problem.

Once the memory stick is connected to a computer, Stuxnet exploits one of four separate, previously-unknown holes found in Microsoft Windows to load itself onto any computer into which the USB memory stick is placed (it is unheard of for ordinary hackers to reveal their knowledge of so many holes in one attempt). To achieve this, Stuxnet uses two compromised security certificates stolen from firms in Taiwan. Once it's on the computer, it first tries to find an internet connection. If it finds one, then it contacts a server in Denmark or Malaysia for instructions. If it can’t, then it spreads itself across the network looking for a backdoor to allow remote access.

This level of effort is highly unusual for a normal bit of malware. But what truly makes Stuxnet stand apart is that it was programmed with extensive knowledge of plant control systems manufactured by Siemens, as well as the blueprints of a particular target. What target? It’s not entirely clear (or if it is, no one is saying), but all indications are that Stuxnet was aimed at Iran (60% of the 45,000 infected computers are in Iran), with the Bushehr nuclear reactor and the Natanz enrichment facilities being the likely targets. Iran denies that any damage was done, though when this worm struck last year, the number of working centrifuges at Natanz mysteriously dropped.

So what can be done using such a worm?

Almost everything now runs on some sort of computer system, everything from the stock market to the electrical grid to air traffic control to traffic lights. Stuxnet reveals the potential for cyber attacks to be aimed at specific targets, like a particular electrical plant. Moreover, these attacks can be done without any trace or hint of where they came from. Thus, you could shut down the electrical grid in a country right before an invasion rather than bombing, or you could stop a pesky nuclear enrichment facility, or cut off a fuel supply. . . and it can all be done without anyone know who did it. There are few limits.

And how life-threatening can the damage be?

Well, for example, by tinkering at a nuclear power plant, you could recreate Chernobyl if you had the expertise. Or by shutting down the right valves, you could generate enough pressure to cause a natural gas pipeline to blow itself up. In fact, in 2004, it was claimed that a C.I.A. campaign of computer sabotage in Siberia in the 1980s caused a gas pipeline to explode when “the pipeline software that was to run the pumps, turbines and valves was programmed to go haywire, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to the pipeline joints and welds.” This resulted in a three kiloton explosion, so large it could be seen from space.

Now consider this. So many of the computer chips, the processors, the routers and everything else that we use in every single home, business, and military application today are made in China, often by companies that are owned or controlled by the Chinese military. Who needs to plant a USB stick when your enemy will buy infected gear right out of your hand? Indeed, in a fascinating report some months ago, it was revealed that the Pentagon has turned to chip scroungers to save money when they need old chips, rather than paying to have new ones made. These scroungers typically get the chips from Chinese sources who take them out of old computer gear. In several instances, these chips have been linked to crashes of jet fighters and, in one instance, an aircraft carrier lost its radar system for several hours when some of these chips failed. That’s not very comforting, especially for a military and a country that rely so heavily on technology.

Fortunately, under a new policy, the Defense Department is quietly moving into the business of defending critical US infrastructure from cyber attacks. Specifically, DOD will provide cyber expertise to other government agencies, including Homeland Security, and to certain private companies.

Let’s hope that for once, the government is up to the task.


30 comments:

Tennessee Jed said...

1) My being at work drinking coffee does sound like science fiction.

2) Best defense is to return to low tech!!

3) The Chinese are not now and have never been our friend. They own Al Gore, Bill Clinton, and The Socialist Democrat Party (lol!)

StanH said...

“Live Free or Die Hard” Cyber attack was the premise for that movie as well as several other blockbusters, though they are fiction the story is very real. We recently worked on a project that was about Cyber-Security. Some of their concerns were quite frightening, the good news the half dozen experts that were interviewed are hip to the problems, very sharp, and up to the task. But like all types of terrorism, we have to be correct a 100% of the time, the terrorist have to be right once.

AndrewPrice said...

Jed, I like your point number 1!

I don't think anyone will be returning to low tech any time soon. They will instead continue to try to add layers of defense to their systems. The problem with that is it's a lot easier to attack a system than it is to protect every a system against all possibility of attack.

I was particularly surprised to hear about the USB idea, because you would think that you could protect a system by leaving it off the net -- but apparently, this works.

And you're right about the Chinese, they are no anyone's friends.

AndrewPrice said...

Stan, I was thinking about Live Free of Die Hard the whole time I wrote about this. It is rather frightening to think of what is possible if you have dedicated hackers with a lot of real knowledge.

In this case, the knowledge of the Siemens systems were key. That's not the kind of knowledge that most average hackers have. But the fact that these people had it and could exploit it is what makes this type of attack so potentially devastating.

Fortunately, from what I've seen, the best minds are on our side -- both in terms of fixing and finding holes. I don't think they can stop everything, but if they can find ways to stop the worst of it, then the rest just becomes an inconvenience.

Ed said...

Wow! This is pretty incredible. If you set up your team in some country like Russia, you could attack another country like China and they would never know you did it. They would think Russia did it!

AndrewPrice said...

Ed, I'm not familiar enough with the workings of computers to know if there would be another way to determine country of origin within the code itself -- maybe by writing style or something like that. I do know that they were trying to investigate this Stuxnet worm by looking at the serve activity in Malaysia and Denmark to see where those servers were reaching out to. But I suspect you're probably right, that if you set up a self-contained site in another country, they probably would trace it to that country -- especially if you intentionally set out to "frame" that country.

Notawonk said...

this gave me shivers. any memory stick lying around waiting to start mayhem will now get my boot. is there anything we don't have to worry about?!

AndrewPrice said...

Patti, I have to admit that I never thought about that. I would have popped a memory stick into my computer, figuring that my virus checker would take care of it. Now I know better.

And this is scary stuff because the potential to do so much harm is out there and how can you anticipate everything?

AndrewPrice said...

P.S. Patti, this is one of those moments where I am glad that our government is doing something and I hope they get whatever resources they need to do the job right!

Ed said...

I'm with Patti, this stuff gives me the shivers. I don't think it would take much to really mess up our society, and I think it wouldn't take much at all to "frame" another country. What do you do then if you don't even know who is attacking you?

Unknown said...

Andrew: As far as I'm concerned computers are voodoo/black magic. But then I say the same thing about the internal combustion engine. I think I was born in the wrong century. Your article is particularly scary.

AndrewPrice said...

Ed, That's a good question. You can't bomb Denmark (or at least "shouldn't"). So what do you do? Assume it was China or Russia? And if we're susceptible, what would happen if someone orchestrated an attack on India and made it look like Pakistan? It is a new age.

AndrewPrice said...

Lawhawk, I hate to tell you this, but I think the internal combustion engine is here to stay. LOL!

The one thing I can say that should give us comfort on this is that people in the know are apparently working on these things all the time, and we apparently have the best in the world. So who knows what our real exposure is?

DUQ said...

Our local radio guy was talking about this on Friday. Thanks for explaining it.

AndrewPrice said...

DUQ, You're welcome. Who is your radio guy?

Joel Farnham said...

Andrew,

For the longest time, I didn't get on the internet because of viruses. I have owned computers almost from the beginning. 1982 to be exact.

This USB thing can be avoided if you take away the USB ports on on critical computers. The easiest way is to have no convenient way for input. It won't stop it all, nothing ever does, but it will prevent most of it.

AndrewPrice said...

Everyone, It looks like comments are disappearing (and re-appearing again). Sorry about that. Let's hope Blogger gets this sorted our quickly.

AndrewPrice said...

Joel, Completely isolating computer systems may be the only answer. And getting rid of USB ports would probably be part of that (same with cds, etc). But I'm not sure if that's even possible if these systems are to run.

Moreover, this won't help us if we are buying equipment from places like China and we have no way to know if the chips themselves are infected? I know there was some concern at DOD that they have no way to know what's on their routers and that they could contain code that lets someone breach them.

Also, this assumes that people know about the particular threat. I'd bet that not 1 in 100 IT guys even suspect that USB sticks could be a problem like this?

I suspect there are no easy answers on any of this.

Joel Farnham said...

Andrew,

I have been around IT guys. They already know about the vulnerabilities of computers. They are the most paranoid guys I have ever met.:-) You must be thinking about the people put in charge of those guys. IT guys usually have to deal with users getting onto social sites and computer gaming sites. Some of the best trojans are from Russia.

AndrewPrice said...

Joel, That is true, but the IT guys can't work in isolation, they do need to satisfy the management, who will insist on things like e-mail and internet access. And it doesn't solve the problem of systems that need to have access outside the building to, for example, to receive monitoring signals from remote locations.

Plus, they still need to find ways to upload updates to software, which may be another vulnerability. In fact, for all we know, Microsoft or Siemens or whoever were part of this?

And none of that solves the infected hardware issue.

I think the reality is that this is one of those things where people will continue to find a way, especially foreign governments, even if they need to infiltrate using a human presence. But I'm betting that in almost all cases, no human need actually step foot anywhere near the computers being targeted.

In terms of Russia, they definitely are the worst. The attacks on Georgia and Estonia, for example, were made from millions of computers in the US and western Europe that had been infected with Russian trojan horses.

BevfromNYC said...

Okay, YIKES!! But do any of you actually pick up random memory sticks? I say, no more pockets, so they can't just drop stuff in them. I'm going to hide under my covers and never come out...

And Andrew, I think you are wrong about the internal combustion engine. It will not survive Algore or the Obama administration...

AndrewPrice said...

Bev, You may be right! LOL! They certainly want to see the combustion engine go!

Actually.... um.... yeah, before I heard about this, I would definitely have popped it in to see what was on it. Especially if I found it in my office or my coat pocket, then I would have assumed it belonged to someone I knew. I know... I know... but if you can't trust something you find on the floor of your office, what can you trust?

Seriously though, this was a shocker. I honestly never thought about passing a virus in that manner, and in hindsight, I think it is pretty brilliant.

Joel Farnham said...

Andrew,

I don't think those failures of old computer parts were the Chinese fault deliberate or otherwise. Most computer failures of older models are because of whiskers. Whiskers are peculiar because until the computer age, no one really knew they existed.

http://nepp.nasa.gov/whisker/

NASA had satellite failures that couldn't be explained until they discovered whiskers. An older chip could be rendered useless when it develops whiskers. Whiskers are thin pieces of metal growing out of tin. They make connections where there aren't supposed to be connections on the microscopic level.

AndrewPrice said...

Joel, You are correct about the Chinese. The failure of those computer parts wasn't an intentionally designed failure, they failed because the Chinese lied about what the parts were. In this case, the military was looking for military hardened chips because of the temperatures and pressures they would endure inside an F-15, but the Chinese scroungers apparently took similar but not-hardened chips, and sold them as the hardened version. So when they were put into the F-15 in question, they failed, causing the crash.

The issue of infected gear was a parallel security concern pointed out by the investigation -- especially wireless routers, which they concluded could be collecting data and sending it off at prearranged times.

I hadn't heard of whiskers before, very interesting! Amazing isn't it?

Individualist said...

Joel and Andrew

There is a section of the GPO (Group Policy Objects) that allow you the ability to turn off access by the computer to USB ports. The GPO is essentially like the mainframe system settings for Windows machines. This is available only in Windows Vista and I am assuming also Windows 7.

Course if you turn it on you can't use thumb drives.

AndrewPrice said...

Individualist, That's good to know, though I suspect that if a government wanted to get a virus onto my machine, they could probably do it pretty easily.

I was actually really surprised when I read this because I never thought about getting something onto a computer using a planted USB stick, but having read it, it's now so obvious. And that makes me wonder what other methods are out there that I haven't even considered?

For example, I've heard things about cell phones being used now to pass viruses (particularly phones that synch up to your computer). It's a dangerous world.

DUQ said...

Quinn and Rose, I think they're syndicated.

Individualist said...

Andrew

If you really wantto freak yourself out look up what a Van Eck device is...

that is truly scary

AndrewPrice said...

DUQ, I've heard of them, but I've never heard them... if that makes sense. :-)

AndrewPrice said...

Individualist, Holy cow! In truth, I figured something like that was coming -- some ability to read data without actually physically entering the device. I understand that they can already use sound vibration off of windows to record what is being said in a room, so it makes sense that they would find some way to read the emissions of electronic gear. I guess this is the future.

Post a Comment