Stuxnet and the Future of Malware

Who was responsible for Stuxnet? This was a question I asked a number of security pros at the 2011 RSA security conference last month in San Francisco. The leading contenders were the obvious ones: the U.S. and Israel. However, a very good case was made (off the record, unfortunately) for a surprising dark horse: China.

“Sure, China relies on Iran for oil, and it is an ally of Iran at the U.N., but China doesn’t want a nuclear Iran any more than we do,” my source said. Compelling cases for this point of view can be found in a Forbes article from December, “Stuxnet’s Finnish-Chinese Connection,” and in a report to Congress from the U.S.-China Economic and Security Review Commission.

China has proven itself proficient at cyber-espionage and is most likely responsible for penetrating the U.S. electrical grid, as well as U.S. defense and intelligence networks, usually via thumb-drive-launched malware.

Is the private sector next?

There’s a case to be made that a Fortune 500 company has already been a cyber-espionage victim — or, more accurately, that a Fortune 500 company suffered collateral damage when it was caught up in state repression. That company was Google. The culprit was almost certainly China. The argument could be made that this is an isolated case, but it seems the Chinese government’s main target was its own dissidents, and it was merely a fortunate side benefit for China that it had also been at odds with Google for some time.

Thus, China wasn’t too terribly concerned about covering its tracks, avoiding detection or minimizing collateral damage. Warning shots are now a key component of cyber-espionage, it would seem.

Today, the biggest threat to the enterprise is still the insider attack. Those attacks aren’t bankrolled by nations, but how long will it be until a hostile or even shady and opportunistic foreign government notices this opportunity? How long until a bad-actor nation-state or a creative organized-crime network decides to start turning unhappy, underpaid or simply greedy insiders into intelligence assets in the same manner that nations have turned locals into spies for centuries?

In fact, some insider attacks are practically proofs of concept for state-sponsored or organized-crime-sponsored ones. The only missing ingredient is the link between the insider and a larger malicious entity willing to pay.

Logic bombs in everyday life

Stuxnet is, in part, a sophisticated logic bomb: a type of malware that lies dormant and kicks into high gear only when specified conditions are met. Logic bombs have long been suspected in several high-profile cyber-espionage attacks, including, but not limited to, the Google hack, the penetration of the U.S. electrical grid, some of the attacks that hit Georgia and Estonia during their conflicts with Russia, and U.S.-backed attacks against the Taliban and Serbia.

Even for national defense agencies, cyber-espionage is still far more theory than fact. Skeptics have long argued that the threat from cyber-espionage is overblown. “Show me the actual damage,” they say. Or as Rob Rosenberger writes on the security-hype-debunking site vmyths:

“Did a story in the Wall Street Journal say ‘Thousands of Georgians feared dead in Russian military cyber-attack’? NO. Did The Register announce ‘Russian army hackers make Georgian fuel pipelines flow backward’? NO. Did the U.S. Air Force website proclaim ‘Airmen deploy to Tbilisi to stop Russian military hackers’? NO. Remember this the next time the computer media gets infatuated with the notion of a cyber-war.”

Well, Stuxnet has done lots and lots of real-world damage. There’s no body count, nor were Iranian defense systems, say, turning themselves against Tehran, Terminator-style, but Rosenberger now has some of the evidence that was previously lacking.

Not to pick on Rosenberger (he knows a thing or two about security), but the signs pointing to something like Stuxnet have been around for a while. With security so often an afterthought, I have a hard time dismissing anyone who wants to get out ahead of the evolving threat landscape for a change. That said, Rosenberger, back in 2008, had a very valid point. A few years later, several high-profile attacks that hit the enterprise look to have plenty in common with Stuxnet.

Here are some highlights:

2010, Texas Auto Center – A vengeful employee, who had just been laid off, launched an attack through the company’s Webtech Plus software. He used the software, meant to aid with repossessions, to disable customer vehicles, flash their lights continuously and make their horns blare all day long. The dealership was besieged with angry calls and towing requests.

2008, Fannie Mae – A logic bomb from a contract engineer, who had recently been terminated, attempted to delete data on more than 4,000 servers.

2008, Wand Corp. – A laid-off tech support employee at this family-owned restaurant technology and management company launched a semi-successful logic bomb attack that crashed 25 computers and cost the company thousands of dollars to clean up.

2006, UBS – A UBS system administrator, angered over his “meager” annual bonus, launched a virus that, had it been successful, would have driven UBS’s stock price into the ground.