“Stuxnet is definitely not a military code, at least not a Western one” said Shai Blitzblau, Head of Maglan-Computer Warfare and Network Intelligence Labs, interviewed by Defense Update. “Stuxnet is a sophisticated and highly advanced code, but it lacks certain elements commonly associated with military operations” Blitzblau explains that the broad, indiscriminate attack on industrial computers launched by Stuxnet is not characteristic to a military operation, where the nation launching the attack tries to minimize collateral damage and focus on a specific target.

“Every student can write a module discriminating the target computer and localizing the attack to a specific target” Blitzblau added, “The fact that this sophisticated code does not have such elements, and certain aspects of the functionality of the malicious code, allege to the creators’ aiming Stuxnet to target Siemens industrial systems on a broad base, rather than a specific application as reported by the media.” In addition, a high level code aimed at Network Intelligence Operations would have an anti-anti debug mechanism to avoid forensic analysis.

Who could be the perpetrators behind this attack and what were their goals?

Blitzblau describes an act of ‘Advanced Industrial Espionage’ a deliberate cyber sabotage launched by someone against Siemens – this could be a competitor or service-provider, seeking to exploit the situation for business opportunities – first create the problem and then – help fixing it. But there are also other aspects to the attack that could tell a different story. “This could also be a ‘general test’, prior to a planned attack, or a proof of concept, initiated by an academic group – in the past we witnessed such attacks, for example, one attack was launched from Japan, on video drivers.” According to Blitzblau a military test going out of control is not an option here. “Military offensive cyber ops are not conducted this way and even when an intelligence agency conducts such tests they will go a long way to ensure that the test is limited to a specific volume and not spread it worldwide.” He said. Blitzblau attributes the widespread infection of industrial networks in Iran to low level of security and, apparently the high popularity of Siemens systems in the country. In fact, Stuxnet could have propagated from Belarus, and Russia unintentionally by Russian system engineers, using USB devices to update and program Siemens systems in Iran, Indonesia and India. The intensity of attack in Iran could illuminate the intensity of their activities associated with the nuclear projects in Natanz and Bushehr.

While the media attributed Stuxnet as a cyber weapon launched by Israel or the USA against Iran’s nuclear facilities, the possibility of it being a cyber weapon developed and launched by international terrorists’ organization has not been tackled seriously by the media. Yet, Blitzblau has a grim outlook as to the potential value of such cyber weapon in the hands of terrorist organizations. “International terrorist organizations certainly have the will, and means to launch such an attack, and they could gain the most from it – creating mega events like bringing airports, disrupting train traffic, cutting power supplies and utilities. “Even if they did not create it, they now have access to such a weapon, as Stuxnet is now in their reach, like a loaded gun. Despite the countermeasures developed by Microsoft and Siemens, there are many networks that have not been patched yet – some will never be protected. Blitzblau warns that the current attack will probably set the route for new vectors for cyber terror, as the malicious code is modified and manipulated into a range of new forms and variants. The vulnerabilities highlighted by the current attack will undoubtedly set the course for more attacks aimed at industrial controllers and embedded systems. With that, the risk of compromising military systems will grow dramatically; as such elements are widely used in military weapon systems.

Stuxnet uncovers the vulnerability of our infrastructure system – exposing the vulnerable interfaces between the logical and physical world, these elements are totally unprotected and open disastrous vulnerabilities to attack by cyber terrorism and cyber criminals.

“We have analyzed the code, and compared it to other, similar known malware, this new code has definitely the parameters of a ‘military code’, but it lacks some aspects one would expect to find in military cyber warfare application” Shai Blitzblau, Head of Maglan-Computer Warfare and Network Intelligence Labs, interviewed by Defense Update. Among these parameters are communications, encryption, internal self-protection (anti-anti debug) and certain methodologies that are followed by western cyber warfare specialists.

While Iran was marked as Stuxnet’s most popular target, other countries falling prey to the new malware were many third world nations where Siemens equipment is widely used and security and legal discipline in licensing and security methods are not strictly enforced. Stuxnet also attacked Indonesia, India, Russia, Belarus, and in Kirgizstan. What’s more important is where the Stuxnet didn’t attack – China and – most surprisingly – Germany, where only few systems were compromised yet none of the reports was confirmed!

“Siemens is reporting that industrial plants in Germany have also been hit by the Stuxnet worm. According to Wieland Simon, press spokesman at Siemens, approximately one third of the 15 infections discovered at industrial plants worldwide have been found at sites in German process industry sector. Siemens’ own plants are said not to be affected” simon added.

Although it was ‘discovered’ by the media in late September, Stuxnet is definitely not a new threat and, in fact, most of the vulnerabilities it exploited have already been ‘patched’. It was created sometime in January-February according to the ‘time stamps’ embedded into the compiled code. Initial anomalies related to the new threat were reported about two months later. Maglan received the new threat as part of our technical support services to some of our customers, who were hit by the malware. After thorough analysis we have uncovered several interesting aspects of the code that were not familiar before, and lead us to assume that Stuxnet was not created by a western cyber warfare organization. However, the great effort and resources invested in this code testify to its value to its creators, who spent great investments – financial, technical and in – most importantly, in assets considered scarce commodities among the hackers community.

Targeting Industrial and Infrastructure Systems

First, and most important, the code was not written by “home based” hackers – unlike most other malware codes, it is not directed against conventional windows systems, but specifically at industrial systems, by exploiting four different vulnerabilities (security ‘holes’ detected by hackers but not yet patched, three months ago, by the targeted software provider – also called ‘Zero Day’ exploits). Such Zero-Day Exploits are not spent easily by hackers, and would rarely be used in tandem, let alone in a ‘quad’ formation, testifying to the fact that the developer team had no limits on the use of resources.

Multiplicity and redundancy were also employed addressing the targeted operating systems. The creators of Stuxnet also went into great effort to ensure the malware covers all potential avenues of approach – including systems that rarely interest hackers – like WindowsCC, a Microsoft operating system designed for embedded systems. The code also targets all Windows platforms from Windows ME, XP, NT, Vista, 2000, 2003 and 2008 to the latest Windows 7 – again not a simple task for regular hackers. Other aspects of the code target specific vulnerabilities attributed to Siemens PSC7 systems, designed to control Programmable Logic Controllers (PLC) widely used in utility and industrial SCADA systems.

While each of these penetration axes operates independently, these parallel lines are coordinated and supporting each others to achieve the goal – ‘hijack’ as many PLCs as possible and burry embedding itself into the command and control hubs. The malicious code does not carry the type of spyware commonly found in other bots, but is rather ‘attack oriented’ – carrying a ‘payload’ in form of a set of commands designed to bypass those controlling the PLC, and carry out a set of actions as instructed by the hijacker.

Self Contained Weapon’s Payload

The carry out and control such attack the creators of Stuxnet embedded three separate means of communications in the code – two are considered ‘advanced’ and one ‘low level’. However, the code lacks communications elements that would enable a ‘nation state’ operation much more flexibility and control, having the capability and means to conduct operations in the proximity of the targeted site. One of the unique features of Stuxnet is the way its payload is ‘packed’ into the code.

Previous malware attacks employed a communications mechanism that could download the payload – the intelligence collecting ‘spyware’ or ‘attack’ from the command and control center – this enables the use of more compact code, better precision and more flexibility as the attack unfolds. Stuxnet has the payload built-in to the code, alluding to the fact that it was targeted against known targets and its creators had little consideration as to the collateral damage they create. Again, this methodology is rarely used among Western cyber warfare operatives.

Although the code was designed with remotely controlled ‘uninstall’ and termination function, these do not work properly in most cases, as the level of sophistication invested in this segment fall behind the general high standard of Stuxnet.

Countermeasures and Concealment

Nevertheless, the creators took great effort to conceal the malicious code from detection, in an effort to mask its existence, activity and objectives. For example, the malicious code was written as a ‘dynamic link library’ (.dll) commonly associated with hardware device drivers – software elements rarely considered a risk, since these they are written, signed off and distributed by hardware providers to support specific functions of such hardware. Users commonly download these devices as part of hardware installations and support and trust their own anti-virus scanners and the companies that provided the drivers for their security. Alas, Stuxnet exploited this vulnerability – it uses highly sophisticated anti-anti-virus countermeasures, addressing 38 (!) known anti-virus programs, not only few of the most common ones, as most hackers will do.

In addition, the code is digitally signed by VeriSign as genuine Siemens software. Later, Siemens reported that these signatures were stolen but did not explain how such sensitive material was compromised and reached hostile elements. Technically, ‘extracting’ such signature from existing products is possible, but this capability is beyond the reach of hackers and could be done only with massive computing power not available in non governmental levels. In this area, Stuxnet creators have again demonstrated they can be generous – to ensure their code is accepted, they used two different signatures – by chip Taiwanese makers JMicron and Realtek. The fact that these signatures are time-stamped in within more than a week of each other could testify as to the lengthy process of the preparation, testing and operation planning.

A Cyber Storm III exercise participant briefs Department of Homeland Security (DHS) Deputy Secretary Jane Holl Lute during the exercise kickoff at U.S. Secret Service headquarters in Washington, D.C. Photo: DHS

The U.S. Department of Homeland Security (DHS) launched today the ‘Cyber Storm III’, a drill testing the nations’ resilience under a simulated, deliberate international cyber attack aimed at the hubs of government, infrastructure and business.

The three day exercise is the third and largest in a series of annual cyber attack drills conducted outside the defense community. The current event involves more participants that past years, form the federal, state, and commercial sectors. Among the ‘defenders’ are players from seven government departments, 11 states, 12 different countries and 60 private sector companies. The exercise is managed by the DHS’s National Cyber Security Division (NCSD).

The cabinet-level departments participating in Cyber Storm III are from Commerce, Defense, Energy, Homeland Security, Justice, Transportation and Treasury. In addition, the White House and representatives from the intelligence and law enforcement communities will also attend the event. Eleven states are taking part – California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas and Washington. Among the participant countries are Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, and the United Kingdom (only four foreign nations participated in Cyber Storm II last year). DHS selected 60 companies from the private sector, to assess the effect of potential cyber attack on commercial services sectors, such as Banking and Finance, Chemical, Communications, Dams, Defense Industrial Base, Information Technology, Nuclear, Transportation, and Water.

The scenario developed by NCSD incorporates known, credible technical capabilities of adversaries and the exploitation of real cyber infrastructure vulnerabilities, resulting in a range of potential consequences – including loss of life and the crippling of critical government and private sector functions. By coincidence, such capabilities have surfaced in recent weeks, with the distribution of a new malicious code called Stuxnet, spreading through industrial systems and infrastructure networks. Such code has the potential to penetrate highly protected systems, including networks that are completely isolated from the internet, to conduct espionage, disruption or deliberate attack.

The ‘defenders’ could face over 1,500 separate events; some will be subtle, with only few hints indicating ongoing penetrations into computerized systems. Other events will be more dramatic, demonstrating the resulting effects to compromised networks. They will have to identify the ongoing attack in real time, mitigate the compromises and vulnerabilities that allowed it to occur, and deal with the possible consequences to compromised systems. “At its core, the exercise is about resiliency – testing the nation’s ability to cope with the loss or damage to basic aspects of modern life.” DHS officials explain, adding “the Cyber Storm III exercise scenario reflects the increased sophistication of our adversaries, who have moved beyond more familiar Web page defacements and Denial of Service (DOS) attacks in favor of advanced, targeted attacks that use the Internet’s fundamental elements against itself – with the goal of compromising trusted transactions and relationships.”

Cyber Storm III provides the DHS with the first opportunity to assess and strengthen cyber preparedness and resilience of the nation’s critical infrastructure and key resources (CIKR) – evaluating how the collective cyber preparedness and response capabilities perform against realistic cyber attack. It will also provide the first opportunity to assess the newly-developed National Cyber Incident Response Plan (NCIRP) – a blueprint directed by President Barack Obama, for cybersecurity incident response. The exercise will examine the roles, responsibilities, authorities, and other key elements of the nation’s cyber incident response and management capabilities and use those findings to refine the plan. It will also test the new, National Cybersecurity and Communications Integration Center (NCCIC) inaugurated in October of 2009, which serves as the hub of national cybersecurity coordination.