12 March 2017

Stuxnet ushered in era of government hacking, say experts

By Charles Poladian

When cybersecurity researchers discovered the computer worm known as Stuxnet in 2010, they reacted with a mix of excitement and anxiety.

The excitement came from the apparent sophistication that went into crafting the malicious code designed to harm Iran's nuclear program by causing centrifuges to spin rapidly out of control. But there was trepidation, too: If one government had the technical prowess to launch such a devastating cyberattack, it wouldn’t be long before others followed suit.

Symantec researchers Liam O’Murchu and Eric Chien, two of the first cybersecurity experts to analyze Stuxnet, say that time has arrived. 

“When we first started looking at Stuxnet, we had, maybe, one or two attacks we believed were nation-state related. Now, we’re looking at over 100 campaigns from all over the world,” Mr. O’Murchu told Passcode.

O'Murchu and Mr. Chien are among the cadre of cybersecurity professionals and intelligence officials interviewed for Alex Gibney's new film "Zero Days" that explores how Stuxnet sparked a global cyberweapons arms race.

"It's opened the door to potential destructive attacks,” said Adam Segal, a senior fellow at the Council on Foreign Relations and the author of “Hacked World Order,” a book about how cyberspace has become a geopolitical battlefield. “Everybody had kind of thought before Stuxnet that attacks on industrial control systems were possible, but Stuxnet brought that into the realm of reality.”

Mr. Gibney's film follows the history of Stuxnet from its likely development during the President George W. Bush administration, to when it infected Iranian computers. The US has not officially admitted to creating the computer worm but many experts say it was the product of American and Israeli intelligence agencies. 

“What’s interesting about Stuxnet was that it was spreading all over the world,” said Chien, who also examined Stuxnet first hand in 2010.

The Symantec researchers discovered that the worm automatically scanned infected computers for Siemens automation software, which many industrial companies around the world use to control their facilities. It would then override and take over that software, while also hunting for other vulnerable computers on the same network.

“It wasn’t just attacking Iran or Natanz. It had the capability, and it did, infect any Windows computer anywhere in the world as long as it was connected to the internet,” Chien said. 

While security researchers have not turned up any cyberweapons as advanced as Stuxnet, many say the worm's discovery compelled governments around the world to start investing heavily in their technical abilities to craft digital weapons.

For instance, Iran has ramped up its own cyberwar capabilities since 2010, according to a number of security research reports. Two years after the Stuxnet discovery, US intelligence officials blamed Iran for a computer virus that hit 30,000 computers used by Saudi Aramco, the massive oil company owned by the Saudi Arabian government. Attackers erased documents, spreadsheets, emails, and other sensitive company files and replaced them with an image of a burning American flag.

Tehran-backed hackers have emerged as among the largest threats to US cyberspace, according to Joseph Loomis, chief executive officer of Cybersponse, a threat intelligence firm. As proof, Mr. Loomis cited the 2013 breach at a dam in upstate New York. The hack did not result in any damage, but attackers appeared to access a computer that controlled the supervisory control and data acquisition system at the dam, according to a US indictment.

“This is an attack that everyone should be concerned with," said Mr. Loomis. "Attacking industrial control systems will certainly impact thousands if not millions of people, including way of life.” 

What's more, the US Department of Justice indicted seven suspected Iranian hackers for allegedly launching distributed denial of service attacks against American financial institutions. The attacks, starting in 2012, involved waves of web traffic that attempted to knock the targets offline, disrupting business and ideally (from an attacker’s standpoint) creating havoc in the marketplace.

“I think it’s fair to say that all national state hacks and capabilities have increased since the exposure of complex malware code [in Stuxnet],” Loomis said, referencing similar attacks that have been carried out by suspected Chinese, North Korean, and Russian hackers. 

But it's not just Stuxnet that invigorated a global cyberarms race, say experts. The disclosures by former National Security Agency contractor Edward Snowden also hastened the competition, said Mr. Segal at the Council on Foreign Relations.

“You see a range of activity right after the Stuxnet exposure, such as Russia rewriting a lot of its code for industrial control systems or India started accelerating some areas for industrial control systems," said Segal. But, he said, "a lot of the action since then seems to have been motivated in large part to the Snowden exposures in regards to espionage and mass surveillance."
