Mission possible: Stuxnet worm attacks no longer just Hollywood hype

Commentary - Recent revelations about the wide-scale and targeted Stuxnet worm attack directed at a nuclear power plant in Iran should raise red flags to all IT security professionals and managers of critical infrastructure facilities such as power plants, air traffic control sites and government agencies around the world.

For years there have been many Jason Bourne or Mission Impossible type movies and best-selling novels centered around rogue hackers, fringe government operatives and assorted bad guys finding a way to break into a government facility, financial institution or a power company and shutting down the network, disrupting service or removing some secret information. In fact, the plot of the movie “Ocean’s Eleven” centered around George Clooney, Brad Pitt and others knocking out the power in Las Vegas so they could rob multiple casinos.

But until the Stuxnet worm came to light, these types of attacks were more Hollywood fantasy than cyber-reality. Now the game has changed and the Stuxnet worm attack is bringing up important IT security issues that need to be addressed.

Media reports indicate that during the first week of October Iranian officials have acknowledged that the Stuxnet worm has infected at least 30,000 Windows PCs in the country, among them some used by workers at the Bushehr nuclear power plant.

Stuxnet is a perfect example of an advanced persistent threat
Thanks to Stuxnet we've been hearing a lot lately about Advanced Persistent Threats (APTs). What are they? Are they really anything different than the malware and viruses we've seen for decades? They are, and the Stuxnet worm flooding the news is a perfect example why.

First off, Stuxnet is advanced. Very advanced. It takes advantage of four zero-day vulnerabilities, uses two different valid (stolen) digital certificates, and contains dozens of encrypted code blocks. It uses a rootkit to hide itself, peer-to-peer capabilities for remote command and control, and alters its behavior based on the systems on which it is infecting. Utilizing a nasty vulnerability within the Windows Shell, the attack occurs upon simply viewing files within Explorer.

Secondly, it is a targeted attack. Unlike common worms and malware, its goal is not to spread everywhere or to anyone. It was designed specifically to target SCADA (supervisory control and data acquisition) systems, or industrial control systems like those used in power plants and other critical infrastructure locations. Among other behaviors, it is designed to reprogram the PLCs (programmable logic controllers) used in these systems. The advanced nature of the worm, along with its very specific targets, helped Stuxnet elude detection for months, perhaps even a year. Targeted attacks often fly below the radar of the major antivirus security vendors.

A new weapon of mass destruction
Lastly, most experts agree, the Stuxnet worm is the work of organized, and quite likely state-sponsored, professionals. Its creation required detailed knowledge of the SCADA systems being targeted, it was written using multiple languages, and it rivals many commercial applications in both complexity and stability (it’s hard to perform all of the work Stuxnet does without crashing or destabilizing a system, risking detection). At nearly 500KB in size, it is notably larger than most malicious worms we’ve seen. These observations suggest that a team of engineers developed Stuxnet over a significant period of time – something that requires commitment and more importantly, money.

Aside from being more advanced than traditional attacks, it is different in motivation (purpose and target) and generation (who created it). Kudos to the army of security researchers that have, and are continuing to, dissect this worm. But the most notable attribute of Stuxnet is, in my opinion, its initial entry point. The attack initiated from a simple USB stick, just like the one in Operation Buckshot. All the sophisticated techniques in its arsenal, and Stuxnet still needed to be physically inserted into “patient zero.”

And therein lies two important lessons: Number one is that the host computer is still the most vulnerable point of an infrastructure. All the perimeter defenses in the world (IPS, IDS, firewalls, etc.) would not have stopped Stuxnet (or the DoD attack involved in Operation Buckshot). It was delivered directly to an endpoint. It’s like a building with motion sensors in every hallway with office doors that open directly to the outside world. Why bother navigating the hallways when you can walk right into a room?

Number two traditional reactive and signature based technologies will continue to fail at detecting these new and unknown attacks. Don’t you think there were antivirus products on at least some of the estimated 45,000 computers infected by Stuxnet?

There is advanced threat protection on the market that would have stopped Stuxnet from ever executing in the first place – with or without the Windows Shell Explorer flaw. If a file is not approved, it cannot execute, whether or not the execution is explicit or via some unknown vulnerability.

A number of experts have commented that Stuxnet marks a new era in cyber-warfare. I agree. Advanced threats like Stuxnet are the new weapons of mass destruction. Just as the attackers and their methods have evolved, the defenders and our methods must as well.

biography
Harry Sverdlove is the Chief Technology Officer for Bit9, an industry leader in Advanced Threat Protection solutions that aim to eliminate the risk caused by malicious, illegal and unauthorized software.