Stuxnet is not just another worm, or cybercrime toolkit. It is perhaps the most sophisticated industrial sabotage tool to emerge so far. The good news? This does not infect your home or office PC. The bad news: It is directed to take control of complete industrial plants and systems.
This has been a busy summer and looks to be an even busier fall for malware and threat analysts. The Stuxnet worm has got all manner of experts, ourselves included, analyzing its deepest and darkest orifices. Having examined the worm, we find it difficult, on the one hand, not to admire the way it has been engineered and project managed; on the other hand, we are dismayed at the range of its capabilities.
“Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of antivirus technologies and their weaknesses,” stated Aleks, a Kaspersky Lab Expert and one of the main researchers, in his incident write-up this week.
In one sense, the arrival and potential consequences of Stuxnet -- or something similar to it -- have been anticipated hypothetically for some time, but its arrival brings a sobering reality: industrial espionage on a level that could make the Clearwater Horizon oil spill in the Gulf look like a minor incident.
So what makes Stuxnet so special? Well, it is highly selective and targeted. It can be installed on a PC without any visible effect. Only when the PC is running WinCC (Windows Control Center, a PC-based process visualization system) and Siemens SCADA (supervisory control and data acquisition) software, and is connected to industrial PLCs (programmable logic controllers), does it go to work. It is structured to control all manner of industrial plants, energy complexes, critical infrastructures, and numerous other processes run from such a system.
Actually, this kind of vulnerability is old news that was first reported by Cisco and patched back in July. What makes Stuxnet so special is the multiple vulnerabilities that it exploits. As a Kaspersky Lab announcement states: “This makes Stuxnet truly unique: it is the first threat we have encountered that contains this many surprises in a single package.”
Among the vulnerabilities recently patched on September 14 is the Windows Print Spooler Service Impersonation Vulnerability that can send malicious code via a printer, either shared-access or networked. Still awaiting correction are two “Elevation of Privilege” vulnerabilities.
So who is behind Stuxnet? It is clearly not targeting financial institutions or hapless PC users, so a quick grab-and-run is not the intention. Back in July, Symantec reported that nearly 60 percent of Stuxnet attacks were found in Iran. So intelligence gathering and industrial sabotage are its most likely aims -- taking into account the use of stolen trusted Realtek and JMicron digital certificates.
Quite clearly, the ongoing system problems Iran is having with bringing online the Bushehr nuclear power plant help to provide a few pointers.
While many could be tempted to feel reassured that this is only targeting one country’s industrial infrastructure, Stuxnet has now infected between 90,000 and 100,000 systems worldwide. Initially, back in July, Siemens reported just two cases where SCADA systems (i.e., complete plants) were infected. Currently, 15 have been detected, and so far it would appear that no critical infrastructure or production industry has been infected.
Such infected industrial plants are now also in Korea, the US, and the UK. Just as a reality check: When compared with Conficker, which infected millions of PC systems, 15 infected SCADA-based processing plants does not sound like much to concern us. But to help visualize the potential scale -- and without wanting to be alarmist -- just consider: That could be 15 Clearwater Horizon Gulf operations, 15 New York subway systems, 15 Three Mile Islands, or 15 Chernobyls.
— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com