A New York Times report on Friday about the U.S government’s extensive involvement in the Stuxnet attacks against Iran is sure to trigger a sharp increase in state sponsored cyber attacks against American businesses and critical infrastructure targets, security experts warn.
The dramatic report in The Times described how President Obama, and his predecessor President Bush, had overseen the development of a secret and highly sophisticated U.S cyber campaign to disrupt and degrade Iranian nuclear capabilities.
The story, which quotes several unnamed sources, describes how Stuxnet was designed by security experts in Israel and the United States to disable centrifuges used to purify uranium at Iran’s Natanz nuclear facility.
It talks about how Obama decided to accelerate the cyber attacks — codenamed “Olympic Games” by the Bush Administration — even after being informed that Stuxnet code had accidentally become public in the summer of 2010 and had begun attacking industrial control systems in other countries as well.
The Stuxnet attacks temporarily took out nearly one-fifth of the 5,000 centrifuges that Iran had operating at Natanz in 2010 and caused considerable delay to the program.
The attacks marked the first time that a computer worm was used to cause physical damage to property, prompting many to call Stuxnet the most sophisticated piece of malware that had ever been crafted.
The Times’ story confirms what many security experts have been openly hinting at for several months now about U.S. involvement in Stuxnet. Alan Paller, director of research at the SANS Institute, said the revelation dramatically alters the cybersecurity landscape.
The public airing of the U.S. involvement in Stuxnet is going to make others bolder about launching similar attacks against the country using the same kind of tactics and cyber weapons, he said. “We are now going to be the target of massive attacks,” Paller said.
“For a long time everything has been under the radar,” he said. “No one was really sure that the U.S. was practicing this kind of activity. The U.S. has acted like it was an innocent victim” of state sponsored attacks by other countries, he said.
“But behavior will change when there’s no longer an argument” about the U.S sponsoring cyber attacks on other nations, he said.
The one positive fallout from Friday’s news is that it will force U.S businesses and critical infrastructure operators to pay more attention to securing their defenses. It is not longer a question of if, but when other nations are going to come after U.S. cyber assets, Paller said.
“We now as a nation have painted a huge target on our back,” said Mike Lloyd, chief technology officer at security vendor RedSeal Networks. By choosing to develop and use cyber weapons such as Stuxnet, the U.S. has basically exposed its own companies and networks to the same kind of threats, Lloyd said.
“One of the clear lessons from history is that people in conflict tend to use what their opponents have used,” he said. Friday’s disclosure should drive home to everybody how cyber weapons are in fact being used to settle political conflicts around the globe, Lloyd said.
“You got to realize this kind of fight is going on and that it will be coming to you soon,” he said. What’s worrisome is that unlike Iran, where the targets of such attacks were state-owned, most critical infrastructure in the U.S. is privately owned and defended, he added.
Ironically, the ability of hostile entities to attack U.S. targets may only have been bolstered by Stuxnet.
For one thing, the worm has attracted broad attention to vulnerabilities in the supervisory control and data acquisition (SCADA) systems that are used to control equipment at critical infrastructure facilities such as power utilities, water treatment facilities and nuclear power plants.
Such systems are considered to be an especially weak link in the U.S. critical infrastructure and successful attacks against them could have serious consequences.
In fact, U.S. concern over SCADA vulnerabilities are so great after Stuxnet that two researchers were persuaded to abandon a talk they were scheduled to make on the subject at a security conference last year.
The researches were scheduled to talk about how they had written malware capable of exploiting flaws in a Siemens Programmable Logic Controller (PLC) system of the sort targeted by Stuxnet, but decided to pull the talk after the U.S. Department of Homeland Security (DHS) expressed concern.
Stuxnet’s success in damaging Iran’s nuclear centrifuges has also inspired others to try and emulate the worm. One example is Duqu, a Stuxnet-like piece of malware targeted at industrial control systems.
Unlike Stuxnet, Duqu was designed to only steal information from SCADA systems that could then presumably be used to craft an attack against such systems at a later date. The malware, christened “Son of Stuxnet” by the security firm Symantec, is believed to be the work of a group with state support and deep pockets.
Another piece of malware with apparent connections to Stuxnet is the recently discovered Flame, an information stealing malware.
News about the American role in Stuxnet is likely to take some of the air out of U.S. complaints about China launching cyberattacks against U.S. businesses, as well as government and military networks. Over the past few years, senior U.S. officials have routinely blamed China for attempting to steal government and military secrets, as well as intellectual property, from U.S. networks.
“It basically points out that the U.S. does not occupy higher ground than China, as far as state-sponsored malware [goes],” said John Pescatore, an analyst with Gartner.
The main point, though, is not to get hung up on who is doing the attacks but on how they are being carried out, he said.
“I have no inside information whether the Times piece is accurate or not but I’m sure the U.S., U.K., China, Israel, and at least France if not other countries have offensive malware capabilities that they have used, prior to Stuxnet,” Pescatore said.
“[But] what Stuxnet and now Flame point out is that such malware takes advantage of glaring weaknesses in IT security,” he said. “There are no unstoppable objects in cyberattacks.”
Media attention has tended to focus on the authors of such malware, Pescatore said. What enterprises need to be focusing on are the vulnerabilities in enterprise systems processes and people that such attacks seek to exploit.
“Security managers must focus on avoiding or reducing the damage from advanced targeted threats by eliminating or mitigating the vulnerabilities that they exploit,” Pescatore noted.