Stuxnet, the computer worm discovered in 2010, is widely believed to have damaged Iran’s uranium-enrichment centrifuges at the Natanz facility by altering the code running on the Siemens programmable logic controllers (PLCs) that drove them. Early reports that it brought the Bushehr nuclear power plant to its knees were not borne out; the documented physical damage was to the enrichment centrifuges, and with them Iran’s enrichment schedule.
Security researchers paid particular attention because Stuxnet crossed from the digital world into the physical one: it is the first publicly known cyberweapon designed to cause physical damage to industrial equipment.
A new class of cyberweapon can now reprogram the industrial control systems that run electrical generating plants, oil refineries, gas pipelines and other parts of the national infrastructure. The goal of such an attack is to manipulate the physical equipment the control system operates so that it behaves contrary to its intended purpose; the most obvious uses are sabotage, industrial espionage and cyberwarfare.
Evidence is coming to light that Stuxnet and its close cousin, Duqu, could be just the tip of the iceberg in the cyberweapon development process, according to researchers at two of the world’s foremost computer security companies.
According to researchers at Symantec Corp. in the United States and Kaspersky Lab in Russia, Stuxnet and Duqu appear to be the first known products of a larger weapons-development platform. The code is built so that an operator with intermediate skills can modify it, and so that it can be repurposed for different targets and missions at minimal cost and effort.
If that platform, or modules from it, ever leaked or were copied, nation-state-grade cyberweapons would be within reach of terrorist groups and criminals.
While studying Stuxnet, researchers identified at least seven other files built from the same design. Two are used by Stuxnet and two by the newly discovered worm, Duqu; the remaining three are thought to belong either to unknown versions of those two worms or to other tools built on the same platform that may be in operation now.
Costin Raiu, head of Research and Development for Kaspersky Lab, explained, “Stuxnet’s creators used a [software] platform to package and deliver it, because they wanted to be able to make many cyberweapons easily and be able to change them rapidly for targeting and attack.
“Let’s imagine you want to steal documents. You don’t need the sort of sabotage capability built into Stuxnet, so you take that off. Instead, you use the same platform to create targeted malware, but perhaps focusing on espionage instead. That’s Duqu.”
According to Symantec, Duqu is “nearly identical to Stuxnet, but with a completely different purpose.”
While Stuxnet was designed to cause physical damage, Duqu collects data from infected computers and sends it back to its operators. Believed to be an industrial-espionage tool, Duqu has been found on the computers of seven or eight European companies involved in developing industrial equipment and software.
Duqu shares much of Stuxnet’s code, but because it exists only for espionage, only part of the Stuxnet code base was carried over into it.
Liam O Murchu, Symantec Security Response’s manager of operations, said Symantec’s research corroborates Kaspersky’s findings.
“We’ve done the same analysis Kaspersky has, and seen the same timelines, dates, encryption keys; we think Stuxnet and Duqu are made by the same team, with the same goal. … They can change [the software weapon produced on the common platform], manipulate it, and have different payloads.”
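The kind of evidence both teams describe, shared build artifacts and shared encryption keys across files, can be turned into a reproducible clustering step. The following Python is an added example, not code from the article, Kaspersky Lab or Symantec: it groups sample files that share byte-sequence “shingles” (the idea behind fuzzy hashes such as ssdeep) or that embed the same known constant, such as a reused key. Every sample, the loader stub, the payloads and the key value are constructed placeholder byte strings; a real analysis would read driver binaries from disk and use larger, content-defined chunks rather than fixed 8-byte windows.

```python
"""Cluster malware samples by shared code fragments and shared constants.

Added example: not code from the article, Kaspersky Lab or Symantec.
Every sample below is a CONSTRUCTED byte string standing in for a driver
file; real tooling would read the binaries from disk and use larger,
content-defined chunks rather than fixed 8-byte windows.
"""
import hashlib
from itertools import combinations

WINDOW = 8  # bytes per shingle (hypothetical choice for this demo)

# Constructed stand-ins for a shared platform loader, two mission-specific
# payloads and a reused key. All values are arbitrary placeholders.
LOADER = bytes(range(0, 64))              # "platform" code common to variants
PAYLOAD_SABOTAGE = bytes(range(64, 96))
PAYLOAD_ESPIONAGE = bytes(range(160, 192))
KEY = bytes.fromhex("deadbeefcafebabe0badf00d13371337")  # placeholder key

SAMPLES = {
    "sabotage_variant":  LOADER + PAYLOAD_SABOTAGE,
    "espionage_variant": LOADER + PAYLOAD_ESPIONAGE + KEY,
    "unrelated_tool":    bytes(range(255, 159, -1)),   # shares nothing
    "key_only_variant":  bytes(range(96, 160)) + KEY,   # shares only the key
}
KNOWN_CONSTANTS = {"platform_key": KEY}


def shingles(data, window=WINDOW):
    """Hash every sliding window so two files share a shingle exactly when
    they share a byte sequence at least `window` bytes long."""
    if len(data) < window:
        return {hashlib.sha256(data).digest()[:8]}
    return {hashlib.sha256(data[i:i + window]).digest()[:8]
            for i in range(len(data) - window + 1)}


def jaccard(a, b):
    """Similarity of two shingle sets: 1.0 is identical code, 0.0 none shared."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def shared_constants(data, constants=KNOWN_CONSTANTS):
    """Names of known constants embedded verbatim in `data`."""
    return {name for name, value in constants.items() if value in data}


def cluster(samples=SAMPLES, threshold=0.3, constants=KNOWN_CONSTANTS):
    """Group samples that either share enough code (Jaccard >= threshold) or
    embed a common known constant. Returns {sample_name: cluster_id}."""
    parent = {name: name for name in samples}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    sh = {n: shingles(d) for n, d in samples.items()}
    consts = {n: shared_constants(d, constants) for n, d in samples.items()}
    for a, b in combinations(samples, 2):
        if jaccard(sh[a], sh[b]) >= threshold or (consts[a] & consts[b]):
            parent[find(a)] = find(b)
    ids = {}
    return {n: ids.setdefault(find(n), len(ids)) for n in samples}


def similarity(a, b, samples=SAMPLES):
    """Pairwise code similarity between two named samples."""
    return jaccard(shingles(samples[a]), shingles(samples[b]))


if __name__ == "__main__":
    for name, cid in cluster().items():
        print(f"cluster {cid}: {name}")
    print("sabotage vs espionage:",
          round(similarity("sabotage_variant", "espionage_variant"), 3))
```

Run as a script it prints one line per sample with its cluster id. The two variants that share the loader land in one cluster on code similarity alone; the sample that shares only the key joins the same cluster through the constant check, even though its code similarity is far below the threshold; the unrelated tool stays separate. This is why analysts weigh shared keys and build artifacts alongside raw code overlap.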
Building programs from reusable code has been standard development practice for years: “modules” of code are recycled into new programs at far lower cost than writing them from scratch. Because a reused module has already been exercised in earlier builds, it needs less testing than freshly written code, so programs ship faster and more cheaply.
Modules can also be rearranged like building blocks by people with fewer programming skills, which greatly widens the pool of people who can assemble a working program. Modular code is like a car factory’s platform: the chassis stays the same while the engine, interior, paint, radio and other options are swapped, producing a car with a completely different look and performance on the same frame.
Ed Skoudis, cofounder of the security firm InGuardians, agreed with Kaspersky and Symantec. He said, “It makes tremendous sense; look at the effort needed to produce Stuxnet. You wouldn’t want to do it in a way that was (one of a kind). You would want to produce a process that could reuse the parts.”
As an example, Skoudis pointed to the United States and its efforts to build the first atomic bomb.
“When the U.S. built the atom bomb, it wasn’t just the one. We had an infrastructure and platform for building additional weapons,” Skoudis said. “Whoever built Stuxnet got a lot of money and a lot of smart people working on it. It just makes sense that creating these kinds of weapons should be repeatable – and that some set of fingerprints are left behind that shows that.”
States such as China, India and Iran, as well as non-state groups including some based in Yemen, are reported to be training their own offensive cyber operators. Most of these recruits lack the skills of seasoned developers, so reusable attack code lowers the bar: it lets them attack countries, infrastructure, businesses and individuals with less skill and less training.
Some commentators have gone further and described the 2008 economic crash as deliberate “economic terrorism” against the United States by cyberterrorists trained in these countries. No public evidence supports that claim, and it is not a finding of the Stuxnet or Duqu research.
Analysts expect 2012 to bring more attacks on industrial control systems. Many of them will be reconnaissance, but every probe of the electrical grid and of major industrial plants moves the country closer to the point where a major failure of the grid, or of the facilities that supply fuel, food or medical care, becomes possible.
The odds of an attacker getting through a target’s defenses also rise simply because far more people will be able to launch attacks with this style of cyberweapon.
As Raiu said, “These are not normal line weapons, but the highest tech possible to wage cyberwar and cybersabotage.”