Stuxnet: War 2.0

The virus that attacked Iran's nuclear facilities marked the beginning of an era of cyber wars.
Is the world on the verge of a military IT revolution?

"I don't know what kind of weapons they will fight with in the third world war, but in the fourth one stones and clubs will be used."
Albert Einstein

In late September, it became known that the Stuxnet virus had caused serious damage to the Iranian nuclear program. Exploiting operating system vulnerabilities and the notorious "human factor", Stuxnet successfully hit 1,368 of the 5,000 centrifuges at the uranium enrichment plant at Natanz, and also disrupted the launch schedule of the nuclear power plant in Bushehr. The customer is unknown. The contractor was a careless Siemens employee who inserted an infected flash drive into a workstation. The damage inflicted on Iran's nuclear facilities is comparable to what an Israeli Air Force strike would have caused.
The world began to speak of wars of a new generation. Cyber attacks can be ideal tools for the next wars: they are swift, effective in their destructiveness and, as a rule, anonymous. Today, states are hurrying to agree on a joint strategy to counter cyber threats. What will tomorrow bring? Unfortunately, the most realistic answer to this question is still Einstein's gloomy aphorism.

Iran is helpless against the techno-threat

Editorials in the world press are flooded with dark prophecies about the advent of technological wars. Experts from a wide range of fields, from IT security to linguistics and anthropology, are wrestling with the puzzle of Stuxnet, the virus that infected Iran's nuclear facilities. Antivirus labs had known about Stuxnet for some time, but the world learned of the true scale of the infection only in late September, when the delay in launching Iran's first nuclear power plant at Bushehr became known. Although Ali Akbar Salehi, the head of the Atomic Energy Organization of Iran, said that the delay in launching the plant was in no way related to the virus, Mark Fitzpatrick of the International Institute for Strategic Studies noted that this sounds "not very serious," and that Iran is inclined to hush up real problems at its nuclear facilities. Some time later, Mahmoud Jafari, the project manager of the Bushehr station, "let slip". According to him, Stuxnet "hit several computers, but did not cause any damage to the main operating system of the station." Sapienti sat. Iran's nuclear facilities at Natanz also suffered very seriously: 1,368 of the 5,000 centrifuges were disabled as a result of Stuxnet's actions. When Mahmoud Ahmadinejad, after the UN General Assembly session, was asked directly about the technological problems with the nuclear program, he only shrugged his shoulders and did not respond. Note that according to the New York Times, the damage done by the virus in Iran is comparable, perhaps, to that of an Israeli Air Force strike.

Author! Author!

For obvious reasons, the Stuxnet developers prefer to keep a low profile, but it is clear that the complexity of the virus can be called unprecedented. Creating such a project requires huge intellectual and financial investment, which means that only structures on the scale of a state can afford it. All experts agree that the virus is not the work of a "group of enthusiasts." Laurent Eslo, head of security at Symantec, suggests that at least six to ten people worked on Stuxnet for six to nine months. Frank Rieger, Technical Director of GSMK, supports his colleague: according to him, the virus was created by a team of ten experienced programmers, and the development took about six months. Rieger also gives an estimated cost for creating Stuxnet: at least $3 million. Evgeny Kaspersky, general director of Kaspersky Lab, speaks of the military purpose of the virus: "Stuxnet does not steal money, does not send spam and does not steal confidential information. This malware was created to control production processes, literally to manage huge production facilities. In the recent past, we fought cyber criminals and Internet hooligans; now, I fear, the time of cyber terrorism, cyber weapons and cyber warfare is coming." Tillmann Werner, a member of the Honeynet Project community of Internet security experts, is sure that lone hackers are not capable of this. "Stuxnet is so advanced from a technical point of view that it should be assumed that experts from government agencies took part in the development of the malware, or that they at least provided some assistance in its creation," Werner said.
Photo caption: Meir Dagan, head of the Mossad
In the course of analyzing Stuxnet, some media concluded that Israel is behind the creation of the virus. The first to speak of Israel's involvement in the attack on Iran was John Markoff, a journalist for the New York Times, who reported that analysts had highlighted the name of one of the code fragments, "myrtus". Translated into Hebrew, "myrtle" sounds like "Hadas", which in turn is consonant with the name "Hadassah" belonging to Esther, the heroine of Jewish history who saved her people from destruction in the Persian Empire. Drawing an analogy with ancient Persia, on whose territory modern Iran is located, some analysts believe that Israel left a "business card" in the virus code. However, according to a number of experts, this version does not hold water and resembles the plot of a cheap detective story: too primitive a "signature" for a project of this magnitude.

At the same time, it should be emphasized that last summer (recall that the Stuxnet distribution began in 2009), WikiLeaks reported a serious nuclear accident at Natanz. Shortly thereafter, it became known that the head of the Atomic Energy Organization of Iran, Gholam Reza Aghazadeh, had resigned without explanation. At about the same time, statements by Israeli politicians and military officials about a possible confrontation with Iran on the technological front appeared in the media. In addition, Israel revised its projected date for an Iranian atomic bomb, pushing it back to 2014, and the term of Meir Dagan, the head of Mossad, was extended for his participation in unnamed "important projects".

Human factor

The history of the primary infection that started the spread of the virus is noteworthy. Obviously, automated control systems of this level are not connected to the Internet. Kenneth Geers, an expert at the NATO Cyber Center in Estonia, suggested at a security conference that the success of the Stuxnet attack depended solely on contact with people and... ordinary USB drives. "You can pay someone to launch a Trojan in a closed system, or swap a flash drive that was intended only for internal use," Geers reflects. "It is enough to insert an infected USB flash drive into the computer's standard USB port, and Stuxnet immediately jumps to the operating system, and no anti-virus programs or other protection measures get in its way." And indeed, the "weak link" turned out to be the human factor: Stuxnet was brought into the system by an ordinary USB drive, which a careless employee inserted into a workstation. It is notable that after statements by Iranian intelligence minister Heydar Moslehi about the detention of "nuclear spies" (who turned out to be entirely unremarkable Russian technicians), the Siemens management admitted that the infection had come through a company employee, emphasizing its unintended nature. It should be noted that Stuxnet affects only a specific type of Siemens controller, namely SIMATIC S7, which, according to the IAEA, is used by Iran.

Cyber war: Battlefield Earth?

At the Virus Bulletin 2010 conference, held in Vancouver (Canada), the public's attention was drawn to a brief presentation by Liam O Murchu, one of the leading IT security experts at Symantec. The analyst conducted an experiment that explained the danger of cyber threats better than hundreds of formal reports. O Murchu set up on stage an air pump controlled by Siemens industrial control software, infected the computer controlling the pump with the Stuxnet virus, and started the process. The pump quickly inflated a balloon, but the process did not stop: the balloon kept inflating until it burst. "Imagine that this is not a balloon, but an Iranian nuclear power plant," the expert said, putting an end to the question of how "serious" cyberwar is.

Photo caption: General Keith Alexander, head of the newly created US Cyber Command at the Pentagon
O Murchu's colleagues fully share his concerns. Trend Micro researcher Paul Ferguson said that with the creation of Stuxnet, a full-fledged cyber weapon has appeared in the world, one that goes beyond traditional destructive schemes (theft of credit card numbers and the like) and can lead to serious accidents at highly dangerous industrial facilities. Ferguson stresses that analysts will now "literally intimidate the government into starting to take serious security measures."

Indeed, the head of the newly created US Cyber Command under the Pentagon, General Keith Alexander, speaking in Congress, publicly stated that over the past few years the threat of cyberwar has been growing rapidly. Alexander recalled two cyber attacks on entire states: Estonia (in 2007, after the relocation of the Bronze Soldier) and Georgia (in 2008, during the war with Russia).

Photo caption: Toomas Hendrik Ilves, President of Estonia
Estonian President Toomas Hendrik Ilves, in an interview with the Berliner Zeitung, raises the question of cyber threats at the highest level. The Estonian President stresses that NATO's decision to locate its Cybersecurity Center in Tallinn (recall that it opened in May 2008) is due to the fact that Estonia is one of the most computerized countries in Europe, as well as the first state to have been subjected to a full-scale cyber attack, in 2007. After that attack, which paralyzed the infrastructure of the whole country, Estonian Defense Minister Jaak Aaviksoo even demanded that NATO equate such cyber attacks with military actions. The president expresses similar theses today: "The Stuxnet virus has demonstrated how seriously we should take cybersecurity, because with the help of such products vital infrastructure can be destroyed. In the case of Iran, the virus seems to have been targeted against a nuclear program, but similar viruses could destroy our economy, which is controlled by computers. This should be discussed in NATO: if a rocket destroys a power plant, Article 5 comes into force. But how should we act in the event of a computer virus attack?" asks Toomas Hendrik Ilves. The president's proposal is in line with current trends: "Both the EU and NATO should develop a common policy, including legal norms, which will become the basis for collective protection against threats in cyberspace," the head of state believes.

William Lynn, US Deputy Secretary of Defense, fully agrees with Toomas Hendrik Ilves. In an interview with Radio Liberty, Lynn tried to answer the question raised by Ilves: "If a strike affected the essential elements of our economy, we probably should consider it an attack. But if the result of a hack was data theft, then this may not be an attack. Between these two extremes lie many other options. In order to articulate a policy, we must decide where the line between burglary and attack lies, or between espionage and data theft. I suppose there is a discussion on this topic both in the government and outside it, and I do not think that this discussion has been exhausted."

Photo caption: William J. Lynn, US Deputy Secretary of Defense
In addition, the key point of William Lynn's speech was the public announcement of the five principles on which the new cybersecurity strategy of the United States is based. We quote the US Deputy Secretary of Defense without cuts:
"The first of these principles is that we must recognize cyberspace for what it has already become: a new war zone. Just like land, sea, air, and outer space, we must view cyberspace as a sphere of our actions that we will defend and to which we will extend our military doctrine. This is what prompted us to create a unified Cyber Command as part of Strategic Command.

The second principle, which I have already mentioned, is that defense must be active. It should include two generally accepted lines of passive defense. The first is, in fact, ordinary hygiene: apply patches on time, keep antivirus programs updated, and improve means of protection. We also need a second line of defense, the one used by private companies: intrusion detectors and security monitoring programs. All of these tools will probably help you repel about 80 percent of attacks. The remaining 20 percent (a very rough estimate) are sophisticated attacks that cannot be prevented or stopped by patching holes. A much more active arsenal is needed. We need tools that are able to identify and block malicious code. We need programs that will detect and hunt down malicious elements that have penetrated your own network. When you find them, you should be able to cut off their communication with the external network. In other words, it is more like a war of maneuver than a Maginot Line.

The third principle of cybersecurity strategy is the protection of civilian infrastructure.

Fourth, the United States and its allies must take collective defense measures. Important decisions on this matter will be made at the upcoming NATO summit in Lisbon.

Finally, the fifth principle is that the United States must remain at the forefront of software development."

The reaction of Dmitry Rogozin, Russia's permanent representative to NATO, to the processes taking place in the Alliance is quite remarkable. Apparently, Russia is extremely concerned about the upcoming NATO summit in Lisbon on November 20, because it is planned to resolve there the dilemma of whether an attack on the military and government computer networks of a NATO member is considered grounds for invoking Article 5 of the Washington Treaty and responding with a collective military strike. Rogozin writes in his characteristic style: "We will finally find out whether NATO is permitted to hit hackers' apartments with a nuclear bomb, or whether it is assumed that cyber war will not go beyond cyberspace. I have great reason to doubt the latter scenario. Literally before our eyes, a grandiose scandal is unfolding in the Western press over the spread of a computer worm called Stuxnet. I am used to reading and sending SMS in Latin letters, so I immediately read the name of the virus as a Russian verb in the future tense: 'will go stale'. Rest assured that something will definitely go stale or fall off for those who launched this virus. As is known, he who sows the wind will reap the storm." Without presuming to comment on Mr. Rogozin's literary and creative research, we note that it was Russia that was accused of the two largest hacker attacks on entire states (Estonia and Georgia), which explains the permanent representative's intensity.

Thus, against the background of the hysteria provoked by Stuxnet, a number of states have declared the need to formulate a joint policy to prevent cyber attacks. Will this lead to the desired result, even assuming that some document regulating the use of destructive technologies is developed (and signed)? To IT Business week this seems extremely doubtful; the temptations offered by high technology are too great: anonymity, safety (for the attacker), and an unprecedented cost-to-effect ratio. So Stuxnet was only the first harbinger of an epoch of techno-social revolution, which has not begun at all the way it was dreamed of.

Source: https://habr.com/ru/post/105964/