On a superficial level, Stuxnet has played out like a cliché espionage tale or some sort of political thriller. Jason Bourne, James Bond, or what have you.
The super-worm, distributed via thumb-drives, was authored to disrupt specific machinery manufactured by Siemens. It happens that the machinery were centrifuges used by Iran’s nuclear program. To save some face, the Iranian government indicated that they had cleaned their networks, acknowledging that they had been infected. Beyond Iran’s networks and centrifuges, Pakistani and Indian networks were hit by the Stuxnet virus as well.
After Iran was hit, two new worms – Duqu and Flame – were found to be closely related to the Stuxnet program. However, instead of disrupting machinery, the point of Duqu and Flame was espionage. They were programmed to record keyboard activity, take screenshots, record Skype conversations, among other spying activities. Shortly thereafter, the source code of the worm was leaked on the Internet.
After all that, Iran says that they have just combated the Stuxnet worm yet again.
The authors were, and still officially are, unknown, though most speculation points toward Israel developing the Stuxnet worm with copious amounts of help from the United States. In what seems to be trying to rub Iran’s nose in the situation, American and Israeli officials have reportedly “smiled” at reporters when asked about Stuxnet, and the former IDF Grand Poobah had a going-away shindig that included a video apparently referencing the worm. On top of possibly implicit admissions, countless security experts have come out and said they think the origins of the program were in America or Israel. Of course, nothing can be confirmed for sure. It is still speculation.
There are a few things that makes the Stuxnet program intriguing, which Wired Magazine exhaustively documented in this article. First is how specialized the code was, in that it was designed to specifically hit a single target. A specific machine. If the worm had infected a computer that did not meet the specifications of that target, then it did nothing and likely was no cause of concern. Within that code, it sought to inject a new set of guidelines into the machine in order to destroy, in this case, a centrifuge bought by the Iranians.
Second, in addition to the specialized and sophisticated code, the operation behind getting it out there suggested an author or authors who had access to extraordinary resources that helped them accomplish this task, which lead to the suggestions of United States or Israeli involvement. In this, it established a precedence in cyber warfare. In the words of former CIA Director Michael Hayden, “The rest of the world is looking at this and clearly someone has legitimated this kind of activity as acceptable international conduct.”
Third, the means of distribution. This thing was in the wild for over a year before the infection came to infect the machine it was looking for. It moved around the world, in a way sneaking from machine to machine until it found the target. When imagining the path, it’s hard not to personify this intelligent program as an animal, something more than a mere piece of software.
In the 60 Minutes profile on Stuxnet, they posed a question that people are asking but one that hasn’t been dealt with or answered yet. Commentator Steve Kroft remarked that having Stuxnet’s source code being released onto the web has opened a kind of “Pandora’s Box.” Meaning, since the example is set, there’s no reason that variations can’t be made for a pretty penny and a cyber attack can be launched on our vulnerable infrastructure. The question being, what do we do or what are we doing to prevent an attack like that from happening? As far as we know, there have not been any large scale cyber attacks that resemble something like Stuxnet, but I’m not sure if that’s because computer security has tightened or because someone hasn’t paid out the right price tag for it yet.
Should we even worry about a Stuxnet-like attack on our infrastructure? Let us know what you think on Twitter, @RobotCentral. You can also get us on our Facebook page.
