The Internet began as a military project, and the utility it has since afforded peacetime humanity is, as is often the case, a fringe benefit of that origin. The decision, widely attributed to Israel with at least the tacit support of the United States, to develop offensive malware therefore looks on the face of it like a watershed in the militarisation of the Internet, but it was in fact the continuation of a long-established trend. There was no Rubicon to cross, and modern warfare will keep moving into cyberspace with increasing speed.

Against this backdrop, Stuxnet appears to have been the starting pistol for a new arms race in cyberweapons. The field is largely invisible, however, and so it is immune to the clamour for regulation that would accompany a comparable step change in conventional military technology. A decade on, there is still no international treaty limiting the damage a small fragment of code can inflict on an entire country's telecom, banking or energy infrastructure. The Colonial Pipeline ransomware incident in the eastern United States will have left the West in no doubt that it is in everybody's interest to push for one before the tables are turned further and more chaos is wrought on society.

Stuxnet was built for a single purpose. Its complexity implies that only a nation state could have produced it, yet for all its finesse, the deliberate network isolation of the plant at Natanz (the uranium enrichment facility in Iran that was its target) meant it still had to be carried in by hand, on removable media, and delivered manually. That the malware eventually escaped back into the wild and infected roughly 100,000 hosts worldwide (by Symantec's count) is almost certainly a measure of how chaotic the picture at Natanz became after delivery.

The victims of Stuxnet were ostensibly the Iranians, but as already described there have been many thousands of others in the time since its release. This is the rub: it is extremely hard for the creators of such programs to stop them once they have done what was intended, and building in a mechanism to do so cuts against their purpose in the first place. Stuxnet did carry a hard-coded cut-off date of 24 June 2012, after which it stopped spreading, but by then it had been loose for two years and its binaries had been captured, copied and analysed around the world; a kill date does not recall the copies already taken.

Stuxnet's target was an ICS (Industrial Control System). Such systems, which control critical infrastructure such as energy, transport, telecom and industrial networks, often run obsolete software and are far less able to cope with malware than mainstream enterprise systems. These enormous networks, known collectively as operational technology (OT) as opposed to information technology (IT), fulfil a unique role in modern life, and their disruption can be catastrophic, with consequences up to and including massive loss of human life.

Stuxnet is a worm. It was first identified in June 2010 by VirusBlokAda, a Belarusian antivirus vendor, and quickly became an almost household name through the news coverage it attracted. Analysis of the binaries (no source code was ever recovered) showed that it was built specifically to target the SCADA (Supervisory Control And Data Acquisition) software and PLCs (Programmable Logic Controllers) used by Iran's nuclear programme: it infects Windows hosts running Siemens SIMATIC Step 7 and WinCC, the engineering and supervisory software for Siemens S7 PLCs, and from there modifies the PLC code driving the uranium enrichment centrifuges. To spread and to gain the privileges it needed, it exploited the following five vulnerabilities:

  • MS08-067 – Server service RPC vulnerability – a crafted RPC request gives remote code execution; used to spread across the network (already patched in 2008 and previously exploited by Conficker)
  • MS10-046 – LNK (shortcut) vulnerability – Windows Shell loads a DLL while rendering a crafted shortcut's icon, so merely browsing an infected USB drive in Explorer executes code; this is how Stuxnet crossed the air gap
  • MS10-061 – Print Spooler vulnerability – a malicious print request to a shared printer writes an attacker-controlled file into the system directory, giving code execution on the host offering the printer
  • MS10-073 – Win32k.sys vulnerability – a crafted keyboard layout file lets a low-privileged process execute code in kernel mode (local privilege escalation)
  • CVE-2010-2772 – Siemens SIMATIC WinCC hard-coded password vulnerability – WinCC's back-end SQL Server database uses a fixed, publicly known password, which Stuxnet used to connect to and infect the database

The three Windows flaws from 2010 were zero-days when Stuxnet was found; later analyses also credit it with a fourth, the Task Scheduler elevation-of-privilege flaw fixed in MS10-092.
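The practical question the list above raises for anyone still running Stuxnet-era Windows hosts in an OT environment is simply whether the corresponding Microsoft patches are present. The following PowerShell check is an added example, not code from the article or from any vendor; it maps each bulletin to the KB number Microsoft published for it (the inclusion of MS10-092, the Task Scheduler flaw, goes beyond the five items listed above) and reports which are absent from the local host. The WinCC hard-coded password is a product configuration issue and is not something a hotfix query can detect, so it is deliberately left out.

```powershell
# Added example: report which of the Microsoft patches for the
# Windows flaws exploited by Stuxnet are missing on this host.
# KB numbers are the bulletin-to-KB mapping published by Microsoft.
$StuxnetPatches = @(
    @{ Bulletin = 'MS08-067'; KB = 'KB958644';  Note = 'Server service RPC, remote code execution' },
    @{ Bulletin = 'MS10-046'; KB = 'KB2286198'; Note = 'Shell LNK icon handling, code execution from removable media' },
    @{ Bulletin = 'MS10-061'; KB = 'KB2347290'; Note = 'Print Spooler, code execution via shared printer' },
    @{ Bulletin = 'MS10-073'; KB = 'KB981957';  Note = 'win32k.sys keyboard layout, local privilege escalation' },
    @{ Bulletin = 'MS10-092'; KB = 'KB2305420'; Note = 'Task Scheduler, local privilege escalation' }
)

# Get-HotFix reads the Win32_QuickFixEngineering class, i.e. individually
# installed updates; it does not see fixes folded into later cumulative updates.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($p in $StuxnetPatches) {
    $status = if ($installed -contains $p.KB) { 'installed' } else { 'MISSING' }
    [PSCustomObject]@{
        Bulletin = $p.Bulletin
        KB       = $p.KB
        Status   = $status
        Fix      = $p.Note
    }
}
```

Read the output with one caveat in mind: on Windows 10 and later these bulletins have been superseded by cumulative updates and the individual KBs will never appear, so a MISSING row there is expected and meaningless. The check is informative only on the Windows XP, Server 2003, Vista and Windows 7 generation of hosts, which is exactly the generation still found on many plant floors.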

Ultimately Stuxnet achieved its end goals, but it also achieved far more than that: it attracted a great deal of unwelcome publicity and ratcheted up the stakes in the business of cyberwarfare. One supposes that if it had not come along another candidate would have, but it is certain that Stuxnet changed the face of cyber-sabotage against critical infrastructure forever, and there is no going back.