The world is getting ready for a new arms race – this time in cyber weapons. What was previously considered to be the domain of semi-criminal marginal groups or a cheap way of expressing sociopathy is now attracting the interest of governments, who are considering producing weaponized software on an industrial scale.
Whereas before it was unclear what the endless “army cyber commands” and other sinecures were up to, the last two or three years have seen the appearance of very unpleasant evidence of serious work potentially capable of changing the image of the world as we know it.
We’ve seen nothing like this before
This was the initial reaction of Symantec analysts when they started looking into an incomprehensible computer worm nicknamed Stuxnet. Two major waves of spreading the worm were noted: the first version in summer 2009 and the second in spring 2010.
Developers found a rootkit (a set of malicious software programs that integrate into the system without being detected) which was a cyber-weapon masterpiece. According to experts, half a million euros might have been spent on developing this sophisticated piece of software. The worm was unique in every respect – it simultaneously used four earlier unknown Windows bugs and two genuine security certificates. At the same time Stuxnet carried out its main task (introduction, analysis of the environment and further expansion) in a very slow and unobtrusive manner.
The worm targeted industrial control systems, in particular a specific brand of Siemens industrial controllers. At the same time, the rootkit included control procedures for variable frequency drive converters of two specific brands (of Finnish and Iranian roots).
Moreover, experts said the worm was not rushing into these converters but gradually penetrated the industrial network, gathering information about its modes and fully establishing control over the computer monitoring system. Only once it had done this did the virus begin to gently “manipulate” parameter settings. It would take them out of action for a short time in order to disrupt the operation of the equipment.
Based on the distribution of the worm, experts established a potential target of attack: software-controlled centrifuges at the uranium-enrichment facility at Natanz, Iran.
In late November 2010, Iranian President Mahmoud Ahmadinejad said on the record that cyber attacks created “problems” in what he called a “limited” number of centrifuges. Naturally enough, this report evoked an instant response from the public and the media, crediting Stuxnet with the successful termination of Iran’s enrichment efforts.
Your hard work is not your achievement but their failing
There is, however, considerable doubt that the worm attack took place (or at least that it caused any noticeable results). Experts on computer and industrial security sounded the alarm but nuclear workers remained calm.
At any rate, IAEA experts who were directly in charge of monitoring the Natanz facility bluntly rejected any allegations that any disruptions in the work of the plant took place. Nonetheless, they admitted that the worm could in theory penetrate the facility’s computer network.
Their conclusions are understandable – there was no evidence of a drop in production at the uranium enrichment facility in Natanz, the supposed target of the attack. The rate of breakdown of centrifuges accelerated somewhat between November 2009 and January 2010, but that could be explained by the mass replacement of worn-out or low-quality Iranian-produced equipment. No evidence of any emergency at the plant was recorded.
Moreover, it seems that the worm’s developers may have outsmarted themselves. In working with frequency drive converters, they used the parameters that had been supplied by Iran through the IAEA. It is not clear whether this was a Tehran-inspired leak or whether these “brainiacs” simply used the first information that seemed authentic to them and did not bother checking it. In other words, anti-nuclear hackers were let down by the ignorance of the hardware they were planning to take over. Moreover, it is possible that the equipment at Natanz was not the intended target of the worm.
However, you could say the Iranians were lucky. The virus in the network was discovered very fast and adverse consequences were avoided. This is probably why no meaningful traces of the attack were found: the worm’s impact on Iran’s centrifuges was designed to be very subtle, causing increased wear and tear over a long period of time.
Smile you’re on camera
In the meantime, the “anonymous well-wisher” of the Iranian nuclear program has continued working. Stuxnet was followed by two most interesting rootkits: Duqu, which was discovered in September 2011, and Flame, which was intercepted in late May 2012.
Unlike the mischievous Stuxnet, which was targeted at industrial control systems, these viruses were more conventional, though no less dangerous.
Both rootkits could be described as comprehensive tracking systems that collected information from infected computers. They intercepted passwords, tracked key presses, recorded sound from an in-built microphone, took screenshots, gathered information on processed files and analyzed network traffic. This information was then encrypted and downloaded to an external master server.
Analysts believe that the approaches to the development of Stuxnet and Duqu are so similar that they may have a common platform. In any event, both rootkits are likely to have been created by the same team.
Flame is considered to be a separate product, but some of the solutions typical for it can be traced back to the first 2009 version of Stuxnet. This suggests that at least two groups of developers, who partially relied on each other’s work, might have been involved in this project.
“Olympic Games” for Iran
The intuitively obvious guess about who was behind these efforts was confirmed not long ago. In June 2012, The New York Times bluntly reported that Stuxnet and Flame were developed during the operation Olympic Games, a joint effort between two electronic intelligence agencies, the U.S. National Security Agency and Israel’s Unit 8200.
According to the newspaper’s sources, the operation was launched on the orders of George W. Bush. This is the estimated period for the development of Stuxnet and Flame. Having replaced Bush in the White House, Barack Obama ordered that this work be accelerated with a view to impeding Iran’s nuclear program. All efforts to this end were code-named Olympic Games.
On precisely the fifth day after the publication, The Wall Street Journal carried the official reaction to it: “The FBI has opened an investigation into who disclosed information about a classified U.S. cyber attack program aimed at Iran’s nuclear facilities…” No further comment is needed.
Don’t play with matches at a gas station
It does not matter whether Stuxnet’s “physical attack” on Iran’s centrifuges was a success or if it was introduced into the facility’s network but failed to do much damage.
This is a model of a cyber weapon which is aimed not so much against strictly “virtual” targets (such as private information or the proper functioning of information systems) as against the actual physical infrastructure.
Industrial control systems are widespread. They are the backbone of all automated modern production systems, including hazardous ones. Computer systems are used to run energy facilities, gas compressor stations and control traffic.
The development of an effective cyber weapon capable of putting such systems out of action could have disastrous consequences.
In this sense, we are at about the same stage as the world was between July 16 and August 6, 1945, after the United States tested its first nuclear device near Alamogordo but had not yet dropped any nuclear bombs on Japanese cities.
These new awkward cyber weapons, the development of which is sponsored by the leading powers, will be followed by others, more effective and more sophisticated. The problem is that such weapons can potentially do much more damage to advanced “critical infrastructures,” of which there is a higher number in the United States and Western Europe than in Asia. Those who have launched this race for cyber weapons are throwing stones while living in glass houses.
The views expressed in this article are the author’s and may not necessarily represent those of RIA Novosti.