Stuxnet, arguably the most interesting and bone-chilling discovery in the history of computer security threats, is back in the news this week. This time, however, it’s brought a friend – one familiar to security experts and IT personnel alike. If the report from one of the world’s foremost experts is accurate, then it’s going to be a merry Christmas indeed for conspiracy theorists and lovers of international intrigue – and potentially a headache for a couple of governments that are being pressed to fess up about the true origins of Stuxnet and Conficker.
When its presence became known in June 2010, the mere existence of the Stuxnet worm sent shudders through international cybersecurity circles. In case you were off-world at the time of the incident, here’s the skinny: Stuxnet is spread via Microsoft Windows and targets Siemens industrial software and equipment. Although it’s not the first time hackers have targeted industrial systems, it is the first malware to spy on and compromise industrial equipment, and the first to include a programmable logic controller (PLC) rootkit.
What made Stuxnet particularly interesting to conspiracy theorists was where, specifically, it landed. 60% of Stuxnet infections were in Iran, and five variants of the worm were discovered at various Iranian facilities, with the apparent target being Iran’s nuclear programme. Stuxnet’s ability to control Supervisory Control And Data Acquisition (SCADA) systems – the kind found in industrial plants – has wreaked havoc on the Iranian nuke programme, particularly at the country’s uranium enrichment facility at Natanz, where, according to Haaretz, “the centrifuge operational capacity has dropped over the past year by 30 percent.”
News of the industrial worm quickly became the stuff of a Tom Clancy novel or Hollywood thriller. Stuxnet’s sheer sophistication and the level of resources required to enact such an attack made it clear that Stuxnet was most likely state-sponsored. Accusations flew about the originator of the worm, and in a fine example of inductive reasoning, fingers were squarely pointed at the U.S. and Israel.
Much ado has been made of Stuxnet, and as might have been expected, nothing’s been proven about the source of the worm; but in what is sure to be only the beginning of a heated new debate, this week several media outlets have reported that “a celebrated ‘uber-hacker’ with 18 years of service in Special Operations and intelligence” has linked Stuxnet to Conficker. No, that wasn’t a typo.
John Bumgarner, a retired U.S. Army special-operations veteran, former intelligence officer, and current CTO of the not-for-profit U.S. Cyber Consequences Unit, says he discovered the link between Stuxnet and Conficker only after “spending more than a year researching the attack on Iran and dissecting hundreds of samples of malicious code,” according to Reuters.
In case you’ve been off-world AND living under a rock, Conficker is one of the most devastating and pervasive worms, discovered in 2008 and infecting millions of computers in over 200 countries. The worm is traditionally thought to be the work of an organized crime gang in Eastern Europe, because, much like Stuxnet, Conficker is very sophisticated, probably required immense resources to create, and is extremely difficult to detect and destroy.
“Conficker was a door-kicker,” Reuters quoted Bumgarner. “It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet.”
Let’s be clear: Bumgarner thinks he knows who is behind the two programs, but he’s not saying who, because the matter is “too sensitive to discuss.” According to Reuters, “The White House and the FBI declined to comment,” and, “Prime Minister Benjamin Netanyahu’s office, which oversees Israel’s intelligence agencies, also declined comment.”
Is it really possible that the botnet propagated by Conficker was all for the purpose of setting up a state-sponsored attack?
Things get even stranger from here. In September, Techworld reported that for the first time the Russian government has officially blamed the U.S. and Israel for Stuxnet, calling it “the only proven case of actual cyber-warfare.” And wouldn’t you know it? In a related story, a water plant in Illinois was hacked in mid-November, an attack that apparently originated from Russia and, like Stuxnet, targeted the plant’s SCADA system. In the attack, the hackers gained control of the plant’s equipment and damaged it, the first attack of its kind on U.S. soil.
Confused? You should be. If we’re to glean anything from these latest developments, let’s at least take away the following: that a) Conficker may have been the delivery mechanism for Stuxnet, and b) Jerry Bruckheimer’s probably finalizing scripts at this very moment.