
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog


Is Stuxnet the Beginning of the Cyberwar Era?

Published: 2010-09-24
Last Updated: 2010-09-24 20:32:44 UTC
by John Bambenek (Version: 1)
4 comment(s)

Since the news of Stuxnet has reached the popular media, it's probably time for a quick diary on the subject. Secunia has write-ups on two of the unpatched security vulnerabilities that allow privilege escalation that Stuxnet relies on here and here.  Symantec also has a series on Stuxnet that you can read up on here.  While Stuxnet does use the LNK vulnerability, it existed before then using other modes of infection (for instance, via USB keys).  Another interesting note is that it exploited one of the same vulnerabilities that Conficker did.  Among other things, Conficker was a real problem for embedded systems (particularly those embedded systems that ran Windows).  Hospitals and health care facilities, for instance, had a lot of trouble with Conficker on their equipment.

One of the working theories is that Stuxnet was designed to attack Iranian facilities and may have had its origin in Israel.  It's important to note that initial statistics showed that India and Indonesia made up a higher percentage of compromises than Iran, but around the end of July, Iran had the bulk of infections.

Assuming it is an attempt to attack the Iranian facilities, I suppose it's better to launch a cyberattack than to go all Osirak circa 1981.  But the moral and philosophical implications are probably best for another venue. 

An important thing to note when it comes to cyberwar is that there is a lot of hype that attempts to make this a more dangerous threat than it probably is (at this specific point in time).  A healthy dose of skepticism is warranted, in part, because with any cyberattack it is very difficult to determine who is really behind an attack or why.  Incident responders only have (and can only get) a piece of the information: what the attack attempts to do and the forensic details of that attack.  Forensically examining a botnet C&C to determine who was behind it and what happened historically gets to be much more difficult. The reasons for that are as much legal and practical as they are technical.  Simply put, most "bad people" know to operate in jurisdictions least likely to cooperate with "the good guys".

What we do know is that many countries and organizations are looking for ways to use electronic infrastructure to cripple opponents and that this is not a new development.  Information systems have always been a rich target for espionage.  Sabotage has always been an element of covert warfare as well.  Insofar as elements of our critical infrastructure depend on and/or are controlled by information systems, electronic sabotage becomes a more real possibility.  In the current case, however, Stuxnet being a tool of cyber-sabotage is a theory that fits the facts but is far from the only theory.  In short, the jury is still out.

At this point, most common malware detection tools will detect this. However, one of the key infection mechanisms early on was USB keys.  A popular way for pen-testers to test an organization is to drop USB keys in a parking lot, send in "free" keys with vendor logos and the like to get individuals in an organization to plug USB keys into the organization's network.  This is an easy vector of attack to defeat by employing security education, USB port security and disabling AutoRun.  It's trivial to use USB keys and to create custom malware that will bypass all AV.  It's also easy (but not trivial) to shut down this vector.  For larger organizations, the solution may be to simply distribute your own "branded" USB keys for users to move data around, which may be a proper balance between security and usability.
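The two host-side controls named above, disabling AutoRun and restricting USB storage, can be audited on a Windows machine with a short read-only script. This is an added example, not part of the original diary; the function names `Get-RegValue` and `Test-RemovableMediaPolicy` are hypothetical, and the registry locations are the standard Windows ones for the AutoRun policy and the USB mass-storage driver.

```powershell
# Added example (not from the original diary): read-only audit, changes nothing.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing (evaluates to $null) when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-RemovableMediaPolicy {
    $explorer = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $v = Get-RegValue -Path "$hive\$explorer" -Name 'NoDriveTypeAutoRun'
        # Older systems may store this as REG_BINARY; the first byte is the bitmask.
        if ($v -is [array]) { $v = $v[0] }
        $shown = if ($null -eq $v) { '(not set)' } else { '0x{0:X2}' -f $v }
        [pscustomobject]@{
            Check    = "$hive NoDriveTypeAutoRun"
            Value    = $shown
            # 0xFF sets every drive-type bit, turning AutoRun off for all drives.
            Hardened = ($v -eq 0xFF)
        }
    }

    # USB mass-storage driver: Start = 3 loads on demand, Start = 4 is disabled.
    # Disabling it is the strictest form of USB port security and also blocks
    # organization-issued keys, so treat "False" here as a policy decision.
    $start = Get-RegValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start'
    $shown = if ($null -eq $start) { '(not set)' } else { "$start" }
    [pscustomobject]@{
        Check    = 'HKLM: USBSTOR Start'
        Value    = $shown
        Hardened = ($start -eq 4)
    }
}

Test-RemovableMediaPolicy | Format-Table -AutoSize
```

When both hives carry `NoDriveTypeAutoRun`, the `HKLM` value takes precedence, so the machine-wide row is the one to enforce through Group Policy.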

John Bambenek
bambenek at gmail /dot/ com
