Everybody’s heard about the Stuxnet virus by now, built specifically to attack Siemens’ SCADA systems through one of its most popular programmable logic controllers (PLCs). At the most recent Virus Bulletin conference in Vancouver, BC, in late September 2010, researchers from Symantec reported their findings about this fascinating and complex threat. These findings included their determination that Stuxnet includes “…the world’s first-ever toolkit designed for…” PLCs (SC Magazine, October 8, 2010) and that the complexity of the malware involved “…would have been written using 5-10 core developers over six months and tested on systems mirroring the process control hardware,” according to statements attributed to Symantec researcher Liam O Murchu at that conference (ibid). In fact, for the attack to work, the Stuxnet developers “…would have needed to steal digital certificates used to sign driver files used in target systems” (ibid).
Clearly, this is not the work of a single alienated cracker with too much time on his or her hands (O Murchu puts his assessment in pithier language: “This is not a teenage hacker coding in his bedroom-type operation”). Because the attack apparently affected much of Iran’s nuclear development infrastructure, in fact, many people inside and outside that country see government funding (if not an outright government-led “black op”) behind the Stuxnet virus. Israel and the US lead the list of likely culprits, though proving such involvement is also nearly impossible.
But where things get interesting is in the byplay that follows disclosure of such technical analysis and information. The n3td3v IT Security Consultancy in the UK, which is the brainchild of a well-known and eccentric self-professed security “expert” named Andrew Wallace, posted this response to the aforecited SC Magazine article:
“Motivation behind Stuxnet.” BP lobbied for the release of the Lockerbie bomber, and the people responsible for Stuxnet wanted to make sure they paid. To make sure the oil deal from releasing the bomber, BP couldn’t make a profit from. Stuxnet targeted the oil well. There were a lot of unhappy people after the release of Abdelbaset Ali al-Megrahi. Abdelbaset Ali al-Megrahi was convicted for blowing up Pan Am Flight 103 over Lockerbie, Scotland, on December 21, 1988. He was freed on compassionate grounds by the Scottish government on August 20, 2009. The claim was he had terminal prostate cancer and was expected to have less than three months to live. It was a lie and he is still alive, living the life of Riley in Libya.
Originally posted by me at http://www.schneier.com/blog/archives/2010/10/stuxnet.html#c467887
[Note: other postings on the Schneier blog are more coherent and intelligible, and have lots of interesting things to say about the affected Siemens PLCs.]
In fact, n3td3v is pretty well-known in the security community because his identity serves as the focus of a BlackHat study from 2006 entitled Who is “n3td3v”? Andrew Wallace has even had his psychological profile “done” on the full disclosure list, upon which he made something of a pest of himself in that time frame. But as interesting technical events unfold on the information security stage, there’s apparently always a temptation to exploit the notoriety and the publicity that surround spectacularly successful (or mysterious) exploits like this one. Who’s to say whether this kind of epiphenomenon doesn’t make the whole situation still more compelling than it already is?