Cracking Stuxnet, a 21st-century cyber weapon

Ralph Langner:

When first discovered in 2010, the Stuxnet computer worm posed a baffling puzzle. Beyond its unusually high level of sophistication loomed a more troubling mystery: its purpose. Ralph Langner and team helped crack the code that revealed this digital warhead’s final target — and its covert origins. In a fascinating look inside cyber-forensics, he explains how.



10 thoughts on “Cracking Stuxnet, a 21st-century cyber weapon”

  1. Anyone remember the term “blow back”?

    Once that “generic” genie is out of the bottle – who is invulnerable?

  2. Stuxnet and nex-gen cyber-weapons are different in critical ways from conventional weaponry. First is ease of manufacture and second is ease of modification. I devised a Stuxnet-style attack on the U.S. energy infrastructure that was used in the Lior Samson techno-thriller, Web Games (Gesher Press, 2010), but I didn’t publish blueprints. The wide distribution of Stuxnet and its very public deconstruction put the template for an entire class of industrial control systems attacks in the public domain. The ease with which code can be revised, recycled, and repurposed means that it may only be a matter of time before we see pieces of reassembled Stuxnet flying our way. It’s warfare on the cheap, whether in the hands of terrorists or nation states. Israel, according to some sources in the intelligence community, may have hardened some of its crucial industrial infrastructure against a turn of the Stuxnet worm, but the U.S. is wide open.

  3. All the stories on stuxnet raise more questions than answers. Infecting a Windows machine is easy. Infecting a PLC is not. Since the word was out long before stuxnet ‘struck’, is it reasonable that the Iranians don’t read the high press, which was talking about stuxnet for months, and didn’t decide to unplug their Windows machines from their PLCs? Does it make sense they were using Windows (a notoriously unstable platform at the best of times) for projects of national importance?

    Nobody offering any information about stuxnet – neither the security experts, the Iranians, the Americans, nor the Israelis – has an incentive to tell anything approximating the truth about what happened.

  4. If we and the Israelis can create a worm that causes certain brands of centrifuges to change speeds, couldn’t someone else disable a nuclear reactor’s cooling pumps?

  5. If any nuclear reactors are linked into a Windows based network, we are all screwed regardless.

    How about a glowing blue screen of death …

  6. A lot of the Stuxnet stories going around are misleading.

    It wasn’t as effective as it is purported to be. There was a steady increase in low enriched uranium coming out of the Natanz plant at the time when the malware was active. If it was active in the plant, it didn’t do much damage.

    As a payload, it isn’t rocket science or beyond anything that has been seen before. There are many techniques used today that would have obfuscated the attack in a way that would have resisted the reverse engineering that Mr. Langner used.

    Lastly, Mr. Langner’s talk is fear mongering by saying it is highly specialized and also generic. It is one or the other, not both.

    Cyber attacks are real and a threat. Take a Comodo hack and the systematic failure of SSL certificate revocation. Misleading presentations like this don’t help inform the public about their real exposure. It should be taken with a heap full of salt.

    References:
    http://mondoweiss.net/2011/02/how-the-nyt-swallowed-the-stuxnet-worm.html
    http://rdist.root.org/2011/01/17/stuxnet-is-embarrassing-not-amazing/
    http://www.freedom-to-tinker.com/blog/dwallach/building-better-ca-infrastructure

  7. Iran used Windows machines in a safety-critical application for the same reason that everyone else does: the development tools (in the Natanz case, Siemens STEP 7) run on Windows, and the PLC code they generate must be downloaded to the PLCs to run. The so-called air gap between corporate and engineering networks on the one side and plant-floor PLCs on the other is an illusion, because the PLCs cannot be programmed or updated without bridging that gap.

    As to rdp’s dismissive comments, that’s one perspective, but the truth, as insiders know, is that the techniques are indeed both specific and generic – they are models for the design and development of similar or related attacks through other delivery vectors (there are many) and directed toward other targets. All it takes is motivation and resources.

    It is not fear-mongering to sound a wake-up call – as some of us have been doing for years.

    –Larry Constantine (Lior Samson, author of Web Games)

  8. Some of the very earliest viruses for DOS were designed to do much of what Stuxnet does – cause the drives to do seeks on the hard drive – go from the start of the drive to the end, back and forth, until the drive dies.
