Cyber-security researchers recently discovered the first confirmed “in the wild” instance of industrial-control malware.
Dubbed Stuxnet, the worm was meant to sabotage computers that run facilities such as electrical plants, oil pipelines and nuclear facilities. Eric Chien, the technical director for Symantec Security Response, whose team spent three months reverse-engineering Stuxnet, explains why it’s an ominous milestone.
By Glenn Derene
1. It's dangerous.
“It became apparent early on that we were dealing with something very, very different,” Chien says. “Without exaggeration, someone could die.” Stuxnet hides on Windows machines and then injects code into the programmable logic controllers for specialised equipment. The purpose is sabotage. “This could very easily explode a gas pipeline or speed up a centrifuge until it blew up,” he says. The only good news is that you needn’t worry if it ends up on your PC. Stuxnet doesn’t damage conventional home computers, and most commercial antivirus software can easily clean it.
2. We knew it was coming.
Cyber-security experts have been warning about the vulnerabilities of industrial control systems for years, and POPULAR MECHANICS published a cover story on the dangers of infrastructure hacking in 2009. Many of the private companies that run utilities have been upgrading software and equipment. Newer technology has cyber defences built in.
3. It's too sophisticated to have been programmed by some punk teenager.
There is considerable evidence that Stuxnet is not simply a malicious prank and may be an act of state-sponsored cyber warfare. “Based on the amount of resources needed and the expertise required to put this together, we’re talking about some sort of high-value target,” Chien says. “This is the first case where we can’t say it was probably a hacker in his basement programming this, and it could be a government.” That’s not counting the apocryphal bit of CIA lore from the 1980s wherein the agency’s spooks tricked the Soviets into installing rogue software on components of a Russian pipeline, causing it to explode.
4. It's impossible to determine exactly who did it.
In Stuxnet’s code, there is evidence to suggest what type of equipment and facility it was aimed at. Some cyber-security experts have concluded that Stuxnet’s release was an attack on either the Natanz or the Bushehr Iranian nuclear facility that spread unintentionally. (The United States and Israel maintain the power plants will be repurposed to make weapons, an allegation Iran denies.) But like most malware, Stuxnet is programmed to cover its tracks, so its creators may never be known.