The world is getting ready for a new
arms race - this time in cyber weapons. What was previously
considered to be the domain of semi-criminal marginal groups or a
cheap way of expressing sociopathy is now attracting the interest
of governments, who are considering producing weaponised software
on an industrial scale.
Whereas before it was unclear what the endless "army cyber
commands" and other sinecures were up to, the last two or three
years have seen the appearance of very unpleasant evidence of
serious work potentially capable of changing the image of the
world as we know it.
We've seen nothing like this before
This was the initial reaction of Symantec analysts when they
started looking into an incomprehensible computer worm nicknamed
Stuxnet. Two major waves of spreading the worm were noted: the
first version in summer 2009 and the second in spring 2010.
What they found was a rootkit (a set of malicious software programs
that integrate into the system without being detected) which was a
cyber-weapon masterpiece.
According to experts, half a million euros might have been spent
on developing this sophisticated piece of software. The worm was
unique in every respect - it simultaneously used four previously
unknown Windows bugs and two genuine security certificates.
At the same time, Stuxnet carried out its main task (infiltration,
analysis of the environment and further spread) in a very slow
and unobtrusive manner.
The worm targeted industrial control systems, in particular a
specific brand of Siemens industrial controllers. At the same
time, the rootkit included control procedures for variable
frequency drive converters of two specific brands (of Finnish and
Iranian origin).
Moreover, experts said the worm did not rush at these converters
but gradually penetrated the industrial network, gathering
information about its operating modes and establishing full
control over the computer monitoring system.
Only once it had done this did the virus begin to gently
"manipulate" parameter settings. It would take them out of action
for a short time in order to disrupt the operation of the
equipment.
Based on the distribution of the worm, experts established a
potential target of attack: software-controlled centrifuges at the
uranium-enrichment facility at Natanz, Iran.
In late November 2010, Iranian President Mahmoud Ahmadinejad said
on the record that cyber attacks created "problems" in what he
called a "limited" number of centrifuges.
Naturally enough, this report evoked an instant response from the
public and the media, crediting Stuxnet with the successful
termination of Iran's enrichment efforts.
Your hard work is not your achievement but their failing
There is, however, considerable doubt that the worm attack took
place (or at least that it caused any noticeable results). Experts
on computer and industrial security sounded the alarm but nuclear
workers remained calm.
At any rate, IAEA experts who were directly in charge of
monitoring the Natanz facility flatly rejected allegations that
any disruptions in the work of the plant took place. Nonetheless,
they admitted that the worm could in theory penetrate the
facility's computer network.
Their conclusions are understandable - there was no evidence of a
drop in production at the uranium enrichment facility in Natanz,
the supposed target of the attack. The rate of breakdown of
centrifuges accelerated somewhat between November 2009 and January
2010, but that could be explained by the mass replacement of
worn-out or low-quality Iranian-produced equipment. No evidence of
any emergency at the plant was recorded.
Moreover, it seems that the worm's developers may have outsmarted
themselves. In working with frequency drive converters, they used
the parameters that had been supplied by Iran through the IAEA.
It is not clear whether this was a Tehran-inspired leak or whether
these "brainiacs" simply used the first information that seemed
authentic to them and did not bother checking it.
In other words, the anti-nuclear hackers were let down by their
ignorance of the hardware they were planning to take over.
Moreover, it is possible that the equipment at Natanz was not the
intended target of the worm.
However, you could say the Iranians were lucky. The virus in the
network was discovered very fast and adverse consequences were
avoided. This is probably why no meaningful traces of the attack
were found: the worm's impact on Iran's centrifuges was designed
to be very subtle, causing increased wear and tear over a long
period of time.
Smile, you're on camera
In the meantime, the "anonymous well-wisher" of the Iranian
nuclear programme has continued working.
Stuxnet was followed by two very interesting rootkits: Duqu, which
was discovered in September 2011, and Flame, which was intercepted
in late May 2012.
Unlike the mischievous Stuxnet, which was targeted at industrial
control systems, these viruses were more conventional, though no
less dangerous.
Both rootkits could be described as comprehensive tracking systems
that collected information from infected computers. They
intercepted passwords, tracked key presses, recorded sound from a
built-in microphone, took screenshots, gathered information on
processed files and analyzed network traffic. This information was
then encrypted and sent to an external master server.
Analysts believe that the approaches to the development of Stuxnet
and Duqu are so similar that they may have a common platform. In
any event, both rootkits are likely to have been created by the
same team.
Flame is considered to be a separate product, but some of the
solutions typical for it can be traced back to the first 2009
version of Stuxnet. This suggests that at least two groups of
developers, who partially relied on each other's work, might have
been involved in this project.
"Olympic Games" for Iran
The intuitively obvious guess about who was behind these efforts
was confirmed not long ago.
In June 2012, The New York Times bluntly reported that Stuxnet and
Flame were developed during Operation Olympic Games, a joint
effort between two electronic intelligence agencies, the US
National Security Agency and Israel's Unit 8200.
According to the newspaper's sources, the operation was launched
on the orders of George W. Bush. This is the estimated period for
the development of Stuxnet and Flame. Having replaced Bush in the
White House, Barack Obama ordered that this work be accelerated
with a view to impeding Iran's nuclear programme. All efforts to
this end were code-named Olympic Games.
On precisely the fifth day after the publication, The Wall Street
Journal carried the official reaction to it: "The FBI has opened
an investigation into who disclosed information about a classified
US cyber attack program aimed at Iran's nuclear facilities." No
further comment is needed.
Don't play with matches at a gas station
It does not matter whether Stuxnet's "physical attack" on Iran's
centrifuges was a success or if it was introduced into the
facility's network but failed to do much damage.
This is a model of a cyber weapon which is aimed not so much
against strictly "virtual" targets (such as private information or
the proper functioning of information systems) as against the
actual physical infrastructure.
Industrial control systems are widespread. They are the backbone
of all automated modern production systems, including hazardous
ones. Computer systems are used to run energy facilities, gas
compressor stations and traffic control.
The development of an effective cyber weapon capable of putting
such systems out of action could have disastrous consequences.
In this sense, we are at about the same stage as the world was
between July 16 and August 6, 1945, after the US tested its first
nuclear device near Alamogordo but had not yet dropped any nuclear
bombs on Japanese cities.
These new awkward cyber weapons, the development of which is
sponsored by the leading powers, will be followed by others, more
effective and more sophisticated. The problem is that such weapons
can potentially do much more damage to advanced "critical
infrastructures", of which there is a higher number in the US and
Western Europe than in Asia. Those who have launched this race for
cyber weapons are throwing stones while living in glass houses.
Konstantin Bogdanov is a commentator for RIA Novosti.
The views expressed in this article are the author's and may not
necessarily represent those of RIA Novosti.