Does US role in Stuxnet raise the risk of domestic cyberattack?
- By Kevin McCaney
- Jun 01, 2012
The infamous Stuxnet worm was part of a U.S.-Israeli effort targeting Iran’s nuclear program, started under the Bush administration and accelerated by President Barack Obama, according to a New York Times story adapted from a forthcoming book.
The revelation only confirms what many cybersecurity experts have suspected, but it does shed light on the broadening pattern of cyber espionage and attacks by the United States, China and other countries on each other. And it could renew questions about how ready U.S. cyber defenses are for an attack.
Starting in 2009, several versions of Stuxnet were introduced into Iran’s Natanz nuclear processing plant in a series of attacks that Obama decided to continue even after the worm “escaped” into the wild, the Times reported.
Iran a more serious cyber threat that China or Russia, experts tell Congress
Stuxnet, Duqu tip of the iceberg; more attacks on tap, researchers say
Stuxnet, designed to attack Siemens software in a specific type of programmable logic controller, caused centrifuges used in processing uranium to spin out of control, damaging between 1,000 and 5,000 of them and slowing down Iran’s nuclear program, according to the report, which is adapted from David E. Sanger’s “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power,” set to be published June 5.
Since Stuxnet was discovered in 2010, security experts have speculated, suggested and in some cases even claimed that it was the work of the United States and/or Israel. In an April profile in Smithsonian Magazine, former counterterrorism czar Richard Clarke said, “I think it’s pretty clear that the United States government did the Stuxnet attack,” with some help from Israel.
The Times article, based on unidentified current and former American, European and Israeli officials, said it was part of a secret program, code-named Olympic Games, targeting Iran.
The article doesn’t mention Duqu, an information-gathering Trojan horse that shares some of Stuxnet’s code and was found roaming in Iran’s nuclear facilities, among other places. But it does mention a “bit of computer code called a beacon” that gathered an electronic blueprint of the Natanz plant.
Security researchers also have found similarities between Stuxnet/Duqu and the recently discovered Flame spyware, which has spread in Iran, other parts of the Middle East and Europe and attacked systems in Iranian oil refineries in April. U.S. officials, however, said that Flame, parts of which date to 2007, was not part of the Olympic Games, the Times reported.
Stuxnet was introduced to Natanz via USB thumb drives — an article in ISSSource in April, quoting U.S. intelligence officials, said it was first planted by an Iranian double agent working for Israel — in 2009.
In 2010, it “escaped” and spread quickly around the world. And although it didn’t do other damage because was designed only to attack the Siemens software, it caught the attention of security experts, who analyzed it and dubbed the first weaponized malware because of its potential to damage industrial systems.
They also concluded that Stuxnet’s complexity likely made it the product of a nation-state. And because Iran was the target, speculation followed that the United States, which has opposed Iran’s nuclear program, and/or Israel, which views it as an imminent threat, were behind the attacks.
Stuxnet’s appearance has raised fears that similar targeted malware could be used to attack critical infrastructure — ranging from water and power plants to prisons — in this country and elsewhere.
Confirmation that the United States was behind Stuxnet could also raise the possibility that other countries could use it as justification for their own attacks. China and Russia often are blamed for attacks on U.S. government and industry, but a panel of technical and policy experts told a House hearing in late April that Iran was a more serious threat.
Iran has shown a willingness to attack the United States and is not bound by stable diplomatic relations, as are China and Russia. The latter two countries "aren’t going to start a war just for fun,” James Lewis, a senior fellow at the Center for Strategic and International Studies, told lawmakers. “I don’t know if we can say that for Iran and North Korea,” Lewis said.
Clarke, for one, says the U.S. infrastructure, such as its power grid, is woefully ill-prepared for an attack.
In the Smithsonian profile by Ron Rosenbaum, he warned about the consequences of conducting cyber offensives without having an adequate cyber defense. But he said his biggest fear, however, isn’t some kind of cyber Pearl Harbor but the “thousand cuts” of having the country’s intellectual property stolen — something he said China is already carrying out.
Other experts have made similar comments recently.
At the RSA conference in February, cybersecurity pioneer Marcus Ranum warned that the country was not well-enough defended to launch cyberattacks. “It’s not a good idea to initiate a response in kind by doing it to someone else,” he said.
And at a talk in Washington in April, Estonian President Toomas Hendrik Ilves warned that the focus on cyber war was distracting from the real threat. “It’s the economy, stupid,” he said. “It is intellectual property that is the real worry.”
Kevin McCaney is a former editor of Defense Systems and GCN.