Stuxnet Is Remarkable, But Perhaps Limited

The height of Stuxnet triumphalism—the belief that the worm thought to have been produced by Israel and the United States has delayed Iran’s nuclear weapons program by several years—came at the beginning of this year, when the New York Times dramatically reported that the worm was extensively tested, and that it ingeniously sends centrifuges spinning out of control while fooling monitors into thinking they are doing okay. But now along comes a fine Vanity Fair feature that leaves cause for doubt. As Jeff Goldberg put it, on occasion of the VF article, “I’ve become dubious about the effect of Stuxnet.”

The January Times article—an obvious leak-job—could plausibly be seen (as I noted at the time) to have served certain contingent purposes (making departing Mossad chief Meir Dagan look good, making the Obama administration seem smart, making Israel look valuable to the U.S.) as opposed to simply telling the total truth. Plus, some worry that the Stuxnet mystique is at this point more useful to Iran than to the West! Perhaps, this theory goes, the Islamic Republic has gotten the worm under control and has fooled the West into believing that it was dealt a major setback and therefore that further sanctions and threats of military action are no longer urgent and necessary? (This line of thinking is expanded upon in an excellent Leonard Lopate Show podcast.)

The VF piece, authored by Michael Joseph Gross, is an entertaining tick-tock that contains much that has already been reported and some that hasn’t. It further conveys just how “revolutionary” Stuxnet is: “The first known virus that, released into the wild, can seek out a specific target, sabotage it, and hide both its existence and its effects until after the damage is done.” Michael Tanji explored much of what made Stuxnet unprecedented last October in Tablet Magazine. Also then, Yossi Melman guessed—it increasingly seems correctly—at the involvement of both Israel and the German conglomerate Siemens; Melman also presciently hypothesized that Stuxnet primarily targeted not Iran’s declared nuclear energy reactor at Bushehr, as many originally thought, but rather the murkier enrichment facility at Natanz. After the jump, some choice highlights from VF.

• Stuxnet contains a number of fail-safes to try to ensure that it not get totally out of hand—an indication, many say, that it is the handiwork of a comparatively responsible state actor. Among the safeguards: On June 24, 2012, Stuxnet will self-destruct.

• There have been at least three versions of Stuxnet, each more daring than the one before. “The authors, [one expert] thinks, weighed the risk of discovery against the risk of a mission failure and chose the former.”

• Among hackers, it is a big deal to be able to find and exploit a so-called “zero day,” which is a flaw in a system that the system’s own creator is unaware of; it is a particularly big deal when a zero day is discovered in a prominent system, like Microsoft Windows. Stuxnet’s creators discovered and exploited four Windows zero days.

• Last July, just as the worm was receiving widespread publicity, it was given a new digital signature, enabling it to continue breaking into systems undetected.

• Here, basically, is how Stuxnet works:

Stick a flash drive with the virus into a laptop and it enters the machine surreptitiously, uploading two files: a rootkit dropper (which lets the virus do whatever it wants on the computer—as one hacker explains, “‘Root’ means you’re God”) and an injector for a payload of malicious code that was so heavily encrypted as to be, to Ulasen, inscrutable. The most unsettling thing about the virus was that its components hid themselves as soon as they got into the host. To do this, the virus used a digital signature, an encrypted string of bits that legitimate software programs carry to show that they come in peace. …

When Stuxnet moves into a computer, it attempts to spread to every machine on that computer’s network and to find out whether any are running Siemens software. If the answer is no, Stuxnet becomes a useless, inert feature on the network. If the answer is yes, the worm checks to see whether the machine is connected to a [programmable-logic controller, the tiny computers that regulate machinery all over the world for all sorts of things] or waits until it is. Then it fingerprints the P.L.C. and the physical components connected to the controller, looking for a particular kind of machinery. If Stuxnet finds the piece of machinery it is looking for, it checks to see if that component is operating under certain conditions. If it is, Stuxnet injects its own rogue code into the controller, to change the way the machinery works. And even as it sabotages its target system, it fools the machine’s digital safety system into reading as if everything were normal.

• Finally, Frank Rieger: Whatta character!

A few weeks later, in Berlin, the morning after a fresh snowfall, Rieger stomped into the Chaos Computer Club (C.C.C.) hacker space, a giant rec room on Marienstrasse full of fake surveillance cameras, beat-up leather sofas, and lots of softly whirring fans cooling lots of computer processors. Rieger’s dark-blue-gray jumpsuit was caked with ice from his morning commute, which he makes on a large tricycle regardless of the weather. Beefy and taciturn, Rieger serves as spokesman for the C.C.C., the second-largest human-rights technology group in the world (after the Electronic Frontier Foundation). The group calls itself “a galactic community of life forms, independent of age, sex, race or societal orientation, which strives across borders for freedom of information.”

A Declaration of Cyber-War [VF]
Related: Israeli Test on Worm Called Crucial in Iran Nuclear Delay [NYT]
Uncloaked [Tablet Magazine]
Coded [Tablet Magazine]
Modern Warfare, Too [Tablet Magazine]
Underreported: Who Was Behind the Stuxnet Worm? [The Leonard Lopate Show]
Earlier: How Stuxnet Came To Be