Is Stuxnet the 'best' malware ever?
And they were clever, said Schouwenberg.
Once inside a company, Stuxnet used the MS08-067 exploit only if it knew that the target was part of a SCADA network. "There's no logging in most SCADA networks, and they have limited security and very, very slow patch cycles," Schouwenberg explained, making the long-patched MS08-067 exploit perfect for the job.
Put all that together, and the picture is "scary," said O Murchu.
So scary, so thorough was the reconnaissance, so complex the job, so sneaky the attack, that both O Murchu or Schouwenberg believe it couldn't be the work of even an advanced cybercrime gang.
"I don't think it was a private group," said O Murchu. "They weren't just after information, so a competitor is out. They wanted to reprogram the PLCs and operate the machinery in a way unintended by the real operators. That points to something more than industrial espionage."
The necessary resources, and the money to finance the attack, puts it out the realm of a private hacking team, O Murchu said.
"This threat was specifically targeting Iran," he continued. "It's unique in that it was able to control machinery in the real world."
"All the different circumstances, from the multiple zero-days to stolen certificates to its distribution, the most plausible scenario is a nation-state-backed group," said Schouwenberg, who acknowledged that some people might think he was wearing a tin foil hat when he says such things. But the fact that Iran was the No. 1 target is telling.
"This sounds like something out of a movie," Schouwenberg said. "But I would argue it's plausible, suddenly plausible, that it was nation-state-backed."
"This was a very important project to whoever was behind it," said O Murchu. "But when an oil pipeline or a power plant is involved, the stakes are very high."
And although Siemens maintains that the 14 plants it found with infected SCADA systems were not affected or damaged by Stuxnet, O Murchu and Schouwenberg weren't so sure.
Experts have disagreed about when the Stuxnet attacks began -- Kaspersky believes it was as early as July 2009, while Symantec traced attacks back to January 2010 -- but they agree that the worm went undetected for months.
"We don't know if they succeeded or not, but I imagine that they got to the targets that they wanted," said O Murchu, citing the stealthy nature and sophistication of the worm.
"The command-and-control infrastructure of Stuxnet is very, very primitive, very basic," said Schouwenberg. "I think they were convinced that they would be able to do what they wanted before they were detected."
O Murchu will present a paper on Symantec's Stuxnet work at the Virus Bulletin security conference, which is slated to kick off Sept. 29 in Vancouver, British Columbia. Researchers from Microsoft and Kaspersky will present a separate paper at the same conference.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- University of North Florida breach exposes data on 107,000 individuals
- Zeus Trojan bust reveals sophisticated 'money mules' operation in U.S.
- GAO slams White House for failing to lead on cybersecurity
- Man charged with attack on Web site of Fox News' Bill O'Reilly
- Heartland breach expenses pegged at $140M -- so far
- IT contractor gets five years for $2M credit union theft
- Democracy would suffer if Google left China, says MIT panel
- Gonzalez accomplice gets five years for hacking TJX
- Threat of cyberattacks from overseas high, federal IT execs say
- Botnets 'the Swiss Army knife of attack tools'
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts