Is Stuxnet the 'best' malware ever?
And they were clever, said Schouwenberg.
Once inside a company, Stuxnet used the MS08-067 exploit only if it knew that the target was part of a SCADA network. "There's no logging in most SCADA networks, and they have limited security and very, very slow patch cycles," Schouwenberg explained, making the long-patched MS08-067 exploit perfect for the job.
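The point Schouwenberg makes is that a fix published in 2008 was still usable against control-system hosts because those hosts are patched slowly and rarely send logs anywhere. The check a defender would want is an inventory pass that surfaces exactly those hosts. The script below is an added example, not code from the article or from Symantec or Kaspersky: it scores each host in a constructed asset inventory by whether the MS08-067 fix (KB958644, released 23 October 2008, both real identifiers) is installed, whether the host sits in the SCADA segment, and whether it ships logs. The host names, segment labels, `KB000000-example` placeholder and the `AS_OF` date are constructed for the demonstration.

```python
"""Patch-gap report for hosts in an ICS/SCADA segment.

Added example (constructed data); it is not code from the Computerworld
article nor from Symantec or Kaspersky. It flags hosts that still lack the
MS08-067 fix and ranks them by how hard an attack on them would be to notice.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MS08_067_KB = "KB958644"              # real KB number of the MS08-067 fix
MS08_067_RELEASED = date(2008, 10, 23)  # real release date of that bulletin


@dataclass(frozen=True)
class Host:
    name: str
    segment: str                        # constructed labels: "scada" or "corporate"
    installed_kbs: frozenset            # KB identifiers reported by the host
    last_log_received: Optional[date]   # None means the host ships no logs at all


def patch_age_days(as_of: date) -> int:
    """How many days the fix has been available as of the report date."""
    return (as_of - MS08_067_RELEASED).days


def logging_stale(host: Host, as_of: date, max_age: timedelta = timedelta(days=1)) -> bool:
    """True when the host has never sent logs or its last log is older than max_age."""
    return host.last_log_received is None or (as_of - host.last_log_received) > max_age


def risk_score(host: Host, as_of: date) -> int:
    """0 when patched; otherwise 1, +2 for the SCADA segment, +1 when logging is absent."""
    if MS08_067_KB in host.installed_kbs:
        return 0
    score = 1
    if host.segment == "scada":
        score += 2                      # slow patch cycles, physical consequences
    if logging_stale(host, as_of):
        score += 1                      # exploitation would leave no trace to review
    return score


def patch_gap_report(inventory, as_of: date):
    """Hosts still missing the MS08-067 fix, highest risk first."""
    rows = []
    for host in inventory:
        score = risk_score(host, as_of)
        if score:
            rows.append({
                "host": host.name,
                "segment": host.segment,
                "risk": score,
                "patch_age_days": patch_age_days(as_of),
                "logging_stale": logging_stale(host, as_of),
            })
    rows.sort(key=lambda r: (-r["risk"], r["host"]))
    return rows


# Constructed inventory: one unpatched HMI with no logging, one patched
# engineering workstation, one unpatched corporate file server that does log.
INVENTORY = [
    Host("hmi-01", "scada", frozenset({"KB000000-example"}), None),
    Host("eng-ws-02", "scada", frozenset({"KB000000-example", MS08_067_KB}), date(2010, 9, 24)),
    Host("corp-fs-01", "corporate", frozenset({"KB000000-example"}), date(2010, 9, 24)),
]
AS_OF = date(2010, 9, 24)               # constructed report date

if __name__ == "__main__":
    for row in patch_gap_report(INVENTORY, AS_OF):
        print(row)
```

Run as-is, the report lists `hmi-01` first with a risk of 4 (unpatched, SCADA segment, no logs) and `corp-fs-01` with a risk of 1; `eng-ws-02` does not appear because the fix is installed. Feeding it a real inventory means replacing `INVENTORY` with the output of whatever patch-reporting and log-collection tooling the site already runs.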
Put all that together, and the picture is "scary," said O Murchu.
So scary, so thorough was the reconnaissance, so complex the job, so sneaky the attack, that both O Murchu and Schouwenberg believe it couldn't be the work of even an advanced cybercrime gang.
"I don't think it was a private group," said O Murchu. "They weren't just after information, so a competitor is out. They wanted to reprogram the PLCs and operate the machinery in a way unintended by the real operators. That points to something more than industrial espionage."
The necessary resources, and the money to finance the attack, put it outside the realm of a private hacking team, O Murchu said.
"This threat was specifically targeting Iran," he continued. "It's unique in that it was able to control machinery in the real world."
"All the different circumstances, from the multiple zero-days to stolen certificates to its distribution, the most plausible scenario is a nation-state-backed group," said Schouwenberg, who acknowledged that some people might think he was wearing a tin foil hat when he says such things. But the fact that Iran was the No. 1 target is telling.
"This sounds like something out of a movie," Schouwenberg said. "But I would argue it's plausible, suddenly plausible, that it was nation-state-backed."
"This was a very important project to whoever was behind it," said O Murchu. "But when an oil pipeline or a power plant is involved, the stakes are very high."
And although Siemens maintains that the 14 plants it found with infected SCADA systems were not affected or damaged by Stuxnet, O Murchu and Schouwenberg weren't so sure.
Experts have disagreed about when the Stuxnet attacks began -- Kaspersky believes it was as early as July 2009, while Symantec traced attacks back to January 2010 -- but they agree that the worm went undetected for months.
"We don't know if they succeeded or not, but I imagine that they got to the targets that they wanted," said O Murchu, citing the stealthy nature and sophistication of the worm.
"The command-and-control infrastructure of Stuxnet is very, very primitive, very basic," said Schouwenberg. "I think they were convinced that they would be able to do what they wanted before they were detected."
O Murchu will present a paper on Symantec's Stuxnet work at the Virus Bulletin security conference, which is slated to kick off Sept. 29 in Vancouver, British Columbia. Researchers from Microsoft and Kaspersky will present a separate paper at the same conference.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.