Is Stuxnet the 'best' malware ever?
And they were clever, said Schouwenberg.
Once inside a company, Stuxnet used the MS08-067 exploit only if it knew that the target was part of a SCADA network. "There's no logging in most SCADA networks, and they have limited security and very, very slow patch cycles," Schouwenberg explained, making the long-patched MS08-067 exploit perfect for the job.
Put all that together, and the picture is "scary," said O Murchu.
So scary, so thorough was the reconnaissance, so complex the job, so sneaky the attack, that both O Murchu or Schouwenberg believe it couldn't be the work of even an advanced cybercrime gang.
"I don't think it was a private group," said O Murchu. "They weren't just after information, so a competitor is out. They wanted to reprogram the PLCs and operate the machinery in a way unintended by the real operators. That points to something more than industrial espionage."
The necessary resources, and the money to finance the attack, puts it out the realm of a private hacking team, O Murchu said.
"This threat was specifically targeting Iran," he continued. "It's unique in that it was able to control machinery in the real world."
"All the different circumstances, from the multiple zero-days to stolen certificates to its distribution, the most plausible scenario is a nation-state-backed group," said Schouwenberg, who acknowledged that some people might think he was wearing a tin foil hat when he says such things. But the fact that Iran was the No. 1 target is telling.
"This sounds like something out of a movie," Schouwenberg said. "But I would argue it's plausible, suddenly plausible, that it was nation-state-backed."
"This was a very important project to whoever was behind it," said O Murchu. "But when an oil pipeline or a power plant is involved, the stakes are very high."
And although Siemens maintains that the 14 plants it found with infected SCADA systems were not affected or damaged by Stuxnet, O Murchu and Schouwenberg weren't so sure.
Experts have disagreed about when the Stuxnet attacks began -- Kaspersky believes it was as early as July 2009, while Symantec traced attacks back to January 2010 -- but they agree that the worm went undetected for months.
"We don't know if they succeeded or not, but I imagine that they got to the targets that they wanted," said O Murchu, citing the stealthy nature and sophistication of the worm.
"The command-and-control infrastructure of Stuxnet is very, very primitive, very basic," said Schouwenberg. "I think they were convinced that they would be able to do what they wanted before they were detected."
O Murchu will present a paper on Symantec's Stuxnet work at the Virus Bulletin security conference, which is slated to kick off Sept. 29 in Vancouver, British Columbia. Researchers from Microsoft and Kaspersky will present a separate paper at the same conference.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- University of North Florida breach exposes data on 107,000 individuals
- Zeus Trojan bust reveals sophisticated 'money mules' operation in U.S.
- GAO slams White House for failing to lead on cybersecurity
- Man charged with attack on Web site of Fox News' Bill O'Reilly
- Heartland breach expenses pegged at $140M -- so far
- IT contractor gets five years for $2M credit union theft
- Democracy would suffer if Google left China, says MIT panel
- Gonzalez accomplice gets five years for hacking TJX
- Threat of cyberattacks from overseas high, federal IT execs say
- Botnets 'the Swiss Army knife of attack tools'
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Malware and Vulnerabilities White Papers | Webcasts