A Symantec Corp. expert thinks Stuxnet, a worm first discovered on PCs in Iran in July that has since attacked several industrial control systems, signals the start of a never-before-seen breed of cyber attack intentionally designed to inflict massive harm in the physical world.
“The intent of this threat is clearly not trying to steal information, but in some way get into industrial control systems to be in a position to potentially create destruction,” said Gerry Egan, director of product management with Cupertino, Calif.-based Symantec.
With end users’ lives increasingly tethered to smart devices, Egan said there has to be an awareness that these machines are beginning to, and have, come under attack.
“It is a very significant milestone on the threat landscape without a doubt,” said Egan.
Stuxnet was found in Iran by researchers at Belarus-based security firm VirusBlokAda Ltd. this summer. Specifically built to target Siemens AG industrial control systems, it has since managed to affect a number of Siemens plants but did not cause production malfunction or damage.
Stuxnet is hardly run-of-the-mill, with characteristics that couldn’t have come easy. Egan estimates its creation took six months and between five and 10 people with extensive knowledge of the Windows operating system and industrial control systems software and hardware.
Moreover, Stuxnet exploits four zero-day vulnerabilities. Putting that in perspective, Symantec’s 2009 Threat Report listed only 12 known zero-day vulnerabilities. The makers of Stuxnet also went to the trouble to use two stolen digital certificates, and two rootkits.
“All that together means an incredible effort went into this,” said Egan.
To top it all, there was a bit of social engineering effort involved. The worm took advantage of a Windows vulnerability, then unknown and since patched, and spreads between machines via USB stick. “How did these USB keys come to be inside these organizations? Well maybe they were dropped in the parking lot outside,” said Egan. “We don’t quite know what the mechanics were.”
Although Egan refused to conjecture what the identities of the makers were, he did say “it looks like a lot of effort went into this, so it was a well-funded body, well-organized.”
But Kaspersky Lab researcher Roel Schouwenberg did say Stuxnet is very likely the work of a nation state. “This sounds like something out of a movie,” Schouwenberg said. “But I would argue it’s plausible, suddenly plausible, that it was nation state-backed.”
Egan said 10 to 15 years ago, people were well aware of the potential security threats lurking in the form of floppy disks. But today, he’s not quite sure there exists the same perception about USB keys.
With files from Gregg Keizer of ComputerWorld U.S.
Follow Kathleen Lau on Twitter: @KathleenLau
