Anthony Doesburg: Stuxnet mystery: Israel, bluff, or double bluff?


By Anthony Doesburg

Iran's Bushehr nuclear power plant, one of the sites the Stuxnet computer worm may have been aimed at. Photo / AP

Did they or didn’t they? Was the Stuxnet computer worm the work of an Israeli cyberwarfare team or of some other government wanting to implicate Israel?

The answer, says United States security specialist Bruce Schneier, writing on Forbes.com, is unlikely ever to be known.

Certainly, the London-based Jewish Chronicle reported last week that Israel wasn’t admitting to having created the worm. But the paper pointed out that the country has the capability – within Unit 8200 of the Israeli Defence Force – to do so.

And it quotes the head of the IDF’s intelligence branch, Major General Amos Yadlin, saying last year that “cyber will be the new battlefield” of war. The IDF had over the past year “formalised its cyber efforts”, the paper said.

Stuxnet is such a sophisticated piece of software that there’s little dispute it’s the work of a national government, says Sydney-based Steve Martin of antivirus software company Symantec.

“The theory is, it looks like it’s government-based rather than from a private entity or criminals, and that probably narrows down the field somewhat,” he says.

But like Schneier, he believes the many law enforcement and intelligence agencies that will be trying to trace Stuxnet’s source have little chance of success.

“They want to find its origins, but more, they want to understand the strategy, because this really is the type of malicious code that is ideal for cyberwarfare. If I was a country intent on invading another, before I did that it would be pretty powerful to disrupt their electricity grid or water supplies or other services.”

The finger keeps pointing at Israel because the main victim of Stuxnet, which first surfaced in June, was Iran. The worm, which targets Siemens’ Step7/WinCC industrial control software and the programmable logic controllers it manages, appears to have disrupted Iran’s fledgling nuclear industry, a flashpoint for tension particularly with Israel and the US.

Fuelling the speculation that Israel is responsible are clues in the Stuxnet code itself. The worm records a value of “19790509” in the Windows registry, or settings database, of infected computers, and will not install on a machine where that value is already present. The digits can be read as the date in 1979 when Iran executed Persian Jew Habib Elghanian for spying for Israel.
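Because the worm checks that registry marker before installing, defenders have used it as a crude “inoculation”: if the value is already there, a Stuxnet sample that honours the check exits without installing. The following is an added example written for this page, not code from the article, from Symantec or from the worm’s analysts. The registry key path and value name are taken from Symantec’s published W32.Stuxnet analysis and are an assumption here (the article gives only the value 19790509); the function names are hypothetical.

```powershell
# Added example: check for, and optionally set, the registry value Stuxnet uses
# as an "already installed" marker. Key and value name are assumed from Symantec's
# published analysis; the article itself only states the value 19790509.
$StuxnetMarkerKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation'
$StuxnetMarkerName  = 'NTVDM TRACE'
$StuxnetMarkerValue = 19790509   # the digits read by some as the date 1979-05-09

function Test-StuxnetMarker {
    # Returns $true only when the marker exists with exactly the value the worm looks for.
    $item = Get-ItemProperty -Path $StuxnetMarkerKey -Name $StuxnetMarkerName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int64]$item.$StuxnetMarkerName -eq $StuxnetMarkerValue)
}

function Set-StuxnetMarker {
    # "Inoculates" the host: a sample that honours the marker exits before installing.
    # Needs administrator rights (HKLM). It is not a substitute for patching the
    # vulnerabilities the worm exploits, nor for scanning for the worm itself, and it
    # does nothing against a variant that ignores or changes the marker.
    if (-not (Test-Path $StuxnetMarkerKey)) {
        New-Item -Path $StuxnetMarkerKey -Force | Out-Null
    }
    New-ItemProperty -Path $StuxnetMarkerKey -Name $StuxnetMarkerName `
        -PropertyType DWord -Value $StuxnetMarkerValue -Force | Out-Null
}

# Usage: run as administrator on a Windows host.
if (Test-StuxnetMarker) {
    # Presence is ambiguous: either someone inoculated this host, or the worm has
    # already run here and written its own marker. Treat it as a lead, not a clean bill.
    Write-Output "Marker present: check whether this host was inoculated or infected."
} else {
    Write-Output "Marker absent."
    # Uncomment to inoculate:
    # Set-StuxnetMarker
}
```

The ambiguity in the “present” branch is the practical caveat: the same value that blocks infection is also what an infected machine carries, so a marker found on a host nobody deliberately inoculated is an indicator to investigate rather than a reassurance.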

Elsewhere in the code can be found the word “myrtus”, Latin for the myrtle plant. The Hebrew word for myrtle is hadassah; Queen Esther, who in the fourth century BC saved Persian Jews from genocide, was named Hadassah.

Equally, myrtus might mean “my RTUs”, where RTU stands for remote terminal unit, an industrial control system component.

But obvious markers of Israeli authorship of the worm could be intended to throw investigators off the scent, Martin says.

“That could well be in there to confuse those trying to track down the source, which is a highly likely tactic for whoever has written the code.”

Or Israel might have wanted it to look as though it was being framed.

If it was the work of Israel, Jerusalem Post columnist Caroline Glick wrote last weekend, it showed the country was maintaining a technological edge over its enemies, which was “a great relief”.

Symantec estimates up to 10 programmers would have taken six months to write Stuxnet, clearly making it a government-sponsored – albeit illegal – effort.

The worm relies on four “zero-day exploits” – hitherto unknown security vulnerabilities – plus one older, already patched Windows flaw, to infect Windows computers en route to the industrial controllers that are its target. Martin says zero-day exploits are a rare commodity.

“To put that into perspective, in 2009 a total of 12 zero-day threats were identified.”

Symantec is less interested in Stuxnet’s origins than in preventing its spread. As far as Martin is aware, no New Zealand or Australian organisation has suffered damage from it. “The clear advice to organisations with industrial control systems is, first, make sure your security software is up to date on your PC network, and that you’ve scanned for this particular worm.”

Typically industrial control systems only come in contact with an organisation’s PC network through the intermediary of a USB memory stick, which might be used to transfer a software update. Stuxnet’s shortcut-file (.lnk) exploit, which fires when Windows merely displays the stick’s contents, was built for exactly that path across an otherwise isolated network.

“This is the single biggest threat we have seen and it has the potential for causing catastrophic consequences,” Martin says. “One would imagine that if I could turn off a cooling system in a nuclear plant, and also turn off the alarm that it was overheating, that I could get some sort of meltdown. This code absolutely has the potential to do that.”

Anthony Doesburg is an Auckland technology journalist.

Oct 18, 2010

