Stuxnet spyware targets industrial facilities, via USB memory stick
Beware the USB memory stick. Infected sticks are the means by which a mystery spyware, dubbed Stuxnet, is penetrating control systems of industrial facilities and utilities around the globe, say cybersecurity experts.
(Page 2 of 3)
Attackers' intentions unclear
But the breadth of the threat could be far larger. The spyware has at least 5,000 functions, and only that one basic function – the database download – is well-understood so far, Frank Boldewin, an independent computer security researcher analyzing Stuxnet, writes in an e-mail interview.
"It's still unclear what exactly are the intentions of the attackers," he writes. "Someone might slightly change a process course, shut down the SCADA control servers, delete the database and so forth with a sabotage factor in mind, but I haven't found any code-snippets yet which instruct a hacked SCADA system to do so."
Electric utilities, like many companies, are known to be under attack around the clock by attackers probing their Internet firewalls. News reports last year suggested that some power-grid defenses may already have been penetrated by elite nation-state cyberattackers who may have planted "malware" bombs to deactivate or destroy a power system, or may have installed trap-door access for a future covert attack.
But nearly all of the publicly known cyberdamage to power stations' computer controls has come from viruses rampaging on the Internet that workers accidentally introduced onto their companies' systems. That's not the case now.
"When power plants got hit before, it was always collateral damage from other Internet-based attacks," says Eric Byres, a controls systems expert with Byres Security in Vancouver. "Now it's clear that software-running generators and transmission systems and chemical plants are no longer just collateral damage – they are in the bull's-eye."
Symantec, the big antivirus company, was recently reporting 9,000 attempted infiltrations per day, worldwide, using the Stuxnet zero-day flaw in Microsoft operating systems. Microsoft reports about 1,000 new computers infiltrated per day. Any new USB drive or any device with a computer memory chip – including cameras and music players – that is plugged into an infected system becomes a transmitter of the worm.
Home computers vulnerable, too
Any computer hit by the spyware – even home computers that don't have Siemens software – will have a "back door" installed on it that could potentially be exploited later, Mr. Byres says. Antivirus companies are working on a short-term fix. Microsoft, too, is working on a patch for its operating system – and has recommended some interim steps to help safeguard computers. But virtually every computer with a Microsoft operating system today remains vulnerable to attack, say Byres and other experts.
While a wide array of attack software is widely available on the Internet, the unusually sophisticated techniques used in the Stuxnet attack indicate that a large, well-funded, very sophisticated organization is most likely behind the attack, several experts say.
"The significance of this attack is that this is a really serious piece of malware that upped the ante for all of us about what the bad guys are doing," says Ed Skoudis, cofounder of InGuardians, a software security firm. "The techniques being used here go way beyond what we've seen even from sophisticated organized crime groups."
Three things the spyware does
First, the spyware uses a "zero-day" attack – a vulnerability that neither Microsoft nor antivirus companies knew existed. As a result, antivirus and other defenses were unprepared for it.
Second, the spyware managed to fool personal computer security systems by using a real, not a forged, digital certificate (the cryptographic credential that vouches for who published a piece of software) from a computer company named RealTek. That circumvented another Microsoft barrier, giving the spyware automatic permission to install. It's possible that the keys used to create the digital certificates were stolen – a serious problem, but not as serious as if attackers could create such certificates themselves. A variant of Stuxnet (one that uses another company's apparently stolen digital certificate) has already been found.
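Because a driver signed with a stolen but genuine publisher certificate installs without complaint, a defender's counter-check is to audit the signatures of the drivers actually present on a machine. The script below is an added example for this article, not code from the researchers or companies quoted; the watch-list contents are an assumption (the article names only RealTek), and a hit means the signer warrants review, not that the driver is malicious.

```powershell
# Added defender-side example (not from the article): audit the Authenticode
# signatures of installed kernel drivers and flag those that are unsigned,
# invalid, or signed by a publisher on a watch list.
# ASSUMPTION: the watch list below is illustrative; populate it from your own
# intelligence on publishers whose signing keys were reported stolen.
$WatchListPublishers = @('Realtek')

function Get-DriverSignatureReport {
    # Win32_SystemDriver lists kernel drivers together with their on-disk image path
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may be in \??\C:\... or \SystemRoot\... form; normalise it
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }

            # Status is Valid, NotSigned, HashMismatch, NotTrusted, ... depending on the chain
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

            $onWatchList = $false
            foreach ($publisher in $WatchListPublishers) {
                if ($signer -like "*$publisher*") { $onWatchList = $true }
            }

            [pscustomobject]@{
                Driver     = $_.Name
                Path       = $path
                Status     = $sig.Status
                Signer     = $signer
                Thumbprint = $thumb
                Flag       = ($sig.Status -ne 'Valid') -or $onWatchList
            }
        }
}

# Show only the drivers that need a second look
Get-DriverSignatureReport | Where-Object Flag | Format-Table Driver, Status, Signer, Thumbprint -AutoSize
```

Most drivers signed by a watch-listed publisher will be legitimate, so compare the reported Thumbprint against the certificates the publisher has acknowledged as its own before drawing conclusions.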