Stock up on the ketamine and brace yourselves for a relentless new assault of PR-driven cyberwar scare stories. On Friday The New York Times confirmed that Barack Obama has been ramping up attacks on Iran’s uranium enrichment facilities — and yes, the Stuxnet worm was a joint US-Israeli operation.
When it was first discovered in November 2010, Stuxnet represented a breakthrough in malicious software: it caused damage in the physical world. It infiltrated computer networks, took over industrial controllers — the so-called SCADA systems — and sought out the specific type of centrifuges used by Iran’s nuclear program.
Then, while feeding the operators in the control room false data that said everything was running normally, it sped up and slowed down the centrifuges, ruining that batch of enriched uranium and damaging the centrifuges themselves.
The information security world has long assumed that Stuxnet was produced by the US, or Israel, or both. They had the skills and potential motive.
Now The New York Times’ 18-month investigation has confirmed that Stuxnet was part of an operation code named Olympic Games, begun in the Bush era and significantly expanded under the direct orders of Obama.
“Mr Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade,” The New York Times writes.
“He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.”
Indeed, the US has repeatedly stated that an attack on its digital infrastructure could be responded to with a physical counter attack — “kinetic warfare” as opposed to “cyber warfare”, to use the current jargon.
At last month’s AusCERT 2012 information security conference, US Department of Defence lawyer Robert Clark outlined how the law of armed conflict applies to the online world. There are gaps, major gaps, when it comes to defining an appropriate scope for action.
However, something isn’t legally an act of war unless it is conducted by a nation-state, and the nation-state victim calls it one. In the case of Stuxnet, that first condition has now been fulfilled. Stand by for Iran’s move.
Meanwhile, analysts are cutting through the hype of the Flame worm, whose discovery was announced last week by Kaspersky Lab. The “most complex malware ever seen” claims are starting to be moderated.
“From my perspective, there’s nothing really gee-whiz about Flame, with the exception of … the interaction it has with Bluetooth devices,” said Trend Micro senior threat researcher Paul Ferguson on today’s Patch Monday podcast.
Sure, Flame is 20 times the size of Stuxnet, but size isn’t a measure of complexity. Flame is loaded with libraries of program code, much like a traveller might take 15 suitcases of clothes to cope with every possible destination. And the complexity of the tool used has little relationship to the seriousness of the security breach.
“We have seen much more serious targeted attacks with data being exfiltrated targeted at some very important technology companies in the past couple of years that seem more disconcerting,” Ferguson said.
He means things like the attack on security company RSA that stole information vital to the operation of the SecurID tokens used by all manner of secure organisations — though RSA claims that in the end no harm was done. Or things like the attack on DigiNotar, a company that produced the SSL certificates used to authenticate secure website connections.
The latter we know was conducted from Iran, and we know it allowed the Iranian government to intercept supposedly secure communications via Google’s Gmail, Microsoft’s Hotmail and others. People are dead as a result.
Ferguson’s colleague Paul Ferguson (no relation) noted Flame’s PR value for Kaspersky, and the pressure he gets from Trend Micro’s PR department to hype up their discoveries. But far from being a revolution in malware sophistication, Flame seems to be more evolutionary.