It’s hard to think of a story in the last few years that has generated more hype, conjecture, posturing, hyperbole and misdirection than Stuxnet, with the possible exception of the Aurora attacks. The commentary and hype around Stuxnet has shifted and morphed over the last few months, and now it seems to have coalesced around the idea that the malware was the work of Israeli intelligence and targeted specifically at Iran’s nuclear program. But this line of thinking fits together all too easily and has a number of inherent flaws.
Stuxnet is a fascinating piece of malware on a number of different levels, even without taking into account the possible nation-level involvement in the attack. The malware itself is, by all accounts, highly sophisticated, both in terms of its design and the systems that it targets. Everyone knows by now that Stuxnet had exploits for several bugs that were previously unknown (or at least not known very widely), including one in a Siemens software package that is used in industrial control systems.
The combination of these factors, as well as some circumstantial evidence such as the high number of Stuxnet infections in Iran and clues in Stuxnet’s code, have led many to conclude that the worm was the brainchild of programmers in Israel and was specifically designed to cripple Iran’s nuclear program.
What the sophistication of Stuxnet shows is a level of professionalism and seriousness that normally is attributed to governments and their intelligence agencies. They have the motive, the means and the opportunity to create a piece of malware of the magnitude of Stuxnet and pinning this on the government of Israel is perhaps a logical conclusion, given some of the evidence. There’s a hidden reference in the worm’s code to a date on which an Iranian Jew was executed, as well as some vague Biblical connections. Iran and Israel have a hostile, complicated history, and Israel also is thought to have elite offensive information security capabilities. And Iran had a huge number of Stuxnet infections, including at its Bushehr nuclear plant, which Israel presumably has a vested interest in damaging. Add that all together and you get a seemingly solid case for Israel having unleashed Stuxnet on Iran.
But when you remove the politically and religiously charged aspects of the discussion, this storyline begins to fall apart a bit. The politics, in fact, are mostly beside the point. Change the names of Stuxnet’s alleged target and creator from Iran and Israel to Company A and Hacking Crew B, and very little of the current narrative makes sense.
First, for the sake of this discussion, let’s stipulate that Stuxnet is the work of a professional, well-funded group of skilled developers. If that’s so, then the first question we need to ask is, what was their motive? The answer right now is that no one knows. People working under the assumption that the Bushehr plant was Stuxnet’s intended target work backward from there and make the secondary assumption that the motive was to disrupt the plant’s operations and/or steal some confidential data about the way the plant works. That leads to questions of who would want to attack the Bushehr plant, and that leads to Israel.
The problem here is that we don’t know for sure that Bushehr was the actual target. Machines in the plant were infected, but so were machines in more than a dozen other industrial plants running the vulnerable Siemens software, as well as thousands of Windows machines around the world. Bushehr was one infection point, but it’s virtually impossible to know for sure whether it was the main target and everything else was collateral damage.
Given our stipulation above about the creators of Stuxnet, it would serve absolutely no purpose for the malware’s creators to leave any kind of clue behind that might link the worm back to them. There doesn’t seem to be any sort of mechanism in Stuxnet that points to it being designed to make money, so if the worm truly was meant to attack a nuclear plant, its creators would have every reason to hide their own fingerprints. These are not amateurs looking for fame and props from their peers. Intel agencies are in the business of keeping their activities as quiet and unobtrusive as possible. In that world, noisy is bad.
There are no clear benefits that would accrue to Stuxnet’s creators if they made it easy for people to identify them. In fact, there are some major deterrents, including possible retaliation from the target.
On the other hand, the Israel-Iran story is a very easy one for people to process. It makes sense on a lot of levels and it’s much more comfortable than any of the alternatives. There are a number of other countries that have no desire to see Iran bring a nuclear plant on line–including the United States, the U.K. and their allies. And there are likely plenty of professional attackers with the skills to create Stuxnet, perhaps with their eye on an entirely different target.
Unless Stuxnet’s creator steps forward, we’ll likely never know for certain. But we’re also likely to see many more incidents like Stuxnet in the coming years, and they won’t all fit into a cookie-cutter narrative.