Stuxnet may have been a super-sophisticated cyber weapon deployed by state actors, but future generations of the malware will be available to run-of-the-mill script kiddies, a noted expert on security and industrial control systems warned in a letter to the U.S. Congress ten months ago.
Ralph Langner, the UK-based security consultant, released a copy of a confidential letter addressed to a member of the U.S. House of Representatives. In it, Langner warns that malicious hackers will use the Stuxnet worm’s code as a foundation for a generic malware platform to attack programmable logic controllers.
“Sooner or later, every script kiddy (sp) will be able to assemble and distribute it as worm payload,” Langner warns.
The warning comes the same week as officials at the Department of Homeland Security (DHS) warned members of Congress about the threat posed by future Stuxnet worm variants.
In a statement published on Tuesday, Sean P. McGurk and Roberta Stempfley of the DHS’ Office of Cyber Security and Communications warned that as the makeup of Stuxnet becomes increasingly public, attackers could cultivate their own copycat variants of the worm. Their statement was part of a hearing by the House Subcommittee on Oversight and Investigations on Tuesday.
Langner seconded that in a blog post on Friday, saying he was “very much concerned about the threat of Stuxnet-inspired attacks.” A copy of his e-mail, dated September 19, 2010, is included in the blog post and is addressed to a “Congressperson who is concerned with critical infrastructure protection against cyber threats,” Langner said. The name of the member of Congress the e-mail was addressed to was obscured.
In the e-mail, Langner reiterated positions he has articulated publicly before. While many of the Windows-based vulnerabilities used by the worm have been fixed, other Stuxnet vulnerabilities “cannot be patched,” he says, referring to problems that are inherent to the way SCADA and industrial control systems are designed and deployed. He also said that, while Congress and the public have focused on the sophisticated nature of Stuxnet and the attack on Iran’s uranium enrichment facilities, attacks against critical infrastructure do not require sophisticated attackers.
“One can use exploit code to attack PLCs without any insider knowledge at all,” Langner wrote.
The Stuxnet worm was highly targeted at a particular type of programmable logic controller and a particular type of operation. However, the worm wasn’t perfect. Within the foreseeable future, Langner warned, denial of service attacks against critical infrastructure and other systems that rely on programmable logic controllers could be at the fingertips of even unsophisticated hackers.
Since it was first detected just over a year ago, Stuxnet has been analyzed in detail.
The analysis supports the idea that the worm was created by nation-state actors – possibly the U.S. in cooperation with Israel. The worm’s source code has also been leaked online by members of the hacktivist group Anonymous. Security experts warn that the code could serve as the foundation for future variants.
“With the growing public body of knowledge on Stuxnet, the risk increases that these more capable for-hire teams’ efforts may be informed by the Stuxnet design,” Kurt Baumgartner, a senior security researcher at Kaspersky Lab, told Threatpost.