It’s hard to think of a story in the last few years that has generated more hype, conjecture, posturing, hyperbole and misdirection than Stuxnet, with the possible exception of the Aurora attacks. The commentary and hype around Stuxnet have shifted and morphed over the last few months, and now they seem to have coalesced around the idea that the malware was the work of Israeli intelligence and targeted specifically at Iran’s nuclear program. But this line of thinking fits together all too easily and has a number of inherent flaws.

Stuxnet is a fascinating piece of malware on a number of different levels, even without taking into account the possible nation-level involvement in the attack. The malware itself is, by all accounts, highly sophisticated, both in terms of its design and the systems that it targets. Everyone knows by now that Stuxnet had exploits for several bugs that were previously unknown (or at least not known very widely), including one in a Siemens software package that is used in industrial control systems.

The combination of these factors, as well as some circumstantial evidence such as the high number of Stuxnet infections in Iran and clues in Stuxnet’s code, has led many to conclude that the worm was the brainchild of programmers in Israel and was specifically designed to cripple Iran’s nuclear program.

What the sophistication of Stuxnet shows is a level of professionalism and seriousness that normally is attributed to governments and their intelligence agencies. They have the motive, the means and the opportunity to create a piece of malware of the magnitude of Stuxnet and pinning this on the government of Israel is perhaps a logical conclusion, given some of the evidence. There’s a hidden reference in the worm’s code to a date on which an Iranian Jew was executed, as well as some vague Biblical connections. Iran and Israel have a hostile, complicated history, and Israel also is thought to have elite offensive information security capabilities. And Iran had a huge number of Stuxnet infections, including at its Bushehr nuclear plant, which Israel presumably has a vested interest in damaging. Add that all together and you get a seemingly solid case for Israel having unleashed Stuxnet on Iran.

But when you remove the politically and religiously charged aspects of the discussion, this storyline begins to fall apart a bit. The politics, in fact, are mostly beside the point. Change the names of Stuxnet’s alleged target and creator from Iran and Israel to Company A and Hacking Crew B, and very little of the current narrative makes sense.

First, for the sake of this discussion, let’s stipulate that Stuxnet is the work of a professional, well-funded group of skilled developers. If that’s so, then the first question we need to ask is, what was their motive? The answer right now is that no one knows. People working under the assumption that the Bushehr plant was Stuxnet’s intended target work backward from there and make the secondary assumption that the motive was to disrupt the plant’s operations and/or steal some confidential data about the way the plant works. That leads to questions of who would want to attack the Bushehr plant, and that leads to Israel.

The problem here is that we don’t know for sure that Bushehr was the actual target. Machines in the plant were infected, but so were machines in more than a dozen other industrial plants running the vulnerable Siemens software, as well as thousands of Windows machines around the world. Bushehr was one infection point, but it’s virtually impossible to know for sure whether it was the main target and everything else was collateral damage.

Given our stipulation above about the creators of Stuxnet, it would serve absolutely no purpose for the malware’s creators to leave any kind of clue behind that might link the worm back to them. There doesn’t seem to be any sort of mechanism in Stuxnet that points to it being designed to make money, so if the worm truly was meant to attack a nuclear plant, its creators would have every reason to hide their own fingerprints. These are not amateurs looking for fame and props from their peers. Intel agencies are in the business of keeping their activities as quiet and unobtrusive as possible. In that world, noisy is bad.

There are no clear benefits that would accrue to Stuxnet’s creators if they made it easy for people to identify them. In fact, there are some major deterrents, including possible retaliation from the target.

On the other hand, the Israel-Iran story is a very easy one for people to process. It makes sense on a lot of levels and it’s much more comfortable than any of the alternatives. There are a number of other countries that have no desire to see Iran bring a nuclear plant online, including the United States, the U.K. and their allies. And there are likely plenty of professional attackers with the skills to create Stuxnet, perhaps with their eye on an entirely different target.

Unless Stuxnet’s creator steps forward, we’ll likely never know for certain. But we’re also likely to see many more incidents like Stuxnet in the coming years, and they won’t all fit into a cookie-cutter narrative.

Categories: Malware, Vulnerabilities

Comments (17)

  1. Anonymous
    1

    What if the creators of Stuxnet knew that the code would be analyzed and implanted the references to lead everyone astray? Maybe Iran created the code and rolled it out to give them a reason to attack Israel?

    Perhaps just stick to the technical analysis of the worm and the conspiracy folks will work their own magic in their own way. You’ll be better off.


  2. Anonymous
    2

    Thank you for expressing a voice of reason in this turbulent environment.  Anyone who understands the implications of Stuxnet, at either a theoretical or technical level, is rightfully impressed and disturbed.  I know I am.  Despite that, however, it is utterly irresponsible for generalists, and especially the experts, to engage in this sort of speculation.  In today’s world, people die over things like this, and now Iran has announced the arrests of Stuxnet ‘spies’.  I can only hope that is propaganda, but regardless, the media and anyone who publishes needs to have responsibility for and awareness of the implications of the content.  I would say shame on the main-stream media, for this and numerous other violations.  However, that is sort of like scolding a dog for getting excited and having an ‘accident’; they just can’t help it, but that’s because the owners often don’t train the dog out of that behaviour.  We certainly have not trained the media out of this sort of aggrandizing and reckless endangerment.  Thank you again for your article, and hopefully as an industry expert, you can help drive the conversation back toward a more productive direction, such as how are all the industries affected across the various critical infrastructures going to address this now confirmed threat?  Who among us would survive if the power went off and didn’t come back on again?  Not so many…

  3. Anonymous
    3

    Well, one starts to see the powers of these infected computers, and how vulnerable we all are.

    Looking into my own computer, I also have a lot of programs installed that can auto-update without me knowing anything. E.g. Adobe Reader, Adobe Flash, Java, Windows Updates etc. Well it’s a bit far-off, but it IS however a tool that might become handy in any war for spying on users/information purposes.

  4. Anonymous
    4

    Interesting article.  Above all, you’re right that nobody can say with any degree of certainty who wrote the package and how it was delivered.  Cause and effect is the modus operandi of logicians, and while the effect points to some cause, such hindsight can lead to some incorrect conclusions, specifically when so much is unknown about Stuxnet.  On the other hand, unlike the US criminal justice system, international law and foreign policy never operate with the same presumption of innocence.

    I would point out, though, that (and this muddies the waters even more so) silent operation should not be assumed to be a priority of the programmers.  Perhaps Israel (or whomever) wanted Iran to be aware of their vulnerability.  Nothing like a good clap on the back from an antagonist to ensure that the target knows that they’re wide open.

  5. Anonymous
    5

    Even after all this, why would one want to run a non-open-source operating system/application?

  6. Anonymous
    6

    Why has nobody traced back the C&C servers? Somebody paid for those, if it wasn’t with a stolen CC# then you have a chance at finding them. Also there are source IPs for managing the whois records out there as well as DNS records.

    If they slipped up just once, you have source IP of real attacker. And if they didn’t you could try and follow the proxy chain.

    Why is everybody looking in the code for answers? Look to the C&C servers!

  7. Anonymous
    7

    Let me see if I’m following:

    So there’s a popular narrative that makes sense, but let’s assume that that’s not what’s going on. Now as we attempt to draw conclusions from this assumption, things make a lot less sense. Therefore, we should assume that nothing makes sense.

    Do I have that right?

  8. Anonymous
    8

    The Russians did it!

    Why don’t we just blame Israel and Mossad then no one will be prosecuted even by the United Nations or the International Criminal Court. It’s just a computer virus, a bit of overtime will fix it. Nothing will bring those murdered on the Freedom Flotilla back to life.

  9. Anonymous
    9

    Always remember Occam’s Razor (although not 100% foolproof, it will definitely help explain who Stuxnet’s creators are).

    Occam’s razor: “The simplest explanation is usually the correct one.”

    When one starts to make up convoluted, improbable, hyperbolic explanations, like the Russian Mafia, or Siemens’ competitors, or space aliens just having fun, then you know they’re trying to deceive and deflect blame……

    In addition, humans are not perfect….Pride and arrogance have been one of our major downfalls, proved time and again from eons of history. Pride and arrogance are the simplest explanation why files were named 19790509 (date of the execution of the prominent Iranian Jew) and Myrtus (Esther, which refers to an ancient myth of foiling a Persian attack against the Hebrews).

    Target: Computer systems controlling Iranian uranium centrifuges at Natanz

    Wow, I cannot believe that Threatpost would engage in red-herring, false-flag-esque commentary that would deflect from the true culprits behind this dangerous weapon.. the creators of this software, and everyone in the world agrees except charlatans, have now endangered so many industrial facilities across the globe…  An Indian Intelsat satellite was disabled because of this software…blowback should be on its way

  10. Be your own investator
    10

    Dudes! Do your own investigation…The Stuxnet Command and Control computers, which are

    mypremierfutbol.com and Todaysfutbol.com

    If you do a whois on these two names they lead back to “Domains by Proxy”, an Arizona-based company that hides client names…Unfortunately they can only divulge identities via


    Instructions:

    1. do a whois lookup for mypremierfutbol.com  and Todaysfutbol.com.

    2. Study the details(dates of inception,

    3. investigate domainsbyproxy.com which holds those current names

    4. come to your own conclusion…..

    In light of the comical explanation of this article..I am going to state that disgruntled space aliens who live in Arizona are responsible….or just use Occam’s razor and know the truth

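The two comments above suggest pivoting on the C&C domains’ WHOIS records (registrar, creation dates, privacy-proxy registrant) rather than on strings in the binary. As an added example that is not part of the article or any commenter’s post, the script below parses WHOIS-style “Key: Value” text for two domains and reports what the registrations share. The WHOIS text embedded in it is constructed placeholder data for illustration only, not real registration records for these domains, and the privacy-proxy marker list is an assumption.

```python
"""Parse WHOIS text records and compare two domains' registration metadata.

Added example; the WHOIS text below is CONSTRUCTED placeholder data,
not real registration records.  Field names follow the common
"Key: Value" layout most registrars' WHOIS output uses (assumed).
"""
import re
from datetime import datetime, timedelta

# Constructed sample records: placeholder values, not real WHOIS data.
SAMPLE_WHOIS = {
    "mypremierfutbol.com": """\
Domain Name: MYPREMIERFUTBOL.COM
Registrar: EXAMPLE REGISTRAR, LLC
Creation Date: 2008-11-12T00:00:00Z
Updated Date: 2010-01-05T00:00:00Z
Registrant Organization: Domains By Proxy, LLC
Registrant Country: US
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
""",
    "todaysfutbol.com": """\
Domain Name: TODAYSFUTBOL.COM
Registrar: EXAMPLE REGISTRAR, LLC
Creation Date: 2008-11-13T00:00:00Z
Updated Date: 2010-01-05T00:00:00Z
Registrant Organization: Domains By Proxy, LLC
Registrant Country: US
Name Server: NS2.EXAMPLE-DNS.NET
Name Server: NS1.EXAMPLE-DNS.NET
""",
}

# Assumed substrings that indicate a privacy/proxy registrant.
PRIVACY_PROXY_MARKERS = ("domains by proxy", "privacy", "whoisguard", "proxy")

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.+?)\s*$")


def parse_whois(text):
    """Return a dict keyed by lower-cased field name.

    Fields that repeat (e.g. Name Server) are collected into a list.
    """
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_privacy_proxied(record):
    """True when the registrant organization looks like a privacy-proxy service."""
    org = record.get("registrant organization", "").lower()
    return any(marker in org for marker in PRIVACY_PROXY_MARKERS)


def parse_date(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def compare_registrations(rec_a, rec_b, window_days=7):
    """Summarise overlap between two parsed records.

    Shared registrar, identical name-server sets and creation dates within
    a short window are weak signals that the domains were set up together.
    """
    gap = abs(parse_date(rec_a["creation date"]) - parse_date(rec_b["creation date"]))
    return {
        "same_registrar": rec_a.get("registrar") == rec_b.get("registrar"),
        "same_name_servers": sorted(as_list(rec_a.get("name server", [])))
                             == sorted(as_list(rec_b.get("name server", []))),
        "created_within_window": gap <= timedelta(days=window_days),
        "creation_gap_days": gap.days,
        "both_privacy_proxied": is_privacy_proxied(rec_a) and is_privacy_proxied(rec_b),
    }


def analyse(whois_texts):
    """Parse two raw WHOIS texts and compare them."""
    (_, text_a), (_, text_b) = list(whois_texts.items())[:2]
    return compare_registrations(parse_whois(text_a), parse_whois(text_b))


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_WHOIS).items():
        print("%s: %s" % (key, value))
```

In practice the raw text would come from a `whois` query rather than the embedded samples; the point of the comparison is that shared registrar, shared name servers and near-simultaneous creation are corroborating signals to record, not proof of who registered the names, which a privacy-proxy registrant specifically withholds.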


  12. Dennis Fisher
    13

    That uncertainty is exactly what I was getting at. I’m not attributing the worm to one country or group, just trying to point out that there’s a lot we don’t know in all of this.

  13. Dinah Kanser
    17

    Tool say what?

    Keeping a blockade in place to prevent known terrorists from acquiring weapons is the right thing to do.

    If “civilians” try to run the blockade and cause an incident after being given several warnings, then they deserve just what happened.

    Look at the videos of the conflict again before you run your mouth and post propaganda.

Comments are closed.