Stuxnet Attack Shows Signs of Nation-State Involvement, Experts Say

SAN FRANCISCO–The Stuxnet attack has been making headlines for several weeks now, thanks to the fact that it includes a pair of zero-day vulnerabilities and also has drivers signed by a stolen digital certificate. However, the real story of this novel malware attack may not be its tactics but its creator, which security experts say could be a nation-state.


Virtually all of the malware that’s prevalent on the Internet today is designed with one goal in mind, and that’s to make money for its creators. Banker Trojans, bot clients, rootkits, keyloggers, they all are meant to make money, either directly or indirectly. Some malware, such as banker Trojans and keyloggers, cut right to the chase and simply steal online banking credentials and other financial information. Others, such as bot clients, are pieces of a larger puzzle in which the attackers make money either through renting slices of the botnet to other attackers or by threatening to launch DDoS attacks against a specific site unless the owner pays a fee.

Attackers and malware writers have become very adept at finding new ways to make money over the years, and the risk of prosecution is very low in most cases. That’s one of the reasons that the Stuxnet malware stands out: there’s no clear immediate financial gain for its creators. The Stuxnet attack is designed to be as stealthy as possible and targets mainly SCADA systems, some of the highest value machines in the world.

The attack exploits a zero-day vulnerability in the way that all currently supported versions of Windows handle LNK files and is spread initially through USB sticks. Once an infected USB drive is attached to a PC, the attack on the machine is essentially automatic and there is little indication to the user that anything bad has happened. But that’s just one piece of the puzzle. Stuxnet also exploits a vulnerability in Siemens’ WinCC SCADA control software, which runs on industrial control systems in utilities, power plants, manufacturing facilities and other key environments. Once on the machines, the malware attempts to contact a remote server and join a botnet.
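The LNK flaw described above is, as Microsoft's own advisory for it later documented, the Windows Shell loading a DLL referenced by a Control Panel shell item in order to render the shortcut's icon, which is why merely displaying the folder on an attached USB stick is enough. A defender triaging removable media can therefore parse shortcut files and flag the unusual combination of a Control Panel item and a .dll path in the link target. The following Python script is an added example written for this page, not Threatpost's or any vendor's code: it parses the ShellLinkHeader and LinkTargetIDList of the MS-SHLLINK format and applies a heuristic of my own (not a published signature). The two sample shortcuts are constructed in the script itself, with a placeholder DLL path, so it runs offline.

```python
import struct

# Constants from the MS-SHLLINK binary format specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST = 0x01                                   # LinkFlags bit A
# CLSID of the Control Panel shell folder, {21EC2020-3AEA-1069-A2DD-08002B30309D}, little-endian.
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")


def parse_lnk(data: bytes):
    """Validate the ShellLinkHeader and return (link_flags, [ItemID payloads]).

    Only the header and the LinkTargetIDList are parsed; the ItemID payloads
    are returned as opaque byte strings for the indicator checks below.
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    (link_flags,) = struct.unpack_from("<I", data, 0x14)
    items = []
    if link_flags & HAS_LINK_TARGET_IDLIST:
        pos = LNK_HEADER_SIZE
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + idlist_size
        if end > len(data):
            raise ValueError("IDListSize runs past the end of the file")
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:          # TerminalID: end of the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[pos + 2 : pos + item_size])
            pos += item_size
    return link_flags, items


def _mentions_dll(payload: bytes) -> bool:
    """True if the payload carries '.dll' as ASCII or UTF-16LE text (case-insensitive)."""
    lowered = payload.lower()
    return b".dll" in lowered or ".dll".encode("utf-16-le") in lowered


def lnk_indicators(data: bytes) -> dict:
    """Heuristic indicators for the icon-rendering LNK flaw (my own rule, not a published signature)."""
    link_flags, items = parse_lnk(data)
    return {
        "has_idlist": bool(link_flags & HAS_LINK_TARGET_IDLIST),
        "control_panel_item": any(CONTROL_PANEL_CLSID in item for item in items),
        "dll_reference": any(_mentions_dll(item) for item in items),
    }


def is_suspicious(data: bytes) -> bool:
    """Flag shortcuts that combine a Control Panel item with a .dll reference in the target IDList."""
    ind = lnk_indicators(data)
    return ind["control_panel_item"] and ind["dll_reference"]


def build_lnk(item_payloads) -> bytes:
    """Assemble a minimal Shell Link for testing (constructed data, not a real shortcut)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_TARGET_IDLIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))      # remaining header fields zeroed
    idlist = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed samples: a plain shortcut-like IDList, and one carrying both indicators.
BENIGN_LNK = build_lnk([b"\x1f" + b"\x00" * 16, b"\x31" + b"notepad.exe\x00"])
SUSPECT_LNK = build_lnk([
    b"\x1f" + CONTROL_PANEL_CLSID,
    b"\x00" + "C:\\Users\\Public\\placeholder.dll".encode("utf-16-le"),  # placeholder path
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(name, lnk_indicators(blob), "SUSPICIOUS" if is_suspicious(blob) else "ok")
```

Pointing `lnk_indicators` at every `*.lnk` on a mounted removable drive gives a quick triage pass; the header check also rejects files that merely carry a `.lnk` extension. The rule deliberately requires both indicators, since a shortcut that references a DLL on its own (for example via an icon resource) is not by itself abnormal.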

Stuxnet’s sophistication and its lack of any real money-making component are leading experts to believe the attack is likely the work of a national government or intelligence agency.

“This is the most sophisticated attack that we have seen to date, by far,” Roel Schouwenberg, a malware researcher at Kaspersky Lab, said at the company’s Virus Analyst Summit here Tuesday. “The involvement of a nation-state is the most likely scenario. This is a highly advanced attack.”

The topic of national governments and intelligence agencies being involved in offensive attacks online has been a touchy one for years, and while many security experts and analysts say that it’s simply a fact of life in the modern world, there has been little in the way of evidence of actual attacks.


Microsoft issued an emergency patch for the LNK flaw on Monday, after reports surfaced of other existing malware families, such as Sality, beginning to exploit the flaw, as well. In addition to the USB exploitation method, the LNK flaw also can be exploited via a drive-by download.

Schouwenberg, who has been researching Stuxnet for several weeks, said that although the first public reports of the malware’s existence only appeared in recent weeks, he now believes the malware itself is much older.

“We went back and looked at our samples and found Stuxnet samples from 2009,” he said. “No one knows what it was doing before it became public a few weeks ago.”


Discussion

  • Ken Rut on

    Planning a blog on this, but generally this should be no surprise.  Once Control systems stopped being isolated, they became vulnerable...there is too little investment in real security of our key infrastructure...Security by obscurity, as it was called when Control systems were in physical nw isolation, has been replaced by "insecurity by connectivity".  Hopefully Stux will be a wake-up call...

  • Anonymous on

    And microsoft didn't patch the WinCC systems which are still open to attacks

  • Anonymous on

    Perhaps IF enough machines are compromised - with careful, patient planning - America could be in some serious trouble all across the nation.

  • Anonymous on

    "And microsoft didn't patch the WinCC systems which are still open to attack"

    WinCC isn't Microsoft software. It's from Siemens AG, who hard-coded an admin password, which subsequently appeared on a German Web site--several years ago. Microsoft was guilty of a bit of their usual stonewalling, with a deceptive initial description of the problem (they claimed the shortcut had to be clicked, when they had been told that it only had to be displayed), as well as the vulnerability itself. That behavior is all too common from Microsoft, but in this case there's plenty of blame to go around, and Siemens has deployed at least as much FAIL. Even Wired has now published that password. Siemens will finally have to fix their software.

    Another thing to consider is that this isn't proven to be the smoking gun of the Cyberwar that gets so much hype, with so little proof, due to the attribution problem. Industrial espionage could easily provide a financial motive. At the very least, I'd have to know more about what sort of data this attack could provide, and from whom. For instance, what if this attack could yield statistical process control data from a complex manufacturing process--chip manufacturing comes to mind. In that case, equipment costs are enormous, per-device margins are often thin, and the value of that data set would be enormous.

    Yet another slant is that it could be industrial espionage, and still involve a nation-state. NSA isn't forbidden by law (or at least wasn't 10 years ago) from engaging in industrial espionage. They merely claimed that they didn't. Now--who knows? A presidential Finding can make it legal, and the public would know nothing about it. That's only a single *US* nation-state actor, and this attack was uncovered in eastern Europe.

    Nation-state, or well-resourced criminal organization? Financial, or infrastructure attack? Or developed as part of a multi-purpose library? This could even be something leaked from a white hat security team that does penetration testing. Dropping the odd thumb drive in a hall is an old trick. People are curious: they'll likely have a look even if they were planning to take it to Lost and Found. Which is why security people have recommended turning autoexec off for some time. And even that annoys users, who in addition to clicking on any link in a mail or IM, or clicking on tinyurls that could land them in the Ukraine[1], seemingly can't be bothered to actually click on something in removable media that they just inserted.

    That last is why Microsoft downplaying the problem was heinous. It could lead admins or users to believe that if autoexec was off, they were safe. Microsoft deserves quite a bit of blame, for multiple reasons. But not *your* reason. Security guys are often compulsive educators, and I just had to post this.

    [1] Why do this, unless it's intended for twits on Twitter? To be cool? In a security context, Twitter is part of the problem--like most social media. I'd like to see posted policies, at least at security sites, that shortened URLs will always point to the domain you're currently on. You can't tell from inspecting the URL--it could be a redirector implemented in several ways, either client- or server-side. I see security researcher blogs (including blogs from people who have done good work) use them all the time. Trying to win the cool war, living on a free blogging host, and becoming, in some small way, part of the problem.

  • loni hamilton on

    well, i am the only one that knows what the hacker and worm was doing since aug 2008.  the reason it surfaced in the last couple weeks is because there are times when i can get through all the decoys and reroutes put by the hacker that i found out works at the department of transportation at the pentagon that goes by the name of bill parks and uses the alias of floyd harper the third.    after 2 years of no response from thousands of attempts to call for help and warn, this last month returned 3 responses, so i took another try at contacting a news agent to look up the name bill parks that i cant validate through my systems.


    i can tell you how the worm started, the hacker's intent every step of the way and how he did it.

    this hacker used backup of backup including psychological planning and downsizing due to the knowledge that i figured who he was.

    the botnet was real, but small.   it was 1 attempt to redirect attention from the proof he's been covering up since i discovered the backdoor to every system that pings constantly that raised traffic used to influence the outcome of a law called <rootlaw>.  this rootlaw has the main intent of allowing a specific protocol added that allows him to do his hidden intents.  what's scary is that the dns joint forces include people from countries that we are at war with that this hacker is best buds.  everything about the worm was to downsize the facts that could lead to his arrest.  i sent a distress call apr 3rd after i learned the conficters were decoys yet held parts of the bigger worm.  the decoys took blame for the lags and screwups that i experienced and later everyone else while the main worm sets in.    the backdoor comes from a pixel error on a copy of windstream site that allows him to use our graphics memory as a virtual computer.  this is why the worm used both sides of the connection and not monitored.


    i seen all what the hacker was doing..

    its best to find a way to contact me locally due to intercepts. 

    i am loni at 406-591-4321 

    i live in acton montana  at 7730 buffalo springs rd     59002.  unless someone comes here, this worm wont end.  you can see the worm. and phone and hubs are used to split the connection

  • Anonymous on

    <quote>The topic of national governments and intelligence agencies being involved in offensive attacks online has been a touchy one for years, and while many security experts and analysts say that it's simply a fact of life in the modern world, there has been little in the way of evidence of actual attacks.</quote>

    Real analysts would say that governments' involvements are just myths created by the propaganda divisions of certain intelligence agencies.

  • Anonymous on

    Who do you think made this.....Iran, China, North Korea?????? We did. The good old US of A.
