Officials at the Department of Homeland Security warned lawmakers this week that we may not have seen the last of Stuxnet, the infamous worm that wound its way through SCADA systems just over a year ago.
In a statement published on Tuesday, Sean P. McGurk and Roberta Stempfley of the DHS’ Office of Cyber Security and Communications warned that as the makeup of Stuxnet becomes increasingly public, attackers could cultivate their own copycat variants of the worm. Their statement was part of a hearing held on Tuesday by the House Subcommittee on Oversight and Investigations.
Last July Stuxnet made headlines as it swept through SCADA systems undetected, infecting programmable logic controllers (PLCs). This week U.S. officials warned that a new variant of Stuxnet could take aim at “broader installations” of programmable equipment in control systems.
“Looking ahead, the Department is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems. Copies of the Stuxnet code, in various different iterations, have been publicly available for some time now. ICS-CERT and the NCCIC remain vigilant and continue analysis and mitigation efforts of any derivative malware,” the officials said in their testimony.
Kurt Baumgartner, a senior security researcher at Kaspersky Lab, suggests that for-hire offensive security groups could have the advanced technical know-how to pull off an attack similar to Stuxnet.
“With the growing public body of knowledge on Stuxnet, the risk increases that these more capable for-hire teams’ efforts may be informed by the Stuxnet design,” Baumgartner said.
While the worm was built as a modular package, replacing its vendor-specific system code in order to redeploy it against a different target would be challenging.
“The individual modules require very specific and targeted skill sets and concrete knowledge for development,” Baumgartner added, describing the sophistication of the worm.
Baumgartner regards the DHS statement as the department making good on its security mission by better defining the role of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Protecting the nation’s infrastructure from Stuxnet copycats falls under that role.
German researcher Ralph Langner, who first realized that Stuxnet was infecting PLCs, raised the possibility of Stuxnet variants last fall on his blog.
“Stuxnet story will raise a lot of attention in the hacker community where people may now start to try using the attack vector for much more trivial motivations,” Langner posited.
He even went as far as to e-mail the DHS about his research last September, alerting them that black hats could adapt the worm’s exploit code for their own purposes.
“MANY lights will go off,” Langner warned.