Stuxnet Attribution: War of Words

I wrote a bit about Stuxnet on my own blog last November, but we’ve not really addressed it here on Security Musings. By most accounts, this is one of the single-most important incidents in 2010, with the possibility to change the game. There has been a lot of discussion this week about attributing the source of Stuxnet, which is particularly interesting.

First, for a bit of background, check out Bill Brenner’s post over at CSO Online covering “Three takes on Stuxnet” as he includes a couple of the links I’d originally planned to use here. He links to presentations on Stuxnet from Symantec, Kaspersky, and – my personal favorite – Mikko Hyppönen, Chief Research Officer at F-Secure.

Given the scenario around which Stuxnet was identified, it seems to follow logically that there was a state-sponsored angle. It’s interesting, actually, to see how the debate is somewhat split on this topic (as we’ll see below). On the one hand, it seems exactly like the kind of mission for which “cyber warfare” (or, offensive cyber weapons) is ideal. On the other hand, there are questions about the quality of the code involved.

The first big question, as is common with most things in the “cyber warfare” realm, is that of attribution. Tracking back an attack to the true source in a manner to draw a definitive conclusion is very difficult. This situation was very evident in both the Estonian and Georgian DDoS attacks insomuch as they were traced back to Russian IP space, but there was really no way to definitively prove some sort of connection to the Russian government or military. While it may be safe to assume in some cases that civilian actions of that magnitude could not happen without express consent of the central government (e.g. “Operation Aurora” and the “advanced persistent threat” allegedly represented by China), making those leaps of logic are not legally conclusive.

There are two competing theories circulating today about the source of Stuxnet. The most mainstream theory attributes the attack to the U.S. and/or Israel. A recent article in the New York Times (“Israeli Test on Worm Called Crucial in Iran Nuclear Delay”) talks extensively about this possibility. Unfortunately, very little hard evidence is provided in the article to back up the claims. While it is a fairly logical theory, and one that has reasonably good history behind it (in particular because of Israel’s hacking a radar system in conjunction with their attack on the Syrian nuclear site in 2007), innuendo, nods, and smirks can only take an argument so far.

Perhaps the most interesting part of the NYT article is discussion of the research facility at Idaho National Labs (INL). INL has been involved in a significant amount of threat and vulnerability research around SCADA systems for the past decade or more. It was nice to see them receive some official recognition for their efforts, even if the context wasn’t necessarily the most positive.

The other major theory circulating comes from Jeffrey Carr over at Forbes (“Stuxnet’s Finnish-Chinese Connection”). He contends that China actually had a major incentive to perpetrate the attack and proceeds to lay out a credible case. In the end, while his argument includes more factual data than that in the NYT piece, it doesn’t feel any more concrete. Still, it’s a very interesting theory, and one that should be considered accordingly.

The second big question is, if the attack was really targeted at Iran, was it actually successful? For this question there are a couple citations worth considering. First, while the NYT pieces makes some claims about the effectiveness of Stuxnet as an attack, Carr challenges this assertion, backing it up with a very sound critique (“The New York Times Fails To Deliver Stuxnet’s Creators”). As is the case throughout this entire mystery, the source data is generally lacking. That said, one of the more interesting stories about the impact of Stuxnet is the report that Russian scientists working on the Bushehr facility are concerned that Stuxnet may cause a major nuclear meltdown when the plant is turned active in the next few months (“Stuxnet Virus Attack: Russia Warns of ‘Iranian Chernobyl'”). It may well just be a wait-n-see game at this point to see just what sort of impact Stuxnet might have had, at least on Iran’s nuclear power generation capabilities. Whether or not this will be reflective of the impact on their ability to generate enriched uranium is, of course, a different story altogether.

The third critique, phrased as a question, is: “if this was really a state-sponsored attack, then just how incompetent are these developers?” Specifically, Nate Lawson published an interesting critique of the code quality of Stuxnet this week in which he talks about the number of ways the code could have been vastly improved (see “Stuxnet is embarrassing, not amazing”). He raises some very interesting points about whether or not Stuxnet really is all that cutting-edge in nature due to a number of major deficiencies in code quality. While I think this discussion is interesting, I think he may have overlooked one small feature: it can’t be easy for a Western government/military to hire the best and brightest malware hackers, which means that code quality will suffer accordingly. Nonetheless, he raises very valid points.

Last, but not least, Stuxnet has continued to raise awareness over the general lack of preparedness – particularly amongst policy-makers – for dealing with issues of this magnitude. It’s led former deputy SecDef Franklin Kramer to suggest that it’s time to launch a public-private think tank that brings together policy-makers and security experts to start improving domestic policy around these key issues (“U.S. Needs Cybersecurity Skunk Works, Expert Says”). While I think there are some deficiencies with his comments, overall it probably makes sense to try doing something a little different in order to inject some sanity and clarity of thinking into Washington.