Digital Detectives: The Disassembly of a Cyber Missile

The ever-present threat of infection by vicious viruses hangs like a Sword of Damocles over anyone using a computer. The dark art of remote infiltration is shrouded in secrecy. It employs obscure language understood by only the nerdiest of geeks. The motives of those deploying malware vary from the predictable (personal or organisational gain) to the incomprehensible. Cybercrime is a fast-moving field requiring constant vigilance by armies of technical experts – often recruited from the ranks of the evildoers. It takes a thief to catch a thief. Some things just never change.

Unfortunately, information about cyberattacks is often only released reluctantly and then mostly after havoc has already been wrought: victims – be it governments or corporations – are seldom keen to reveal the extent to which their systems have been compromised. This made it all the more striking when five years ago news broke of the first publicly disclosed cyber-weapon – the Stuxnet virus. This is an ambitious, powerful, yet subtle piece of computer code that works not unlike a guided missile. It was used to wreck production equipment at Iran’s nuclear facilities. It reportedly also infected a nuclear power plant in Russia.

It is widely believed that the US and Israeli governments are behind the design and release of the virus. Cyber security experts estimate that Stuxnet was made by a group of between thirty and fifty highly competent programmers who would have needed at least six months to produce the complex, yet elegant and compact, code that allows the virus to sabotage only Windows computers running Siemens Process Control System 7 software – kit used at nuclear facilities.

The virus is equipped with elaborate safeguards and a self-destruct mechanism of a kind not normally found in malware; these point to input from legal professionals concerned with liability issues. Stuxnet is harmless to computers not running the targeted Siemens process control software.

The Stuxnet virus is cleverly designed to be inconspicuous. The first hint of its existence came to light in June 2010 when the virus infected the computer of a contractor working in Iran, causing it to become stuck in a reboot loop – unable to start. He handed his computer, now rendered useless, to a small cyber security firm for repairs. Here, it was discovered that a previously unknown vulnerability in the Windows operating system had allowed the malware to infect the system.

The firm duly reported its findings to Microsoft and posted them on a public security forum. Microsoft named the virus Stuxnet and computer experts worldwide promptly started picking away at the complex task of decrypting and deconstructing it.

Initially, Stuxnet looked like a routine case of industrial espionage, but as Liam O’Murchu, a young Irishman working at Symantec’s California office, wrote on his blog: “What made Stuxnet particularly earth shattering was that it was designed to take a never-before-seen leap from the digital world into the physical world. Sure, plenty of malware is designed to steal information and pilfer banking accounts, both of which have indirect impacts on our real-world lives. However, Stuxnet went well beyond that. Its purpose was to reprogram industrial control systems – computer programmes used to manage industrial environments such as power plants, oil refineries, and gas pipelines.”

The Stuxnet virus seems specifically designed to target Iran’s nuclear uranium enrichment processes. As such, it was intended to reduce the lifetime of Iran’s centrifuges without raising alarms, by making the control systems’ behaviour erratic and incomprehensible. A version of Stuxnet was also developed to attack North Korea’s nuclear installations. This, however, failed as it could not be introduced into the systems – the isolation of the hermit nation protected it from the virus.

Penetration testing and reverse engineering malicious code to discover how it works, and how to defeat it, are challenges that require digital detectives to get into the mind-set of the attackers. Just as hackers need excellent coding skills and a creative streak, besides a deep understanding of the systems they are trying to crack, so does the codebreaker. For the latter it is also handy to know what motivates their opponents and what a virus aims to accomplish.

As the secrets of Stuxnet were gradually uncovered, it became evident that the resources employed in its design could only have been mustered by a Western government. This realisation came as a shock to the digital detectives. Publicising the work of intelligence services carries certain elements of risk. The wider geopolitical implications of their findings made the codebreakers think very carefully about going public. In the end, most opted for full disclosure in the knowledge that the more information people have, the better they are able to protect themselves against similar attacks that could follow.

Stuxnet has already spawned even more sophisticated offspring. The short-lived Flame virus was developed from the Stuxnet platform to spy on computers in a number of Middle Eastern countries. Meanwhile, the Duqu virus – yet another incarnation of Stuxnet – is used to collect data that prepares a digital highway to carry future cyberattacks.