“Stuxnet is definitely not a military code, at least not a Western one,” said Shai Blitzblau, Head of Maglan-Computer Warfare and Network Intelligence Labs, interviewed by Defense Update. “Stuxnet is a sophisticated and highly advanced code, but it lacks certain elements commonly associated with military operations.” Blitzblau explains that the broad, indiscriminate attack on industrial computers launched by Stuxnet is not characteristic of a military operation, in which the nation launching the attack tries to minimize collateral damage and focus on a specific target.
“Every student can write a module discriminating the target computer and localizing the attack to a specific target,” Blitzblau added. “The fact that this sophisticated code does not have such elements, and certain aspects of the functionality of the malicious code, suggest that the creators aimed Stuxnet at Siemens industrial systems on a broad base, rather than at a specific application as reported by the media.” In addition, high-level code aimed at network intelligence operations would have an anti-anti-debug mechanism to evade forensic analysis.
Who could be the perpetrators behind this attack and what were their goals?
Blitzblau describes an act of ‘advanced industrial espionage’: a deliberate cyber sabotage launched against Siemens by someone, possibly a competitor or service provider, seeking to exploit the situation for business opportunities, first creating the problem and then helping to fix it. But there are also other aspects of the attack that could tell a different story. “This could also be a ‘general test’ prior to a planned attack, or a proof of concept initiated by an academic group. In the past we witnessed such attacks; for example, one attack was launched from Japan on video drivers.” According to Blitzblau, a military test that went out of control is not a plausible explanation here. “Military offensive cyber ops are not conducted this way, and even when an intelligence agency conducts such tests, it will go a long way to ensure that the test is limited to a specific volume and not spread worldwide,” he said.

Blitzblau attributes the widespread infection of industrial networks in Iran to the low level of security and, apparently, the high popularity of Siemens systems in the country. In fact, Stuxnet could have propagated unintentionally from Belarus and Russia, carried by Russian system engineers using USB devices to update and program Siemens systems in Iran, Indonesia and India. The intensity of the attack in Iran could reflect the intensity of their activities associated with the nuclear projects in Natanz and Bushehr.
While the media have portrayed Stuxnet as a cyber weapon launched by Israel or the USA against Iran’s nuclear facilities, the possibility of it being a cyber weapon developed and launched by an international terrorist organization has not been seriously considered by the media. Yet Blitzblau has a grim outlook as to the potential value of such a cyber weapon in the hands of terrorist organizations. “International terrorist organizations certainly have the will and means to launch such an attack, and they could gain the most from it: creating mega events like bringing down airports, disrupting train traffic, cutting power supplies and utilities.” “Even if they did not create it, they now have access to such a weapon, as Stuxnet is now within their reach, like a loaded gun. Despite the countermeasures developed by Microsoft and Siemens, there are many networks that have not been patched yet; some will never be protected.” Blitzblau warns that the current attack will probably open the way for new cyber-terror vectors, as the malicious code is modified and manipulated into a range of new forms and variants. The vulnerabilities highlighted by the current attack will undoubtedly set the course for more attacks aimed at industrial controllers and embedded systems. With that, the risk of compromising military systems will grow dramatically, as such elements are widely used in military weapon systems.