Publication: Survival: Global Politics and Strategy February–March 2011
01 February 2011
The discovery in June 2010 that a cyber worm dubbed ‘Stuxnet’ had struck the Iranian nuclear facility at Natanz suggested that, for cyber war, the future is now. Stuxnet has apparently infected over 60,000 computers, more than half of them in Iran; other countries affected include India, Indonesia, China, Azerbaijan, South Korea, Malaysia, the United States, the United Kingdom, Australia, Finland and Germany. The virus continues to spread and infect computer systems via the Internet, although its power to do damage is now limited by the availability of effective antidotes, and a built-in expiration date of 24 June 2012.
German expert Ralph Langner describes Stuxnet as a military-grade cyber missile that was used to launch an ‘all-out cyber strike against the Iranian nuclear program’. Symantec Security Response Supervisor Liam O Murchu, whose company reverse-engineered the worm and issued a detailed report on its operation, declared: ‘We’ve definitely never seen anything like this before’. Computer World calls it ‘one of the most sophisticated and unusual pieces of software ever created’.
These claims are compelling. Stuxnet has strong technical characteristics. Yet more important is the political and strategic context in which new cyber threats are emerging, and the effects the worm has generated in this respect. Perhaps most striking is the confluence between cyber crime and state action. States are capitalising on technology whose development is driven by cyber crime, and perhaps outsourcing cyber attacks to non-attributable third parties, including criminal organisations (see essay by Alexander Klimburg in this issue).
Worms as weapons
Stuxnet is a sophisticated computer program designed to penetrate and establish control over remote systems in a quasi-autonomous fashion. It represents a new generation of ‘fire-and-forget’ malware that can be aimed in cyberspace against selected targets. Those that Stuxnet targeted were ‘airgapped’; in other words, they were not connected to the public Internet and penetration required the use of intermediary devices such as USB sticks to gain access and establish control. Using four ‘zero-day vulnerabilities’ (vulnerabilities previously unknown, so that there has been no time to develop and distribute patches), the Stuxnet worm employs Siemens’ default passwords to access Windows operating systems that run the WinCC and PCS 7 programs. These are programmable logic controller (PLC) programs that manage industrial plants. The genius of the worm is that it can strike and reprogram a computer target.
First, Stuxnet hunted down frequency-converter drives made by Fararo Paya in Iran and Vacon in Finland. Each of these drives responds to the PLC computer commands that control the speed of a motor by regulating how much power is fed to it. These drives are set at the very high speeds required by centrifuges to separate and concentrate the uranium-235 isotope for use in light-water reactors and, at higher levels of enrichment, for use as fissile material for nuclear weapons.