Welcome to the SecAware blog


2 Jun 2012

Cyberwar Trojans - updated again

Are you surprised by the news that the US, in conjunction with Israel, was indeed responsible for attacking Iran's nuclear program using the Stuxnet worm/Trojan? Reports on Stuxnet and Duqu have previously pointed the finger at the US and Israel as the likely culprits, given the obvious political connotations, so confirmation from the White House is hardly a shock on that score.

What is surprising is that this was officially disclosed, right now.

Possibly the US government had reached the point where its position, its continued denials and silence on this matter, was simply untenable. Perhaps the impending release of a book about the Stuxnet affair meant that incriminating evidence was about to hit the streets, so releasing it (via the NY Times no less!) was a way for the White House to retain some control over the 'official' version of events.

Or perhaps this is all propaganda - the Stuxnet reports, the book, the official denials and pronouncements, the lot. Are we being fed the not-exactly-subtle line that the US has a proven, offensive, cyberwar capability, so foreign powers should be quaking in their cyberboots?

Doubtless a huge amount of work is going on behind the scenes in the US and elsewhere to bolster cyber defenses for Critical National Infrastructures (CNI), but realistically what has been achieved so far? I wonder if confirming Stuxnet may in fact be a calculated move to prompt those responsible for CNI security to up their game substantially. The specter of retaliatory cyberattacks by Iran or some other hostile foreign power should focus the minds of those in charge of CNI security on improving defenses, with the added benefit that they would also be guarding against cyberattacks from other quarters (terrorists, criminals and hacktivists, for example). And those attacks, frankly, are every bit as credible and likely as all-out cyberwar.

Still, one of the most fascinating aspects of the Stuxnet attack was that it involved jumping an air-gap to penetrate the Iranians' internal ICS/SCADA network, which was (supposedly) totally isolated from the big bad Interweb. Air-gapping networks is an obvious defense mechanism. According to public reports, Stuxnet jumped over by dint of an infected USB stick with which someone naively bridged the gap.

An outstanding keynote presentation by Mark Fabro at AusCERT on the forensic analysis of an ICS/SCADA malware infection suggests another possibility - namely that the ICS/SCADA systems may have been pre-infected before they were even delivered and installed. The air-gap between the Internet and internal networks, even coupled with rigorous controls over anything that might cross the gap, is moot if the internal network is already compromised. Suddenly, the fuzzy background chatter about possible backdoors in compilers, CPUs and cryptosystems that we've heard for years comes into sharp focus: states with the resources to design and produce such high-tech kit patently have the wherewithal to insert secret backdoors, giving them control over anyone who trusts that kit. Is this the ultimate Trojan horse, the most insidious of insider threats?

Gary (Gary@isect.com)

PS Given that the recently-discovered Flame malware, dubbed "the most sophisticated cyber weapon yet unleashed", appears to be stealing 'technical information from the Middle East', it doesn't take a rocket surgeon to figure out a possible link to Stuxnet and hence the US Government - though that's mere conjecture of course. As Kaspersky's blogger put it:

"Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it."

Perhaps the disclosure of Flame was the reason behind those revelations in the NY Times?

PPS (June 9th) It seems the disclosure of the US government's role in Stuxnet is being used for political gain, or at least for media exposure.
