Stuxnet: After the hype

By now most readers of this blog will be aware of the now infamous Stuxnet virus that allegedly targeted the Iranian nuclear program, was allegedly written by Israel, Russia, China, the US and Iran itself, had no fewer than 4 zero day attacks, cost over a million dollars to write, but was clearly an amateur job, which succeeded and failed. It has disabled security systems throughout the world and there are no confirmed reports of it breaking anything.

As with many media firestorms, the analysis has tended to run in advance of the facts. And when the facts didn't fit it was the facts that were ignored rather than the analysis.

I have not looked at the Stuxnet code directly, but I have spoken with several experts who have and they all tell me the same story: The code consists of a distribution mechanism and a payload. Both are targeted to a particular group of machines but the distribution mechanism is set to infect particular groups of windows machines while the payload appears to be set to target one very specific installation.

The code appears to have been written in a modular fashion with different attacks being written by different hands. The code is layered and we are not sure that all its secrets have been revealed even now.

As with many high profile attacks, various parties have taken the distribution vector and repackaged it to attack targets of their own choice. Those parties may or may not include the original authors.

The only firm geographic information we have is that the code has employed signed code components signed under two separate code signing certificates, both issued to Taiwanese companies. I think this is a particularly significant piece of evidence since there are not very many code signing certificates in circulation. It is not something a hacker is likely to come across unless they are looking for it. And whoever was looking for the code signing certs was almost certainly able to read Chinese.

That said, the modular nature of the code suggests that the virus was written by many hands. I suspect that the task of writing the code was outsourced to several independent contractors, none of whom would have needed to know the ultimate purpose. They may well have outsourced the task of obtaining code signing certificates to Chinese or Taiwanese hackers to throw investigators off the trail.

Anyone with sufficient money and criminal connections could have written the distribution code. The payload is rather different. It appears to be very closely focused on one single target. This was initially suggested to be the Iranian centrifuge enrichment plant but my sources suggest that the Iranian Bushehr nuclear power plant is a more likely target.

One of the reasons for thinking that the target was Iran was that the Iranians themselves complained about being subjected to a Western cyber attack. Then they suddenly stopped complaining and denied that there had been any impact whatsoever.

Whatever the target was, we are pretty sure that the code did not target any major installation that the operators were willing to admit was the target. It is possible that Stuxnet targeted a European or US plant, but I very much doubt that this could have been kept secret. We are also fairly certain that whoever wrote Stuxnet had a very good reason for wanting to disable the plant, even though this was unlikely to succeed for more than a few months.

This last aspect of the attack makes it very unlikely that Israel or any Western country would be responsible. Whatever the target, it is highly unlikely that any cyber-attack against a well designed control system can achieve more than a temporary denial of service. Whoever wrote the Stuxnet code was revealing that they knew a very great deal about the design of the target. It is not very likely that any intelligence agency would want to put such a valuable strategic asset at risk for the sake of some casual vandalism that would be repaired in a few months.

Even more compelling is the fact that the Bushehr plant is not yet operational. Disabling a running plant is one thing, disabling a plant that is not yet commissioned would require considerably greater and more detailed inside knowledge.

If the target was the Iranian centrifuges, the knowledge could only have come from inside Iran itself. That is not impossible, there is certainly a complex power struggle going on within the regime. But it seems very unlikely.

The Iranian Bushehr reactor seems a much more likely target than the centrifuges. At least two parties had access to detailed knowledge of the plant's design - the Iranians and the Russian's who designed it. It is also possible that there are plants in other countries built to the same design and that a third party could have learnt some of the details from them. I find this unlikely however since respect for Russian nuclear engineering was severely damaged after Chernobyl. Other than the Iranians, it is unlikely that the Russians have had many recent customers.

Why would Russia sabotage a plant they built themselves? Well it used to be standard operating procedure during the days of the Soviet Union. Countries would buy all manner of technology from Russia and then learn that it was not so much an outright purchase so much as a lease. Selling the Iranians a power plant and then sabotaging it to force the Iranians to pay for repairs is the way the Soviet Union did business and is the way that Russia does business today - as European countries buying Russian natural gas have found to their cost.

We certainly do not have conclusive proof, but the Russia theory is the only one that fits all the facts we know and is the best fit to those facts. Russia has built its cyber-warfare capability through an alliance with organized crime, commissioning the deployment code is certainly well within the type of favor that Kremlin-sponsored criminal groups such as the Russian Business Network have performed in the past.  The payload was probably written separately and tested out on an actual Russian power plant with the identical control system - presumably with the plant shutdown or otherwise safe.

In conclusion, the Stuxnet attack appears to me to be a highly professional attack perpetrated by the Russian government on their ally to coerce Iran into agreeing to accept Russia's proposal to reprocess Iranian fuel. This would allow Russia to recoup the cost of the attack through revenues from the reprocessing and would ensure that Iran remained dependent on Russian technology in the future.

Iran agreed to the reprocessing deal in 2005 and then backed out. A few months ago Iran changed course again and agreed to honor their earlier agreement. The Bushehr Nuclear plant began to be loaded with fuel on 21st August and is scheduled to begin generating power in the near future.