Sunday, February 13, 2011

Anonymous Claims Possession Of Stuxnet Virus

Anonymous Hollywood Scientology protest
Image by scragz via Flickr

Houston, we have a problem. Or should I say, “Iran, we have your problem?” Last night, a member of hacker group Anonymous – a devious 4chan-spawned Internet coalition known for increasingly serious web-based attacks – announced on Twitter that the group was in possession of the Stuxnet virus.
Stuxnet is one of the more powerful viruses to ever spread across the internet. As Bruce Schneier detailed for Forbes, the worm crippled Iran’s nuclear facility by infiltrating a Siemen’s control system for industrial centrifuges. As I wrote late last year, the Stuxnet virus is a stark example of how cyber attacks can affect brick and mortar institutions.

“Anonymous is now in possession of Stuxnet – problem, officer?” tweeted user by the name of Topiary. Topiary’s profile describes the user as an online activist and a “Supporter of Anonymous Operations, WikiLeaks, and maintaining freedom on the Internet.”
To me, two huge questions arise from Anonymous’ claim:
  1. Are they actually in possession of Stuxnet?
  2. Can they do anything with it?
The answer to both questions, of course, is maybe. But let’s dive a little deeper.
Recently, Anonymous has been in the news for its high profile attacks on software security firm HBGary, after Aaron Barr, the CEO of HBGary’s sister firm HBGary Federal, claimed to have acquired the names of senior Anonymous members and threatened to release them to the public. Forbes’ Parmy Olson has done a fantastic job covering that affair.

This is where the possibility for Anonymous getting its hands on Stuxnet increases. In a post this morning, Olson quotes a source from Anonymous who briefly rattles off the contents of a slew of emails uncovered during the HBGary takedown. “Three different malware archives, two bots, an offer to sell a botnet, a genuine stuxnet copy, and various malware lists,” are supposedly among the contents.
Could this be pure posturing? Sure. But it doesn’t seem out of the question that a security firm would have high level information on one of the most threatening viruses out there.
So let’s pretend that Anonymous does, in fact, have a copy of the Stuxnet worm in their possession. Can they do anything with it? We’ve already seen Stuxnet’s efficacy in attacking  Siemens Supervisory Control And Data Acquisition (SCADA) systems attached to very specific industrial machinery. The complexity of the worm allowed it to infiltrate deep into Iran’s nuclear facilities before unleashing its payload. A report by Symantec today updated their September dossier on the virus and revealed that the attacks started in June of 2009 and ended in May 2010, around a month before the attacks were even noticed.
The worm’s complexity, however, could also render it mostly useless in Anonymous’ hands. I’ll let Schneier get into the weeds on some of the details, since he does a great job of explaining:
Here’s what we do know: Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four “zero-day exploits”: vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)
Stuxnet doesn’t actually do anything on those infected Windows computers, because they’re not the real target. What Stuxnet looks for is a particular model of Programmable Logic Controller (PLC) made by Siemens (the press often refers to these as SCADA systems, which is technically incorrect). These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines–and, yes, in nuclear power plants. These PLCs are often controlled by computers, and Stuxnet looks for Siemens SIMATIC WinCC/Step 7 controller software.
If it doesn’t find one, it does nothing.

So, unless the Anonymous hackers want to control industrial centrifuges, we should be alright? Not so fast. Theoretically, it would be possible to dismantle the virus and implant a separate payload, effectively piggy-backing another virus on the Windows-based attack code. This is no walk in the park coding exercise, to be sure, but Anonymous has proven their impressive abilities in the past. If such a deconstruction and reconstruction were to be pulled off, it could have wide-reaching consequences. In August 2010, the Stuxnet virus was reportedly infecting over 60,000 computers in Iran, not causing any harm but eager to spread until it found a place to release its payload.
For now, we’re largely dealing in hypotheticals. Since Stuxnet has been discovered, efforts are being put against it at high levels to prevent such attacks in the future. But if Anonymous does, in fact, have possession of the worm, it could have massive repercussions for both online and offline security. As Mort Zuckerman said late last year, though, “Malicious programmers are always able to find weaknesses and challenge security measures. The defender is always lagging behind the attacker.”

1 comment: