For those of you who have no idea what Stuxnet is: Stuxnet was a multi-tier piece of malware aimed at stopping the enrichment of the Iranian uranium supply. It did this by targeting specific machine parts, using machine-language drivers to increase or decrease the RPMs of the cylinders used in the enrichment process.
Stuxnet did quite a bit more than simply target the machine drivers, and what was particularly interesting was its method. It targeted machines and analyzed the machine components, lay in wait while observing, passed itself along to other machines within the network, and hid its activity by sending false readings of the machine parts’ operations.
Incidentally, the malware crippled over 1000 machines – before escaping into the wild like some kind of super ninja code snippet.
It was introduced via USB drive within the target network to devastating effect – and no agency has yet stepped forward to claim responsibility.
Granted, much of this is available on the linked Wikipedia page.
What probably isn’t as immediately obvious is that this particular brand of malware used mostly simple coding and a variety of zero-day exploits (4 of them, according to Nova). Nova’s educational program entitled “Rise of The Hackers” was instrumental in the writing of this piece.
Among other details regarding Stuxnet: it found its way onto over 100,000 Microsoft Windows computers, which were presumably not being used to enrich uranium… and did so by utilizing the plug-and-play type of interaction that most computers use when introduced to other machines within a network.
Stuxnet has a sort of celebrity status among hackers and security personnel, due mostly to its success, and while it doesn’t make an ideal model for every type of hack, it certainly gives us an overview that reads like a fairy-tale warning to Little Red Riding Hood – except the warning is precisely, “Plugging unknown devices into your computer can lead to pretty much anything.”
Chances are, if you work anywhere that uses computers (without pictures of french fries on them), you have some familiarity with the ubiquitous “Don’t do that on these computers” speech. It comes somewhere between the personal-emails speech and the not-stealing-lunches-from-the-office-refrigerator speech.
According to Symantec, 75% of the USB devices discovered in an office setting with company branding end up “somehow” plugged in to an office computer; for CDs/DVDs with any implied data (especially financial), that number approaches 100%. If you wondered why your IT guy hates you, it’s because he imagines you doing this literally constantly.
Stuxnet is not the ideal model for every kind of hack; it is, however, almost the fantasy-level hack for anyone who aspires to change a few odds and ends and cripple all of the banks, or power plants. It would probably have been a fairly hellish scenario if it had been tailored to attack cell towers or other types of infrastructure.
I use the past tense because much of the operational code has by now been studied and patches have been written to eliminate its functionality. Stuxnet does demonstrate what is possibly lurking in some nearby business somewhere on a USB drive or DVD. The attack vectors were personalized down to the specific type of machine; even the type of desired outcome was assured, due to the PLC language being easily scripted.
What would have prevented Stuxnet?
Obviously, not plugging in that USB drive or DVD would have eliminated the threat entirely, unless the hacker was working within that environment, in which case:
Augmented topography – using smaller networks, with possibly Linux machines that can be set up to detect changes within the existing networks. Everything from monitoring running processes to old-school Tiger-style integrity checks could have potentially mitigated Stuxnet.
Smaller bullseye factor – not being a country that isn’t trusted with nuclear weapons might have prevented anyone from bothering to handcraft malware with the kind of precision implied.
Packet monitoring system – While I haven’t seen the specific attack vectors, I can imagine that spreading from machine to machine would be preventable if those ports had active monitoring. Port mirroring enables the administrator to keep close track of switch performance by placing a protocol analyzer on the port that’s receiving the mirrored data. Port mirroring is a generic term; various switch manufacturers each have their own names for the technology. For example, Cisco calls port monitoring SPAN, which stands for Switched Port Analyzer. Courtesy of This Link.
Hindsight is 20/20, of course, and most of us would never anticipate a hack of this magnitude on one of our networks, but it happens. It helps to be somewhat informed and, above all else, knowledgeable of how real the threat can be.
I do have a book about some of this stuff if you enjoyed the article.