Business Standard

Devangshu Datta: Triggering an arms race in cyberia


Devangshu Datta New Delhi

Cyber-warfare is a loosely used buzzword. Every major nation routinely snoops on cyber-communications. Most have specialised departments for the purpose. It would be naïve to assume that surveillance is done solely to track terrorists. Undoubtedly, many of those departments also possess the capability to disrupt communications and most nations also have contingency plans to maintain continuity of their own communications if they are attacked.

Despite the interplay of “Spy Vs Spy”, there have been few acts of active disruption initiated by governments. The first conflict between nation-states to feature cyber-warfare was the spat between Russia and Georgia that flared into a shooting war in the South Ossetia region in August 2008.


While it was never acknowledged as officially sanctioned, every Georgian government website was knocked offline by Denial of Service (DoS) attacks originating from Russian cyberspace. The Georgian Web presence was reduced to free email and free blogging platforms.

In the past year, a far more sophisticated cyber-attack has been directed at Iran’s nuclear facilities. The so-called Stuxnet worm crippled Iran’s Bushehr and Natanz nuclear facilities by targeting the supervisory control and data acquisition (SCADA) systems.

SCADA is integral to most industrial processes, in particular in the power industry, where it controls processes key to generation, transmission and distribution. Stuxnet can knock out individual power plants (along with other manufacturing units) and entire grids.

The worm exploited four previously unknown vulnerabilities in Windows operating systems to install rootkits. It can spread by USB pendrives even if normal precautions are taken. A rootkit replaces normal programs with new programs that have the same functionality plus malicious functions that can be remotely controlled. A rootkit spoofs the programs it replaces until such time as it is activated to do damage.
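The column describes a rootkit as a look-alike replacement for a legitimate program. The defender's counterpart is a file-integrity baseline: record a cryptographic hash of every program while the system is known-good, then re-hash later and flag anything that has changed, vanished or appeared. The following Python is an added illustration, not code from the column or from any Stuxnet analysis; the directory, the two stand-in programs and the simulated replacement are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash root and report what differs from the recorded baseline."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small 'bin' directory, then simulate
    a trojanised replacement of one program and an extra dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Two harmless stand-in programs (constructed, not real system binaries).
        (root / "ls").write_bytes(b'#!/bin/sh\nexec /usr/bin/ls "$@"\n')
        (root / "ps").write_bytes(b'#!/bin/sh\nexec /usr/bin/ps "$@"\n')
        baseline = build_baseline(root)

        # Simulated rootkit behaviour (constructed): a same-named program that
        # keeps the visible behaviour but quietly filters its own output,
        # plus a dropped hidden file.
        (root / "ps").write_bytes(b'#!/bin/sh\nexec /usr/bin/ps "$@" | grep -v hidden\n')
        (root / ".hidden").write_bytes(b"dropped payload placeholder")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())  # {'modified': ['ps'], 'missing': [], 'added': ['.hidden']}
```

Two design points matter in practice. The baseline must be taken while the host is trusted and stored somewhere the host cannot rewrite (read-only media or a separate system), otherwise a replacement program simply ships with an updated baseline. And because a kernel-level rootkit can lie to the hashing tool itself about what is on disk, the comparison is most reliable when run from a clean boot environment against the unmounted filesystem rather than from the possibly compromised running system.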

Stuxnet can reprogram programmable logic controllers (PLCs) — specialised chips that control and automate electro-mechanical processes. PLCs are difficult to compromise and PLC rootkits are new to the malware lexicon.

The Stuxnet version identified in July 2010 had a date-stamped component from February 2010. It used stolen digital certificates to “convince” anti-virus programs it was legitimate. According to German security expert Ralph Langner of Langner Communications, the development may have cost several million dollars, “somewhere in the upper seven-digits”.

There was a very high rate of infection in Iran and, to a lesser extent, in Indonesia and India. In systems outside Iran, the rootkits remained dormant and were never activated. The worm specifically disrupted Siemens SCADA systems used in specific configurations in the Iranian power industry. The nuclear power plant in Bushehr and the uranium enrichment centre in Natanz were hit, according to Iranian reports.

According to IT security experts, such as Eugene Kaspersky of Kaspersky Labs, the level of sophistication that Stuxnet displays could only be attained with “nation-state support”. Langner, who has probably done the most detailed dissection of the worm, concurs.

While there are several Stuxnet-cleaners available, Langner points out, “The real threat is, Stuxnet provides a blueprint for aggressive attacks on control systems that can be applied generically. Such control systems may control the power plant that provides your electricity, the water utility that provides your water, the factory you work in, and the traffic lights. The technology of how to manipulate all such systems is now on the street.”

It may soon be possible to clone Stuxnet-type worms at far lower costs. In that case, a range of installations and facilities could be at risk of everything from terrorist strikes to malicious sabotage to extortion. Doomsday scenarios are, therefore, easy to envisage.

As in the case of the Russia-Georgia DoS attacks, complete deniability exists. It is impossible to hold a nation-state responsible for Stuxnet, though the finger points at a couple of obvious suspects. Stuxnet is likely to set off a new arms-race.

Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper


First Published: Oct 09 2010 | 12:07 AM IST
