The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities and so sophisticated in its multipronged approach that the security researchers who tore it apart believe it may be the work of state-backed professionals.
"It’s amazing, really, the resources that went into this worm," said Liam O’Murchu, manager of operations with Symantec’s security response team. "I’d call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab.
First reported in June by a little-known security firm based in Belarus, Stuxnet gained notoriety a month later when Microsoft confirmed that the worm was targeting Windows PCs that managed SCADA systems. At the time, researchers believed that Stuxnet exploited just one unpatched (zero-day) vulnerability in Windows and spread through infected USB flash drives.
Iran was hardest hit by Stuxnet, according to Symantec researchers, who said in July that nearly 60 percent of all infected PCs were located in that country.
On August 2, Microsoft issued an emergency update to patch the bug that Stuxnet was then known to exploit in Windows shortcuts. But unbeknownst to Microsoft, Stuxnet could also exploit three other zero-day vulnerabilities to gain access to corporate networks. Once inside, it would seek out and infect the specific machines that managed SCADA systems controlled by Siemens software. And the Stuxnet wonders didn’t stop there. The worm also exploited a Windows bug patched in 2008, the same vulnerability the Conficker worm used to devastating effect to infect millions of machines in late 2008 and early 2009.
Once within a network, which it initially entered via an infected USB device, Stuxnet used the vulnerabilities to commandeer any connected SCADA software. Its components appeared legitimate because they were digitally signed with at least two stolen code-signing certificates. "The organization and sophistication to execute the entire package is extremely impressive," said Schouwenberg. "Whoever is behind this was on a mission to get into whatever company or companies they were targeting."
So thorough was the reconnaissance, so complex the job and so sneaky the attack that neither researcher believes it could be the work even of an advanced cybercrime gang. "They weren’t just after information, so a competitor is out. They wanted to reprogram the PLCs and operate the machinery," O’Murchu said.
And the fact that Iran was the main target is significant. "All the different circumstances, from the multiple zero-days to stolen certificates to distribution, the most plausible scenario is a nation-state-backed group," said Schouwenberg, who acknowledged that some people might think he was wearing a tin foil hat when he says such things. "This sounds like something out of a movie, but I would argue it’s plausible, suddenly plausible, that it was nation-state-backed."