Vanity Fair: Stuxnet Is 'Something New Under the Sun'

Vanity Fair, which does some of the best general-interest, magazine-length journalism in the country, published an exhaustive 11-page article for its April issue on Stuxnet.

Author Michael Joseph Gross nails the central issue when he concludes that Stuxnet is "something new under the sun." Although some critics accuse Gross of breathlessness in his declaration that "Stuxnet is the Hiroshima of cyber-war," the statement seems warranted. It's fairly obvious that Gross isn't arguing that Stuxnet threatens Armageddon the way the uranium bomb on Hiroshima did in 1945. A sympathetic reading is that Stuxnet represents the point when something previously theoretical or only lab-tested is unleashed in pursuit of national aims and changes future geopolitical calculations.

In leading up to that conclusion, Gross does a solid job of showing how the murky intent behind Stuxnet appears to have put Western governments in conflict. Even as evidence emerges that points strongly to the United States and Israel as the sources of the complex code that probably targeted the Natanz nuclear facility in Iran, the apparent desire for plausible deniability put many U.S. allies in a state of relative panic in the early days of Stuxnet's discovery. Not knowing what the code did or who it came from gave other Western governments reason to be concerned about their infrastructure.

Gross provides interesting character sketches for some of the key players, including Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, and Frank Rieger of Berlin's Chaos Computer Club. For what it's worth, though, one character so sketched is quite unhappy with his portrayal: Ralph Langner, a key figure in the drama of unwinding Stuxnet.

When I wrote about Stuxnet in September, I argued that Microsoft partners' best hope is that Microsoft wasn't so shockingly short-sighted as to allow itself to be involved. Should governments and businesses outside the United States become convinced that Microsoft is willing to collaborate with U.S. intelligence agencies to coordinate attacks, Microsoft's international operating system business could disintegrate awfully quickly.

In that light, Gross had an inflammatory statement from Kaspersky, who is quoted as saying, "We are coming to the very dangerous zone. The next step, if we are speaking in this way, if we are discussing this in this way, the next step is that there were a call from Washington to Seattle to help with the source code."

Given the extremely odd phrasing of that quote, and given Langner's complaints about his treatment by the writer, I suspect that Kaspersky was being led out onto a long ledge of hypotheticals by Gross.

The more important aspect of what Gross accomplishes in the article is a relatively detailed timeline from the quiet damage Stuxnet began inflicting in the summer of 2009 to its discovery by an obscure security firm in Belarus in June 2010 up through the developments of recent months.

Even better is the fuller picture this narrative approach to the story allows Gross to draw of the multi-faceted Stuxnet attack. As researchers understand it, Stuxnet originally infected computers at an Iranian nuclear facility via a witting or unwitting contractor with a USB stick. Contained on the USB drive was a rootkit dropper and a heavily encrypted injector. The components hid themselves as soon as they got to the host, apparently so effectively that it took more than a year for vigilant security researchers to even get wind of the package. The code exploited an unprecedented four zero-day Windows flaws. Zero-day vulnerabilities are so valuable that a single vulnerability can command up to $100,000 on the black market, according to the article. Another new element: Stuxnet used a stolen digital signature from Realtek to conceal itself.

A few details highlight the full-spectrum nature of the attack. While the worm's sophisticated coding made it highly self-sufficient, it had ongoing assistance from somewhere. At least three variants were released -- in summer 2009, in March 2010 and in April 2010. The worms phoned home to command and control servers in Denmark and Malaysia. Once the digital signature from Realtek was detected, Stuxnet's creators had another stolen digital signature from JMicron ready to replace it. On a day in July 2010 when Stuxnet's existence became widely known, someone launched a distributed denial-of-service attack on a Web site for an important global mailing list about industrial control security. Then there are the November bombing assassinations of two nuclear scientists in Iran, which have been speculatively linked to the Stuxnet project.

Returning to the code itself, Gross makes a strong case for government involvement by citing security researchers who believe they've found the programming styles of at least 30 different programmers and estimate the project took at least six months of coding work. The code targeted programmable logic controllers, or PLCs, the little boxes that run industrial processes from spinning uranium centrifuges to filling Oreo cookies. Stuxnet was coded to seek industrial control software from Siemens of Germany and a particular configuration of frequency converter drives (for controlling centrifuges) made by Fararo Paya of Iran and Vacon of Finland. Those specific targets show the combination in the code of digital work (think NSA writing the weaponized worm) and human intelligence (think CIA or Mossad providing the details of Natanz' infrastructure). Finally, the Vanity Fair article makes a compelling argument that Stuxnet shows evidence of bureaucratic lawyering in the limit of infections to three systems and a self-destruct date of June 24, 2012.

Despite some questions about the reporting, the whole article is well worth a read as a fairly nuanced narrative of what's known and what's widely suspected to this point about one of the most significant events yet in cyber espionage.

Posted by Scott Bekker on March 22, 2011