Cybersecurity officials have discovered a widely disseminated piece of malicious software called Stuxnet, which they say establishes a new precedent in the sophistication and threat of cyberwarfare. It's unclear exactly what Stuxnet was designed to do, but officials say the software had embedded itself across computer systems at a number of power facilities and factories over the past year. It appeared to have the ability, if activated, to briefly wrest control of industrial components away from human operators. Analysts say it's possible this could destroy the targeted facility by causing explosions and fires. Wired's Kim Zetter explores the technical analysis and processes in-depth. It's unknown who created it, to what end, and what exactly Stuxnet would have done if it had not been discovered. But here's what we know and the implications.
- Hot Stuxnet Works The Financial Times' Joseph Menn and Mary Watkins write, "The Stuxnet computer worm spreads through previously unknown holes in Microsoft’s Windows operating system and then looks for a type of software made by Siemens and used to control industrial components, including valves and brakes. Stuxnet can hide itself, wait for certain conditions and give new orders to the components that reverse what they would normally do, the experts said. The commands are so specific that they appear aimed at an industrial sector, but officials do not know which one or what the affected equipment would do. While cyber attacks on computer networks have slowed or stopped communication in countries such as Estonia and Georgia, Stuxnet is the first aimed at physical destruction and it heralds a new era in cyberwar."
- What It Was Designed To Do The Christian Science Monitor's Mark Clayton calls it "A cyber weapon created to cross from the digital realm to the physical world – to destroy something. ... Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown. ... Stuxnet's ability to autonomously and without human assistance discriminate among industrial computer systems is telling. It means, says [German cybersecurity expert Ralph] Langner, that it is looking for one specific place and time to attack one specific factory or power plant in the entire world."
- Who Made It? Computerworld's Gregg Keizer writes, "The Stuxnet worm is a 'groundbreaking' piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals." The Christian Science Monitor's Mark Clayton writes, "Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems. ... [It was] probably created by a team working for a nation state." Wired's Kim Zetter writes, "If Iran was the target, the United States or Israel are suspected as the likely perpetrators — both have the skill and resources to produce complicated malware such as Stuxnet."
- Was It Targeting Iran's Nuclear Program? Computerworld's Gregg Keizer writes, "Iran was hardest hit by Stuxnet, according to Symantec researchers, who said in July that nearly 60% of all infected PCs were located in that country." The Christian Science Monitor's Mark Clayton reports, "At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran's Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat." Wired's Kim Zetter warns, "that’s based on circumstantial evidence" and mostly just speculation. However, Zetter suggests the Iranian enrichment facility at Natanz may be a more likely target than the plant at Bushehr.
- Do Cyberattacks Constitute Warfare? Foreign Policy's Dan Drezner raises an interesting question. "Now, I'm very uncomfortable with a lot of the rhetoric surrounding the notion of 'cyberwarfare.' it needlessly equates actions in cyberspace with real-world warfare, when I'm not at all sure that either the logic of consequences or the logic of appropriateness are the same in both spheres. That said, I do wonder about the long-term effects of this kind of cyberattack. The very way the FT is reporting this story suggests that some kind of line has been crossed. Not to mention the fact that the news coverage itself suggests that this gambit has run its course."