The Stuxnet legacy

Malware

Call it cyber-warfare, call it state-sponsored malware, call it industrial espionage if you like. Whilst the terminology you use to describe Stuxnet may be open for debate, there is no denying that this complex worm broke new ground in the world of IT security.

Amongst the 'firsts' attributed to the Stuxnet worm were the use of a programmable logic controller rootkit, the fact that it both 'spied' upon and attempted to subvert industrial systems, the inclusion of no less than four highly valuable (on the cybercrime dark market) zero day exploits in its construction, and the first time that US and Israeli personnel were confirmed to have been behind the creation and deployment of such a thing. But now, two years on, what has happened since Stuxnet was discovered, what related attacks has it spawned and what lessons can we learn as a result?

Although Stuxnet was by no means the first nation-state sponsored cyber-attack to hit the headlines, anyone remember the media storm that exploded online after the Russian DDoS attack targeted Estonian and Georgian business and government systems in 2007/2008 for example, it was still a milestone event.

As professor David Stupples, director of the Centre for Cyber and Security Sciences at City University London, points out it was not only successful in its primary mission but "also demonstrated that malware could be used more effectively than covert sabotage teams" and that "it was possible to circumvent even the best firewall and anti-virus protection". Professor Stupples explained that analysis has shown that Stuxnet was highly modular, and could easily have been deployed in an "orderly piecemeal fashion" with an initial root element building up the program by calling forward modules in accordance with a predefined build strategy.

"The root element was probably loaded by a rogue employee using a USB stick or utilising a rootkit path" Professor Stupples concludes.

Stuxnet begot Duqu and Flame, which begot Gauss...

Talking to professor Stupples it quickly becomes clear that one of the big problems with Stuxnet was that it contained no 'kill command' in order to self-destruct. This was a problem, ultimately, for the US and Israeli governments as it allowed the codebase to be analysed and evidence regarding its construction, purpose and deployment to be revealed.

However, the even bigger problem is revealed by professor Stupples when he says that it has also meant the "source code is generally available free of charge to hacker groups, the criminal fraternity and rogue governments. With some modification a potentially lethal malware sabotaging agent can be employed to damage vulnerable computing systems around the world."

As Harry Sverdlove, CTO at Bit9, points out "during the past two years, we have seen dozens of high-profile cyber-espionage attacks successfully targeting thousands of companies, nearly every vertical, both private and public, and across every major country. Stuxnet begot Duqu, then Flame was discovered which begot Gauss". Modifications to the Stuxnet code were found in the 2011 Flame malware for example, which shared both some of the same code and some of the same functionality; albeit tweaked to harvest data rather than sabotage infrastructure.

Middle Eastern countries including Iran were amongst the targets, which has led to speculation given the similarities to Stuxnet that this was another Israeli-developed espionage weapon. And then there is Gauss, which appeared earlier this year and is a direct development of Flame. Gauss, also primarily found in the Middle East at present, has proven harder to decipher so far courtesy of the sheer number of object-oriented structures it contains as well as the heavy encryption involved. Let's not forget Duqu which is also modular in construction, closely linked to Stuxnet and used in a whole manner of nefarious ways from gathering industrial infrastructure data through to stealing digital certificates and their private keys.

Lessons learned and ignored

"The greatest legacy of Stuxnet is the hype around advanced persistent threats," according to Marcus Carey, a security researcher with Rapid7. And he could well be right, especially given the amount of column inches and strategic thinking devoted to APTs. Carey agrees that some organisations have every right to be worried about the APT threat, but he is adamant that the greatest danger here to the majority is simply the preoccupation with them which over-shadows the security basics of import for everyone.

"The lack of basic patching continues to present an opportunity for all attackers, whether they are state sponsored, criminals, or hacktivists. Attacking unpatched systems is like shooting-fish-in-a-barrel for attackers," says Carey. And this, says Sophos senior technology consultant Graham Cluley, is one lesson that should have been learned from Stuxnet. After all, Microsoft issued a patch which provided protection against the most damaging aspects of Stuxnet pretty quickly. Another lesson, Cluley says, is that organisations need to "think before connecting unknown devices - such as USBs - to a computer network" and insists that "it is in this basic protection that the real significance of Stuxnet can be found". Indeed, when you consider that the likes of Anonymous and others are quite capable of pulling entire websites offline and exposing user data, these basics pose far more of a real threat to the average organisation than any state-sponsored malware threats.

But Sverdlove disagrees and reckons the biggest lesson learned is also the biggest lesson ignored, namely that of companies requiring a new strategy for defending their information and their electronic borders as a result of Stuxnet and its descendants. "Many companies have started to invest in their own security operations centres (SOC) for tracking and responding to unknown threats," Sverdlove explains, continuing "they recognise that, given the rise and success of targeted attacks, the enemy is likely already within their borders. Knowing if you are under attack is as important as defending against future attacks".

Unfortunately, too many companies have been either slow to respond or don't yet believe they could be a victim. While Stuxnet, Duqu, Flame and Gauss targeted a specific region of the world (the Middle East), other attacks such as Aurora, Night Dragon, Shady RAT and Nitro were far less discriminating. "In today's interconnected world, it's not just what you know, it's who you know" Sverdlove adds, concluding "we've seen companies targeted solely to get to their customers or contacts. The reality is that every company is now sitting on the cyber battlefield, whether they are a willing or reluctant participant".

Indeed, with Stuxnet code now well and truly leaked into the Dark Market, and so providing a template for attacking just about any target even if it is thought to be safely air-gapped, the possibilities for criminal use are boundless.

"Organisations need to be more proactive, stop thinking theyre immune to attack, and take immediate and continuous steps to prevent malicious malware," warns Don Smith, director of technology at Dell SecureWorks. "This has to be the biggest lesson we've learnt from Stuxnet," he concluded.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.