There is a bit more information about the Stuxnet worm on the Wikipedia site.
Update 2010sep26: Here is a bit from a NY Times article:
Given the sophistication of the worm and its aim at specific industrial systems, many experts believe it is most probably the work of a state, rather than independent hackers. The worm is able to attack computers that are disconnected from the Internet, usually to protect them; in those cases an infected USB drive is plugged into a computer. The worm can then spread itself within a computer network, and possibly to other networks.
The semiofficial Mehr news agency in Iran on Saturday quoted Reza Taghipour, a top official of the Ministry of Communications and Information Technology, as saying that “the effect and damage of this spy worm in government systems is not serious” and that it had been “more or less” halted.
But another Iranian official, Mahmud Liai of the Ministry of Industry and Mines, was quoted as saying that 30,000 computers had been affected, and that the worm was “part of the electronic warfare against Iran.”
But the Iranians have reason to suspect they are high on the target list: in the past, they have found evidence of sabotage of imported equipment, notably power supplies to run the centrifuges that are used to enrich uranium at Natanz. The New York Times reported in 2009 that President George W. Bush had authorized new efforts, including some that were experimental, to undermine electrical systems, computer systems and other networks that serve Iran’s nuclear program, according to current and former American officials.
The program is among the most secret in the United States government, and it has been accelerated since President Obama took office, according to some American officials. Iran’s enrichment program has run into considerable technical difficulties in the past year, but it is not clear whether that is because of the effects of sanctions against the country, poor design for its centrifuges, which it obtained from Pakistan, or sabotage.
“It is easy to look at what we know about Stuxnet and jump to the conclusion that it is of American origin and Iran is the target, but there is no proof of that,” said James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington and one of the country’s leading experts on cyberwar intelligence. “We may not know the real answer for some time.”
Based on what he knows of Stuxnet, Mr. Lewis said, the United States is “one of four or five places that could have done it — the Israelis, the British and the Americans are the prime suspects, then the French and Germans, and you can’t rule out the Russians and the Chinese.”
Here is one tech specialist's opinion about this computer worm:
Many aspects of Stuxnet are so completely different from malware as we know it that it's only natural that so many hard-working experts at some point in the analysis ended in frustration. The best way to approach Stuxnet is not to think of it as a piece of malware like Sasser or Zotob, but to think of it as part of an operation -- operation myrtus. Operation myrtus can be broken down into three major stages: preparation, infiltration, and execution.
Stage 1, preparation:
- Assemble team, consisting of multiple units (intel, covert ops, exploit writers, process engineers, control system engineers, product specialists, military liaison)
- Assemble development & test lab, including process model
- Do intel on target specifics, including identification of key people for initial infiltration
- Steal digital certificates
Stage 2, infiltration:
- Initial infiltration using USB sticks, perhaps using contractor's compromised web presence
- Weapon spreads locally via USB stick sharing, shared folders, printer spoolers
- Contact to command & control servers for updates, and for evidence of compromise
- Update local peers by using embedded peer-to-peer networking
- Shut down C&C servers
Stage 3, execution:
- Check controller configuration
- Identify individual target controllers
- Load rogue ladder logic
- Hide rogue ladder logic from control system engineers
- Check PROCESS condition
- Activate attack sequence
What this shows is that the 0day exploits were only of temporary use during the infiltration stage. Quite a luxury for such sophisticated exploits! After the weapon was in place, the main attack is executed on the controllers. At that point, where the rogue ladder logic is executed, it's all solid, reliable engineering -- attack engineering.
Update 2010dec25: Here is some interesting info about this attack from Tom Ricks' The Best Defense blog:
By Jay Holcomb
Best Defense infowar columnist
I believe this event should be looked at from a much wider view … the Stuxnet worm (threat vector) certainly should be considered a "game changer" … the folks who are conducting the forensics analysis have been somewhat successful in gaining high level public/government attention to this issue.
While most folks seem to unofficially agree this worm likely targeted Iranian facilities -- if we look wider -- this "attack" … or perhaps a better classification "sabotage" … contains so many complex cyber elements combined into one package that it is absolutely fascinating. I do not believe it is hyperbole to say the Stuxnet worm is "revolutionary" in terms of what we should be expecting to see in future high quality cyber threat vectors.
For example, a few of the well publicized items used by the Stuxnet worm include:
At least four zero-day vulnerabilities were used. Remember, these were classified as "zero-days" once we found out about them back in June/July -- which means the folks that discovered the vulnerabilities could have been using them/testing them for 12-24 months(?) before we even knew they existed. Discovering a single previously unknown vulnerability and using it successfully against a target is impressive!
Used "legitimate certificates stolen from two certificate authorities" to digitally sign Stuxnet code to be installed on target machines -- this was needed to prevent Microsoft Windows from alerting the computer user that a suspicious file is trying to install on the computer. This is huge! Imagine if someone were able to steal a genuine SSL/TLS certificate for YOUR online bank from VeriSign or Entrust and set up a web site that was an exact clone of YOUR online bank. If you accessed the cloned web site, your web browser would NOT alert you to any problems with the fake web site because the site uses a valid certificate -- the entire Internet online commerce model is based on this "trust" of Certificate Authorities.
Sounds unrealistic? How about this: anyone else remember 10 years ago when VeriSign issued two Microsoft certificates to someone posing as a Microsoft employee? Imagine what they could have done with those certificates … perhaps create their own "special" Microsoft Windows patch … how many folks would download and install it? We often trust major companies, and our systems will trust the process if the source file is signed with a security certificate from a "trusted" Certificate Authority (VeriSign, for example)! To further highlight this issue: to this day the only two "Untrusted Publishers" certificates installed in our Internet Explorer browsers are for Microsoft from VeriSign!
Numerous propagation methods -- USB drives, network shares, other peer-to-peer methods, etc. Interesting to see the Conficker vulnerability (MS08-067) was one of the Stuxnet propagation options. The type/version/patch level of Windows on which the worm is residing determines which propagation method it will use. (Amazing)
Command and Control options -- via Internet or peer-to-peer if Internet access is no longer available.
Very specific configuration of the target environment is needed to activate the Stuxnet payload (manufacturer, specific product type, and unique product configuration are examples) … the intelligence and reconnaissance needed of the target must have been incredible.
The goal does not seem to have been destruction -- rather interruption/delay. The payload modified the speed of very specific high speed motors and at seemingly random intervals. How many people knew weapons-grade uranium enrichment requires long periods of constant high speed motor action?
These examples do not include the many other specific SCADA asset features the worm is targeting to validate prior to payload release/action -- amazing!
With the complexity of this cyber "event" it should change how we view future potential threat vectors -- from both the government (at varying levels and organizations) and civilian perspective. The possibility of this type of complex/specifically targeted cyber threat has now been proven in the wild. It is only a matter of time before we identify that a similar event has occurred or is occurring right now.
The potential targets are only limited by our imaginations. I would expect both Nation States and common Cyber Criminals have been analyzing the same materials we are and developing new ingenious complex threat vectors into critical infrastructure, defense assets (government and civilian), financial environments, technology resources, and numerous other industries depending on the target niche market.
The goal would not have to be "global domination" or "nation destruction" -- in fact, I would propose the most dangerous outcome of this event will be the smaller -- highly sophisticated/complex -- threats that are successful but stay under the radar. They launch, are successful, and either destroy themselves or are jettisoned as expendable. (From both Nation States and common Cyber Criminals)
One interesting "pie in the sky" future item -- will Cyber Criminals be able to pull together a team of experts similar to the Stuxnet team (Cyber Mercenaries … a field that we can assume is growing quickly!) to create the civilian Stuxnet equivalent -- perhaps for historic financial gain or nearly any other historic event? Sounds like a Hollywood movie, doesn't it? I assume everyone has seen "Live Free or Die Hard" …
Finally, here are some additional background resources and great reading if interested:
Jay Holcomb is an assistant professor in the cyber/information assurance department of the National Defense University.
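The code-signing point Holcomb makes above (a file signed with a stolen but CA-issued certificate installs without any warning, and the only thing standing between you and that is the Untrusted Publishers store) is something you can check on your own machine. The script below is an added example, not part of Holcomb's column or of the original page. It assumes a Windows host with Windows PowerShell 5.1 or PowerShell 7, where the Cert: drive and Get-AuthenticodeSignature are available; the default directory and the file limit are illustrative choices, not anything the column specifies.

```powershell
# Added example (not from the original page): audit Authenticode signatures
# on drivers/executables and list what Windows explicitly distrusts.
# Assumes Windows with PowerShell 5.1+; $Path and $MaxFiles are illustrative defaults.
param(
    [string]$Path = "$env:SystemRoot\System32\drivers",
    [int]$MaxFiles = 200
)

# 1. The "Untrusted Certificates" (Disallowed) store is where Windows keeps
#    blocklisted publisher certificates, including the two 2001 VeriSign-issued
#    "Microsoft Corporation" certificates Holcomb refers to.
Write-Host "== Untrusted publishers (Disallowed store) =="
Get-ChildItem -Path Cert:\CurrentUser\Disallowed, Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
    Select-Object -Property @{ Name = 'Store'; Expression = { $_.PSParentPath -replace '.*::' } },
                            Subject, Issuer, NotAfter, Thumbprint |
    Format-Table -AutoSize

# 2. Verify each signature and record who signed it. Status is one of
#    Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
Write-Host "== Authenticode status for files under $Path =="
$results = Get-ChildItem -Path $Path -File -Include *.sys, *.dll, *.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object -First $MaxFiles |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        # Take only the first RDN (usually CN=...) so the table stays readable.
        $signer = if ($cert) { ($cert.Subject -split ', ')[0] } else { '' }
        $issuer = if ($cert) { ($cert.Issuer  -split ', ')[0] } else { '' }
        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status
            Signer      = $signer
            Issuer      = $issuer
            Timestamped = [bool]$sig.TimeStamperCertificate
            CertExpires = if ($cert) { $cert.NotAfter } else { $null }
        }
    }

# Anything not Valid is an obvious lead; a Valid signature from a publisher
# you do not expect on this machine is the Stuxnet case and needs a harder look.
$results | Sort-Object Status, Signer | Format-Table -AutoSize

# 3. Rank signers by how many valid files they account for; rare signers
#    stand out at the top of the list.
Write-Host "== Valid signatures grouped by signer (rarest first) =="
$results |
    Where-Object { $_.Status -eq 'Valid' } |
    Group-Object -Property Signer |
    Sort-Object -Property Count |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize
```

Run it as `.\Audit-Signatures.ps1 -Path 'C:\SomeVendor\Drivers'` against whatever directory you care about. The thing to internalize from the output is that `Valid` only means the signature chains to a root the machine trusts and the certificate had not been revoked at the moment of the check; a stolen certificate that its issuer has not yet revoked produces exactly the same `Valid` as the legitimate vendor's own builds, which is why the column treats the theft as the important part of the story.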