Weaponised Malware Poses New Security Threat

The recent Stuxnet attack on an Iranian nuclear facility sounded like just another attack, but there was more to it, says Jeff Hudson

The headlines seemed all too familiar – “New malware attack”.  How many times have we seen this before?  Digital security threats have become commonplace in our interconnected and IT-dependent world. Something was different with this news, however.

The attack occurred at an Iranian nuclear facility.  Okay so now I am hooked.  What was going on?  What is the so-called Stuxnet virus?  Where did it come from, who was behind it, how did it work, when will it show up on other systems, and what can be done to defend against this form of attack in the future?

This was no ordinary attack. As researchers later discovered, the attack utilised four different Zero Day exploits on Windows platforms.  In addition to the Zero Day attacks, the payload included a stolen digital certificate that was issued by Verisign.  The virus was self-propagating and spread to numerous machines, and was to locate and operate a valve or control module that was a critical part of the nuclear facility’s infrastructure, with the intent of disabling or damaging the facility. In other words: to act as a weapon.

Malware as a weapon

The traditional, malicious approach to damaging the facility would have been a conventional weapon (i.e. a bomb). The astonishing difference is that this malware, the Stuxnet virus, was attempting to do mechanical damage to the facility without supplying the destructive mechanical force on its own.  The virus was designed specifically to accomplish the work of a weapon and has therefore earned the dubious classification as Weaponised Malware.

The Stuxnet malware is estimated to have taken ten man-years to develop, and has an extremely sophisticated code base. The tools used, the timestamps on the binaries and the number of modules all suggest multiple development teams working in tandem. The origin of the malware is unverified but the security community has concluded that it was probably developed by a nation state or states attempting to disrupt the Iranian nuclear program.

It is a well-established fact that many weapons developed by nation states for military use eventually become available to other non nation-state entities, like terrorists and criminal organisations. Examples include night-vision goggles, GPS systems, airborne drones, fully automatic rifles, Kevlar body armor, and shoulder-launched missiles. These are just a few of the technologies developed for national militaries that are now routinely employed by criminal gangs, terrorists, and rogue nation states.

The pertinent question is: when will the Weaponised Malware and its derivatives be used by these entities to destroy, disable or steal valuable assets and information from other nations, utilities, banks, or telecommunication companies?  The answer is that we do not know when but we are sure that it will happen.  How can threatened organisations assess and address this new security risk?