Cyber warfare Gains in Sophistication
Stuxnet and more recent types of malicious software, or malware— particularly Duqu, Flame, and Gauss—herald a frightening new era in cyberwarfare. China, Russia, the United States, and other nations have been engaging in cyberw arfare for several years, and these four types of malware represent a major technological escalation. All four types are so sophisticated and complex that they appear to have been developed by nation states for use in ongoing (as of mid-2013) cyberespionage operations. Stuxnet, first launched in June 2009 and discovered in July 2010, is malware that targets industrial supervisory control and data acquisition systems. In particular, Stuxnet targets Siemens SCADA systems that are configured to control and monitor specific industrial processes. In fact, security experts around the world suspect that the malware’s target was the uranium enrichment industrial infrastructure in Iran. On November 29, 2010, Iran confi rmed that its nuclear program had been damaged by Stuxnet. The malware may have damaged Iran’s nuclear facilities in Natanz and eventually delayed the start-up of the Bushehr nuclear power plant. Whoever constructed Stuxnet must have possessed an indepth knowledge of nuclear industrial processes. Stuxnet appears to have impaired Iran’s computer-controlled uranium centrifuges, which mysteriously lost 30 percent of their production capacity, thereby delaying any plans to produce a nuclear weapon. After infecting Iran’s nuclear facilities, Stuxnet spread rapidly throughout the country, affecting more than 30,000 Internet Protocol addresses. This problem was compounded by the malware’s ability to mutate, meaning that new versions of Stuxnet continued to spread. Stuxnet is believed (but not known) to have been written through a partnership between Israel and the United States. Duqu is a type of malware discovered in 2011 on computers in Iran, Sudan, and other countries that was designed to steal documents and other data from infected computers. Duqu appeared to gather intelligence specifically about the design of SCADA systems. The malware does not actually cause damage to infected computers; rather, it gathers information required for future attacks. Duqu creates a back door into computer systems that remains open for only 36 days, at which time the malware deletes itself. The reason for this short time period is probably to limit discovery. Another sophisticated type of malware, called Flame, has been detected infecting systems in Iran, Israel, Palestine, Sudan, Lebanon, Saudi Arabia, and Egypt. Flame was officially discovered by Kaspersky Lab (www.kaspersky.com) in 2012 when the United Nations International Telecommunications Union asked the fi rm to look into reports that computers belonging to the Iranian Oil Ministry and the Iranian National Oil Company had been infected with malware that was stealing and then deleting information from infected systems. Although Flame has both a different purpose and composition than Stuxnet and it appears to have been written by different programmers, its complexity, the geographic scope of its infections, and its behavior strongly indicate that it is related to Stuxnet. Flame appears to be designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations, and keystrokes. Flame has several cyberespionage functions. It turns on the internal microphone of an infected computer to secretly record conversations that occur either over Skype or in the computer’s vicinity; it scans for Bluetooth-enabled devices in the vicinity of an infected computer to gather names and phone contacts from the contacts folder; it captures and stores frequent screenshots of activity on infected computers, such as instant messaging and e-mail communications; and it opens a backdoor to infected systems. Flame does not replicate automatically by itself. The spreading mechanisms are turned off by default and must be switched on by the attackers before the malware will spread. This feature is likely intended to control the spread of the malware and to decrease the likelihood that it will be detected. Another type of malware, called Gauss, is closely related to Flame and Stuxnet. Gauss blends cyber-surveillance with an online banking Trojan horse. It can steal access credentials for various online banking systems and payment methods, as well as browser history, social networking and instant messaging information, and passwords. It can also intercept cookies from PayPal, Citibank, MasterCard, American Express, Visa, eBay, Gmail, Hotmail, Yahoo!, Facebook, Amazon, and some Middle Eastern banks. Gauss appears to target Lebanese banks as well as Citibank and PayPal, according to Kaspersky Lab. At the time of this writing (mid-2013), Gauss had infected some 2,500 systems in 25 countries, with the majority of infected computers located in Lebanon. Like Flame and Duqu, Gauss is programmed with a built-in time-to-live. Once that time limit is reached, Gauss deletes itself completely from an infected system. Unfortunately, the techniques used in sophisticated, nationbacked malware are trickling down to less-skilled programmers who target regular Web users and their online accounts or credit card details. As a result, we are all at greater risk from cybercriminals. Sources: Compiled from “Iranian News Agency Reports Another Cyberattack by Stuxnet Worm Targeting Industries in South,” Associated Press, December 25, 2012; T. Simonite, “Stuxnet Tricks Copied by Computer Criminals,” MIT Technology Review, September 19, 2012; “Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload,” KurzweilAI.net, August 11, 2012; E. Nakashima, “U.S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Offi cials Say,” The Washington Post, June 19, 2012; “Flame Malware Makers Send ‘Suicide’ Code,” BBC News, June 8, 2012; C. Mims, “Stuxnet and Cyberwarefare,” MIT Technology Review, June 4, 2012; D. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times, June 1, 2012; “Meet ‘Flame,’ the Massive Spy Malware Infiltrating Iranian Computers,” KurzweilAI.net, May 31, 2012; T. Erdbrink, “Iran Confi rms Attack That Collects Information,” The New York Times, May 29, 2012; K. Zetter, “‘Flame’ Spyware Infiltrating Iranian Computers,” Wired, May 29, 2012; R. Cohen, “New Massive Cyber-Attack an ‘Industrial Vacuum Cleaner for Sensitive Information,” Forbes, May 28, 2012; C. Albanesius, “Massive ‘Flame’ Malware Stealing Data Across Middle East,” PC Magazine, May 28, 2012; D. Lee, “Flame: Massive Cyberattack Discovered, Researchers Say,” BBC News, May 28, 2012; B. Schneier, “Another Piece of the Stuxnet Puzzle,” www.schneier.com, February 23, 2012; “Experts Say Iran Has ‘Neutralized’ Stuxnet Virus,” Reuters, February 14, 2012; D. Talbot, “New Malware Brings Cyberwar One Step Closer,” MIT Technology Review, October 20, 2011; K. Zetter, “Son of Stuxnet Found in the Wild on Systems in Europe,” Wired, October 18, 2011; R. Vamosi, “Son of Stuxnet,” Forbes, October 18, 2011; M. Schwartz, “Stuxnet Iran Attack Launched from 10 Machines,” InformationWeek, February 14, 2011; G. Keizer, “Stuxnet Struck Five Targets in Iran, Say Researcher,” Computerworld, February 11, 2011.
1.Discuss the implications of the precisely targeted nature of the Stuxnet, Duqu, Flame, and Gauss attacks.
2. Analyze the statement: “Nations use malware such as Stuxnet, Duqu, Flame, and Gauss when their only alternative is to go to war.”
3.Discuss the implications that these four types of malware have for all of us