Symantec has found evidence of Stuxnet variants from way back in 2005. That’s much older than the 2009 creation date we originally thought it had. More here and here.
What’s impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then.
fatbloke • March 15, 2013 7:19 AM
Ah, Stuxnet. The ‘poster child’ for the entire ‘cyber con’. And so we see that ‘cyber’ really is nothing new after all. It’s the same old Infosec we’ve been banging on about for years.
All the vendors jumping on the ‘cyber bandwagon’ and all the ‘cyber experts’, come in, your time is up.
Now, if we can only get the politicians and legislators to listen…
Colin Robbins • March 15, 2013 7:42 AM
If the attack capabilities were that advanced in 2005, it instantly leads to speculation as to where the capability now lies.
Clive Robinson • March 15, 2013 8:10 AM
The evidence actually goes back a bit further than that, it would appear 2000/2001 were the start dates for some of the software.
Which means that there was an active campaign prior to 9/11 and may actually be pre-GWB…
Which raises a question or two of it’s own seeing as back then the US and Wests relations with Iran were actually better than they had been since the deposing of the then monarch, and restrictions on Iranian people at there lowest…
@ wiredog,
You might want to read this…
It appears some in the administration don’t share your optimism,
Dilbert • March 15, 2013 8:16 AM
@fatbloke, I’m sure everyone here knows that “CyberSecurity” is the sexy new term for “Information Security”… nothing to see here, move along.
APT, just a new term for the old “low and slow” attacks of the previous decade. Nothing to see here either, move along.
Electronic Pearl Harbor?
Cyber 9/11?
Puhleeeze! /rolling eyes/
wiredog • March 15, 2013 8:24 AM
@clive
I was being facetious. Using software attacks to cause physical damage goes back decades. Supposedly the CIA “accidentally” caused a Soviet gas pipeline to explode by feeding bad software to Soviet agents who thought they were stealing Valuable Industrial Secrets.
I wonder what happened to the KGB officers who delivered that software?
TimK • March 15, 2013 8:29 AM
Interesting article at arstechnica on ‘gauss’ and how it seems to be targetting specific but unknown targets.
Marc Espie • March 15, 2013 8:48 AM
I like the current developments a lot.
For years, people saying that computer security was important have been seen as wildly paranoid, and speculative about potential security holes.
Now, it turns out we were right all along, and that the attacks are at least as advanced as we theorized they might be.
I see this as some kind of vindication.
Now, I’m waiting for the other shoe to drop, because, right now, outside of the security community, and a few buzzword articles, it doesn’t look like anybody has really understood the real implications of the current situation (e.g., most corporate entities are in much deeper shit than they thought, and not secure at all).
Maybe it’s the other side of the transparent society, that in the end, there’s no actual privacy to be had for anyone be they individuals or corporate entities ?
Clive Robinson • March 15, 2013 9:45 AM
@ wiredog
I was being facetious.
Sorry I realised so, and likewise I was being facetious in return it just didn’t come across as well.
Speaking of which,
I wonder what happened to the KGB officers who delivered that software?
I assume he got fired.
Just like the pipeline.
Peter Maxwell • March 15, 2013 10:52 AM
What’s impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then.
Really? I’d read discussion boards in 1999 talking about “uber viruses”, essentially what Stuxnet is. I would have been more surprised if state bodies hadn’t created that sort of capability back then.
OldFish • March 15, 2013 11:41 AM
The level of capability in 2005 is no surprise considering the budgets wielded by the agencies under question. No surprise at all.
Necessary_Troll • March 15, 2013 4:49 PM
@Colin Robbins
Well, using certain phrases from some of the recent NSA whistleblowers, I think really advanced side-channel attacks is where the capabilities are focused these days. Still, no one really pays attention to timing attacks or power monitoring. Not even getting into the low level hardware issue.
Clive Robinson • March 15, 2013 6:42 PM
@ Necessary_Troll,
Still, no one really pays attention to timing attacks or power monitoring
Some of us on this blog do quite seriously as, and in some respects some of us were well ahead of the game back in the 1980’s.
In other respects I suspect that these days some academics and private small companies are ahead of the game.
Simply because for all the likes of the NSA, GCHQ et al tell their potential recruits, the jobs they offer are little more than bureaucratic jobs with the only reward at the end of the day being a government pension. And thus they have little to offer the better minds these days. Further as is becoming clear as a private contractor you can do the fun things like hunt zero days and then sell them at very high dollar value to some government agencies, so you get your cake and eat it while it still tastes sweet.
Aside from “side channel” attacks it’s fairly reasonable to think they are going to try manipulating the likes of standards and their associated protocols (it’s what the UK Gov did with the for runners of what are now our base telecommunication standards in Europe).
But one area I suspect they have dug into very very deeply without it realy being that visable to others is weaknesses in Random Number Generators used in commercial products. The output of RNGs is what in many cases underpins many of our assumptions about crypto security. It’s certainly an area that should be of interest to the academic community due to the number of failings they have found. But for some strange reason it’s a subject that appears to stall and splutter it’s way along.
Another area which the academics have by and large ignored but is going to be a ripe hunting ground is “Fault Injection by non contact means”.
Any way there are a few other ideas, but you will probably feel they lack the drive or ommph you would expect.
Adrian • March 15, 2013 7:47 PM
@wiredog
“Just remember, ‘cyberwar’ is just a scam to get more power for the government because we all know that you can’t cause harm in the real world just using software.”
You’re thinking of sabotage, not war.
WikiLeaks: The Spy Files • March 16, 2013 1:58 AM
WikiLeaks: The Spy Files
http://wikileaks.org/the-spyfiles.html
The WikiLeaks Spy Files are more than just about ’good Western countries’ exporting to ’bad developing world countries’. Western companies are also selling a vast range of mass surveillance equipment to Western intelligence agencies. In traditional spy stories, intelligence agencies like MI5 bug the phone of one or two people of interest. In the last ten years systems for indiscriminate, mass surveillance have become the norm. Intelligence companies such as VASTech secretly sell equipment to permanently record the phone calls of entire nations. Others record the location of every mobile phone in a city, down to 50 meters. Systems to infect every Facebook user, or smart-phone owner of an entire population group are on the intelligence market.
Melzeebub92 • March 18, 2013 8:22 AM
@wiredog
‘you can’t cause harm in the real world just using software.’
Amanda Todd…..
I’m aware that the topic is different but are some of the lessons transferable?
Perhaps if we say the bully is American hackers and Amanda is the target country we can, potentially, see how harrassment through software could cause significant damage to the way a country operates and therefore the individuals that live in the target country.
Jason • March 19, 2013 8:28 AM
It’s interesting we always believe our government is so incompetent. If you read Body of Secrets you are quickly lead to the same conclusion… wow, if they could do that then.. what are they doing now?
Pseudonymous Coward • March 19, 2013 11:51 AM
What do all of the victims of Operation Olympic Games (and every other known state-sponsored malware attack) have in common?
Serious brain damage, apparently. How else might one explain their decision to run critical military infrastructure on MS Windows?
No one is fighting a “cyber war.” Everybody is playing cyber laser tag. Avoid defeat by refusing to wear the buzzer vest. The only winning move is not to play. Don’t play the NSA’s game: use a real operating system! Preferably one where the target CPU can be of local manufacture, and all core binaries are small enough to audit manually and statically.
In addition to braindead security flaws, MS Windows has genuine back doors, but none of them have been used (to date.) For the same reason that Winston Churchill let Coventry burn. Sometimes, the most valuable secret is the very existence of a capability. (And before you fire up IDA and go hunting, the backdoors are kleptographic – that is to say, 100% plausibly-deniable. Publish a result, and you will be branded a crackpot and ignored.)
Phred • March 20, 2013 9:09 AM
“What’s impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then.”
What really impresses me is what Israel was doing in the 1980’s. According to the book “Robert Maxwell, Israel’s SuperSpy,” Maxwell stole code for a sophisticated (for the time) U.S. government developed law enforcement database. Israel added code. Then Maxwell sold it to a number of intelligence agencies, including friendly western agencies and some Soviet Block agencies. The extra code was a backdoor for Israel’s intelligence service.
Exculse me if this is old information to this forum.
Necessary_Troll • March 21, 2013 1:04 PM
@ Clive Robinson
“Any way there are a few other ideas, but you will probably feel they lack the drive or ommph you would expect. ”
On the contrary, you should shared some very valuable info I was previously unaware of, and now I am genuinely curious about those subjects. Thanks for the spur.
Necessary_Troll • March 21, 2013 1:05 PM
@ Clive Robinson
“Any way there are a few other ideas, but you will probably feel they lack the drive or ommph you would expect. ”
On the contrary, you shared some very valuable info that I was previously unaware of, and now I am genuinely curious about. Thanks for the spur.
Clive Robinson • March 21, 2013 3:26 PM
@ Dave, Nick P,
buggedplanet.info
Yes it’s a nice little resource but lacking in certain respects.
For instance it has my favourit example of “supping with the Devil then kissing Gods feet” DATONG.
Many years ago they made Ham Radio Kits and were fairly successfull. One of the kits they made was a four antenna “direction finding” system you could connect to just about any receiver that had an antenna connector and audio output jack.
This got them one or two definatly non amateur customers including some Gov Orgs doing surveilance and counter surveillance. The very lucrative profit on such contracts caused them to develop more products in that area.
Then it all went pear shaped. They got a contract to design a very high current multiple output pulse generator with sub nanosecond rise times. For some reason they were not suspicious, and then got burnt when a US intel operation linked them via the two people who fronted the contract back to a dodgy middle east country with nuclear aspirations…
Needless to say they spent some time in the wilderness over that before they managed to get back the lucrative surveillance contracts etc with various WASP nation Govs.
The problem they face these days is at the technical level they opperate at such stuff is now “childs play” and can be done as undergraduate projects. They don’t (or didn’t) possess the contacts etc to knock it up a notch or five to go into custom chip manufacture which would get them off of their current “coal face” income back to the “gold seam” income of times past.
Also they appear to have “big boss syndrome” where the directors take and expect ever increasing salaries, pensions and other perks year on year which are not justified by company performance…
I for one won’t be buying their shares 😉
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
wiredog • March 15, 2013 5:54 AM
Just remember, “cyberwar” is just a scam to get more power for the government because we all know that you can’t cause harm in the real world just using software.
Right?