Stuxnet is Much Older than We Thought

Symantec has found evidence of Stuxnet variants from way back in 2005. That's much older than the 2009 creation date we originally thought it had. More here and here.

What's impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then.

Posted on March 15, 2013 at 5:46 AM • 25 Comments

Comments

wiredog • March 15, 2013 5:54 AM

Just remember, "cyberwar" is just a scam to get more power for the government because we all know that you can't cause harm in the real world just using software.

Right?

fatbloke • March 15, 2013 7:19 AM

Ah, Stuxnet. The 'poster child' for the entire 'cyber con'. And so we see that 'cyber' really is nothing new after all. It's the same old Infosec we've been banging on about for years.

All the vendors jumping on the 'cyber bandwagon' and all the 'cyber experts', come in, your time is up.

Now, if we can only get the politicians and legislators to listen...

Clive Robinson • March 15, 2013 8:10 AM

The evidence actually goes back a bit further than that; it would appear 2000/2001 were the start dates for some of the software.

Which means that there was an active campaign prior to 9/11 and may actually be pre-GWB...

Which raises a question or two of its own, seeing as back then the US and the West's relations with Iran were actually better than they had been since the deposing of the then monarch, and restrictions on Iranian people at their lowest...

@ wiredog,

You might want to read this...

It appears some in the administration don't share your optimism,

http://www.nextgov.com/defense/2013/03/...

Dilbert • March 15, 2013 8:16 AM

@fatbloke, I'm sure everyone here knows that "CyberSecurity" is the sexy new term for "Information Security"... nothing to see here, move along.

APT, just a new term for the old "low and slow" attacks of the previous decade. Nothing to see here either, move along.

Electronic Pearl Harbor?
Cyber 9/11?

Puhleeeze! /rolling eyes/

wiredog • March 15, 2013 8:24 AM

@clive
I was being facetious. Using software attacks to cause physical damage goes back decades. Supposedly the CIA "accidentally" caused a Soviet gas pipeline to explode by feeding bad software to Soviet agents who thought they were stealing Valuable Industrial Secrets.

I wonder what happened to the KGB officers who delivered that software?

Marc Espie • March 15, 2013 8:48 AM

I like the current developments a lot.

For years, people saying that computer security was important have been seen as wildly paranoid, and speculative about potential security holes.

Now, it turns out we were right all along, and that the attacks are at least as advanced as we theorized they might be.

I see this as some kind of vindication.

Now, I'm waiting for the other shoe to drop, because, right now, outside of the security community, and a few buzzword articles, it doesn't look like anybody has really understood the real implications of the current situation (e.g., most corporate entities are in much deeper shit than they thought, and not secure at all).

Maybe it's the other side of _the transparent society_, that in the end, there's no actual privacy to be had for *anyone* be they individuals or corporate entities ?

Clive Robinson • March 15, 2013 9:45 AM

@ wiredog

"I was being facetious."

Sorry, I realised so, and likewise I was being facetious in return; it just didn't come across as well.

Speaking of which,

"I wonder what happened to the KGB officers who delivered that software?"

I assume he got fired.

Just like the pipeline.

Peter Maxwell • March 15, 2013 10:52 AM

"What's impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then."

Really? I'd read discussion boards in 1999 talking about "uber viruses", essentially what Stuxnet is. I would have been more surprised if state bodies hadn't created that sort of capability back then.


OldFish • March 15, 2013 11:41 AM

The level of capability in 2005 is no surprise considering the budgets wielded by the agencies under question. No surprise at all.

Necessary_Troll • March 15, 2013 4:49 PM

@Colin Robbins

Well, using certain phrases from some of the recent NSA whistleblowers, I think really advanced side-channel attacks is where the capabilities are focused these days. Still, no one really pays attention to timing attacks or power monitoring. Not even getting into the low level hardware issue.

Clive Robinson • March 15, 2013 6:42 PM

@ Necessary_Troll,

"Still, no one really pays attention to timing attacks or power monitoring."

Some of us on this blog do, quite seriously, and in some respects some of us were well ahead of the game back in the 1980s.

In other respects I suspect that these days some academics and private small companies are ahead of the game.

Simply because for all the likes of the NSA, GCHQ et al tell their potential recruits, the jobs they offer are little more than bureaucratic jobs with the only reward at the end of the day being a government pension. And thus they have little to offer the better minds these days. Further as is becoming clear as a private contractor you can do the fun things like hunt zero days and then sell them at very high dollar value to some government agencies, so you get your cake and eat it while it still tastes sweet.

Aside from "side channel" attacks it's fairly reasonable to think they are going to try manipulating the likes of standards and their associated protocols (it's what the UK Gov did with the forerunners of what are now our base telecommunication standards in Europe).

But one area I suspect they have dug into very very deeply without it really being that visible to others is weaknesses in Random Number Generators used in commercial products. The output of RNGs is what in many cases underpins many of our assumptions about crypto security. It's certainly an area that should be of interest to the academic community due to the number of failings they have found. But for some strange reason it's a subject that appears to stall and splutter its way along.

Another area which the academics have by and large ignored but is going to be a ripe hunting ground is "Fault Injection by non contact means".

Anyway, there are a few other ideas, but you will probably feel they lack the drive or oomph you would expect.

Adrian • March 15, 2013 7:47 PM

@wiredog

"Just remember, 'cyberwar' is just a scam to get more power for the government because we all know that you can't cause harm in the real world just using software."

You're thinking of sabotage, not war.

WikiLeaks: The Spy Files • March 16, 2013 1:58 AM

WikiLeaks: The Spy Files
http://wikileaks.org/the-spyfiles.html

The WikiLeaks Spy Files are more than just about ’good Western countries’ exporting to ’bad developing world countries’. Western companies are also selling a vast range of mass surveillance equipment to Western intelligence agencies. In traditional spy stories, intelligence agencies like MI5 bug the phone of one or two people of interest. In the last ten years systems for indiscriminate, mass surveillance have become the norm. Intelligence companies such as VASTech secretly sell equipment to permanently record the phone calls of entire nations. Others record the location of every mobile phone in a city, down to 50 meters. Systems to infect every Facebook user, or smart-phone owner of an entire population group are on the intelligence market.

Melzeebub92 • March 18, 2013 8:22 AM

@wiredog

'you can't cause harm in the real world just using software.'

Amanda Todd.....

I'm aware that the topic is different but are some of the lessons transferable?
Perhaps if we say the bully is American hackers and Amanda is the target country we can, potentially, see how harassment through software could cause significant damage to the way a country operates and therefore the individuals that live in the target country.

Jason • March 19, 2013 8:28 AM

It's interesting we always believe our government is so incompetent. If you read Body of Secrets you are quickly led to the same conclusion... wow, if they could do that then... what are they doing now?

Pseudonymous Coward • March 19, 2013 11:51 AM

What do all of the victims of Operation Olympic Games (and every other known state-sponsored malware attack) have in common?

Serious brain damage, apparently. How else might one explain their decision to run critical military infrastructure on MS Windows?

No one is fighting a "cyber war." Everybody is playing cyber laser tag. Avoid defeat by refusing to wear the buzzer vest. The only winning move is not to play. Don't play the NSA's game: use a real operating system! Preferably one where the target CPU can be of local manufacture, and all core binaries are small enough to audit manually and statically.

In addition to braindead security flaws, MS Windows has genuine back doors, but none of them have been used (to date.) For the same reason that Winston Churchill let Coventry burn. Sometimes, the most valuable secret is the very existence of a capability. (And before you fire up IDA and go hunting, the backdoors are kleptographic - that is to say, 100% plausibly-deniable. Publish a result, and you will be branded a crackpot and ignored.)

Phred • March 20, 2013 9:09 AM

"What's impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then."

What really impresses me is what Israel was doing in the 1980s. According to the book "Robert Maxwell, Israel's SuperSpy," Maxwell stole code for a sophisticated (for the time) U.S. government developed law enforcement database. Israel added code. Then Maxwell sold it to a number of intelligence agencies, including friendly western agencies and some Soviet Bloc agencies. The extra code was a backdoor for Israel's intelligence service.

Excuse me if this is old information to this forum.

Necessary_Troll • March 21, 2013 1:04 PM

@ Clive Robinson

"Anyway, there are a few other ideas, but you will probably feel they lack the drive or oomph you would expect."

On the contrary, you shared some very valuable info I was previously unaware of, and now I am genuinely curious about those subjects. Thanks for the spur.

Necessary_Troll • March 21, 2013 1:05 PM

@ Clive Robinson

"Anyway, there are a few other ideas, but you will probably feel they lack the drive or oomph you would expect."

On the contrary, you shared some very valuable info that I was previously unaware of, and now I am genuinely curious about. Thanks for the spur.

Clive Robinson • March 21, 2013 3:26 PM

@ Dave, Nick P,

buggedplanet.info

Yes it's a nice little resource but lacking in certain respects.

For instance it has my favourite example of "supping with the Devil then kissing God's feet": DATONG.

Many years ago they made Ham Radio Kits and were fairly successful. One of the kits they made was a four antenna "direction finding" system you could connect to just about any receiver that had an antenna connector and audio output jack.

This got them one or two definitely non amateur customers including some Gov Orgs doing surveillance and counter surveillance. The very lucrative profit on such contracts caused them to develop more products in that area.

Then it all went pear shaped. They got a contract to design a very high current multiple output pulse generator with sub nanosecond rise times. For some reason they were not suspicious, and then got burnt when a US intel operation linked them via the two people who fronted the contract back to a dodgy middle east country with nuclear aspirations...

Needless to say they spent some time in the wilderness over that before they managed to get back the lucrative surveillance contracts etc with various WASP nation Govs.

The problem they face these days is at the technical level they operate at such stuff is now "child's play" and can be done as undergraduate projects. They don't (or didn't) possess the contacts etc to knock it up a notch or five to go into custom chip manufacture which would get them off of their current "coal face" income back to the "gold seam" income of times past.

Also they appear to have "big boss syndrome" where the directors take and expect ever increasing salaries, pensions and other perks year on year which are not justified by company performance...

I for one won't be buying their shares ;)
