The term “computer virus” usually conjures up images of incompetent users, less-than-reputable websites and, at worst, lost data. However, the recent attack on Iran’s nuclear infrastructure by the Stuxnet virus may change the way we think about cyber security.
Having little in common with the viruses we have grown used to, Stuxnet may be the first in a new era of weaponized software. The BBC reports that the virus was first detected in June by VirusBlokAda, a security firm based in Belarus, which suspects that the code “may have been circulating since 2009.”
The virus was not meant to spread through the Internet; it wasn’t designed to datamine, nor did it pester the user with pop-ups. Stuxnet was written to spread via removable storage devices and targeted systems that are not usually connected to the Internet. If it could not find a compatible system, it remained inactive.
Once it infects a computer, Stuxnet reports the name and address of the machine back to a command server. The server can then relay instructions to compromised machines using a peer-to-peer network. It infects important applications using “two stolen and forged digital certificates for authentication and targets specific Siemens Simatic software that is used [ . . . ] in industrial control and critical infrastructure environments like utilities.”
It was designed to infect programmable logic controllers (PLCs), which are essentially industrial-strength microcontrollers used to “turn on and off motors, monitor temperature [or] turn on coolers if a gauge goes over a certain temperature.” The Siemens modules it was meant to infect are reportedly being used in Iran’s Bushehr nuclear reactor.
Symantec, a leading digital security company, analyzed Stuxnet and found that it was “sophisticated, incredibly large, required numerous experts in different fields and mostly bug-free” — traits that are not usually found in run-of-the-mill malware. Many specialists are suggesting it was written by a government, as few individuals would have access to the resources needed to write such an expansive system.
Symantec’s analysis of the code would support this argument. Their Stuxnet dossier reports that the project would have taken six months with a development team of five to 10 people, assuming that a “highly efficient” managerial team and suitable test system were available.
In order to prove this was a “cyber attack” on infrastructure, Symantec analyzed the rates of Stuxnet infection by country. During the 72-hour test, Symantec found over 58 per cent of infected computers were based in Iran. In contrast, Indonesia was the second most infected with 18 per cent of total Stuxnet compromises. This suggests it very well could have been a deliberate and targeted attack.
Though the jump from PCs to PLCs may seem trivial, it has changed the way governments think about and react to computer viruses. The European Union is currently reconsidering its cyber-defence strategy, a trend that other countries would be wise to follow.
Udo Helmbrecht, the executive director of the European Network and Information Security Agency, warns, “Now that Stuxnet and its implemented principles have become public, we may see more of these kinds of attacks.” Other analysts have reached the same conclusion. In an interview with NPR, Stephen Spoonamore, a longtime cybersecurity consultant, worried that the virus would spawn copycat attacks. “Now that it’s released, numerous other people will take that and go, ‘aha.’ ”
Governments will now have to rethink what constitutes an act of war, as a viral attack on a nuclear reactor could prove just as damaging as a cruise missile. With so much of our infrastructure digitally controlled, wars in the 21st century may be waged not with guns, but with keyboards.