A computer worm that has been dubbed by some analysts the world’s first cyber super weapon has reportedly made its way to China.
Stuxnet, which was first discovered in June this year and is reportedly the first worm known to have been used to target critical infrastructure, is said to have already infected millions of personal computers in China.
The worm gained worldwide notoriety last month when international media began reporting that it had made its way into Iran’s industrial complexes, including nuclear facilities, prompting speculation that it was being used as a weapon by Israel or the United States to cripple the country’s nuclear programme.
Stuxnet is said to be different from previous malware in two ways. First and untypically, it’s delivered through a USB port, meaning systems don’t have to be connected to the Internet to become infected. But perhaps more interestingly—and uniquely—it seizes control of a targeted facility’s supervisory control and data acquisition (SCADA) system and is therefore able to disable it.
Now, official Chinese media is reporting that the worm has already infected 6 million PCs and about 1000 corporate computers.
The official Xinhua News Agency on Friday quoted Wang Zhantao, an engineer at the Beijing-based Rising International Software Co. Ltd., as saying that Stuxnet ‘can break into computers and steal private information, especially from industrial firms, sending it back to a server in the United States.’
He’s also quoted as saying that the virus exploited a bug in Siemens auto-control systems used in industrial manufacturing to skip the security check. ‘Hackers may take control of a company's machinery run under computers infected by Stuxnet, and give dangerous orders causing serious damage,’ he’s reported as saying.
So, did the attack really originate in the United States, as has been stated in some reports? I asked Marcus Sachs, executive director for National Security and Cyber Policy at Verizon in Washington, D.C. and a former member of the White House Office of Cyberspace Security, how easy attribution of such attacks is.
‘Attribution in cyberspace is always very hard. There are too many ways to be anonymous and too many ways to spoof another person or system,’ he told me. ‘The basic protocols of the Internet don’t allow for positive attribution, which is great for free speech, but makes things hard for law enforcement.’
Sachs, who is also director of the SANS Internet Storm Center, said much of the talk about Stuxnet being a cyber super weapon is hyperbole, but admitted that the malware is complicated and will pose China and others problems.
‘It will be interesting to see how they respond, and how transparent they are in reporting on it,’ he said. ‘What's different for them is being able to publicly discuss the impact of these tools on their systems and what they are doing to mitigate it. Here in the USA anybody can blog, speak, or publish whatever they please. That doesn't mean that what comes from us is truthful. But it's definitely hard to figure out what to believe in terms of statements coming from China.’
The issues of who is responsible for Stuxnet and why China may have been targeted also raise the interesting question of whether China itself is capable of such an attack. There’s periodic speculation in the media about Chinese cyber capabilities and how involved the government is in any attacks that take place on foreign entities, be they governments or companies.
This year alone has seen numerous reports on China’s supposed cyber war intentions, including in March, when the Times of London reported NATO and the European Union had issued urgent warnings that intelligence materials needed to be protected from a surge in cyber attacks originating in China.
The paper quoted one US analyst as saying that ‘neither the US nor any of its Western allies had formed an effective response to the Chinese threat…The West’s own cyber offensives have so far been directed largely at terrorists rather than nation states, giving China virtually free rein to penetrate Western systems with its own world-class hackers and increasingly popular Chinese-made components.’
I asked Sachs how much evidence there was of a centrally coordinated effort from China.
‘There’s most likely a "formal" government or military coordinated capability, as there is in most developed countries—think about our new Cyber Command,’ he said. ‘But there's also the millions of Chinese citizens online, and a very large population of young, technically educated, and inquisitive users.
‘Most of the threats we see coming from China are not from the government or military, but from hacking groups and clubs, and from organized crime. There's a lot of misconceptions about China and often here in the USA we are quick to make them into the boogie man of cyberspace.’
And, he made sure to point out, it all goes back to the problem of attribution. ‘It's very easy to make it look like an attack is coming from China when the actual human on the keyboard might be sitting in Moscow or Memphis.’