Stuxnet: It's the real thing, baby

While Tom Ricks is away from his blog, he has selected a few of his
favorite posts to re-run. We will be posting a few every day until he returns.
This originally ran on December 7, 2010.
Tom R.: For a long time I thought "infowar" or "cyberwar" was
nonsense, mainly a gambit to make money in the defense consulting complex. But expert comments like this one
on Stuxnet have me reconsidering.
By Jay Holcomb
Best Defense infowar columnist
I believe this event should be looked at from a much wider view … the Stuxnet
worm (threat vector) certainly should be considered a "game changer" … the folks
who are conducting the forensic analysis have been somewhat successful in
gaining high-level public/government attention to this issue.
While most folks seem to unofficially agree this worm likely targeted Iranian
facilities -- if we look wider -- this "attack" … or perhaps a better
classification "sabotage" … contains so many complex cyber elements combined
into one package that it is absolutely fascinating. I do not believe it is
hyperbole to say the Stuxnet worm is "revolutionary" in terms of what we should
be expecting to see in future high quality cyber threat vectors.
For example, a few of the well publicized items used by the Stuxnet worm
include:
At least four zero-day vulnerabilities were used. Remember, these were
classified as "zero-days" once we found out about them back in June/July --
which means the folks who discovered the vulnerabilities could have been using
them/testing them for 12-24 months(?) before we even knew they existed.
Discovering a single previously unknown vulnerability and using it successfully
against a target is impressive!
Used "legitimate certificates stolen from two certificate authorities" to
digitally sign Stuxnet code to be installed on target machines -- this was
needed to prevent Microsoft Windows from alerting the computer user that a
suspicious file is trying to install on the computer. This is huge! Imagine if
someone was able to steal a genuine SSL/TLS certificate for YOUR online bank
from VeriSign or Entrust and set up a web site that was an exact clone of YOUR
online bank. If you accessed the cloned web site -- your web browser would NOT
alert you to any problems with the fake web site because the site uses a valid
certificate -- the entire Internet online commerce model is based on this
"trust" of Certificate Authorities.
Sounds unrealistic … how about this …
anyone else remember 10 years ago when VeriSign issued two Microsoft
certificates to someone posing as a Microsoft employee? Imagine what they could
have done with those certificates … perhaps create their own "special" Microsoft
Windows patch … how many folks would download and install? We often trust major
companies, and our systems will trust the process as long as the file is signed
with a certificate from a "trusted" Certificate Authority (VeriSign, for
example)! To further highlight this issue … to this day the only two
"Untrusted Publishers" certificates installed in our Internet Explorer browsers
are for Microsoft from VeriSign!
Numerous propagation methods -- USB drives, network shares, other
peer-to-peer methods, etc. Interesting to see the Conficker vulnerability
(MS08-067) was one of the Stuxnet propagation options. The type, version, and
patch level of the Windows system the worm is residing on determine which
propagation method it will use. (Amazing)
Command and Control options -- via Internet or peer-to-peer if Internet
access is no longer available.
Very specific configuration of the target environment is needed to activate
the Stuxnet payload (manufacturer, specific product type, and unique product
configuration are examples) … the intelligence and reconnaissance needed of the
target must have been incredible.
The goal does not seem to have been destruction -- rather
interruption/delay. The payload modified the speed of very specific high-speed
motors, at seemingly random intervals. How many people knew weapons-grade
uranium enrichment requires long periods of constant high-speed motor action?
These examples do not include the many other specific SCADA asset features
the worm is targeting to validate prior to payload release/action -- amazing!
With the complexity of this cyber "event," it should change how we view future
potential threat vectors -- from both the government (at varying levels and
organizations) and civilian perspective. The possibility of this type of
complex/specifically targeted cyber threat has now been proven in the wild. It
is only a matter of time before we identify that a similar event has occurred or
is occurring right now.
The potential targets are only limited by our imaginations. I would expect
both Nation States and common Cyber Criminals have been analyzing the same
materials we are and developing new ingenious complex threat vectors into
critical infrastructure, defense assets (government and civilian), financial
environments, technology resources, and numerous other industries depending on
the target niche market.
The goal would not have to be "global domination" or "nation destruction" --
in fact, I would propose the most dangerous outcome of this event will be the
smaller -- highly sophisticated/complex -- threats that are successful but stay
under the radar. They launch, are successful, and either destroy themselves or
are jettisoned as expendable. (From both Nation States and common Cyber
Criminals)
One interesting "pie in the sky" future item -- will Cyber Criminals be able
to pull together a team of experts similar to the Stuxnet team (Cyber
Mercenaries … a field that we can assume is growing quickly!) to create the
civilian Stuxnet equivalent -- perhaps for historic financial gain or nearly any
other historic event. Sounds like a Hollywood movie, doesn't it … I assume
everyone has seen "Live Free or Die Hard"…
Finally, here are some additional background resources and great reading if
interested:
http://www.wired.com/threatlevel/2010/11/stuxnet-clues/
http://www.wired.com/threatlevel/2010/09/stuxnet/
http://www.symantec.com/business/theme.jsp?themeid=stuxnet
http://www.tofinosecurity.com/blog/stuxnet-mitigation-matrix
Jay Holcomb is an assistant professor in the cyber/information assurance
department of the National Defense University.
Thomas E. Ricks's Blog
