2010
Cyber Weapons
In June 2010, an antivirus company called VirusBlokAda publicly reported a highly sophisticated computer worm expanding its presence on computers running Microsoft Windows, with most of the early infected systems located in Iran.
Interest grew as more security experts looked at the code. Whereas viruses and worms typically spread when a person runs a program, this one spread when a person opened Windows folders containing the infected files. This program could also spread using previously unknown vulnerabilities in the Windows printer subsystem. Once activated, it installed a sophisticated “rootkit,” making the program invisible to antivirus programs. It then sought software designed to control industrial systems such as motors, pumps, and compressors, and if it found the correct software, it installed a carefully crafted flaw.
That flaw, analysis later revealed, attacked computer-controlled motors manufactured by two specific vendors located in Finland and Iran, placing significant mechanical strain on the motors and anything connected to them. All this activity would be invisible to software controlling the drive.
Symantec®, a US-based antivirus company, named the malware Stuxnet, based in part on files that the malware carried. In the weeks that followed, both Symantec and the Russian antivirus firm Kaspersky published detailed analyses of Stuxnet. The program exploited four previously unreported vulnerabilities in the Windows operating system. The flaws, the attacks on the computer-controlled motors, and the fact that Stuxnet was mostly spreading in Iran led many observers to conclude that the software had been written by a state sponsor.
Stuxnet is now generally regarded as the world’s first cyber weapon that had physical effects—at least, the first that was caught and publicly analyzed. Why was it caught? It seems that a programming error resulted in Stuxnet spreading much further than intended, and important aspects of the program were not encrypted, making it dramatically easier to analyze.
Writing in the journal International Security, Cornell professor Rebecca Slayton calculates that in the end, Stuxnet cost its sponsors between $11 million and $67 million to develop, while the total impact on Iran was just $4 million in additional cybersecurity costs, $5 million in lost productivity, and $1.8 million in centrifuge replacement, for a total of $11 million.
SEE ALSO Morris Worm (1988)
Logic bombs, physical bombs . . . In the world of the computer, it’s all the same.