At the IEEE Smart Grid Survivability workshop held at SEI in Arlington, VA last week, we had a front row seat for a great presentation by Symantec's Liam O'Murchu, one of three Stuxnet reverse engineers Symantec has had on the case for over three months straight.
Though I've been following Stuxnet on the SGSB (first post HERE) since shortly after it surfaced (well after it was born circa 2009), Liam provided some insights that I think surprised all of us, including:
- To escape detection while targeting every Windows OS from 2000 to 7, the attack team purchased each and every version of all anti-virus products for each OS and then designed Stuxnet to ensure they wouldn't be noticed by any of them
- Stuxnet is evolving its capabilities to infect systems and replicate within an organization, yet its payload remains unchanged. Meaning: the target remains the same ... and maybe the attackers aren't yet satisfied they've accomplished their mission
- On the human-interest side, he noted that the reverse engineering paths he and his colleagues have been following are the same or similar to those blazed by the team who crafted the attack. Though lots of evidence points that way, Symantec (unlike Ralph Langner and others) is not ready to say that Iran's nuclear operations are the only or primary target of Stuxnet. There are still several parts of Stuxnet they've yet to crack, and their research continues
- In addition to phenomenal anti-virus evasion techniques, Stuxnet includes lots of other stealth approaches and myriad attack strategies for getting past OS defenses, through firewalls, escalating its privileges, and much, much more
But the bad news is that for aspiring bad guys, Stuxnet is a master class, a surprising visit from "attacks of the future" to present day 2010 on how to do more damage than you ever thought possible. We'll see Stuxnet again, and if it's pointed at us (US utilities, other industrial operators) next time the payload may be quite different.
Written by Liam and team, Symantec's 51-page Stuxnet Dossier remains the definitive document on Stuxnet. We'll be hearing more from them as they (and others) make new discoveries, but there's already plenty of info available now on how to begin hardening your org against the future spawn of Stuxnet, even if those defenses might be less than complete.
Photo credit: Digipam on Flickr