Stuxnet

In my last post I referenced a few different podcasts that got my mind thinking about cyber security. The one I want to highlight today is Darknet Diaries and in particular an episode about a virus called Stuxnet (podcast located here: https://darknetdiaries.com/episode/29/ or on a podcast app).

Stuxnet was a virus discovered back in 2010 that infected over 200,000 computers and was designed to target industrial computers, in particular Iran’s nuclear facilities. What makes this virus particularly interesting is that it was programmed to travel via USB flash drive, which enabled it to infect computers that were segregated from outside networks. Furthermore, it took advantage of four zero-day vulnerabilities. A zero-day is a vulnerability in a system or device discovered by hackers before the vendor has become aware of it. Because zero-day vulnerabilities allow hackers to perform exploits on fully patched machines, these kinds of exploits tend to be extremely valuable to hackers (and quite pricey too; some zero-days fetch more than $1 million). A lot of viruses don’t use even a single zero-day vulnerability; instead they rely on exploits for known, already-patched vulnerabilities and try to take advantage of machines that are behind in the patch cycle. More sophisticated viruses may use 1 or 2, but 4 is something almost unheard of. This is because if the virus is discovered, every included zero-day may end up getting patched, when it could otherwise have been used in future malware.

No one has ever been able to concretely point out who was behind Stuxnet, but what is almost universally accepted is that a nation state was behind its creation (the most commonly believed theory is that it was a joint operation of the US and Israel). The cost of the zero-days and the sophistication of the code make it very unlikely that a lone actor or small group of hackers could have pulled this kind of exploit off.

While the ethics of what Stuxnet was trying to accomplish can be debated (its purpose was to slow down the enrichment of Iranian uranium), what cannot be ignored is that it showed how critical cyber security is in the digital age. Stuxnet showed us: 1) the increasing involvement of nation states in attacks against rival nations and companies, 2) how industrial systems can be targeted to cause real-world harm, and 3) how air-gapping your network from the outside world isn’t sufficient to make sure you are secure. It took over three years after Iranian machines were infected for Stuxnet to be discovered, and even then it was discovered more or less by accident by a small security company outside of Iran, inside a machine the code was not supposed to affect. This poses an important question: how many more sophisticated Stuxnets are out there today, 12 years later?

Hello world!

I suppose if you’re going to start a tech and coding-related blog, then the infamous ‘Hello World’ phrase that is commonly used for the start of coding projects fits the bill. In this blog I’m going to share what I’ve been learning about website security as a relative novice (currently) in the area, in hopes that what I learn can prove to be useful to someone starting on their own journey into this field.

I currently work as a full stack Software Engineer primarily working on web apps in React JS and C#. However, in part because the apps I work on are internal and protected by firewalls, the need to focus on the security aspect of the app has never been something I’ve had to personally deal with, at least beyond a very rudimentary understanding.

Security has always been something that I’ve had a lot of interest in but have really never taken the time to seriously look into. Maybe you’re reading this and thinking the same thing. It’s incredibly important, yet we learn so little about it in school, and as someone in the industry for the last 3 years, you don’t necessarily have to learn a lot about it on the job. However, in a world where website attacks have only been increasing, the need for people to be knowledgeable in this is becoming more and more important every day.

Before I sign off on this post I wanted to share a few security-related podcasts that were a big part in inspiring me to learn more: https://darknetdiaries.com/ and https://malicious.life/. Well worth a listen.

-Zach