We continue our rant against the mainstream media for a short while. It is unbelievable how major publications give room to self-proclaimed security experts who have never come closer than 500 miles to a Stuxnet-infected installation, let alone have any clue what an industrial controller is. We have also learned that the media’s main interest is the question of who may be behind Stuxnet, which is usually answered with a mysterious ‘we will never know’ (meaning: I, the journalist, will never know, because I have no desire to figure it out). However, we will know. Stuxnet and its surroundings contain so many traces that sooner or later the organizations behind it will be identified beyond reasonable doubt. Let’s give some hints for those who are really interested in following the traces.
Anyone who develops the most sophisticated piece of malware in history in order to attack specific targets is not playing around. We’re talking about attackers who are really, really serious about achieving mission success. If operation Myrtus had failed because some geniuses in Hamburg, Germany had figured out the plot too early, allowing some admins in Iran to defuse the cyber weapon in time, there would have been a plan B. It would not have been like ‘shoot, we missed it only a week before the blow, now let’s all get drunk quickly and forget about that whole Iranian nukes business’. The only logical plan B would have been an air strike, as had been rehearsed two years earlier. Chances are that preparations for it would have been visible to anyone looking for them in the Middle East at the end of August: more tankers and AWACS aircraft airborne than usual, fighter jets out of the bunkers with crews strapped into their seats and ready to start engines, combat search and rescue (CSAR) helicopters deployed, and so on. Plan B would have involved two major players: Israel and the US.
Let’s get back to plan A, a.k.a. Stuxnet, or operation Myrtus. The main factors for working out who is behind it are, as always, motivation and capability. Determining who has the motivation to cripple Iran’s nuclear program is not a big deal. Israel, for sure. Then look at the 5+1 talks on Iran’s nuclear program that are going on; the US can be found here, too. Now let’s look at the second factor, capability. Some of Stuxnet’s individual pieces could have been developed by many actors. Many are able to steal digital certificates, or to buy them on the black market. Few are able to find four zero-day vulnerabilities and to combine them with the peer-to-peer update mechanism. The most telling part, however, is Stuxnet’s digital warhead, the PLC code injections, because writing those presupposes detailed knowledge of the targeted controllers and of the physical process they run.
When Ralph told a reporter from BBC Worldwide that at present perhaps ten people on the globe would be able to invent and implement this attack vector, and that three of them could be found in Langner’s office, the reporter was smart enough to ask: did you do it? No, we didn’t. But he got the point. Anyone interested in determining the forces behind Stuxnet has a good chance of success following this trace. As another hint, as far as our experience and crystal ball go, neither Israel nor the US presently has this capability. If you are a movie buff, think of that old black-and-white movie with Orson Welles, The Third Man. ‘There was a third man.’ But his name is not Harry Lime.