Thursday, July 22, 2010

The Hackers Behind Stuxnet

Via Symantec Security Response Blog -

W32.Stuxnet has received a lot of media attention over the last few days. This incident provides almost a complete case study of how these attacks succeed and how they will probably be used in the future. A successful attack allowed the attacker to steal confidential SCADA design and usage documents.

Let’s start by saying we don’t know who is behind the attack, and historically discovering this is very rare. However, if someone proposed this type of attack a month ago, while we would have agreed it was theoretically possible, most would have dismissed such an attack as a movie-plot scenario. Furthermore, attacks of this nature are rarely disclosed publicly.

We know that the people behind this attack aren’t amateurs, but their final motive is unclear.

The principal facts in this case are:

  • The attackers discovered and used a zero-day vulnerability affecting all versions of Microsoft Windows.
  • They developed and used a rootkit to hide their presence.
  • They targeted software which is used to control industrial assets and processes; deep knowledge of the product's internals was used.
  • The hackers were able to sign their files using a legitimate digital certificate from an innocent third party. This digital certificate expired in June but a new driver appeared in July; it was also digitally signed using a digital certificate from another company. Both of these companies have offices in Taiwan. The hackers either stole private keys or were able to get their files signed. The attackers may have more compromised digital signatures.
  • The hackers did not use a targeted means of attack. Instead, the threat replicates to USB keys and can infect any Windows computer.

The zero-day vulnerability, rootkit, main binaries, stolen digital certificates, and in-depth knowledge of SCADA software are all high-quality attack assets. The combination of these factors makes this threat extremely rare, if not completely novel.
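Added here as a defender-side check, not part of the Symantec post: a PowerShell inventory of the installed kernel drivers with their Authenticode signer and certificate expiry, so a driver signed under an unexpected third party's certificate, or one whose signing certificate has since expired, stands out for review. It assumes an elevated session on the host being examined.

```powershell
# Added example (not from the Symantec post): list installed Windows kernel
# drivers with their Authenticode status, signer and certificate expiry.
# Run from an elevated PowerShell session on the host being checked.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may be quoted, prefixed with \??\ or \SystemRoot\, or be
        # relative to the Windows directory; normalise it to a real file path.
        $path = $_.PathName -replace '^"|"$', '' -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (Test-Path -LiteralPath $path) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Name     = $_.Name
                Path     = $path
                Status   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer   = if ($cert) { $cert.Subject }  else { '' }
                NotAfter = if ($cert) { $cert.NotAfter } else { $null }
                # A timestamped signature stays Valid after the certificate
                # expires, so expiry is tracked separately from Status.
                Expired  = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $false }
            }
        }
    }

# Drivers whose signature is not valid, or whose signing certificate has
# expired, are candidates for manual review (vendor check, hash lookup,
# install timeline). An expired certificate alone is not proof of anything.
$drivers |
    Where-Object { $_.Status -ne 'Valid' -or $_.Expired } |
    Sort-Object Signer, Name |
    Format-Table Name, Status, Expired, Signer -AutoSize
```

Comparing the Signer column against the list of vendors you expect to ship drivers on that host is the useful step; the script only surfaces what to compare.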
