The Stuxnet attack has been making headlines for several weeks now, thanks to the fact that it includes a pair of zero-day vulnerabilities and also has drivers signed with a stolen digital certificate. However, the real story of this novel malware attack may not be its tactics but its creator, which security experts say is likely a nation-state.
Attackers and malware writers have become very adept at finding new ways to make money over the years, and the risk of prosecution is very low in most cases. That's one of the reasons that the Stuxnet malware stands out: there's no clear immediate financial gain for its creators. The Stuxnet attack is designed to be as stealthy as possible and targets mainly SCADA systems, some of the highest value machines in the world.
Stuxnet's sophistication and its lack of any real money-making component are leading experts to believe the attack is likely the work of a national government or intelligence agency.
"This is the most sophisticated attack that we have seen to date, by far," Roel Schouwenberg, a malware researcher at Kaspersky Lab, said at the company's Virus Analyst Summit here Tuesday. "The evidence points to involvement by a nation-state. This is a highly advanced attack."
The topic of national governments and intelligence agencies being involved in offensive attacks online has been a touchy one for years, and while many security experts and analysts say that it's simply a fact of life in the modern world, there has been little in the way of evidence of actual attacks.
Schouwenberg, who has been researching Stuxnet for several weeks, said that although the first public reports of the malware's existence only appeared in recent weeks, he now believes the malware itself is much older.
"We went back and looked at our samples and found Stuxnet samples from 2009," he said. "No one knows what it was doing before it became public a few weeks ago."
Symantec released a blog post on July 29th which outlined several different variants of the Stuxnet malware. They reached a very similar conclusion:
Analyzing the different types of samples we have observed to date has shed some light on how long this threat has been under development and/or in use. The development of the threat dates back to June of 2009 at least. The threat has been under continued development as the authors added additional components, encryption and exploits. The amount of components and code used is very large; in addition to this, the authors' ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows that the creators of this threat have huge resources available to them and have the time needed to spend on such a big task; this is most certainly not a “teenage-hacker-coding-in-his-bedroom” type operation.