June 29, 2018 - Monocle Research Department
When first discovered by cyber-security companies in 2010, the Stuxnet virus was unlike anything that experts had ever encountered. In a talk at Stanford University, Carey Nachenberg, Chief Architect at the software and security company Symantec, said that the virus was roughly 50 times larger than a typical virus and perhaps “the most complicated piece of malicious software ever built”. The creators of Stuxnet have never been definitively identified, although forensic investigations by the largest cyber-security companies in the world have reached some confident conclusions: the target of the virus was the Natanz nuclear facility in Iran; the operation was coordinated by at least one nation state; and a team of cyber-attack specialists known as the Equation Group, a unit linked to the US National Security Association (NSA), was involved in testing and developing Stuxnet.
Stuxnet simultaneously exploited four different zero-day vulnerabilities (flaws that nobody in the cyber-security industry had previously recognised, and which are often sold on the black market for hundreds of thousands of dollars because of their rarity, their potential for great harm and their virtual undetectability), and the complexity of this cyber-weapon was unprecedented. So advanced was the attack for its time that even seven years later, in 2017, John McAfee, founder of the McAfee cyber-security company, still ranked it the biggest hack of all time. McAfee placed it above other equally impressive and incredibly bold hacks, including the breach of the US Office of Personnel Management systems, which went undetected for at least two years and resulted in the theft of detailed information on every employee and consultant in the American government over the previous 50 years, including the most senior security personnel in the FBI, CIA and NSA. In that case, too, the hackers were never identified.
As Nachenberg explained, although Stuxnet is incredibly infectious, using up to seven different means of spreading from one system to the next, it is also brilliantly targeted and near undetectable: it seeks out only the targeted computers to infect and can delete itself from existence after a set amount of time. The core purpose of the virus, as inferred from its code, was to spread from an external source onto the computers used by the scientists on site at the Natanz facility, across an air-gapped perimeter, and onto the Siemens programmable logic controller (PLC) systems of the nuclear plant. These PLC systems were responsible for controlling, monitoring and providing feedback for the thousands of centrifuges used to enrich uranium to nuclear weapon-grade level. Once inside the PLC system, the virus was designed to manipulate the speed of the centrifuges with the intention of causing them critical damage, all while sending feedback to the monitoring systems reporting that nothing out of the ordinary was taking place.
For years, the western world had been concerned by Iran’s intentions to develop nuclear capabilities. Harsh sanctions and various nuclear deals had failed to effectively restrict Iran’s push towards nuclear weapon development, with terms agreed upon in theory but then often completely ignored. Although the attack has not been directly attributed to the US, numerous investigations by security experts point to its involvement, alongside the expertise of Israeli contingents. Whoever was responsible, Stuxnet resulted in the destruction of at least a thousand of the Iranian centrifuges at Natanz. Although these represented only about 10% of all centrifuges at the facility, the virus did significantly set back the advancement of Iran’s nuclear capabilities.
Despite the debatable success of the Stuxnet mission, what it represents for geopolitical relations is far more significant. The reality is that we now live in a connected world, for better or worse. Thanks to the Internet of Things (IoT), physical objects are increasingly being linked to networks that are in turn linked to even larger networks, all of which can be compromised and exploited with the right set of skills. What this means is that hackers, those with the greatest knowledge of and experience in breaching network security barriers, will become governments’ most valuable soldiers in a new kind of war.
Leading the arms race in this modern warfare are nations like Israel and Russia. In Israel, the infamous Unit 8200 is a well-funded government agency with several thousand recruits from the best schools and universities in the country, dedicated to both defensive and offensive cyber-security strategies. In Russia, there exists a powerful and matured military-industrial complex that was fostered by Stalin’s Soviet Union, largely thanks to the creation of hundreds of polytechnical schools that raised generations of engineers for use by the government. Today, this tradition carries on into the cyber-realm, with many of the brightest minds in Russia becoming computer science and information technology experts. What has developed in Russia over the last few decades, however, is a popular hacker subculture, exemplified by massive events like PHDAYS (Positive Hack Days), where hackers actively compete in live hacking challenges. These challenges include everything from hacking into car systems like those of BMW and Tesla vehicles on the conference floor, to hacking ATMs, and the grand spectacle of a team versus team hacking event with the aim of penetrating a massive smart-city model that includes connected reservoirs, train services, telecommunication networks, and even a nuclear power station.
As the event organiser, Andrew Bershadsky, explained, “if it can be hacked here, it can be hacked in the wild.” This is terrifying not only to governments and nation states, which now face the threat of external forces that could effectively take a whole city offline, leaving it without power or water, but it should also be particularly concerning for modern companies. With the rise of flexible working conditions, and with each employee owning multiple devices that connect to a company’s servers, every user endpoint becomes a gateway through which hackers can access its systems. Adding to an already concerning situation, companies will likely have to become more accountable for their cyber-security oversights going forward.
Every security breach will carry legal and reputational consequences, not only liability for sensitive client information being stolen, but perhaps even for the physical and life-threatening damage that can be caused through the hacking of network-connected infrastructure systems. What this means for companies and their future employees is hard to envision, yet businesses will have to take proactive steps. This proactive mindset will necessitate not only keeping up with legislation, which severely lags behind the pace of technological advancement, but also taking a clear moral stance with regard to accountability and responsibility for the safety of employees and clients, both online and offline.