This is a guest blog by Maarten Oosterink. Maarten is a managing consultant within Capgemini working on IT security.
The IT security industry is buzzing about cyberwar. And for good reason, because it’s real and it’s happening. The most widely known example is the attack on Estonia in 2007. But the most sophisticated publicly known attack is Stuxnet. Stuxnet is a virus that surfaced in June of this year and had been around for about a year before that. Stuxnet exploits multiple vulnerabilities, at least one of which was previously unknown. It used a digital certificate stolen from Realtek to install itself. The virus spreads only via USB sticks. If you add all these facts up, this piece of malware is clearly the work of professionals – people who find 0-day vulnerabilities, steal certificates from reputable vendors and are bold enough to leave physical traces when releasing their malware. They are not interested in someone’s home PC.
So what makes Stuxnet a weapon in cyberwar? Apart from the facts stated above, the actual payload is sophisticated. Malware experts have not been able to get to the bottom of it. But what is known (and confirmed by US government officials dealing with cyberwar) is that this virus was created to target one specific process control system somewhere in the world. The attacker must have had inside knowledge of the target system and how it is programmed. Only if a particular piece of code is found does the payload become active; on the thousands of other infected systems, nothing happens.
It is not known yet what the effect will be and maybe we’ll never know. If this attack is effective, the victim may go to some lengths to hide the results.
What does this mean? It shows the enormous value of 0-day vulnerabilities. It also shows that the IT industry needs to take vulnerabilities as seriously as the hackers do.