Imagine, if you will, a worm that is the result of a kind of malware Manhattan Project. Malware that was clearly developed by a highly skilled team of programmers over a period of months. Malware that was developed using resources only a major corporation or a government could muster. Now imagine that this malware was sent forth to infect a specific target, and to remain undetectable until it had accomplished its mission.
It may sound like the plot of a detective novel, but in reality, this could be the story of a worm that's being called Stuxnet. Nobody knows for sure who developed it, and nobody really knows how it was deployed. About all that's known is that it seems to be targeted at Iran's nuclear program, and that it seems to be designed to affect only the types of equipment that Iran is believed to be using to build nuclear weapons.
At this point, remarkably little is known for sure about Stuxnet. It does have the ability to quietly take control of specific Siemens process-control machinery, which it reaches through the Windows computers that issue the commands. It's able to travel by at least a half-dozen vectors: flash drives, the Internet, and other means that aren't yet clear. And it takes advantage of a series of previously undisclosed vulnerabilities in Windows. This worm even uses stolen digital signatures so that Windows Vista and Windows 7 will load it.
The worm enters a computer silently and hides itself from anti-malware software very effectively. It can install itself and then lie in wait for a command. How the command is delivered remains a mystery, but in the year since it reached Iran, it has infected at least the 50,000 machines that Iran has admitted to, and probably many times that. In what might be a coincidence, Iran has had to put off the start-up of a new reactor. Iranian officials claim it's not related, but who knows?
What's worse is that the actions of the software are extremely hard to detect. Only one company, NitroSecurity, a spinoff of the Idaho National Laboratory, has managed to build a SIEM (Security Information and Event Management) package that can analyze the historical logs of process-control systems for the kind of anomalous behavior that Stuxnet produces. If you don't have something like that, you may never even know you've been infected.
There are two things about Stuxnet that give security experts pause. The first is that this appears to be a major escalation in cyber warfare. While there have been government-sponsored attacks many times in the past, Stuxnet is an order of magnitude beyond those in seriousness. The second is that Stuxnet is able to control items in the physical world. Depending on the target, whoever is controlling Stuxnet could order the worm to close a valve controlling the flow of cooling water in a nuclear power plant, or to throw a switch, taking an entire city off the power grid. Any such system that uses computer-operated controllers could potentially be affected.
But what's scarier is the one thing that no one wants to talk about. What if the developers of Stuxnet have taken what they've learned to the next level? Stuxnet is already able to spread itself in a large number of ways, and it's extremely hard to detect and harder to remove. Once it infects a computer, it's nearly invisible, and its ability to infect seems to be nearly unlimited.
But what if whoever turned Stuxnet out into the wild was really just building a prototype? Is there a layer of cyber warrior software just out of sight, waiting, undetectable, for the command to destroy something? And if there were, would we ever know before it's too late to matter?