Living in Jack Bauer's World

| Thu Sep. 23, 2010 7:17 PM EDT

A couple of months ago I linked to a Stewart Baker post about a new computer virus. This wasn't your ordinary Windows trojan or worm, it was an extremely sophisticated piece of malware targeted specifically at SCADA systems — industrial control systems made by Siemens that are used in chemical plants and electric power plants and transmission systems worldwide.

Well, it now has a name — Stuxnet — and analysts know a lot more about it. As the Christian Science Monitor reports, a German cyber-security researcher named Ralph Langner has discovered that it's not aimed at SCADA systems in general. Rather, it has a built in "fingerprinting" capability and is aimed at one specific SCADA system:

Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance — a target still unknown.

"Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."

....Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.

"After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon," Langner writes in his analysis. "Something big."

....A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.

Could Stuxnet's target be Iran's Bushehr nuclear power plant, a facility much of the world condemns as a nuclear weapons threat? Langner is quick to note that his views on Stuxnet's target is speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr's expected startup in late August has been delayed, he notes, for unknown reasons.

On the bright side, this strikes me as the kind of attack that can only work once. And if once it is, Bushehr seems like a worthy target. On the downside, however, this category of attack seems like it could have almost infinite possibilities. It suddenly makes all those implausible plot lines on 24 seems terrifyingly plausible after all.

(Via Stewart Baker, of course.)