The Stuxnet virus / trojan / attack has been receiving a lot of press and there’s lots of speculation as to who’s behind it.  This, of course, has greased the gears in my tiny little scheming paranoid mind and I’ve assembled a timeline of world events and some factoids about Stuxnet for your reading pleasure.  Use at your own risk.

Backstory:

In the event you’ve been living under a rock (or aren’t in IT), Stuxnet is a very sophisticated computer virus / worm that attacks specific software controlling specific control systems used in all kinds of industrial plants.  It has huge potential to do large-scale horrible things.  Many security professionals / industry experts say this was the work of a nation-state, attacking another.  Up to speed?  Super.

Theory:

So if you happen to be a nation-state, how do you launch a cyber attack without giving up your own arsenal?  Consider traditional warfare (handgun version):  Good guy shoots bad guy.  Bad guy has possession of the bullet, good guy keeps the gun.  Without the gun, the bullet is useless.  Compare this to cyber war:  Good guy exploits a zero-day vulnerability on bad guy’s system.  Bad guy collects evidence and analyzes/evaluates the attack and now has the capability to exploit the same system.  The equivalent of reverse engineering a gun out of a bullet – now bad guy has the capability to attack similar systems.  See a problem there?  It’s quite likely that good guy is also running the same systems, running the same software, supporting similar infrastructure within his own country.  Seems to me that before this is actually done in the real world, somebody would launch a test shot; somewhat harmful, but not intended to absolutely destroy the adversary.  Just to see how the vendors, community, and world at large would react.

And as my friend and real, actual rocket scientist, Doctor Bob has pointed out, war college teaches that successful strategies involve multiple attack vectors.

Is Stuxnet a sophisticated, multi-faceted proof of concept?  And who dunnit?  Judge for yourself.  I’ve highlighted what I think are key concepts.

Timeline:

February 25, 2009 this photo shows an error indicating unlicensed software running at Iran’s newest power plant.  Yes, it’s the software that was attacked, and happens to have emerged four days after one of the time stamps on the signed files.  The plant is being built by Atomstroyexport, a Russian firm.
June 25, 2009 Michael Jackson is (errantly) reported dead
July 23, 2009 US Cyber Command created by US Defense Secretary Robert Gates under the command of General Keith Alexander
July 31, 2009 Three American anti-war, social justice and Palestinian solidarity activist hikers arrested in Iran by border guards and held on espionage charges
November 8, 2009 Fearmongering media outlet 60 minutes airs “Cyberwar: Sabotaging the System” chock full of half-truths and crap, but airs it nonetheless.
January 28, 2010 Marines announce their Cyberspace Command at the National Cryptologic Museum.
February 21, 2010 CNN airs “We Were Warned – Cyber Shockwave”.
March 17, 2010 Jesse James totally blows it by cheating on that goddess Sandra Bullock.  Totally, totally blows it.  Moron!
April 2010 US (and Russia, China, France, Britain and Germany) puts pressure on the UN to impose sanctions on Iran due to their nuclear program
April 26, 2010 Lindsay Lohan fired from “The Other Side” because she’s not “bankable”.
May 21, 2010 Initial Operations Capability achieved at CYBERCOM.
June 16, 2010 Florida declares war on the Medfly which is infesting local guava crops.
June 17, 2010 Mark Weatherford (former Naval Officer) replaces Michael Assante as Chief Information Security Officer at the North American Electric Reliability Corporation.
June 27, 2010 Uber-hottie Russian spy Anna Chapman arrested.
July 8, 2010 US announces “Perfect Citizen” program to help defend industrial networks. Anna Chapman deported to Russia for a spy-swap, from which we got a bunch of ugly fat guys back (you’ve won this round, comrade!).
July 10, 2010 First of five Lunatic rants released, starring Mel Gibson. That’s “Lunatic” with a capital L.
July 13, 2010 Iranian nuclear scientist Shahram Amiri, missing since May 2009, surfaces – he had taken refuge in the Iranian interests section of the Pakistani Embassy in Washington, D.C.   Conflicting claims made (supported by video) that he was kidnapped by the CIA from Saudi Arabia, versus being in Arizona going to college.
July 16, 2010 First Stuxnet infections discovered in Iran are announced.
July 21, 2010 Clue found in code disclosed:  “b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb” is found in one of the drivers.
July 22, 2010 China announces its Information Security Base, a defensive cyber security team for the People’s Liberation Army.
August 31, 2010 Officials state Iran’s newest nuke plant will be delayed.  They say extreme temperatures.  But isn’t it always extremely hot there?
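The “guava.pdb” clue in the July 21 entry is a debugger-information string: when a Windows binary is linked with symbols, the linker embeds a CodeView “RSDS” record (4-byte signature, 16-byte GUID, 4-byte age, then the NUL-terminated path of the .pdb file) that names the build machine’s directory layout. Analysts pull this string out early in triage because it leaks the project name, build flavor and target platform. Below is an added example, not code from the original post or from any published Stuxnet analysis: a small Python scanner that finds RSDS records in a byte blob and breaks the path into those pieces. The blob it runs on is constructed here and only carries the path quoted above; the helper names are my own.

```python
import re
import struct
from typing import List

# CodeView PDB 7.0 record layout: "RSDS" signature, 16-byte GUID, 4-byte age,
# then a NUL-terminated path to the .pdb file.
RSDS_SIGNATURE = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4


def extract_rsds_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path carried by RSDS records found in `data`.

    The scan is signature-based rather than walking the PE debug directory,
    so it still works on a dumped, packed or partially corrupted sample.
    """
    paths = []
    offset = 0
    while True:
        idx = data.find(RSDS_SIGNATURE, offset)
        if idx == -1:
            break
        start = idx + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end == -1:
            break
        raw = data[start:end]
        # Accept only printable ASCII ending in ".pdb"; anything else is a
        # chance hit on the four letters "RSDS" in ordinary data.
        if re.fullmatch(rb"[\x20-\x7e]+\.pdb", raw, re.IGNORECASE):
            paths.append(raw.decode("ascii"))
        offset = idx + len(RSDS_SIGNATURE)
    return paths


def describe_pdb_path(path: str) -> dict:
    """Split a Windows PDB path into the fields an analyst keys on.

    Windows Driver Kit builds put output in obj{fre,chk}_<os>_<arch>:
    "fre" is a release (free) build, "chk" a checked (debug) build.
    """
    parts = path.replace("/", "\\").split("\\")
    info = {"drive": None, "project": None, "build_dir": None, "file": parts[-1]}
    if re.fullmatch(r"[A-Za-z]:", parts[0]):
        info["drive"] = parts[0].rstrip(":").lower()
    if len(parts) > 1:
        info["project"] = parts[1]
    for part in parts:
        m = re.fullmatch(r"obj(fre|chk)_([A-Za-z0-9]+)_([A-Za-z0-9]+)", part, re.IGNORECASE)
        if m:
            info["build_dir"] = {
                "flavor": "release" if m.group(1).lower() == "fre" else "checked",
                "target_os": m.group(2),
                "arch": m.group(3),
            }
    return info


# Constructed sample (not a real driver): filler bytes, a decoy "RSDS" in plain
# text that must be rejected, and one genuine record carrying the quoted path.
SAMPLE_PDB_PATH = b"b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb"
CONSTRUCTED_BLOB = (
    b"MZ" + b"\x00" * 62                              # fake DOS header padding
    + b"RSDS in plain text should be ignored\x00"      # decoy, not a record
    + RSDS_SIGNATURE
    + bytes(range(16))                                 # placeholder GUID
    + struct.pack("<I", 1)                             # age
    + SAMPLE_PDB_PATH + b"\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for found in extract_rsds_pdb_paths(CONSTRUCTED_BLOB):
        print(found, describe_pdb_path(found))
```

Run against the constructed blob it reports a single path, project “myrtus”, a release build for a Windows 2000 x86 target, and the file “guava.pdb”; the decoy text is skipped because what follows its signature does not look like a .pdb path.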

Supporting Factoids:

From what I can find by examining everything online, the “words” used in the file names and DLL routines are in English.

The USB malware stops infecting after three systems.  It’s like they didn’t want this to get out of control – just attack the single target.  Three times.

Guava was frequently used in military rations in WWII.  There are groves of guava trees on Guantanamo Bay Naval Air Station.

Conclusion:

US Cyber Command launched an attack targeting Iran’s newest power plant in order to hamper the nuclear program.  They did it by having Anna Chapman coerce one (or more) Atomstroyexport contractors to swap infected USB drives (likely ones that look and maybe are labelled just like the other presumed “safe” drives) with existing ones.  Michael Jackson, in his new role as special operative, was the chief architect behind the software, his gloved hand tipped by his love of guavas.  Currently, US Cyber Command is monitoring this situation carefully, to determine how quickly the community reacts so it can time future attacks.  Mel Gibson and Lindsay Lohan are not suspects in this case.

There may be some inaccuracies in the conclusion.  For example, I’m not sure Michael Jackson still wears the glove.  And Weatherford at NERC – …coincidence?

To quote Pogo: “We have met the enemy, and he is us.”