There are several ways that malware gets pinned on a responsible party, e.g.:
* the idjit signs it or otherwise self-identifies.
* the code or mindset is identified via similarities to prior art.
* inadvertent identifiers left behind, e.g. debugging comments.
* tracing back infection spread routes.
Stuxnet is unusual, not only in its complexity, but in the lack of the typical origin pointers:
* it may have been quietly spreading for a year before it was first detected. Time has likely obliterated the original infections.
* several experts have commented on how clean the code is. A couple have suggested that there was a deliberate effort not to leave identifiers behind.
The bolded part (my emphasis) in the following quote from the Symantec pdf is the cited basis for the Israel-involvement theory.
In the driver file, the project path b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb was not removed.
Guavas are plants in the myrtle (myrtus) family genus. In addition, according to Wikipedia, “Esther was originally named Hadassah. Hadassah means ‘myrtle’ in Hebrew.” Esther learned of a plot to assassinate the king and “told the king of Haman’s plan to massacre all Jews in the Persian Empire...The Jews went on to kill only their would-be executioners.” Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party.
The caution in the last sentence seems reasonable, as that path is the only (public) 'identifier' left by the coders. Accident or deliberate misdirection? Or a double bluff? Given the rest of the complexity involved, why not here as well...
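To make the "inadvertent identifier" point concrete, here is an added example (mine, not Symantec's tooling) of how an analyst pulls such a path out of a binary. A PDB reference lives in a CodeView "RSDS" record: the four-byte signature, a 16-byte GUID, a 4-byte age, and a NUL-terminated path. The script carves those records from raw bytes without needing a full PE parser, splits the path into pivot tokens, and decodes WDK output-directory names (obj{fre|chk}_target_arch). The image, GUID and age below are constructed stand-ins; only the path string is the one quoted from the Symantec dossier.

```python
import re
import struct
import uuid
from dataclasses import dataclass

# CodeView "RSDS" record (PDB 7.0): 'RSDS' | 16-byte GUID | 4-byte age (LE) | NUL-terminated path.
# Carving with a regex also works on partial memory dumps; the path is capped at 512
# printable bytes so a stray "RSDS" in data cannot produce a runaway match.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,512})\x00", re.DOTALL)

# WDK build output directories are named obj{fre|chk}_<target>_<arch>.
WDK_OBJ_RE = re.compile(r"^obj(fre|chk)_([a-z0-9]+)_([a-z0-9]+)$", re.IGNORECASE)


@dataclass
class PdbRecord:
    offset: int   # where the record starts in the image
    guid: str     # PDB signature GUID (ties the binary to one build of the PDB)
    age: int      # PDB age counter, bumped on each incremental link
    path: str     # the build-machine path the linker embedded


def carve_pdb_records(image: bytes) -> list[PdbRecord]:
    """Return every RSDS record found in the image, in file order."""
    records = []
    for m in RSDS_RE.finditer(image):
        guid = uuid.UUID(bytes_le=m.group(1))
        (age,) = struct.unpack("<I", m.group(2))
        records.append(PdbRecord(m.start(), str(guid), age, m.group(3).decode("ascii")))
    return records


def path_tokens(path: str) -> list[str]:
    """Split a Windows build path into components; each one is a pivot for prior-art searches."""
    return [t for t in re.split(r"[\\/]+", path) if t]


def wdk_build_flavor(token: str):
    """Decode obj{fre|chk}_<target>_<arch>: 'fre' is a free (release) build, 'chk' a checked build."""
    m = WDK_OBJ_RE.match(token)
    if not m:
        return None
    flavor = "free" if m.group(1).lower() == "fre" else "checked"
    return flavor, m.group(2), m.group(3)


def summarize(image: bytes) -> list[dict]:
    """One analyst-facing summary per carved record: PDB name, project directories, build flavor."""
    out = []
    for rec in carve_pdb_records(image):
        tokens = path_tokens(rec.path)
        build = next((b for b in map(wdk_build_flavor, tokens) if b), None)
        out.append({
            "offset": rec.offset, "guid": rec.guid, "age": rec.age,
            "pdb": tokens[-1], "project_dirs": tokens[1:-1], "wdk_build": build,
        })
    return out


# Constructed sample image: a fake header, one real-looking RSDS record carrying the path
# quoted in the Symantec dossier, and a decoy "RSDS" with no path that must not be reported.
SAMPLE_GUID = uuid.UUID("00000000-1111-2222-3333-444444444444")   # constructed, not Stuxnet's
SAMPLE_PATH = rb"b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb"
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 1) + SAMPLE_PATH + b"\x00"
    + b"\x00" * 8 + b"RSDS" + b"\x00" * 40
)

if __name__ == "__main__":
    for entry in summarize(SAMPLE_IMAGE):
        print(entry)
```

Run it against a real driver by replacing SAMPLE_IMAGE with the file's bytes; the project directories and build flavor are what you then compare against other samples, and the GUID/age pair is what a symbol server would have been asked for.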
Ralph Langner is the German security researcher whose words caused mainstream media to go bonkers - and forget the 'highly speculative' heading to his blog entry:
Ralph's theory -- completely speculative from here
It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange -- they are presently having some technical difficulties down there in Bushehr. There also seem to be indications that the people in Bushehr don't seem to be overly concerned about cyber security. When I saw this screenshot last year (http://www.upi.com/N...in-Iran/1581/2/) I thought, these guys seem to be begging to be attacked. If the picture is authentic, which I have no means of verifying, it suggests that approximately one and a half year before scheduled going operational of a nuke plant they're playing around with software that is not properly licensed and configured. I have never seen anything like that even in the smallest cookie plant. The pure fact that the relevant authorities did not seem to make efforts to get this off the web suggests to me that they don't understand (and therefore don't worry about) the deeper message that this tells.
Now you may ask, what about the many other infections in India, Indonesia, Pakistan etc. Strange for such a directed attack. Then, on the other hand, probably not. Check who commissions the Bushehr plant. It's a Russian integrator that also has business in some of the countries where we see high infection rates. What we also see is that this company too doesn't seem to be overly concerned about IT security. As I am writing this, they're having a compromised web site (removed web address) that tries to download stuff from a malware site that had been shut down more than two years ago (removed web address). So we're talking about a company in nukes that seems to be running a compromised web presence for over two years? Strange.
Note: bold emphasis mine.
Let's get back to plan A, a.k.a. Stuxnet, or operation Myrtus. The main factors to analyze who is behind it are, as always, motivation and capability. Determining who has the motivation to cripple Iran's nuclear program is not a big deal. Israel, for sure. Then look at the 5+1 talks on Iranian nukes that are going on. The US can be found here, too.
Now let's look at the second factor, capability. Some of the different pieces of Stuxnet could be developed by many. Many actors are able to steal digital certificates, or to buy these on the black market. Few actors are able to figure out the four zero-day vulnerabilities and to combine that with the peer-to-peer update functionality. The most telling part, however, is Stuxnet's digital warhead, the PLC code injections.
When Ralph told a reporter from BBC Worldwide that presently, perhaps ten people on the globe would be able to invent and implement this attack vector, and three of them could be found in Langner's office, the reporter was smart enough to ask: Did you do it? No, we didn't. But the guy got the point here. Anyone who is interested in determining the forces behind Stuxnet has a good chance of success in following this trace.
As another hint, as far as our experience and crystal ball goes, neither Israel nor the US presently has this capability. If you are a movie buff, think about that old black & white movie with Orson Welles, The Third Man. 'There was a third man.' But his name is not Harry Lime.
Something that is surprisingly hard to nail down is the actual number of infections. There are three input sources:
1. the various AV companies.
Unfortunately their customer numbers per country vary greatly. Unless you can pool several major vendors' data, including each vendor's market share in each country, the margin of error will be substantial.
Studying this from the outside brings the further complication that no two companies release data in the same format, and the logic behind the data may be unclear.
2. Stuxnet's callbacks to its two (known) command and control (C&C) servers.
Unfortunately we only know about those after discovery, perhaps an entire year after the fact. We may only be seeing escalating remnants long after the real target was attacked.
3. self-identification by infected organisations (highly variable and unreliable).
For instance, Symantec's released infection numbers are based on traffic to the Stuxnet command and control servers since 20-July-2010:
* by geographic location of infection: Iran 58.85%, Indonesia 18.22%, India 8.31%, Azerbaijan 2.57%, USA 1.56%, Pakistan 1.28%, Others 9.20%.
* by percentage of infected hosts with Siemens software installed: Iran 67.6%, South Korea 8.1%, USA 4.98%, UK 2.18%, Indonesia 2.18%, Taiwan 1.56%, India 1.25%, Others 12.15%.
Kaspersky released numbers based on infected clients in each country.
Note: I calculated percentages for easier comparisons.
India 49%, Indonesia 19.39%, Iran 8.05%, Russia 4.49%, Kazakhstan 3.59%, Afghanistan 1.75%, Syria 1.66%, Uzbekistan 1.6%, Pakistan 1.57%, Azerbaijan 1.46%, Bangladesh 1.41%, Others 6.03%.
You will notice quite a difference between the data sets. And there is no mention of how many of these clients have Siemens software installed.
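Here is an added example (my own, not from Symantec or Kaspersky) that shows why the AV-vendor source above is so hard to use and why the two vendors' lists disagree. Each vendor only sees infections on its own customers, so its raw per-country percentages are skewed by its market share in each country. If you can obtain per-country market share for each vendor, a pooled-ratio estimate (detections summed across vendors, divided by the summed share of that country's hosts those vendors cover) recovers a comparable picture and exposes where coverage is thin. All vendor names, counts and shares below are constructed; they are chosen so that the true infection counts are 1000, 1000 and 500.

```python
def raw_distribution(counts: dict[str, float]) -> dict[str, float]:
    """Percent of the observed total per country, i.e. what a single vendor publishes."""
    total = sum(counts.values())
    return {c: round(100.0 * n / total, 2) for c, n in counts.items()}


def pooled_estimate(vendor_counts: dict[str, dict[str, float]],
                    market_share_pct: dict[str, dict[str, float]]):
    """Pooled-ratio estimate of the true infected-host count per country.

    vendor_counts[vendor][country]     : infected hosts that vendor observed.
    market_share_pct[vendor][country]  : percent of that country's hosts the vendor covers.
    Returns (estimate, coverage): estimated true counts, and the summed coverage in percent,
    which is the figure that tells you how much to trust each country's estimate.
    """
    countries = sorted({c for v in vendor_counts for c in vendor_counts[v]})
    estimate, coverage = {}, {}
    for c in countries:
        detected = sum(vendor_counts[v].get(c, 0) for v in vendor_counts)
        covered = sum(market_share_pct[v].get(c, 0) for v in vendor_counts)
        if covered <= 0:
            raise ValueError(f"no market-share figure for {c}; cannot normalise")
        estimate[c] = detected * 100.0 / covered
        coverage[c] = covered
    return estimate, coverage


def low_coverage(coverage: dict[str, float], threshold_pct: float = 50.0) -> list[str]:
    """Countries where the pooled vendors see under threshold_pct of hosts: wide error bars."""
    return [c for c, pct in sorted(coverage.items()) if pct < threshold_pct]


# Constructed data: two hypothetical vendors, three hypothetical countries (A, B, C).
VENDOR_COUNTS = {
    "vendor1": {"A": 600, "B": 50, "C": 100},
    "vendor2": {"A": 100, "B": 400, "C": 100},
}
MARKET_SHARE_PCT = {
    "vendor1": {"A": 60, "B": 5, "C": 20},
    "vendor2": {"A": 10, "B": 40, "C": 20},
}

if __name__ == "__main__":
    # Each vendor alone tells a different story: vendor1 sees country A dominate,
    # vendor2 sees country B dominate, purely because of where their customers are.
    for vendor, counts in VENDOR_COUNTS.items():
        print(vendor, "raw:", raw_distribution(counts))
    est, cov = pooled_estimate(VENDOR_COUNTS, MARKET_SHARE_PCT)
    print("pooled estimate:", est)
    print("pooled distribution:", raw_distribution(est))
    print("low coverage (treat with caution):", low_coverage(cov))
```

The same normalisation is needed before the Kaspersky figures can be set beside Symantec's; without each vendor's share per country, the two lists measure customer bases as much as infections, which is exactly the margin-of-error problem noted above.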
One interesting stat from Kaspersky is the rate of change comparing September to July:
* Afghanistan: -55%
* Azerbaijan: -73%
* Bangladesh: +370% (in comparison with August)
* India: -5%
* Indonesia: -41%
* Iran: -75%
* Iraq: +35%
* Kazakhstan: +1711%
* Russia: +308%
* Pakistan: +2%
* Syria: +47%
* Uzbekistan: -37%
Some final words from the Symantec pdf:
Analyzing the different types of samples Symantec has observed to date has shed some light on how long this threat has been under development and/or in use. The development of the threat dates back to at least June of 2009. The threat has been under continued development as the authors added additional components, encryption, and exploits. The amount of components and code used is very large. In addition to this, the authors' ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows that the creators of this threat have huge resources available to them and have the time needed to spend on such a big task; this is not a teenage hacker coding in his bedroom type operation.
Stuxnet represents the first of many milestones in malicious code history – it is the first to exploit four 0-day vulnerabilities, compromise two digital certificates, and inject code into industrial control systems and hide the code from the operator. Whether Stuxnet will usher in a new generation of malicious code attacks towards real-world infrastructure - overshadowing the vast majority of current attacks affecting more virtual or individual assets - or if it is a once-in-a-decade occurrence remains to be seen.
Stuxnet is of such great complexity - requiring significant resources to develop - that few attackers will be capable of producing a similar threat, to such an extent that we would not expect masses of threats similar in sophistication to suddenly appear. However, Stuxnet has highlighted that direct-attack attempts on critical infrastructure are possible and not just theory or movie plotlines.
The real-world implications of Stuxnet are beyond any threat we have seen in the past. Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.
So we have just had a tiny taste of what cyberwar might look like. We are fortunate that this attack has actually done very little damage, surprisingly little.