Michael Joseph Gross

Regardless of how well it worked, there is no question that Stuxnet is something new under the sun. At the very least, it is a blueprint for a new way of attacking industrial-control systems. In the end, the most important thing now publicly known about Stuxnet is that Stuxnet is now publicly known. That knowledge is, on the simplest level, a warning: America’s own critical infrastructure is a sitting target for attacks like this. That aside, if Stuxnet really did attack Iran’s nuclear program, it could be called the first unattributable act of war. The implications of that concept are confounding. Because cyber-weapons pose an almost unsolvable problem of sourcing—who pulled the trigger?—war could evolve into something more and more like terror. Cyber-conflict makes military action more like a never-ending game of uncle, where the fingers of weaker nations are perpetually bent back. The wars would often be secret, waged by members of anonymous, elite brain trusts, none of whom would ever have to look an enemy in the eye. For people whose lives are connected to the targets, the results could be as catastrophic as a bombing raid, but would be even more disorienting. People would suffer, but would never be certain whom to blame.
Stuxnet is the Hiroshima of cyber-war. That is its true significance, and all the speculation about its target and its source should not blind us to that larger reality. We have crossed a threshold, and there is no turning back.

2 thoughts on “Michael Joseph Gross”

  1. shinichi Post author

    A Declaration of Cyber-War

    by Michael Joseph Gross

    (April 2011)

    http://www.vanityfair.com/stuxnet-201104

    Last summer, the world’s top software-security experts were panicked by the discovery of a drone-like computer virus, radically different from and far more sophisticated than any they’d seen. The race was on to figure out its payload, its purpose, and who was behind it. As the world now knows, the Stuxnet worm appears to have attacked Iran’s nuclear program. And, as Michael Joseph Gross reports, while its source remains something of a mystery, Stuxnet is the new face of 21st-century warfare: invisible, anonymous, and devastating.

    **

    All over Europe, smartphones rang in the middle of the night. Rolling over in bed, blinking open their eyes, civilians reached for the little devices and, in the moment of answering, were effectively drafted as soldiers. They shook themselves awake as they listened to hushed descriptions of a looming threat. Over the next few days and nights, in mid-July of last year, the ranks of these sudden draftees grew, as software analysts and experts in industrial-control systems gathered in makeshift war rooms in assorted NATO countries. Government officials at the highest levels monitored their work. They faced a crisis which did not yet have a name, but which seemed, at first, to have the potential to bring industrial society to a halt.

    A self-replicating computer virus, called a worm, was making its way through thousands of computers around the world, searching for small gray plastic boxes called programmable-logic controllers—tiny computers about the size of a pack of crayons, which regulate the machinery in factories, power plants, and construction and engineering projects. These controllers, or P.L.C.’s, perform the critical scut work of modern life. They open and shut valves in water pipes, speed and slow the spinning of uranium centrifuges, mete out the dollop of cream in each Oreo cookie, and time the change of traffic lights from red to green.

    Although controllers are ubiquitous, knowledge of them is so rare that many top government officials did not even know they existed until that week in July. Several major Western powers initially feared the worm might represent a generalized attack on all controllers. If the factories shut down, if the power plants went dark, how long could social order be maintained? Who would write a program that could potentially do such things? And why?

    As long as the lights were still on, though, the geek squads stayed focused on trying to figure out exactly what this worm intended to do. They were joined by a small citizen militia of amateur and professional analysts scattered across several continents, after private mailing lists for experts on malicious software posted copies of the worm’s voluminous, intricate code on the Web. In terms of functionality, this was the largest piece of malicious software that most researchers had ever seen, and orders of magnitude more complex in structure. (Malware’s previous heavyweight champion, the Conficker worm, was only one-twentieth the size of this new threat.) During the next few months, a handful of determined people finally managed to decrypt almost all of the program, which a Microsoft researcher named “Stuxnet.” On first glimpsing what they found there, they were scared as hell.

  2. shinichi Post author

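    Stuxnet (W32/Stuxnet) is a computer virus that infects Microsoft Windows. It is notable in that it can infect even standalone industrial control systems isolated from the Internet, and can cause real damage there. It appeared around June 2010 and became famous for an attack targeting Iran's nuclear facilities. Duqu and Flame, Trojan-horse-type malware that appeared in autumn 2011, are thought to be derived from Stuxnet.

    It was first reported on June 17, 2010, by the Belarusian company VirusBlokAda, and reports then followed from around the world, centered on Eurasia. A characteristic feature is the regional skew in infections: just under 60 percent of reported cases are concentrated in Iran.

    It propagates via the Internet, infects connected computers, and lies dormant. Even without a network connection, it can also take hold via USB memory sticks that have been connected to an infected computer, so it is able to penetrate standalone networks that are cut off from the Internet. It exploits a Microsoft Windows vulnerability (MS10-046), and infection occurs merely from viewing the content in Windows Explorer. Moreover, Stuxnet exploits as many as four previously unknown security holes (zero-day vulnerabilities), including MS10-046, and defending against infection was difficult where the patches distributed later had not been applied.

    Its attack target is WinCC/PCS7, which the German company Siemens uses in its supervisory control and data acquisition (SCADA) systems as the Microsoft Windows-side interface software for programmable logic controllers (PLCs). In September 2010, a cyberattack using Stuxnet was carried out against the uranium-enrichment centrifuges at the nuclear fuel facility located in Natanz, Isfahan Province, Iran. In this attack, the PLCs controlling the centrifuges were taken over by Stuxnet and the frequency converters were attacked, with the result that all of the roughly 8,400 centrifuges became inoperable. Damage is also said to have occurred at the Bushehr nuclear power plant.

    Symantec, noting that it is "spread via USB memory sticks," is urging people not to connect them carelessly.

    The New York Times (June 1, 2012) reported that the NSA (the U.S. National Security Agency) and Unit 8200, an intelligence unit of the Israeli military, created this worm for use in attacking Iran. In addition, former NSA employee Edward Snowden told the German magazine Der Spiegel in an interview that the NSA and Israel developed it jointly.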
