
Stuxnet Unbound

by BILL BLUNDEN

Following the initial discovery of the Stuxnet computer worm in 2010 by a little-known antivirus vendor from Belarus, the culprit behind it has been revealed. Last week, based on information leaked by inside sources [1], an article in the New York Times reported that the United States and Israel had secretly embarked on a joint project (code-named Olympic Games) which developed the malware we know as Stuxnet [2]. Despite the ruckus that members of the establishment make in public about foreign hackers (e.g. warning that China is a “threat to world order” [3]), the U.S. is admittedly one of the most active players in this field. While coverage in the press may adopt a seemingly congratulatory tone, there are reasons why this is an unsettling state of affairs.

Containment and control are not trivial issues. As the White House discovered first-hand, once you deploy offensive software there’s no guarantee that it won’t find its way out into the wild and infect otherwise uninvolved third parties. Will the CIA be covering the costs incurred from Stuxnet breaches outside of Iran? What about the taxpayer money spent by the likes of the DHS to analyze and dissect the CIA’s creation [4]? And do you suppose there’s a risk that some enterprising Black Hat out there on the Internet will scavenge captured components from U.S.-sponsored malware for their own purposes? These types of concerns are exactly what discouraged the Pentagon from launching a cyber-attack against Saddam Hussein’s financial system before the invasion of Iraq [5].

Then there’s also the matter of efficacy. Was the Stuxnet attack actually as debilitating as a conventional military strike? Or have decision makers merely shown their hand and tipped off the Iranians? When Iranian military leaders originally assigned blame to the U.S. and Israel, many people probably dismissed the accusation as a wild conspiracy theory [6]. The Iranians don’t seem so paranoid after all, do they?

One aspect of Stuxnet, which has been corroborated at length by forensic investigators, is that the worm leveraged unpatched software flaws (also known as zero-day vulnerabilities) to do its job. It’s generally known among Black Hats that the United States is a principal customer in the underground market for zero-day exploits [7]. As Bruce Schneier notes, the very existence of a market like this undermines our collective security [8]: “The new market for security vulnerabilities results in a variety of government agencies around the world that have a strong interest in those vulnerabilities remaining unpatched. These range from law-enforcement agencies (like the FBI and the German police who are trying to build targeted Internet surveillance tools), to intelligence agencies like the NSA who are trying to build mass Internet surveillance tools, to military organizations who are trying to build cyber-weapons.”

The end result is security for the 1%, who reside behind the shroud of secrecy, and relative insecurity for everyone else.

Finally, and most importantly, Stuxnet has once again exposed American exceptionalism. Espionage and sabotage are presented as intolerable criminal transgressions, normally causing our elected officials and military leaders to erupt in fits of righteous indignation. That is, unless the United States is doing the spying and the sabotaging (in which case we’re seemingly rather proud of our status as leading rogue state). By crossing the Rubicon, our leaders have irrevocably lost the moral high ground. Not a wise decision for a country that, itself, depends heavily on the same buggy software that it regularly subverts.

Bill Blunden is the author of The Rootkit Arsenal and the primary investigator at Below Gotham Labs. 

Notes. 

[1] Evan Perez and Adam Entous, “FBI Probes Leaks on Iran Cyberattack,” Wall Street Journal, June 5, 2012.

[2] David Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1, 2012.

[3] Jamie Metzl, “China’s Threat to World Order,” Wall Street Journal, August 17, 2011.

[4] Tabassum Zakaria, “Idaho laboratory analyzed Stuxnet computer virus,” Reuters, September 29, 2011.

[5] John Markoff and Thom Shanker, “Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk,” New York Times, August 1, 2009.

[6] “Iran blames U.S., Israel for Stuxnet malware,” Associated Press, April 16, 2011.

[7] Andy Greenberg, “Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits,” Forbes, March 23, 2012.

[8] Bruce Schneier, “The Vulnerabilities Market and the Future of Security,” June 1, 2012.

Bill Blunden is a journalist whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, including “The Rootkit Arsenal” and “Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex.” Bill is the lead investigator at Below Gotham Labs and a member of the California State University Employees Union, Chapter 305.
