FacebookTwitterGoogle+RedditEmail

Stuxnet Unbound

by BILL BLUNDEN

After its initial discovery in 2010 by a little-known antivirus vendor from Belarus, the culprit behind the Stuxnet computer worm has been revealed. Last week, based on information leaked by inside sources [1], an article in the New York Times reported that the United States and Israel had secretly embarked on a joint project (code-named Olympic Games) which developed the malware we know as Stuxnet [2]. Despite the ruckus that members of the establishment make in public about foreign hackers (e.g. warning that China is a “threat to world order” [3]), the U.S. is admittedly one of the most active players in this field. While coverage in the press may adopt a seemingly congratulatory tone, there are reasons why this is an unsettling state of affairs.

Containment and control are not trivial issues. As the White House discovered first-hand, once you deploy offensive software there’s no guarantee that it won’t find its way out into the wild and infect otherwise uninvolved third parties. Will the CIA be covering the costs incurred from Stuxnet breaches outside of Iran? What about the tax-payer money spent by the likes of the DHS to analyze and dissect the CIA’s creation [4]? And do you suppose there’s a risk that some enterprising Black Hat out there on the Internet will scavenge captured components from U.S-sponsored malware for their own purposes? These types of concerns are exactly what discouraged the Pentagon from launching a cyber-attack against Saddam Hussein’s financial system before the invasion of Iraq [5].

Then there’s also the matter of efficacy. Was the Stuxnet attack actually as debilitating as a conventional military strike? Or have decision makers merely shown their hand and tipped off the Iranians. When Iranian military leaders originally assigned blame to the U.S. and Israel many people probably dismissed the accusation as a wild conspiracy theory [6]. The Iranians don’t seem so paranoid after all, do they?

One aspect of Stuxnet, which has been corroborated at length by forensic investigators, is that the worm leveraged unpatched software flaws (also known as zero-day attacks) to do its job. It’s generally known among Black Hats that the United States is a principal customer in the underground market for zero-day exploits [7]. As Bruce Schneier notes, the very existence of a market like this undermines our collective security [8]:  “The new market for security vulnerabilities results in a variety of government agencies around the world that have a strong interest in those vulnerabilities remaining unpatched. These range from law-enforcement agencies (like the FBI and the German police who are trying to build targeted Internet surveillance tools, to intelligence agencies like the NSA who are trying to build mass Internet surveillance tools, to military organizations who are trying to build cyber-weapons.”

The end result is security for the 1%, who reside behind the shroud of secrecy, and relative insecurity for everyone else.

Finally, and most importantly, Stuxnet has once again exposed American exceptionalism. Espionage and sabotage are presented as intolerable criminal transgressions, normally causing our elected officials and military leaders to erupt in fits of righteous indignation. That is, unless the United States is doing the spying and the sabotaging (in which case we’re seemingly rather proud of our status as leading rogue state). By crossing the Rubicon, our leaders have irrevocably lost the moral high ground. Not a wise decision for a country that, itself, depends heavily on the same buggy software that it regularly subverts.

Bill Blunden is the author of The Rootkit Arsenal and the primary investigator at Below Gotham Labs. 

Notes. 

[1] Evan Perez and Adam Entous, “FBI Probes Leaks on Iran Cyberattack,” Wall Street Journal, June 5, 2012

[2] David Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1, 2012

[3] Jamie Metzl, “China’s Threat to World Order,” Wall Street Journal, August 17, 2011,

[4] Tabassum Zakaria, “Idaho laboratory analyzed Stuxnet computer virus,” Reuters, September 29, 2011

[5] John Markoff and Thom Shanker, “Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk,” New York Times, August 1, 2009.

[6] “Iran blames U.S., Israel for Stuxnet malware,” Associated Press, April 16, 2011

[7] Andy Greenberg, “Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits,” Forbes, March 23, 2012.

[8] Bruce Schneier, “The Vulnerabilities Market and the Future of Security,” June 1, 2012.

Bill Blunden is a journalist whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, including “The Rootkit Arsenal” andBehold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex.” Bill is the lead investigator at Below Gotham Labs and a member of the California State University Employees Union, Chapter 305.

More articles by:

CounterPunch Magazine

minimag-edit

bernie-the-sandernistas-cover-344x550

zen economics

March 30, 2017
William R. Polk
What Must be Done in the Time of Trump
Howard Lisnoff
Enough of Russia! There’s an Epidemic of Despair in the US
Ralph Nader
Crash of Trumpcare Opens Door to Full Medicare for All
Carol Polsgrove
Gorsuch and the Power of the Executive: Behind the Congressional Stage, a Legal Drama Unfolds
Michael J. Sainato
Fox News Should Finally Dump Bill O’Reilly
Kenneth Surin
Former NC Governor Pat McCory’s Job Search Not Going Well
Binoy Kampmark
The Price of Liberation: Slaughtering Civilians in Mosul
Bruce Lesnick
Good Morning America!
William Binney and Ray McGovern
The Surveillance State Behind Russia-gate: Will Trump Take on the Spooks?
Jill Richardson
Gutting Climate Protections Won’t Bring Back Coal Jobs
Robert Pillsbury
Maybe It’s Time for Russia to Send Us a Wake-Up Call
Prudence Crowther
Swamp Rats Sue Trump
March 29, 2017
Jeffrey Sommers
Donald Trump and Steve Bannon: Real Threats More Serious Than Fake News Trafficked by Media
David Kowalski
Does Washington Want to Start a New War in the Balkans?
Patrick Cockburn
Bloodbath in West Mosul: Civilians Being Shot by Both ISIS and Iraqi Troops
Ron Forthofer
War and Propaganda
Matthew Stevenson
Letter From Phnom Penh
James Bovard
Peanuts Prove Congress is Incorrigible
Thomas Knapp
Presidential Golf Breaks: Good For America
Binoy Kampmark
Disaster as Joy: Cyclone Debbie Strikes
Peter Tatchell
Human Rights are Animal Rights!
George Wuerthner
Livestock Grazing vs. the Sage Grouse
Jesse Jackson
Trump Should Form a Bipartisan Coalition to Get Real Reforms
Thomas Mountain
Rwanda Indicts French Generals for 1994 Genocide
Clancy Sigal
President of Pain
Andrew Stewart
President Gina Raimondo?
Lawrence Wittner
Can Our Social Institutions Catch Up with Advances in Science and Technology?
March 28, 2017
Mike Whitney
Ending Syria’s Nightmare will Take Pressure From Below 
Mark Kernan
Memory Against Forgetting: the Resonance of Bloody Sunday
John McMurtry
Fake News: the Unravelling of US Empire From Within
Ron Jacobs
Mad Dog, Meet Eris, Queen of Strife
Michael J. Sainato
State Dept. Condemns Attacks on Russian Peaceful Protests, Ignores Those in America
Ted Rall
Five Things the Democrats Could Do to Save Their Party (But Probably Won’t)
Linn Washington Jr.
Judge Neil Gorsuch’s Hiring Practices: Privilege or Prejudice?
Philippe Marlière
Benoît Hamon, the Socialist Presidential Hopeful, is Good News for the French Left
Norman Pollack
Political Cannibalism: Eating America’s Vitals
Bruce Mastron
Obamacare? Trumpcare? Why Not Cubacare?
David Macaray
Hollywood Screen and TV Writers Call for Strike Vote
Christian Sorensen
We’ve Let Capitalism Kill the Planet
Rodolfo Acuna
What We Don’t Want to Know
Binoy Kampmark
The Futility of the Electronics Ban
Andrew Moss
Why ICE Raids Imperil Us All
March 27, 2017
Robert Hunziker
A Record-Setting Climate Going Bonkers
Frank Stricker
Why $15 an Hour Should be the Absolute Minimum Minimum Wage
Melvin Goodman
The Disappearance of Bipartisanship on the Intelligence Committees
FacebookTwitterGoogle+RedditEmail