FacebookTwitterGoogle+RedditEmail

Stuxnet Unbound

by BILL BLUNDEN

After its initial discovery in 2010 by a little-known antivirus vendor from Belarus, the culprit behind the Stuxnet computer worm has been revealed. Last week, based on information leaked by inside sources [1], an article in the New York Times reported that the United States and Israel had secretly embarked on a joint project (code-named Olympic Games) which developed the malware we know as Stuxnet [2]. Despite the ruckus that members of the establishment make in public about foreign hackers (e.g. warning that China is a “threat to world order” [3]), the U.S. is admittedly one of the most active players in this field. While coverage in the press may adopt a seemingly congratulatory tone, there are reasons why this is an unsettling state of affairs.

Containment and control are not trivial issues. As the White House discovered first-hand, once you deploy offensive software there’s no guarantee that it won’t find its way out into the wild and infect otherwise uninvolved third parties. Will the CIA be covering the costs incurred from Stuxnet breaches outside of Iran? What about the tax-payer money spent by the likes of the DHS to analyze and dissect the CIA’s creation [4]? And do you suppose there’s a risk that some enterprising Black Hat out there on the Internet will scavenge captured components from U.S-sponsored malware for their own purposes? These types of concerns are exactly what discouraged the Pentagon from launching a cyber-attack against Saddam Hussein’s financial system before the invasion of Iraq [5].

Then there’s also the matter of efficacy. Was the Stuxnet attack actually as debilitating as a conventional military strike? Or have decision makers merely shown their hand and tipped off the Iranians. When Iranian military leaders originally assigned blame to the U.S. and Israel many people probably dismissed the accusation as a wild conspiracy theory [6]. The Iranians don’t seem so paranoid after all, do they?

One aspect of Stuxnet, which has been corroborated at length by forensic investigators, is that the worm leveraged unpatched software flaws (also known as zero-day attacks) to do its job. It’s generally known among Black Hats that the United States is a principal customer in the underground market for zero-day exploits [7]. As Bruce Schneier notes, the very existence of a market like this undermines our collective security [8]:  “The new market for security vulnerabilities results in a variety of government agencies around the world that have a strong interest in those vulnerabilities remaining unpatched. These range from law-enforcement agencies (like the FBI and the German police who are trying to build targeted Internet surveillance tools, to intelligence agencies like the NSA who are trying to build mass Internet surveillance tools, to military organizations who are trying to build cyber-weapons.”

The end result is security for the 1%, who reside behind the shroud of secrecy, and relative insecurity for everyone else.

Finally, and most importantly, Stuxnet has once again exposed American exceptionalism. Espionage and sabotage are presented as intolerable criminal transgressions, normally causing our elected officials and military leaders to erupt in fits of righteous indignation. That is, unless the United States is doing the spying and the sabotaging (in which case we’re seemingly rather proud of our status as leading rogue state). By crossing the Rubicon, our leaders have irrevocably lost the moral high ground. Not a wise decision for a country that, itself, depends heavily on the same buggy software that it regularly subverts.

Bill Blunden is the author of The Rootkit Arsenal and the primary investigator at Below Gotham Labs. 

Notes. 

[1] Evan Perez and Adam Entous, “FBI Probes Leaks on Iran Cyberattack,” Wall Street Journal, June 5, 2012

[2] David Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1, 2012

[3] Jamie Metzl, “China’s Threat to World Order,” Wall Street Journal, August 17, 2011,

[4] Tabassum Zakaria, “Idaho laboratory analyzed Stuxnet computer virus,” Reuters, September 29, 2011

[5] John Markoff and Thom Shanker, “Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk,” New York Times, August 1, 2009.

[6] “Iran blames U.S., Israel for Stuxnet malware,” Associated Press, April 16, 2011

[7] Andy Greenberg, “Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits,” Forbes, March 23, 2012.

[8] Bruce Schneier, “The Vulnerabilities Market and the Future of Security,” June 1, 2012.

More articles by:

Bill Blunden is a journalist whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, including “The Rootkit Arsenal” andBehold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex.” Bill is the lead investigator at Below Gotham Labs and a member of the California State University Employees Union, Chapter 305.

CounterPunch Magazine

minimag-edit

bernie-the-sandernistas-cover-344x550

zen economics

July 26, 2017
John W. Whitehead
Policing for Profit: Jeff Sessions & Co.’s Thinly Veiled Plot to Rob Us Blind
George Capaccio
“Beauty of Our Weapons” in the War on Yemen
Ramzy Baroud
Fear and Trepidation in Tel Aviv: Is Israel Losing the Syria War?
John McMurtry
Brexit Counter-Revolution Still in Motion
Ted Rall
The Democrats Are A Lost Cause
Pete Dolack
Trump’s Re-Negotiation Proposal Will Make NAFTA Worse
Tom Gill
Is Macron Already Faltering?
Ed Kemmick
Empty Charges Erode Trust in Montana Elections
Rev. William Alberts
Fake News? Or Fake Faith?
James Heddle
The Ethics and Politics of Nuclear Waste are Being Tested in Southern California
Binoy Kampmark
Slaying in Minneapolis: Justine Damond, Shooting Cultures and Race
Jeff Berg
Jonesing for Real Change
Jesse Jackson
The ‘Voter Fraud’ Commission Itself is Fraudulent
July 25, 2017
Paul Street
A Suggestion for Bernie: On Crimes Detectable and Not
David W. Pear
Venezuela on the Edge of Civil War
John Grant
Uruguay Tells US Drug War to Take a Hike
Charles Pierson
Like Climate Change? You’ll Love the Langevin Amendment
Linda Ford
Feminism Co-opted
Andrew Stewart
Any Regrets About Not Supporting Clinton Last Summer?
Aidan O'Brien
Painting the Irish Titanic Pink
Rob Seimetz
Attitudes Towards Pets vs Attitudes Towards the Natural World
Medea Benjamin
A Global Movement to Confront Drone Warfare
Norman Solomon
When Barbara Lee Doesn’t Speak for Me
William Hawes
What Divides America From the World (and Each Other)
Veteran Intelligence Professionals for Sanity
Was the “Russian Hack” an Inside Job?
Chandra Muzaffar
The Bilateral Relationship that Matters
Binoy Kampmark
John McCain: Cancer as Combatant
July 24, 2017
Patrick Cockburn
A Shameful Silence: Where is the Outrage Over the Slaughter of Civilians in Mosul?
Robert Hunziker
Extremely Nasty Climate Wake-Up
Ron Jacobs
Dylan and Woody: Goin’ Down the Road Feelin’ Bad
Dan Glazebrook
Quantitative Easing: the Most Opaque Transfer of Wealth in History
Ellen Brown
Saving Illinois: Getting More Bang for the State’s Bucks
Richard Hardigan
The Media is Misleading the Public on the Al-Asqa Mosque Situation
Matthew Stevenson
Travels in Trump’s America: Memphis, Little Rock, Fayetteville and Bentonville
Ruth Fowler
Fire at Grenfell
Ezra Kronfeld
The Rights of Sex Workers: Where is the Movement to Legalize Prostitution
Mark Weisbrot
What Venezuela Needs: Negotiation Not Regime Change
Binoy Kampmark
From Spicy to the Mooch: A Farewell to Sean Spicer
Wim Laven
Progress Report, Donald Trump: Failing
Weekend Edition
July 21, 2017
Friday - Sunday
Kevin Zeese
Green Party Growing Pains; Our Own Crisis of Democracy
Jeffrey St. Clair
Red State, Blue State; Green State, Deep State
Paul Street
“Inclusive Capitalism,” Nancy Pelosi, and the Dying Planet
Anthony DiMaggio
Higher Education Fallacies: What’s Behind Rising Conservative Distrust of Learning?
Andrew Levine
Why Republicans Won’t Dump Trump Anytime Soon
Michael Colby
Ben & Jerry’s Has No Clothes
FacebookTwitterGoogle+RedditEmail