Stuxnet: Well-organized Cybercrime

Stuxnet was among one of the most interesting case of organized cybercrime. Most likely it is organized crime by government. I am going to discuss possibilities of how they start developing Stuxnet based on information available in media, blogs and technical articles and analyzing organized crime.

You should keep in mind information related to Iran’s nuclear program consider as confidential and top secret within the Iran’s nuclear agency and other related external sources like Siemens, IAEA and so on. You need to have certain clearance and access control to be able to access such information. In order to be able to damage Iran’s nuclear facilities using a computer malware, you should perfectly know the infrastructure of Iran’s nuclear facilities. In top secret places like Iran’s nuclear program, staff are highly train when it comes to access information and sharing them to people they know. They went through a deep background check through intelligence ministry and you couldn’t expect, they come to the office and visit Facebook or other internet website. For this reason, there is no way to access information related to Iran’s nuclear program through remote hacking the staff or placing spies because it would have a greater risk of exposing the infrastructure of Iran’s nuclear program. In addition, restrictions imposed on sharing and control information related to Iran’s nuclear program to third-parties who are working with Iran’s nuclear program including IAEA and Siemens through government agreements. However, Iran has less control over the information protection for third-parties outside Iran because they hosted in another country. The first phase of coming up with idea of Stuxnet was to understand the exact environment of Iran’s nuclear infrastructure. People who develop Stuxnet, look into information gathering of Iran’s nuclear operation and staffs. They gathered information like they are using Windows and PLC, it is possible to bring USB device from outside the nuclear facility and so on. Then they developed a worm which fit the environment. Now, the problem was how to get it inside the nuclear facility. Of course no one intentionally take infected USB inside the nuclear facility knowing all restrictions and monitoring and securities. So they target infecting PCs in Iran which is not a very difficult process. There are many Iranian who are living outside Iran and they visit their families once a while and just infecting a public computer which regularly being used by Iranian would have been easy to get this worm inside Iran. Since Iranian are the citizen of Iran , they aren’t difficult immigration inspection on them and if there is any immigration inspection no one would ask you to check your USB or removable devices and even they do , Stuxnet is still undetectable. One common way to get Stuxnet inside Iran is to infect a university’s public library PC with Stuxnet and one Iranian student insert a USB to visit check some document and Stuxnet would have been copied there. Therefore, Iranians who live outside Iran has been the first target of Stuxnet and to make investigation difficult. Because, they have no clue of their USB infection and it is difficult to find its origin. This way worm kept spread from one user to another users just when they inserted their USB in another PC. The timing of start infecting was also important, the cybercriminals probably look into immigration records to check when usually most Iranians who live abroad leave their country. For example for students, they usually travel to Iran during semester break so if you check immigration record of people with Iranian passport who leave the country and then return and they have resident permit like Student Visa or Work Permit, you could come up with idea of when and where you should spread Stuxnet to make it harder to investigate this case. The investigation would be hard when you have several suspects and you couldn’t easily filter out to few and since there is no conclusive evidence, you couldn’t issue arrest warrant.

With right timing, Stuxnet manage to infect several PCs just by spreading over USB device. It could be a flash memory, external hard disk or other device like a mobile phone and so on. Among all PCs who have been infected with Stuxnet, there was a high possibility that one of the infected PCs would have belong to someone who is working in Iran’s nuclear facility or their relatives. It is possible that they work from home and for security reason, they never transfer any data or code using internet but rather USB device due to security reason and just inserting one infected device would have infected the system. This way, one USB device of personnel of Iran’s nuclear facility have been infected and he or she allowed to bring USB inside the nuclear facility. Of course all devices from outside would have been scanned for malware but at that time Stuxnet was unknown and inserting the infected device would start infecting the Siemens PLC device and causing damage to the reactor. Stuxnet also try to establish connection to remote servers and it was just for redirecting the investigation and buy some times to cover up the incident. When Stuxnet discover and it code has been inspected, they discover these connection to remove servers and those servers just setup so investigator think they have to start the investigation with those servers. While they actual objective of Stuxnet was to work offline and without showing any connection or help to discover any conclusive evidence against developer of Stuxnet.

People who develop Stuxnet has a good knowledge of Microsoft Windows Operating System and they probably have access to Windows Source Code through some NDA agreement or through black market and they also has a good understanding of Siemens PLC and it was a group work of people expert in various field and such a team required a skilled team leader to have them coordinate and work closely and of course loyalty to their governments and making sure they won’t leak information regarding to Stuxnet.

Even though, Stuxnet was top secret government operation and will remain as a mystery for some time but it raise a big question in area of cybersecurity. When we will see the next Stuxnet and what would be the damage. If we look closely in Stuxnet, we will see there is a possibility to harm any devices which is using computer system. When we look closely into the Stuxnet, the next Stuxnet could be the one which paralyze the economics of a country. Just imagine a day you are going to an ATM and you are unable to withdraw money and this is an issue for all ATMs around the nation. It is scary but we could prepare.

Advertisements

Comments are closed.

%d bloggers like this: