The Stuxnet worm, which infiltrates the systems used to run factories, was discovered only in June this year but has already been labelled by some researchers as a "groundbreaking" piece of malware. We look at why Stuxnet could be the 'best' malware ever.
One way the attackers minimised the risk of discovery was to put a counter on each infected USB drive that allowed it to spread to no more than three PCs. "They wanted to try to limit the spread of this threat so that it would stay within the targeted facility," O Murchu said.
And they were clever, said Schouwenberg.
Once inside a company, Stuxnet used the MS08-067 exploit only if it knew that the target was part of a SCADA (supervisory control and data acquisition) network. "There's no logging in most SCADA networks, and they have limited security and very, very slow patch cycles," Schouwenberg explained, which made an exploit for a vulnerability Microsoft had patched back in October 2008 perfect for the job.
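The slow patch cycles Schouwenberg describes are something an operator can measure directly. The following audit is an added example, not code from the article or from Symantec or Kaspersky: it asks each Windows engineering or HMI station whether the MS08-067 fix is installed. The fix shipped as KB958644; that KB number, the host names, and the use of DCOM/WMI for remote queries are assumptions of this example, not details from the article.

```powershell
# Added example (not from the article): audit Windows hosts for the MS08-067 fix.
# Assumptions: the fix is KB958644, the caller has admin rights on each host,
# and RPC/DCOM is reachable (the transport Get-HotFix and Get-WmiObject use).
# Host names below are hypothetical.

$TargetHosts = @('eng-ws01', 'hmi-02', 'historian-01')

function Test-MS08067Patch {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{ Host = $ComputerName; Status = $null; Detail = $null }

    # Distinguish "unreachable" from "unpatched": a host that does not answer
    # must not be reported as clean or as missing the fix.
    if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {
        $result.Status = 'unreachable'
        return [pscustomobject]$result
    }

    # MS08-067 applies to Windows 2000 through Vista / Server 2008 (NT version
    # below 6.1). Windows 7 and later shipped with the fix built in, so an
    # absent KB958644 on those versions is not a finding.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    if ([version]$os.Version -ge [version]'6.1') {
        $result.Status = 'not-applicable'
        $result.Detail = "$($os.Caption) ($($os.Version))"
        return [pscustomobject]$result
    }

    # Get-HotFix reads Win32_QuickFixEngineering; with -Id it throws when the
    # KB is not listed, so any error on a reachable host means "missing".
    try {
        $fix = Get-HotFix -Id 'KB958644' -ComputerName $ComputerName -ErrorAction Stop
        $result.Status = 'patched'
        $result.Detail = "installed $($fix.InstalledOn)"
    }
    catch {
        $result.Status = 'MISSING'
        $result.Detail = "$($os.Caption) without KB958644"
    }
    return [pscustomobject]$result
}

# One row per host; 'MISSING' rows are the ones a long-patched exploit still hits.
$TargetHosts | ForEach-Object { Test-MS08067Patch -ComputerName $_ } |
    Format-Table -AutoSize
```

Run this only against Windows stations, never against PLCs or other controllers, which can react badly to unexpected network traffic. Win32_QuickFixEngineering only lists updates installed through Windows servicing, so a 'MISSING' result on a host that was patched some other way should be confirmed by checking the version of netapi32.dll before treating it as unpatched.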
Put all that together, and the picture is "scary," said O Murchu.
So scary, so thorough was the reconnaissance, so complex the job, so sneaky the attack, that both O Murchu and Schouwenberg believe it couldn't be the work of even an advanced cybercrime gang.
"I don't think it was a private group," said O Murchu. "They weren't just after information, so a competitor is out. They wanted to reprogram the PLCs and operate the machinery in a way unintended by the real operators. That points to something more than industrial espionage."
The necessary resources, and the money to finance the attack, put it outside the realm of a private hacking team, O Murchu said.
"This threat was specifically targeting Iran," he continued. "It's unique in that it was able to control machinery in the real world."
"All the different circumstances, from the multiple zero-days to stolen certificates to its distribution, the most plausible scenario is a nation-state-backed group," said Schouwenberg, who acknowledged that some people might think he was wearing a tin foil hat when he says such things. But the fact that Iran was the number one target is telling.
"This sounds like something out of a movie," Schouwenberg said. "But I would argue it's plausible, suddenly plausible, that it was nation-state-backed."
"This was a very important project to whoever was behind it," said O Murchu. "But when an oil pipeline or a power plant is involved, the stakes are very high."
And although Siemens maintains that the 14 plants it found with infected SCADA systems were not affected or damaged by Stuxnet, O Murchu and Schouwenberg weren't so sure.