When the Stuxnet virus was first detected back in June 2010, its true purpose was unknown.
Security experts were only able to confirm that it was a Windows worm that spread via USB sticks, and that once inside an organization it could also spread by copying itself to network shares if they had weak passwords.
They knew that once in a system, it hid itself with a rootkit and checked whether the infected computer was connected to a specific factory system. If that system was not found, the virus did nothing. At the time, security experts did not know which factory the virus was looking for or whether it had already found it.
On November 29, 2010 those details were revealed when the Iranian government confirmed that a computer worm affected centrifuges in the country's uranium enrichment program.
Since then, speculation has been rife in the security industry over its origins, and given the complexity of the virus -- with its unusual file size (over 1.5MB) -- the list of most likely sources was a short one.
The speculation came to an end when reports released by The New York Times and The Washington Post in June of this year confirmed that Stuxnet, along with data-gathering malware Flame, was actually developed by the United States and its close ally Israel, under a project codenamed Operation Olympic Games.
The revelation came as no surprise to F-Secure’s chief research officer, Mikko Hypponen, as he had already pointed out in an article he wrote for Ars Technica that this malware was “most likely developed by a Western intelligence agency as part of covert operations that weren’t meant to be discovered.”
In an email interview with Digital News Asia (DNA), he admits that one thing did surprise him. “I was surprised that the United States confirmed it and took the blame for it. This probably had something to do with the fact that it’s an election year.”
Hypponen had long pointed to governments as a source of online attacks, most notably in his TED Talk presentation, stating that there are "three types of online attacks on our privacy and data and only two are considered crimes."
Despite instances of cyber-espionage increasing over the last two years, Hypponen does not believe that the world is in a new age of cyberwarfare, where nation-states are more proactive and have fewer hesitations about “getting dirty.”
“We are in the middle of a cyber arms race. War is a very strong word, and I wouldn’t categorize the current offensive attacks between nation-states as a war. Not yet,” he says.
It is the “yet” part that has many worried: the first annual Cyber Security Summit, scheduled to kick off in New York City next month, has a stated mission to “expose the truth about what is really happening on both the offensive and defensive sides of the growing cyber-arms race.”
When asked how smaller sovereign nations can protect themselves against larger nations with access to greater financial and human resources, Hypponen says they need to build their own defenses, possibly in co-operation with other similar countries.
“Any defense system uses foreign technology. So countries should consider carefully where in the world their online security technology is coming from,” he adds.
For individuals and organizations, the most likely online attack remains a criminal one, such as a banking trojan or a password stealer.
“Very few organizations are targeted by nation-states. But when they are, the situation is very serious and defense can be very, very hard,” says Hypponen.
Other vulnerabilities and predictions
Relevant stakeholders, from security firms to government agencies, will certainly pay considerable attention to the cyber arms race now that it is a hot and high-profile topic.
As one of the leading figures in the field, Hypponen himself is sure to play a big role in the continuing global discussion; however, there are other parts of the security landscape that have him especially concerned.
In a recent interview with Dark Reading, he states that his “biggest worry is the lousy state of security in factory automation.”
He explained to DNA that traditionally, automation systems have been secured simply by keeping them disconnected from all other systems, which means they have had no built-in protection at all. “We’ve learned now that many of those ‘disconnected’ systems ended up getting connected to public networks after all,” he says.
To make matters worse, Hypponen adds, automation systems have a very long lifecycle. This means that even if the latest programmable logic controller (PLC) boxes and other automation gear have better security, it takes decades before old insecure systems are phased out.
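The point Hypponen makes above, that isolation was the only protection and that the isolation quietly eroded, is something a plant can check for itself. The following is an added example written for this article, not code from F-Secure or from the interview: it audits a constructed, hypothetical export of gateway rules for an OT segment and reports any allow-rule that lets OT hosts reach addresses outside the organization's internal (RFC 1918) ranges, which is exactly the kind of "temporary" vendor or telemetry rule that turns a supposedly disconnected network into a connected one. The rule format, addresses and segment names are assumptions made for the example.

```python
"""Audit exported gateway allow-rules for an OT segment that is supposed to be
air-gapped, and report any rule that lets OT hosts reach addresses outside the
organization's internal ranges.  Constructed example: the rule format and the
sample rules are hypothetical, not taken from any vendor or from the article."""
import ipaddress

# Address space the organization treats as "internal" (RFC 1918).  Anything
# outside these blocks counts as the public Internet for audit purposes.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule set: (source_cidr, destination_cidr, action); first match wins.
SAMPLE_RULES = [
    ("10.50.0.0/16", "10.50.0.0/16", "allow"),     # PLC/HMI traffic inside the cell
    ("10.50.0.0/16", "10.10.20.5/32", "allow"),    # historian in the plant DMZ
    ("10.50.1.0/24", "0.0.0.0/0", "allow"),        # 'temporary' vendor remote-support rule
    ("10.50.0.0/16", "198.51.100.7/32", "allow"),  # cloud telemetry collector
    ("10.50.0.0/16", "0.0.0.0/0", "deny"),         # default deny
]
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # the cell that is "disconnected"


def leaves_internal_space(cidr):
    """True if any address in cidr lies outside every internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(r) for r in INTERNAL_RANGES)


def find_bridges(rules, ot_segment):
    """Return (source, destination) of allow-rules that let some host in the OT
    segment reach a non-internal address, i.e. rules that bridge the air gap."""
    bridges = []
    for src, dst, action in rules:
        src_net = ipaddress.ip_network(src, strict=False)
        if (action == "allow" and src_net.overlaps(ot_segment)
                and leaves_internal_space(dst)):
            bridges.append((src, dst))
    return bridges


def first_match(rules, src_ip, dst_ip):
    """Evaluate the rule list with first-match semantics; implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src, dst, action in rules:
        if (s in ipaddress.ip_network(src, strict=False)
                and d in ipaddress.ip_network(dst, strict=False)):
            return action
    return "deny"


if __name__ == "__main__":
    for src, dst in find_bridges(SAMPLE_RULES, OT_SEGMENT):
        print(f"air-gap bridge: {src} -> {dst}")
    # Probe a public address from a host covered by the vendor rule and from one that is not.
    print(first_match(SAMPLE_RULES, "10.50.1.20", "198.51.100.99"))  # allow
    print(first_match(SAMPLE_RULES, "10.50.2.20", "198.51.100.99"))  # deny
```

The audit deliberately compares against an explicit list of internal ranges rather than the standard library's notion of "private" addresses, because the question is not whether an address is globally routable but whether it is outside the plant's own space; a vendor support host on the public Internet and a default route both count as bridges.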
What would it take then, for change to happen? The typically upbeat Hypponen has only this to say: “We won’t see a major change here until we see some large-scale disaster because of insecure automation systems.”
In his role as chief research officer for Finnish security firm F-Secure, Hypponen is tasked with predicting the types of attacks to come and directing the company’s research efforts accordingly.
Right now, the F-Secure research team is spending a lot of time looking into the security of embedded systems.
An embedded system is a computer system designed for specific control functions within a larger system, often with real-time computing constraints. Think electronic products such as televisions, washing machines and cars.
Hypponen is quick to point out that, depending on the product category, there is a big difference in the likelihood of these embedded devices getting hacked by criminals.
For example, the chances of a washing machine equipped with a computer and Internet connection getting hacked are slim.
“Who is going to hack it? For what? However, if your car has a computer and Internet connection, somebody will surely hack it. Why? To steal it, of course,” he says.
“Organized car theft is already a big problem and if they can make their job easier via hacking, they will. So the motives of the attackers change the threat scenario greatly,” he adds.
With the security landscape once again on the cusp of change, Hypponen will soon be sharing his thoughts at Malaysia’s premier cyber-security event HITBSecConf, taking place from Oct 8-11 at the Intercontinental Kuala Lumpur hotel.
The conference has invited over 42 of its most popular speakers over the years to return to the stage in celebration of its 10th anniversary in Kuala Lumpur. Hypponen has been a speaker at HITB a total of four times in the last 10 years: once at HITB Dubai in 2007 and three times at HITB Kuala Lumpur (2005, 2007, 2010).
For those who will be present at this year’s conference, be sure to ask Hypponen about his collection of coin-op video games. He has 12, released during the ‘golden’ years of 1979-1984, and one pinball machine.
If he could keep only one? “That’s easy. I would keep the best game in the world: Xevious.”