In 1981, CIA director William J. Casey was informed of Soviet plans to steal Canadian industrial software to automate gas pipelines. In response, the CIA hatched a bold plan to create a software “Trojan Horse” which would hijack pumps and valves to create a catastrophic build-up in pressure. One year later, US satellites detected the largest non-nuclear blast in history from a gas pipeline in Siberia. Thus cyber warfare was born.
Twenty-five years later, with the rise of the internet, governments are increasingly paranoid about the potential for catastrophic cyber attacks. Doomsday scenarios envisage failing electrical grids, compromised air traffic control, industrial disaster, and communications collapse all culminating in chaotic societal breakdown. The USA has established a Cyber Command, and the UK, France, Israel, China, Russia, and even North Korea have their own plans for cyber supremacy. Security wonks talk breathlessly about the “fifth domain” of warfare after land, sea, air, and space.
But to the average Joe, this all sounds vaguely comical. Even the word “cyber”, with all its 80s hacker movie connotations, is a little hard to take seriously. Cyber attacks over the last ten years have barely been newsworthy. There were rumours of cyber attacks from both sides in the 2006 Israel-Lebanon war. China has been caught with its hand in the cookie jar, once by McAfee in 2007, and twice by Google in 2009, stealing data from other nations and critics of the Communist party. The US has been the target of large data thefts by unknown powers, one downloading terabytes of data from Defence, State, and Energy Departments in 2007, the other a worm spread through Pentagon computers by flash drive in 2008. But none of these could be described as “war”. If anything, it was a natural extension of the communications espionage that has existed for decades. These “attacks” have not made physical damage, and no one knew whether it was possible.
Then, in June 2010, a small Belarusian cyber security firm identified an unusual bug. Named Stuxnet after a filename in the code, it was unusually sophisticated, and appeared to target industrial software, unlike standard PC worms. Soon after, the engineering giant Siemens realised that their Supervisory Control and Data Acquisition (SCADA) software that runs on industrial Windows systems, WinCC, was Stuxnet’s target.
Industrial systems are not normally connected to the internet to avoid attacks, but Stuxnet exploited several novel security flaws to run off USB drives. Known as zero-day vulnerabilities, these loopholes are usually identified by hackers and sold for a prize sum. Stuxnet exploited an unprecedented four such holes. Investigators from Symantec described it as “groundbreaking”, and sophisticated enough that only a nation-state could plausibly have organised and funded the effort.
What was its purpose? Originally assumed to be for opportunistic espionage, researchers eventually realised that Stuxnet wasn’t stealing data. It was programmed to lay in wait, keep a low profile, and spread until it reached a very specific target. It then takes control of the system and overrides certain files, perhaps to similar destructive effect as the CIA engineered nearly three decades ago. Thus Stuxnet has been described as a “cyber missile”.
Who would launch an attack like this, and what were they trying to achieve? The answer became clear when Symantec surveyed systems affected worldwide. The results showed 60 per cent of infected computers were in Iran. Speculation mounted that Stuxnet was the cause of ongoing, unexplained problems in the Bushehr nuclear reactor or a nuclear accident reported at the Natanz enrichment facility in 2009. The obvious candidate for such an attack is Israel, who has been loudly complaining about Iran’s nuclear program for years, and has a history of using force to prevent rivals from building nuclear facilities. In 1981 they bombed the Iraqi Osirak reactor and ended Saddam’s nuclear ambitions.
While definitive proof is still lacking, researchers have since found a tantalising piece of evidence. A line of code was found to contain the word myrtus, the Latin name for the myrtle tree. The Hebrew word for myrtus is Hassadah, also the name of a biblical Jewish queen who pre-emptively struck against the enemies of the people of Israel. Investigators have pointed the finger at Israel’s cyber division Unit 8200, infamous for press-ganging convicted hackers to work in their headquarters deep in the Negev desert.
We may never know what Stuxnet’s target truly was, or the intended effects. The stealth and the sophistication of the beast mean it has probably already hit the target. Researchers estimate it has been in “the wild” for up to a year undetected.
The implications are vast. A virus that can move under the radar for so long, achieve such wide coverage, and seize control of any system is the realisation of our cyber security nightmares. Many questions remain about the first real cyber attack. All we know for certain is that it will not be the last.