Middle East malware is a wake-up call to industry to sweat the small stuff
The discovery of the advanced computer spyware Flame capped a recent spate of news that has implications for the cyberdefense policies and preparations of corporations and nations alike.
Reports of Flame's advanced technologies and extensive capabilities—uncovered by researchers in Iran in late May, before being verified by computer security laboratories worldwide—were at risk of being pushed out of the headlines when, on June 1, The New York Times reported U.S. officials all but declaring that Stuxnet—the 2008-10 malware used in an attack credited with destroying centrifuges at the Natanz, Iran, nuclear plant—was part of a covert cyberweapons program instituted by the George W. Bush administration and accelerated under President Barack Obama.
The in-depth Times report—drawn from numerous, international interviews—had the effect of making widespread assumptions and earlier reporting about Stuxnet's political authorship more concrete (AW&ST May 23, 2011, p. 43). Initiated by the Bush administration in 2006, the program—codenamed Olympic Games—saw the U.S. National Security Agency working with Israel's military signals intelligence and code-breaking group, Unit 8200. After an intelligence-gathering phase in which the Natanz plant was digitally mapped, code designed to destroy centrifuges was tested on working replicas of the Iranian centrifuge cascades, constructed at a number of U.S. national laboratory sites, before being deployed against the Iranian facility.
The Times stresses that deterring Israel from launching a kinetic strike against Iran's nuclear program was a key part of the U.S. rationale for the policy. While political reaction in Washington saw Republican calls for an end to White House leaks relating to classified operations, there were no denials.
Flame's emergence had already reignited the debates around the offensive cyberwarfare capabilities and policies of nation states (AW&ST June 4, p. 28). The malware, which appears to be a surveillance tool rather than a weapon with a destructive capability, was immediately identified as the product of a state program, its complexities judged by researchers to be beyond the capacity of individual programmers.
The malware carried a code-signing certificate that chained up to a Microsoft root, so the infected computer accepted the Flame installation as a legitimate update to the Windows operating system. The certificate was forged rather than stolen: Microsoft's Terminal Server Licensing Service was still issuing MD5-signed certificates, and the attackers used an MD5 collision to obtain one that validated for code signing. More than one research lab described the capability as “the Holy Grail” of exploit coding, and it pushed Microsoft into a rare out-of-band update that revoked the licensing-service certificates rather than patching a conventional software flaw. Yet there were also critical voices. Graham Cluley, of anti-virus provider Sophos, stressed the tiny number of infected devices, and Rik Ferguson, director of security research and communication at Trend Micro, wrote that the code was “unique in malware terms certainly, but not impressive in and of itself.”
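As an added example (not code from the article, from Microsoft, or from any vendor quoted above), the following standard-library-only Python walks the DER structure of an X.509 certificate to pull out the outer signature-algorithm OID and then applies the two checks that would have rejected a Flame-style certificate: a deny-list of broken hash algorithms (MD5 among them) and a revocation list keyed on the certificate's fingerprint. The certificates it examines are constructed DER skeletons built inside the block, not real certificates, and the deny-list contents and the revocation set are assumptions made for the demonstration.

```python
"""Minimal DER walk to flag weak signature algorithms in X.509 certificates.

Added example, not code from the original article or from any vendor.
Standard library only; the "certificates" are constructed DER skeletons
(not real certificates) so the block runs offline.
"""
import hashlib

# PKCS#1 signature-algorithm OIDs that a verifier should refuse (assumed deny-list).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"


def der_read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                          # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = der_read_tlv(body)          # skip tbsCertificate
    tag, alg_id, _ = der_read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_raw, _ = der_read_tlv(alg_id)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid_raw)


def fingerprint(cert_der):
    """SHA-256 over the whole DER encoding, the usual revocation-list key."""
    return hashlib.sha256(cert_der).hexdigest()


def assess(cert_der, revoked_fingerprints=frozenset()):
    """Return the reasons to reject the certificate (empty list means no finding)."""
    findings = []
    oid = signature_algorithm_oid(cert_der)
    if oid in WEAK_SIGNATURE_OIDS:
        findings.append(f"weak signature algorithm {WEAK_SIGNATURE_OIDS[oid]} ({oid})")
    if fingerprint(cert_der) in revoked_fingerprints:
        findings.append("certificate fingerprint is on the revocation list")
    return findings


# --- Constructed test data: a tiny DER encoder and a placeholder certificate ---

def der(tag, content):
    """Encode one TLV, using the long length form when content is 128 bytes or more."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def encode_oid(dotted):
    """Inverse of decode_oid, used only to build the constructed certificates."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunks))
    return out


def build_test_cert(sig_oid):
    """Constructed placeholder: a valid DER skeleton, not a real certificate."""
    tbs = der(0x30, der(0x02, b"\x01"))                               # tbsCertificate holding only serialNumber 1
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # AlgorithmIdentifier: OID + NULL params
    sig = der(0x03, b"\x00" + b"\xAB" * 32)                           # BIT STRING with dummy signature bytes
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for name, oid in (("md5-signed", "1.2.840.113549.1.1.4"), ("sha256-signed", SHA256_RSA_OID)):
        cert = build_test_cert(oid)
        print(name, signature_algorithm_oid(cert), assess(cert) or "no finding")
```

The point of the algorithm check is that the collision-resistant hash is part of what the signature protects; once the hash is MD5, a valid signature from a trusted CA no longer proves the CA saw the certificate it appears to have signed, so the certificate must be refused regardless of whether the chain verifies. The fingerprint check models what Microsoft's update actually did: distrusting specific certificates rather than fixing code.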
The two issues, Stuxnet's U.S. authorship and whether claims of Flame's prowess are exaggerated, are more than just coincident. The questions they raise cut to the heart of cyberdefense and security policymaking, as well as industry's preparedness. With privately held elements of critical national infrastructure high on the likely target list for adversaries—and about 80% of domestic U.S. critical infrastructure is said to be in non-government hands—covert moves to adopt a first-strike cyberwarfare doctrine may serve to elevate the exposure of commercial systems to state-sponsored cyberattacks. Yet the focus on increasingly sophisticated threats may discourage businesses from defending against less technically advanced albeit far more widespread attacks, increasing the vulnerability not just of corporate networks, but of entire nations.
“Since [Stuxnet] there's almost a perception that everything is an Advanced Persistent Threat,” said Greg Day, director of security strategy for the U.K. division of information security specialists Symantec, during a presentation to the Counter Terror Expo 2012 in London. He pointed out that most corporate security is focused on advanced threats and the lower-end, “brute force” approach of denial-of-service attacks and defacement of public-facing websites.
“What I think has slipped under the radar is the middle ground, which is persistent and targeted threats, that are taking [known] toolkits and vulnerabilities and saying, 'I'm going to find a company and target them, and I'm going to keep going and going and going until I get in,'” he continued. “The challenge we have is we don't necessarily realize this middle ground exists.”