Stuxnet and now Flame: The US and Israel Continuing Cyber War against Iran
12/06/2012
The last two weeks have shown that cyber war is no longer in the realm of science fiction but very much a part of what is happening here and now. First, David Sanger in the New York Times confirmed what was widely believed: that the Stuxnet virus which damaged a number of centrifuges at the Natanz uranium enrichment facility was the joint product of US and Israeli teams. What is new in Sanger's report is that these attacks, codenamed Olympic Games, started under George Bush and were expanded under Barack Obama. Not only did they continue, they were directly overseen by the White House. The second development is the discovery of another virus, Flame, which is also directed against Iran and has been active since at least 2009.
Why should the discovery of a new kind of virus be of such concern when computer viruses have been around for so long? Because what a nation state can do once it gets into the business of creating viruses is qualitatively different from what a few hackers (or crackers) can do. What is at best a nuisance and at worst the loss of some data on infected machines can turn into a complete breakdown of a country's basic infrastructure. A nation state has the resources to target the computers that control vital infrastructure and cause catastrophic failures of those systems. And even when a specific piece of equipment in a single country is targeted, such viruses can escape beyond their targets, as Stuxnet has shown, and pose a threat to other equipment and other countries as well.
Consider a nuclear reactor whose core is controlled by computers, as the current generation of nuclear power plants is. If an attacker knows the control system, it is possible to infect it in a way that may cause a core meltdown. After Fukushima, can anybody doubt that such an act would be an act of war, on a par with a physical attack on the reactor?
If we look at how the world functions, it is not just financial systems and other information that computers handle. The power grid, the controls of hazardous plants, the telecommunication networks and air traffic control are all run by computers and software. Even the lowly washing machine has embedded controls on a chip with software on it. If countries want to play games with such software and computers, it opens a whole new arena of war with untold consequences.
Speaking last week on the sidelines of a security conference, Eugene Kaspersky, founder of Kaspersky Lab, which found the Flame virus, said: "Cyber weapons can replicate, and there could be random victims anywhere around the globe, it doesn't matter how far you are from the conflict. It's not cyberwar, it's cyberterrorism and I'm afraid it's just the beginning of the game."
It is not that the US is unaware of this. As early as 2000, the Pentagon's strategic doctrine, "Joint Vision 2020," spoke of full spectrum dominance. It describes full spectrum dominance as extending not just over the four domains stated earlier (space, sea, land and air) but over a fifth as well: "information", or cyberspace. The US has also made clear that any cyber attack on its vital infrastructure would be considered an act of war and would invite physical retaliation. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," a military official said, as quoted by the Wall Street Journal.
In May 2010 the Pentagon stood up its new U.S. Cyber Command (USCYBERCOM), which it is now seeking to elevate to be on a par with the other unified commands, reporting directly to the Commander-in-Chief. It also wrote the following into law in the National Defense Authorization Act for Fiscal Year 2012:
SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.
Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests,…
There are some restrictions on such powers, but from what we have seen of the US, its President's powers today are virtually unlimited in terms of waging war. The Libyan military intervention was carried out without any authorisation from Congress. Nor has the US recognised that attacks on civilian infrastructure, which the Natanz facility is, are forbidden under International Humanitarian Law.
Kaspersky and his colleagues have estimated that the Flame virus is 20 times the size of the Stuxnet virus and would have cost about $100 million to develop. It had a number of modules, including one that would delete the virus from the infected machine on receiving a command from its command and control centres. Others have pointed out that forging its way into Microsoft's software update mechanism required cryptographic skills of a high order: Flame used a new variant of the collision attack on the MD5 hash function to obtain a fraudulent certificate that chained up to a Microsoft root, and with it could pose as a Windows Update server on a local network and push itself to other machines as if it were a legitimate Microsoft update. For reasons not known, Microsoft had left MD5 in use in that certificate chain even though the practical forging of certificates through MD5 collisions had been publicly demonstrated in 2008.
The Flame virus was detected after Iran reported to the International Telecommunication Union (ITU) that data was being wiped from computers in its Oil Ministry. The ITU asked Kaspersky Lab, one of the leading anti-virus companies, to investigate; that investigation led to the discovery of Flame, although the wiping itself has not been attributed to Flame. Flame appears, as far as we know today, to be stealing data from computers. It communicated with a set of computers located around the world that acted as its command and control centres, which worked out which machines had been infected, what kind of data they held and which files should be sent back. It could also turn on microphones and record conversations, turn on Bluetooth devices, record keystrokes and so on. Once the detection of Flame became public, the command and control centres issued a command to the virus to self-destruct and went dark.
Kaspersky Lab has now reported that there are sections of code in Flame that are identical to code in an early version of Stuxnet, indicating that the same teams behind Stuxnet were also behind Flame. In other words, Stuxnet was not just one virus but part of a much larger campaign. Earlier, another virus called Duqu, also targeting Iran, had been identified as part of the Stuxnet family.
The Stuxnet virus was very specifically targeted at destroying the centrifuges running at Natanz. Sanger writes in the New York Times that when the US reached an agreement with Gaddafi that Libya would not continue its nuclear weapons programme, the centrifuges Libya had received from the A.Q. Khan network, believed to be identical to those in Iran, were shipped to the US. These were used to plan and physically test the actual attack. The virus attacked the controls of the frequency converters that drive the centrifuges, and therefore the speed of the centrifuges. Those frequency converters were driven by Siemens PLCs, and it was the code on these PLCs, reached through the Windows machines running the Siemens Step7 software used to program them, that was the specific target of the attack. On activation, the virus would repeatedly speed up and slow down the centrifuges, leading to their eventual breakdown, while, according to Sanger's account, feeding normal-looking readings back to the operators so that nothing appeared amiss. It is estimated that about 1,000 of the roughly 9,000 centrifuges at Natanz were affected by Stuxnet and were taken out of service by Iran.
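The attack pattern described above (setpoints driven far outside the normal band, abrupt speed-up and slow-down cycles, and an operator display that keeps showing normal values) is something a plant's own monitoring can be made to catch. The following Python sketch is an added example, not code from the article or from any published Stuxnet analysis. The log format, the drive names, the nominal band of 807 to 1210 Hz, the step and tolerance thresholds and the telemetry itself are all assumptions constructed for the illustration; it assumes the site can log both the setpoint the PLC writes to a drive and the value the HMI displays, so that the two can be compared independently of the PLC.

```python
"""Sanity checks over frequency-converter telemetry, as an illustration of the
kind of manipulation described above (repeated speed-up / slow-down of drives
while the operator display shows nothing unusual).

Everything here is constructed for the example: the log format, the drive
names, the nominal band and the thresholds are assumptions, not data from
Natanz or from any published Stuxnet analysis.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed nominal operating band for the drives, in Hz.
NOMINAL_BAND_HZ: Tuple[float, float] = (807.0, 1210.0)
# Assumed largest legitimate change in setpoint between consecutive samples.
MAX_STEP_HZ = 50.0
# Assumed tolerance between the PLC setpoint and what the HMI shows.
HMI_TOLERANCE_HZ = 5.0
# Number of direction reversals between large steps that we call oscillation.
OSCILLATION_REVERSALS = 3


@dataclass(frozen=True)
class Sample:
    t: int                # seconds since start of the capture
    drive: str            # drive / frequency-converter identifier
    commanded_hz: float   # setpoint the PLC wrote to the drive
    reported_hz: float    # value the HMI displayed to the operator


@dataclass(frozen=True)
class Alert:
    t: int
    drive: str
    kind: str
    detail: str


def parse_log(text: str) -> List[Sample]:
    """Parse lines of the constructed form 't=1 drive=B7 cmd=1410.0 hmi=1064.0'."""
    samples = []
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split())
        samples.append(Sample(int(fields["t"]), fields["drive"],
                              float(fields["cmd"]), float(fields["hmi"])))
    return samples


def detect(samples: List[Sample]) -> List[Alert]:
    """Flag out-of-band setpoints, HMI/PLC disagreement, abrupt steps and
    repeated reversals (speed-up / slow-down cycles), per drive."""
    alerts: List[Alert] = []
    by_drive: Dict[str, List[Sample]] = {}
    for s in samples:
        by_drive.setdefault(s.drive, []).append(s)
    lo, hi = NOMINAL_BAND_HZ
    for drive, seq in by_drive.items():
        seq.sort(key=lambda s: s.t)
        reversals = 0
        last_dir = 0   # +1 rising, -1 falling, 0 no large step seen yet
        for i, s in enumerate(seq):
            if not lo <= s.commanded_hz <= hi:
                alerts.append(Alert(s.t, drive, "out_of_band",
                                    f"setpoint {s.commanded_hz} Hz outside {lo}-{hi} Hz"))
            if abs(s.commanded_hz - s.reported_hz) > HMI_TOLERANCE_HZ:
                alerts.append(Alert(s.t, drive, "hmi_mismatch",
                                    f"PLC wrote {s.commanded_hz} Hz but HMI shows {s.reported_hz} Hz"))
            if i == 0:
                continue
            delta = s.commanded_hz - seq[i - 1].commanded_hz
            if abs(delta) > MAX_STEP_HZ:
                alerts.append(Alert(s.t, drive, "rapid_change",
                                    f"setpoint jumped by {delta:+.1f} Hz in one sample"))
                direction = 1 if delta > 0 else -1
                if last_dir and direction != last_dir:
                    reversals += 1
                    if reversals == OSCILLATION_REVERSALS:
                        alerts.append(Alert(s.t, drive, "oscillation",
                                            f"{reversals} reversals between large steps"))
                last_dir = direction
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts by kind."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


# Constructed telemetry: drive A4 behaves normally; drive B7 is driven between
# an overspeed and near standstill while its HMI value stays frozen at 1064 Hz.
SAMPLE_LOG = """
t=0 drive=A4 cmd=1064.0 hmi=1064.0
t=1 drive=A4 cmd=1065.0 hmi=1065.0
t=2 drive=A4 cmd=1063.5 hmi=1063.5
t=3 drive=A4 cmd=1064.0 hmi=1064.0
t=0 drive=B7 cmd=1064.0 hmi=1064.0
t=1 drive=B7 cmd=1410.0 hmi=1064.0
t=2 drive=B7 cmd=2.0 hmi=1064.0
t=3 drive=B7 cmd=1410.0 hmi=1064.0
t=4 drive=B7 cmd=2.0 hmi=1064.0
t=5 drive=B7 cmd=1064.0 hmi=1064.0
"""


def run_example() -> List[Alert]:
    """Run the checks over the constructed log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"t={a.t:<3} {a.drive} {a.kind:<13} {a.detail}")
```

The point of the HMI comparison is that it must come from a source the PLC cannot rewrite; if the only record of drive speed is the value the PLC itself reports, a compromised PLC can make that record say whatever it likes, which is exactly the blind spot the attack relied on.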
Sanger's reporting also indicates that this was a joint effort of the US and Israel. The US participants blamed the Israeli side for Stuxnet escaping into the outside world. Though Iran had the largest number of infected computers, Indonesia and India also had a significant number of computers infected by Stuxnet.
It has been suggested that one of the reasons for the Fukushima failure was the failure of some Siemens PLCs which might have been affected by Stuxnet, though there is no evidence that I can find of this happening. The issue is not that Fukushima happened because of Stuxnet. Stuxnet's sabotage routine was written to fire only on a very specific PLC configuration, which is why the infections outside Iran caused no known physical damage; even so, when Stuxnet turned rogue and escaped into the "wild", it exposed every machine using Siemens PLCs to unknown dangers. Since PLCs are used in all kinds of plants, including hazardous ones, the US in attacking Iran was putting at risk a huge number of countries and installations. That includes India, which had over 5,000 infected systems.
Is there any international law or treaty regarding cyber war? Russia and China have both argued that space and cyberspace should be treated similarly and prohibited from weaponisation. The US position is that it is too early to talk about cyber war, perhaps because it is the only one waging it. As is well known, the US has also opposed attempts to demilitarise space, believing that it alone has the technology and money to weaponise space successfully. The Star Wars programme, which is still being pursued, is an indicator that the US continues to believe it should dominate space as part of its planned full-spectrum dominance. On cyber weapons it takes the same position: as long as it sees itself having an edge over others, it will continue to oppose any international treaty on cyber weapons.
The only international law we have to go on is the question of whether cyber attacks constitute an act of war under the existing definition, which was written for physical attacks. While theft of data is espionage and can therefore be considered "normal" behaviour of a state, using a cyber weapon such as Stuxnet to physically damage equipment would constitute an act of war on a par with a physical attack. There is no difference in law between damage inflicted by a direct physical attack and the same damage inflicted by a targeted virus. Using a virus to damage physical equipment therefore constitutes an act of war against Iran.
By initiating this new form of attack, the US has deliberately brought a whole new range of warfare and weapons into play. Where the US has led, others will surely follow. As Kaspersky has noted, "I'm afraid that it will be the end of the world as we know it... I'm afraid that very soon the world will be very different." The interconnected world of today is far more vulnerable: just as a banking crash in the US can take down the global economy, so can a few strategically connected computers take down continent-sized grids affecting multiple countries, and likewise the global telecommunication networks. With its limited aim of attacking Iran, the US has just made the whole world an infinitely more dangerous place for all of us.