http://www.darkreading.com/attacks-breaches/stuxnets-earlier-version-much-more-power/240164120
By Kelly Jackson Higgins
Dark Reading
November 20, 2013
The later-discovered earlier iteration of Stuxnet was a far more
aggressive, stealthy, and sophisticated attack that could have ultimately
caused catastrophic physical damage in Iran's Natanz facility. So says the
expert who deciphered how Stuxnet targeted the Siemens PLCs, after
recently reverse-engineering the code and further studying the attacks.
Ralph Langner, head of The Langner Group and a renowned ICS/SCADA expert,
today published an analysis of Stuxnet that shines new light on the
game-changing cyberweapon. Langner concludes, among other things, that the
attackers moved from a more destructive and stealthy payload to a weaker
and more easily detected one, and conventional wisdom that it would take a
nation-state to use Stuxnet as a blueprint for attacks against U.S. and
its allies' critical infrastructure is incorrect.
One big takeaway from Langner's new analysis is how the Stuxnet attackers
so dramatically shifted gears from a dangerous, aggressive, and hidden
attack strategy that wasn't discovered for at least five years to a
louder, more noticeable, and detectable one that burnt multiple zero-day
vulnerabilities and used stolen digital certificates. "What you see today
in that analysis is that the first attack was more complex, stealthy, and
more aggressive than the second. That is counterintuitive," Langer told
Dark Reading. "So why did the attackers go from the ultimate in stealth
and aggression to something that's much more simple and comes with a much
higher risk of detection?"
The first attack was never meant to be detected, nor was it until Symantec
found its malware clue tucked among Stuxnet samples. It was a component
that didn't fit with the malware, according to Liam O Murchu, manager of
North American operations for Symantec Security Technology & Response. In
February Murchu detailed Symantec's discovery of what it nicknamed
"Stuxnet 0.5," which dates back to 2005, five years before the later and
better-known version of the malware was discovered in 2010.
[...]
--
Dean Bushmiller teaches a great 5-Day CISM in Albany NY Dec. 2 6.
Call 327-937-9786 for details.
