info war

This analysis of Stuxnet, courtesy of Symantec, is quite interesting. The level of resources and competence needed to make this happen points to far more than hackers or criminals. I have said it before. Let there be no mistake: welcome to the world of state-sponsored information warfare.

A few points from the paper on the resources needed to pull this off:

“In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface.”

and

“Attackers would need to setup a mirrored environment that would include the necessary ICS hardware, such as PLCs, modules, and peripherals in order to test their code. The full cycle may have taken six months and five to ten core developers not counting numerous other individuals, such as quality assurance and management.”

and

“In addition their malicious binaries contained driver files that needed to be digitally signed to avoid suspicion. The attackers compromised two digital certificates to achieve this task. The attackers would have needed to obtain the digital certificates from someone who may have physically entered the premises of the two companies and stole them, as the two companies are in close physical proximity.”

What this means is that the team that pulled this off used multiple zero-day vulnerabilities (flaws not publicly known at the time), stole two code-signing certificates from Taiwanese companies so their drivers would load without suspicion, and most probably built a mock-up of the target plant's industrial control systems on which to test their code. This is non-trivial.

Let me leave you with this thought from the paper: “Also, the attackers likely completed their initial attack by the time they were discovered.”

cheers.
