
Why Iran Didn't Admit Stuxnet Was an Attack

By GARY D. BROWN

In July 2010, news broke that a new computer virus had been discovered. To casual observers, it probably elicited little more than a yawn. After all, there seems to be a new "cyber threat" reported every day. The detection of new computer viruses is announced routinely. In most cases, by the time the event is publicized, the major antivirus manufacturers have already developed a patch to address whatever software flaw the virus was designed to exploit.

To more experienced cyber players, however, this July 2010 event was far from routine. "Stuxnet," as the virus came to be known, was far more complex than run-of-the-mill tools. The complicated and powerful code was a self-replicating worm that targeted programmable logic controllers (PLCs), the simple computers used to perform automated tasks in many industrial processes. PLCs are part of industrial control systems, most commonly referred to as Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems are critical to the modern industrial world, controlling such things as water plants, auto manufacturing, and electrical power grids.

Stuxnet could not spread directly through SCADA systems. It propagated over computers running the Windows operating system. From there, it searched for a certain computer-to-SCADA interface system. If the interface was present, Stuxnet was programmed to determine if it could target a PLC—but not just any PLC. Stuxnet singled out PLCs made by a single manufacturer.1

The Stuxnet code showed up on computer systems around the world, where it parked on hard drives, remaining inert if it did not find what it was seeking. The numbers indicate it was aimed at Iran; nearly 60 percent of reported Stuxnet infections occurred on systems in Iran.2 In fact, at least one system Stuxnet was programmed to target controlled centrifuges critical to the production of nuclear material. It appears that Iran's uranium enrichment facility at Natanz was the specific target.3 After Stuxnet became public, Iranian officials issued a statement that the delay in the Bushehr nuclear power plant being operational was based on "technical reasons," but did not assert it was because of Stuxnet.4 At a news conference, President Mahmoud Ahmadinejad stated that malicious software damaged the centrifuge facilities, although he did not specifically mention Stuxnet or Natanz.5 The passive posture it took on Stuxnet indicates Iran concluded that a public statement that it had been the victim of a cyber attack would not have been in its best interest. This article examines some of the possible reasons why Iran may have drawn this conclusion.

Before Stuxnet, the most notable actions in cyber were probably the events in the

Colonel Gary D. Brown, USAF, is currently serving as the senior legal advisor in U.S. Cyber Command.

JFQ / issue 63, 4th quarter 2011 / ndupress.ndu.edu

Republic of Georgia and in Estonia. Neither rose to the level of a cyber attack. In Georgia, distributed denial-of-service (DDoS) assaults on Georgian Web pages began in about mid-July 2008. Three weeks later, the assaults significantly increased and were accompanied by the Russian military crossing the border into South Ossetia, a Georgian province.6 Ultimately, the conflict resulted in over 1,000 casualties and tens of thousands of displaced civilians. The cyber portion of the armed conflict in Georgia did not meet the common definition of an attack and, in any event, paled beside the destruction and death resulting from the invasion.

The situation in Estonia in 2007 was different in that it was not accompanied by a kinetic event. After the Estonian government relocated a World War II–era Soviet statue from the center of Tallinn to a military cemetery, Russian "hacktivists" (motivated by patriotism or ideology) began to launch denial-of-service and DDoS actions against Estonian Web sites. Ultimately, the activity resulted in making government, banking, and many other commercial Web sites unavailable to Estonians.7 Estonia contacted the North Atlantic Treaty Organization (NATO) to ask for support, but was rebuffed. There was agreement that, as serious as the cyber action was, it did not qualify as a cyber attack. The Estonian experience led to the conclusion that NATO simply does not consider cyber action worthy of being called an attack. For NATO, an attack would trigger a potential self-defense response by the Alliance. "Not a single NATO defence minister would define cyber-attack as a clear military action at present."8 However, NATO's position on aggressive cyber activities may be changing.9

There were initial indications after the discovery of Stuxnet that Iran might state the obvious. In the immediate aftermath of the Stuxnet event, an Iranian official indicated Iran had come under "cyber attack," but he was quickly silenced. Since then, there has been no further indication of how the event would be characterized in Iran.

Although there is no formally agreed-upon definition of cyber attack, most scholars would define it in a manner similar to a more traditional, physical attack. A common definition of cyber attack is "a cyber operation which is reasonably expected to cause death or injury to persons or damage or destruction to objects."

The Stuxnet event was as clearly a cyber attack as any publicly announced event to date. Intentionally designed malware directed against a nation-state resulted in the physical destruction of state-owned equipment.10 The centrifuges were destroyed as effectively as if someone had taken a hammer to them,11 and these were not just random bits of equipment. The destroyed centrifuges were a critical component of Iran's nuclear ambitions.12 Whether the rest of the world likes it or not, Iran is working toward an independent nuclear capability. Another nation interfering with that clearly infringes on Iranian sovereignty. That means that not only was Iran attacked, but also the attack resulted in injury to a significant aspect of government policy.

Iran's "non-position" on the Stuxnet event has been frustrating to practitioners in the field of cyberspace operations. Finally, there was a well-documented, unambiguous cyber attack to dissect! And yet there was little official discussion of the issue because Iran passed up its opportunity to complain of an unjustified attack.

It is unusual that a nation would be attacked and not be willing to state as much. The community of nations (for example, the United Nations, the Arab League, or some other international organization) may be reluctant to tell a nation it has been attacked when it apparently feels otherwise. After all, if a nation does not feel it has been wronged, it is not really within the purview of the international community to try and convince it otherwise. This unusual situation is perhaps unique to cyber. It is difficult to interpret artillery bombardments or invasions by troops as anything other than attacks. However, in the cyber arena, there is a danger to the international community in this benign neglect.

The problem with turning a blind eye to the event is that, not only was Stuxnet an attack, it also was quite possibly an illegal attack under international law. In addition to violating the general prohibition against a use of force against another nation, this event arguably violated the law of war. The law of war requires that attacks be discriminatory, meaning they must be directed against military objectives only. Stuxnet was a self-replicating worm. It contained certain controls, but demonstrably not enough to prevent it from inserting itself into civilian systems around the world.

Iranian Motivations

What would motivate Iran not to just admit it was attacked? As the victim of an attack, it could possibly have gained support from the international community. At a minimum, it might have hoped for statements of condemnation to dissuade future similar attacks against it.

Discussed below are several reasons Iran might have chosen not to declare Stuxnet an attack. Although I have no insight into why Iran chose this course of action, I discuss the possibilities basically in order of probability, starting with the most probable.

Embarrassment. It is possible Iran is simply ashamed that it lost a significant portion of its hard-obtained ability to create nuclear weapons material to a computer bug, especially when it portrays itself as having a significant cyber capability of its own.13 Furthermore, to make things worse, the most commonly suggested perpetrator of the event was Iran's archenemy, Israel.

A video screened at the retirement party for the head of the Israeli military indicated at least some level of involvement by Israel in the cyber attack on Iran's nuclear program: "The video of Lieutenant General [name omitted]'s operational successes included references to Stuxnet, a computer virus that disrupted the Natanz nuclear enrichment site [in 2010]."14

Irrelevance. Iran may have felt that its complaints would not be taken seriously since it is already on the outs with the international community over its nuclear program: "The United Kingdom and many other countries have serious concerns about the Iranian Government's policies: its failure to address serious international concerns about its nuclear programme; its support for terrorism and promotion of instability in its region;

and its continued denial of the human rights to which its own people aspire and which Iran has made international commitments to protect."15

According to an article in the New York Times, "The United Nations Security Council leveled its fourth round of sanctions against Iran's nuclear program on Wednesday, but the measures did little to overcome widespread doubts that they—or even the additional steps pledged by American and European officials—would accomplish the Council's longstanding goal: halting Iran's production of nuclear fuel."16

Besides, even if Iran had been able to convince the United Nations it ought to take action, the chances are slim that any action against, or even condemnation of, Israel would survive a journey through the Security Council.

Preserving Future Options. Iran cannot hope to compete in the traditional military sphere with the West, so it is apparently attempting to level the playing field by developing a nuclear capacity. Similarly, it may be hoping to develop an asymmetric cyber attack ability for the same reason. There are reports this is the case.

General Ali Fazli, acting commander of the Basij, was quoted by Iran's state-owned newspaper as saying Iran's cyber army is made up of university teachers, students, and clerics. He said its attacks were retaliation for similar attacks on Iran, according to the semi-official Mehr news agency. There were no further details about the possible targets or the time of the attacks:

Iranian hackers working for the powerful Revolutionary Guard's paramilitary Basij group have launched attacks on websites of the "enemies," a state-owned newspaper reported Monday in a rare acknowledgment from Iran that it's involved in cyber warfare. . . . "As there are cyber attacks on us, so is our cyber army of the Basij, which includes university instructors and students, as well as clerics, attacking websites of the enemy," Fazli said. "Without resorting to the power of the Basij, we would not have been able to monitor and confront our enemies."17

[Photo, credit Agência Brasil: Iranian President Mahmoud Ahmadinejad claimed Stuxnet virus did not affect nuclear operations]

A similar consideration might just be called "unclean hands." If a country is up to anything it should not be doing, its government might not feel it prudent to complain when the cookie jar lid pinches its fingers. For example, an alleged Soviet pipeline explosion reported in the early 1980s may have qualified as a cyber attack—but one that was possible only because the Soviets had stolen infected pipeline management software from Canada.18 As a result, even if the Soviet Union realized it had been "victimized," it may not have been inclined to complain.

Belief the Action Was Legal. Although most legal experts would conclude that an offensive cyber action resulting in the physical destruction of property is an attack, there is no definitive evidence on the topic. We have little insight into what Iran believes is the state of play on cyber legality. From the inaction of the community of nations, we can infer there are no international restrictions on purely cyber activities. Moreover, other than the legally unchallenged Stuxnet, there is no indication that it is lawful to actually destroy things in another country—even if the destruction is caused by a purely cyber event.

Difficulty of Attribution. It is the nature of cyberspace and the Internet that makes it challenging to find out who is responsible for any given action. Appropriated computers, intermediate hop points, and many other techniques make it tough to know the origin of an activity, much less the originating actor. In this case, although Iran may feel there are some obvious suspects, they may not be able to prove who was behind Stuxnet.

One example of how the Internet has created new challenges in attribution is the rise of independent actors on many levels. Cyber techniques now allow coordination between actors, so action can be more effective and devastating, but the risk of discovery is smaller.

Of particular note are the hacktivists, who began to garner notice in 2007 with events in Estonia, followed by other significant activity in Lithuania and Georgia the following year. In a wonderful example of blurring the line between state policy and independent criminal actors, a group known as StopGeorgia facilitated the cyber assault on Georgia. This group of nationalistic hackers provided DDoS kits to novice hackers, along with lists of Georgian targets. They also offered more sophisticated malware, complete with instructions on how to employ it. These services were available to anyone who went to the group's Web site.19

Not all hacktivists are Russian, however. The Web site WikiLeaks accepts and publishes sensitive information "leaked" to it by members of the public. After the site published classified documents that had been stolen from the U.S. Government, many private companies in the United States took steps in an attempt to make WikiLeaks less effective. Most of the actions were taken by financial companies that refused to process payments for WikiLeaks.20 As a result of the financial companies' actions, the loosely affiliated group Anonymous responded by freely distributing downloadable malware with instructions on how to use it to harm the targeted companies.

The activity reported to have been taken by Anonymous hacktivists did not result in physical damage to computers. Even if it had, however, it may not have made sense to treat the action as a cyber "attack" because the perpetrators were individual civilians, acting only under suggestion from a higher organization. Because it is often impossible to know the individuals behind a nefarious cyber action, at least in real time, some countries are more comfortable treating all cyber events as criminal cases rather than potential acts of war. This may be how Estonia viewed the action against it in 2007: "It was clear to the Estonian

authorities that the cyber attacks could—and should—be treated as cyber crime."21 On the other hand, even Estonia might see things differently if the "cyber attack" were destructive—like Stuxnet—rather than a denial-of-service attack or something similar.

As a subset of this rationale, in the […] possible (although it has not been widely suggested) that Iran itself concocted the Stuxnet scheme to make it appear a victim of Western powers, while at the same time providing an […] theory is purely speculative, and no evidence is offered to support it.

[…] apply to Iran's motivation in this case. Even if they are not relevant in the case of Stuxnet, […] sense of cyber operations.

Fear. In theory, a country could be afraid of the reaction of the adversary to being called out. A cyber adversary might suddenly decide more aggressive options were in order if they were caught in the act. However, the circumstances here make it unlikely that fear played a role in Iran's decision.

Deception. It is possible the victim of a […] of the attack a secret. The offended nation may want to gather intelligence on adversary tactics, for example. This constraint would probably disappear once the attack becomes […]

Overcome by Events. If a cyber attack occurs in the context of kinetic activities, it may not merit mention. This is similar to […]tion did not merit much attention—although that case did not rise to the level of cyber attack. This is also what happened when Israel […]

[…] enough evidence to establish conclusively that Israel was responsible. Even if it had, no effective action was likely to survive contact with the United Nations Security Council.

It is unfortunate that the clearest example of cyber attack appears to have passed by without a conclusive determination, […]ment from the victim country. Stuxnet may now fade into the sunset like so many other offensive actions that were famous in their day—[…], Moonlight Maze, Operation […] uncategorized cyber action, and we may have missed our best opportunity to begin […]

So far, the customary practice of nations in cyberspace seems to be, "Do unto others […] a major player like the United States suffers a catastrophic cyber event, it appears likely to stay that way. JFQ

NOTES

1 Seán P. McGurk, Department of Homeland Security, statement before the U.S. Homeland Security and Governmental Affairs Committee, […]

2 Michael Joseph Gross, "Stuxnet Worm: A Declaration of Cyber-War," Vanity Fair (April 2011); Symantec, "W32.Stuxnet," September 17, 2010.

3 Yossi Melman, "Computer virus in Iran actually targeted larger nuclear facility," Haaretz.com, September 28, 2010.

4 See Ministry of Foreign Affairs, Islamic Republic of Iran, weekly briefing, October 5, 2010.

9 "Defence Ministers Approve Cyber Defence Concept and Take Next Step in Defence Reform," March 10, 2011.

10 Sharon Weinberger, "Is This the Start of Cyberwar?" Nature, June 9, 2011, 142.

11 Ibid., 143. Also see Jeffrey Carr, "What Is Cyberwar?" August 12, 2011.

12 Gross.

13 "Commander Stresses Iran's Capability to Repel Cyber Attacks," July 8, 2011.

14 Christopher Williams, "Israeli Security Chief Celebrates Stuxnet Cyber Attack," The Telegraph, February 16, 2011.

15 UK Foreign and Commonwealth Office, "Britain's Relations with Iran."

16 Neil MacFarquhar, "U.N. Approves New Sanctions to Deter Iran," New York Times, June 9, 2010.

17 Nasser Karimi, "Iran's Paramilitary Launches Cyber Attack," March 14, 2011.

18 Richard A. Clarke, Cyber War: The Next Threat to National Security and What to Do About It (New York: Ecco/HarperCollins, 2010), 93.

19 The group's Web site was available at […]. Jeffrey Carr, "The Rise of the Non-State Hacker," Inside Cyber Warfare (2010), 15.

20 Fahmida Y. Rashid, "PayPal, PostFinance Hit by DoS Attacks, Counter-Attack in Progress," available at <[…]com/c/a/Security/PayPal-PostFinance-Hit-by-DoS-Attacks-CounterAttack-in-Progress-860335/>.

21 Tikk, Kaska, and Vihul, 25.

22 David Eshel, "Cyber-Attack Deploys […]," available at <[…]story_channel.jsp?channel=defense&id=news/dti/2010/09/01/DT_09_01_2010_p42-248207.xml>.

23 Kevin Hall, "The 7 worst […] in […]," available at […]
