Hm. Stuxnet feels less like a normal software project, and more like a NASA mission.

Something like a botnet can run updates and patches, and you have a much easier time iterating, optimizing and also failing in less than catastrophic ways. Sure, you lose some nodes, but you infect some nodes, so be it.

Something like Stuxnet is more like the Mars rover. You eventually fire it off, and then it has to work correctly autonomously. Once the boosters are going, you cannot fix it anymore. Once Stuxnet is in that facility, there are no more patches. It has to work. And if it's discovered, you've probably blown your only chance.

In such a setup, simplicity and options with known and explored failure modes are good.
No, it is amazing, and the author is missing out on understanding why: it does not need to have passed an architectural and design review if it manages to accomplish its goal(s).

Ironically, the author focuses on 'hiding the payload' as the thing that makes it embarrassing, as though that is self-evident.
Hiding and obfuscating the payload is pointless in this case. The author doesn't seem to understand the reasons why a group would go through the trouble of obfuscation or other similar techniques.

Stuxnet was a one-time operation with a very limited opportunity window. Target systems were airgapped. A large part of the success of the operation relied on a human penetrating that air gap. A successful operation would be attributed to either Israel or the USA immediately. What is the benefit of obfuscation?
My impression at the time was that the code was developed by separate teams who did not necessarily know what they were working on, and then integrated by someone cleared for at least part of the real operation. I speculated that the people responsible for deploying it would have been in the tactical area of a HUMINT agency that was more indexed on direct outcomes than on using techniques <i>any</i> more sophisticated than were strictly necessary to accomplish their specific objective, as why risk or waste the advantage of shipping something with additional tradecraft baked into it?

I remember thinking they could have at least used hashes of registry entries to detect the modules they were looking for if they wanted to protect the identity of the target, but then again, the processor load of the hashing operations would have been a significant IoC. Stuxnet was a straight tactical hack to solve a specific problem, which was to delay that nuclear program. It was not just a threat or demonstration of capability to serve as a deterrent.

An example of a demonstration of capability was the Silk Road arrest, where the FBI mainly used it as a signal to create uncertainty about the absolute security of Tor hidden services, so that people understood they did not have impunity. They didn't break Tor, but they showed Tor wouldn't protect you if they wanted you. Stuxnet wasn't about demonstrating that they could get at you; it was to delay the nuclear program to give time to negotiations and potential outcomes other than Iran achieving a weapons program.

What we call 'cyber' now is in support of variously tactical and strategic objectives, and while the criticisms of the code are valid, it's worth evaluating the tools in that higher-level, more abstract context as well.
This is a whole thread of people taking a blog post from a decade ago out of context. Nate Lawson's blog had two major beats, cryptography and content protection (Lawson, an old-school vuln researcher, co-created the Blu-ray BD+ content protection system at Cryptography Research).

It's probably hard for people today to remember this, but in the heyday of "the blogosphere", blogs bounced stories back and forth between them the way you would Twitter threads today. Stuxnet was a topic like that. Lawson was just tying it to the stuff he wrote about.

We've all read Kim Zetter's book by now. Instead of bouncing thoughts she's already written about off the post (thoughts the author probably by now agrees with?) you'd do better to actually <i>follow the links</i> in the post back to Lawson's earlier posts about obfuscation, reversing, and content protection. They're still extremely interesting.

Regardless: saying that you have a better take on Stuxnet in 2022 than Nate Lawson did in 2011 is kind of an embarrassing flex.
This article seems like a lot of "Stuxnet didn't do enough to hide", but the author misses the fact that it didn't <i>need</i> to hide, judging from the fact that it worked.

If it's stupid but it works, it's not stupid. The author is missing the point by lambasting Stuxnet for not having a feature it didn't need.
Stuxnet was a reckless operation concocted by a small group of American and Israeli spies and hackers who thought the whole thing would remain secret forever. The recklessness involved setting a precedent by targeting industrial control systems for physical destruction, and also the release of the package to spread over the internet with no external controls. See (May 2021):

https://verveindustrial.com/resources/blog/what-is-stuxnet/

> "This second Stuxnet variant likely did not propagate from an initial infection on a susceptible PLC or controller, but rather gained access to one commodity Windows system through the use of zero-day exploits. From that one infected commodity Windows host, the malware moved laterally from one Windows box to another across the unsegmented network."

Once it had been done once, similar attacks followed by other nation-states:

> "From a historical perspective, the Stuxnet worm signaled that well-equipped, nation-state-sponsored actors possessed advanced capabilities that would set the stage for more serious cyber-physical attacks such as those in Ukraine, Estonia, and Saudi Arabia."

I suppose one positive effect has been the upgrading of security for everything relying on industrial control systems and PLCs, from nuclear reactors to railways to water supply systems.
I'm surprised this article is still making its rounds. Two points have always stood out to me:

1) You never empty the barn on a nation-state attack. If you know the systems you're targeting are primitive, you don't go in with the F-35 of initial compromise schemas. Aim for +10 over the enemy's ability to counter, not +1000.

2) The level of overestimation of federal cyber weapons is too damn high. Is it impressive? Absolutely. Is it the best? No. Check in with your private Israeli intel firms for that kind of James Bond stuff. What sets nation states apart is their ability to acquire and perform highly redundant and critically targeted attacks. The NSA would be hamstrung without the cooperation of the CIA and so on. It's not technical prowess, it's money and coordination.
The idea of "secure triggers" seems like it wouldn't work here. Your options are:

- have a large enough set of input parameters that it's infeasible to guess-attack them, but risk even just a single parameter not being correct in your target system and therefore your payload never executing (completely undermining the entire operation)

- your key space has enough variability input to prevent the above, making it easy to guess or brute-force, and revealing the payload trivially.

Also, it would either way be easy for your target to reverse because they have full access to the target parameters.
It is not just that it was unnecessary to do more; it would have been harmful. Stuxnet was always going to be dissected after the attack; why give away all your best techniques?
Something new here?

Lots of other Stuxnet articles/revelations.

Here's some previous discussions:

<i>11 years ago</i> https://news.ycombinator.com/item?id=2112919

<i>3 years ago</i> https://news.ycombinator.com/item?id=21432467
So imagine the scenario if Iran made Stuxnet against Israeli nuclear facilities, let alone American ones.

Imagine the outrage: "how dare you" and "attack on the constitution and national integrity of the country" and "casus belli", among other things. But it's being made out as an achievement. Isn't this American propaganda?
It still got a job done. Embarrassing that people found out because the Israeli side screwed up. But this is how cyber attacks will be... They make some impact. Then everyone learns the tech used. Then everyone secures the vector they used. Rinse and repeat. Used too often, and all attack vectors will be closed.
> It does not use virtual machine-based obfuscation, novel techniques for anti-debugging, or anything else to make it different from the hundreds of malware samples found every day.

Being just like hundreds of other malware seems to be a pretty good idea. Blending in is a big part of spy tradecraft.
If Stuxnet was made to stop Iran from getting nuclear weapons, here's a headline from <i>today</i> (which may btw be the reason why articles on Stuxnet are reappearing now):

<i>"Iran is closer than ever to a nuclear weapon as Biden runs out of options"</i>.
> It does not use virtual machine-based obfuscation, novel techniques for anti-debugging, or anything else to make it different from the hundreds of malware samples found every day.

Okay? … simplicity is a virtue.

They also addressed that, to where we don't know what most of their malware even does:

>> The name originated from the group's extensive use of encryption. By 2015, Kaspersky documented 500 malware infections by the group in at least 42 countries, while acknowledging that the actual number could be in the tens of thousands due to its self-terminating protocol.

> The longer they remained undetected, the more systems that could be attacked and the longer Stuxnet could continue evolving as a deployment platform for follow-on worms.

Stuxnet wasn't meant as a long-term penetration: they hit a specific target with a one-time cyber weapon.

For reference, when their tools leaked in 2016, exploits from 2013 were still zero-days.

>> In August 2016, a hacking group calling itself "The Shadow Brokers" announced that it had stolen malware code from the Equation Group. […] The most recent dates of the stolen files are from June 2013, thus prompting Edward Snowden to speculate that a likely lockdown resulting from his leak of the NSA's global and domestic surveillance efforts stopped The Shadow Brokers' breach of the Equation Group.

Source:

https://en.wikipedia.org/wiki/Equation_Group
Unfortunately this sounds like fairly typical armchair commentary from someone who doesn't understand the decisions around building and deploying something like this at this scale...

Sometimes, yeah, you need to rush things because your window of opportunity is now or never.
Well, I thought it was pretty impressive. Maybe I'm just a rube though.

Also, with this encryption-based approach, at some point the code needs to run on the systems it targets. So if someone is affected by your payload, by definition they can observe a key that unlocks the payload.