The cyber shot heard round the world

The establishment of international command centers and operations groups focused on cyber security operations was a needed practice in cyberspace defense. The growth and formalization of those organizations, however, did not remain solely focused on defensive postures for long. In the early part of the 2010s, these groups began to be exposed as they engaged in a New Cold War in cyberspace. This clandestine back and forth would soon result in the leaking of some of the most powerful nation state-level weapons in cyberspace becoming commodities on the internet. Commodities that any person, anywhere could access and aim at their intended targets. One of the first, and most impactful, of these nation state cyber weapons to become public was Stuxnet – a US cyber weapon.

While there is no "official" declaration of the Stuxnet worm being a result of any specific US cyber operation, it is widely accepted that this is where the weapon originated. Stuxnet was a direct result of the tensions between the United States and the Iranian government's development of nuclear capabilities that took place in the late 2000s and early 2010s. In order to stop the development of potential nuclear weapons by an openly threatening regime, the US would unleash a new weapon of mass destruction, one built from code.

The development of Stuxnet began in the early 2000s, possibly 2003 or 2004, and took anywhere from a few months to a year to develop. Analysis of the code that operates within Stuxnet indicated that the level of sophistication required for this type of weapon could only come from the global superpower in cyberspace at the time, namely, the US. Given the assumption that the US is that superpower, the only place that has the capabilities to develop that advanced code to enable a weapon as complex as Stuxnet is the NSA.

Prior to late 2009 or early 2010, the NSA did not have a specific mission set that was solely focused or tasked with offensive cyber operations capabilities. Most of the missions within the NSA directorates prior to the establishment of US Cyber Command in 2010 operated as loosely-connected mission sets that often focused specifically on intelligence collection and dissemination. The development of the Stuxnet weapon was in actuality the result of an amalgamation of intelligence collection on possible targets in Iran, and the realization that there was certain vulnerable hardware running in the Natanz nuclear plant that could be exploited.

The NSA's intelligence collection apparatus had managed to collect open source technical information on the providers for the nuclear plant that openly advertised what specific hardware was in use within Natanz. The companies that provided support and hardware to the Natanz nuclear site in Iran noted that they serviced Siemens S7 programmable logic controllers (PLC) as part of their contract with an affiliate provider.

This information, combined with other intelligence resources that were collected via other methods, would be critical to the development and deployment of the Stuxnet worm.

The operation to get Stuxnet installed and launched on internal systems within the nuclear facility was most likely the result of a combined human spying operation via contacts that the CIA had in Iran. Those assets were provided with a USB device that contained the early version of Stuxnet, and with the simplicity of simply inserting that USB into a device that was connected to the Natanz network, the first shot across the bow was fired. The malware worked its way deep into the core of the Natanz network and ultimately found its target: those PLC controllers that control critical functions within the centrifuges that are used for enriching uranium. Slowly and covertly, the malicious code did its job and degraded the facility's ability to further enrich uranium, as the specific speed required for that precise process was impacted. Other nation-states, namely Unit 8200 in Israel, have also been either blamed for the Stuxnet attack or have been implicated as possibly being tied to the malware's installation on Iranian target networks. Regardless of who specifically launched the attack, the results were undeniable. Physical systems, those that enriched uranium, were afflicted and were damaged. This caused a degradation in the Iranian nuclear program's efficiency and capability and did impact their ability to gain specific nuclear capabilities at the time.

However, this weapon did not simply stop at its intended target. Research following the attacks on the Natanz nuclear facility by Symantec indicated that over 100,000 unique Internet Protocol (IP) addresses had seen or been exposed to versions of the Stuxnet virus. Although Stuxnet was a weapon that was aimed at a very focused scope for its operations, it would not take long for that weapon to expand beyond the bounds of the Iranian networks. The methods and tactics that the weapon used to proliferate within the Iranian network, where most machines were running MS Windows software, meant that should that malware be exposed to vulnerable machines outside of those networks, it would replicate and move across the globe. Which was exactly what happened.

Over 40,000 other infections related to signatures of Stuxnet were noted "in the wild" up to three years after the Natanz attacks, and three different specific variants of the malware were found by researchers in countries as far away as Taiwan.

For the next seven years, different variants of the Stuxnet weapon were found in a variety of different organizations across the globe. Duqu, a different but closely technically-related version of Stuxnet, was discovered in 2011 in Budapest. Duqu had many of the very same technical components as the Stuxnet tool, but Duqu was more vectored to collect information, including keystrokes, rather than being built to destroy a system physically. Flame, another closely tied technical variant of Stuxnet, was discovered in 2012. Again, Flame contained identical portions of the Stuxnet code and protocols, but Flame was modified for collecting and recording voice and chat conversations, including Skype calls.

As late as 2017, Triton, yet another variant of Stuxnet's original tooling, was found lurking in systems far beyond Iranian nuclear networks. Triton was modified to disable safety systems in petrochemical plants that used variations of the same Siemens S7 PLC controllers. It was dubbed "the world's most murderous malware" by researchers. Triton's focus on disabling safety controls meant it could cause explosive control failures in chemical plants. While Stuxnet was most likely, and by all accounts, a US cyber weapon, its variants were not exclusive to the US or its allies. Follow-on research from the cyber firm FireEye attributed Triton to Russian organizations. Duqu was noted to likely have originated in the Middle East. And Flame still has no real specific point of origin, but some organization had to have manufactured it.

That first attack with a targeted well-built cyber weapon was the first strike in a covert war whose weaponry spilled outside of the target area. That weapon, Stuxnet, was the first purpose-built piece of nation state cyber weaponry that the world became aware of. And its use spawned variants and attack tools that are in use by cyber warfare operators far beyond the realm of its original intended area of operations.