[ISN] Stuxnet’s Earlier Version Much More Powerful And Dangerous, New Analysis Finds

http://www.darkreading.com/attacks-breaches/stuxnets-earlier-version-much-more-power/240164120

By Kelly Jackson Higgins
Dark Reading
November 20, 2013

The later-discovered earlier iteration of Stuxnet was a far more aggressive, stealthy, and sophisticated attack that could have ultimately caused catastrophic physical damage in Iran’s Natanz facility. So says the expert who deciphered how Stuxnet targeted the Siemens PLCs, after recently reverse-engineering the code and further studying the attacks.

Ralph Langner, head of The Langner Group and a renowned ICS/SCADA expert, today published an analysis of Stuxnet that shines new light on the game-changing cyberweapon. Langner concludes, among other things, that the attackers moved from a more destructive and stealthy payload to a weaker and more easily detected one, and conventional wisdom that it would take a nation-state to use Stuxnet as a blueprint for attacks against U.S. and its allies’ critical infrastructure is incorrect.

One big takeaway from Langner’s new analysis is how the Stuxnet attackers so dramatically shifted gears from a dangerous, aggressive, and hidden attack strategy that wasn’t discovered for at least five years to a louder, more noticeable, and detectable one that burnt multiple zero-day vulnerabilities and used stolen digital certificates.

“What you see today in that analysis is that the first attack was more complex, stealthy, and more aggressive than the second. That is counterintuitive,” Langner told Dark Reading. “So why did the attackers go from the ultimate in stealth and aggression to something that’s much more simple and comes with a much higher risk of detection?”

The first attack was never meant to be detected, nor was it until Symantec found its malware clue tucked among Stuxnet samples. It was a component that didn’t fit with the malware, according to Liam O Murchu, manager of North American operations for Symantec Security Technology & Response.
In February Murchu detailed Symantec’s discovery of what it nicknamed “Stuxnet 0.5,” which dates back to 2005, five years before the later and better-known version of the malware was discovered in 2010. […]