It is initially spread using infected USB flash drives and then uses other exploits to infect other WinCC computers on the network. Once inside a system, it uses the software's default passwords to issue commands to it. Siemens, however, advises against changing the default passwords because doing so “could impact plant operations”. The complexity of the software is very unusual for malware. The attack requires knowledge of industrial processes and an interest in attacking industrial infrastructure. The number of zero-day Windows exploits used is also unusual: zero-day Windows exploits are valuable, and crackers do not normally spend four different ones in the same worm. Stuxnet is unusually large at half a megabyte, and is written in several programming languages (including C and C++), which is also irregular for malware. It is digitally signed with two authentic certificates stolen from two certification authorities (JMicron and Realtek), which helped it remain undetected for a relatively long period of time. It can also update itself over a peer-to-peer mechanism, allowing it to be updated after the initial command-and-control server was disabled. These capabilities would have required a team of people to program, as well as to check that the malware would not crash the PLCs. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years.
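The stolen-certificate detail above is the one a defender can act on: a cryptographically valid signature does not establish trust once the signing key has been stolen. The following is an added example, not code from the post and not Siemens' or any vendor's tooling. It triages an inventory of signed binaries against a list of compromised signing identities and returns a verdict per file. The record layout, the file names, and the compromise dates are constructed assumptions; only the two company names come from the post.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SignedBinary:
    """One entry from a driver/executable inventory (constructed record layout)."""
    path: str
    signer: str            # subject name on the signing certificate, "" if unsigned
    signature_valid: bool  # True if the signature chain verified to a trusted root
    signed_on: date        # date taken from the signature's timestamp


# Constructed sample list: signing identities reported stolen, mapped to the
# date from which anything they signed is presumed attacker-controlled. The
# names come from the post; the dates are placeholders, not incident data.
COMPROMISED_SIGNERS = {
    "Realtek Semiconductor Corp.": date(2010, 6, 1),
    "JMicron Technology Corp.": date(2010, 7, 1),
}


def triage_one(binary, compromised=COMPROMISED_SIGNERS):
    """Return 'allow', 'review' or 'block' for a single inventory entry."""
    if not binary.signature_valid:
        return "block"       # unsigned or tampered: a kernel driver should never load like this
    cutoff = compromised.get(binary.signer)
    if cutoff is None:
        return "allow"       # valid signature from an identity with no known compromise
    if binary.signed_on >= cutoff:
        return "block"       # cryptographically valid, but produced with a stolen key
    return "review"          # signed before the theft; confirm the hash against vendor media


def triage(inventory, compromised=COMPROMISED_SIGNERS):
    """Map every path in the inventory to its verdict."""
    return {b.path: triage_one(b, compromised) for b in inventory}


# Constructed inventory: four made-up files, one for each branch above.
SAMPLE_INVENTORY = [
    SignedBinary("drivers/vendor_ok.sys", "Example Vendor Inc.", True, date(2010, 1, 10)),
    SignedBinary("drivers/suspect_a.sys", "Realtek Semiconductor Corp.", True, date(2010, 6, 20)),
    SignedBinary("drivers/legacy_b.sys", "JMicron Technology Corp.", True, date(2009, 1, 5)),
    SignedBinary("drivers/broken.sys", "", False, date(2010, 3, 3)),
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:<6} {path}")
```

The separate "review" verdict exists because a signature timestamp issued by a timestamping authority cannot be back-dated by whoever stole the key, but the compromise date itself is usually an estimate, so files signed earlier are checked against a known-good hash rather than trusted outright.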
Which is all very technically interesting. But from a foreign policy standpoint, who launched it, aiming at what, and for what purposes is even more interesting to me. Was it the US or Israel using a cyber attack to accomplish what an air raid on Iranian nuclear facilities couldn’t – and with less PR blowback? If so, is it comparable to a covert ops team sneaking into the country and blowing up the plant with C-4? What retaliation can we anticipate from Iran, perhaps an increase in coordinated Green Zone attacks? Of course the nature of cyberwar puts it more in the dark arts than clear conventional attacks – what are the ramifications if Russian programmers are running a false-flag operation to get Iran to think the US or Israel is attacking it? Is it a warning of “we could do more, at any time” – the equivalent of waking up to find your prized horse’s head in your bed? The opaqueness makes it difficult for public debate – do cyberattacks fall under the War Powers Act? Does a cyber unit in Virginia that spends 60 days building a virus to take out an Iranian nuke facility constitute “armed forces” “remaining for 60 days” in hostile actions? What if, instead of a released virus, it’s a long-term series of coordinated attacks (similar to what the Pentagon is suffering)? My quick summation is that this still falls under covert action – and, as with any covert action, it requires the careful balancing of secrecy and transparency. You can’t compromise a covert mission, but correspondingly, if covert missions precipitate an overt war – or even a covert war – we need a method by which there is input, at least from Congress.
All of this plays into my concept of formless warfare, from Sun Tzu’s quote: “Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of the opponent’s fate.” – a concept I’ll get into more later. But formless warfare is a new and emerging way for big countries to attack one another in this nuclear-armed age. It is separate, unique, and inherently different from the COIN actions of the GWOT, and also separate and different from territorial considerations such as the Erythrian Theater (which overlaps with but is itself different from the War on Terror). Formless warfare is a return to “big player” power politics – akin to late-19th/early-20th-century “board setting” between the major powers in Europe – when conventional forces were used to exert national policy. Two global wars and nuclear arms later, you can no longer use conventional forces in that way. Unconventional forces are useful in proxy-fight states, but their utility goes way down in an opposing nation state. In formless warfare, however, you use indirect or untraceable actions such as economic policy (currency manipulation, economic pressures and trade disputes), territorial disputes (through public forums) and cyberwar, jointly deployed to achieve aims that conventional forces or covert ones could not. Unlike conventional warfare, where nation states are no longer favored against smaller states (due to international pressures, treaties, and insurgency challenges), and unlike nuclear options, which aren’t necessarily viable, formless warfare allows top-power nation states to “punch at their weight” against other top-power nation states and absolutely clobber smaller states. (See also China’s de facto isolation of Tibet using economic policy.)
I think Stuxnet may be the first opening gambit of formless warfare that we know about, where the US might actually be counter-punching at its weight on a smaller opponent – kind of like telling Iran: look, maybe we can’t send a flight to bomb your nuclear facilities, but we can still “get” you.
Either way, it’s interesting. I’m not sure we’ll see an Iranian nuclear facility blow up on TV as a result of Stuxnet, and I doubt we’ll ever know for sure who launched it, or what its launch has produced in counter-attacks – hence “formlessness”.