Analysis of Stuxnet malware (and implication of Cyber Warfare) (langner.com)
41 points by bigmac on Sept 16, 2010 | hide | past | favorite | 8 comments



This malware uses four 0day vulnerabilities, stolen device driver certs, and specifically targets industrial control systems. I'll be very interested to see who it turns out was the target of this attack.

Some more info here: http://www.symantec.com/connect/blogs/stuxnet-introduces-fir...


I read that article and I'd really like to read more about this part:

"A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly 'Trojanized' to function properly and only some time after installation instruct the host system to increase the pipeline's pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb."

EDIT:

Found the story, it might not be entirely true: http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage


Wow, this is some next-generation William Gibson-esque shit right here.

As far as who it's attacking, if the PLC payloads could be unencrypted it might reveal that they attack a certain kind of device, or perhaps in a certain installation or configuration. Finding out exactly what those payloads are doing will be the most interesting, and revealing, of all. The Symantec article says that the payloads have changed over time, as well.


It's impossible to identify any one target as being "the one" that Stuxnet was after like the author tries to do in this article. There were tens of thousands of Stuxnet infections spread throughout the Middle East and Europe at the time it was discovered. Stuxnet is a piece of malware, it's reusable, and it was clearly a component of many successful intrusions into control system networks rather than part of a single attack.


Do you know if it has a command and control component? This author's analysis seemed to indicate that it was relatively simple, which seemed to be why he thought it was so focused. Given that it is going to be easy to patch, it will likely have a short lifetime, no?


Yes, it has a C&C component. Symantec and others published a very thorough analysis of it near when Stuxnet was first discovered.

Why do you think that it will have a short lifetime? Just because a patch is available, doesn't mean that it's been applied.


Maybe it's optimistic, but I'd hope this has caused a big enough stir among people running Siemens installations that they are taking care of this issue. If so, that will give it a short lifetime. Even if the individual plant admins aren't doing so, Siemens must be taking action here, right?

I guess I'm buying into the idea that it's difficult to do attacks against PLCs for SCADA systems. I have to claim ignorance on that issue, but it sure seems like it's a hard problem. That difficulty, combined with the relative sophistication of the malware (four 0days, etc.) lends credence to the idea that it's a targeted attack.

Additionally, releasing malware that targets something like that and then just waiting to see which plants you end up owning seems unlikely. What is the motivation? Once you figure out which ones you own, then you write more custom attacks against those targets?


One of the exploited bugs is a default admin password in Siemens SCADA equipment. Siemens released a statement shortly after Stuxnet was discovered, urging admins not to change the default password because it might have unexpected consequences.

Of course this attack was targeted in the sense that it went after SCADA equipment, but there was far more than a single target. Like I said, this is malware and malware is multi-purpose and reusable, and in this case it was used many, many times. These guys are looking for a story about how a single target was THE target, but they're missing the big picture.
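Two exposures come up in the thread: credentials still set to a vendor default (which, as the comment above notes, the vendor advised against changing), and a patch that is available but not yet applied. The script below is an added example, not code from the thread or from any vendor, showing how an operator might audit an asset inventory for both conditions and report them without touching the devices. The inventory format, the default-credential list and the patch identifiers are all constructed placeholders; the real Siemens values are not on this page and are not reproduced here.

```python
"""Audit a constructed asset inventory for (a) accounts whose password still
matches a known vendor default and (b) required patches that are not applied.
Everything below (product names, credentials, patch IDs) is hypothetical."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(text: str) -> str:
    """Hash a password so the audit never has to hold clear-text credentials."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed: hypothetical vendor defaults as (product, user, password).
# These are placeholders, not real vendor credentials.
KNOWN_DEFAULTS = [
    ("vendor-x-hmi", "admin", "DEFAULT-PASSWORD-PLACEHOLDER"),
]

# Index defaults by (product, user) -> sha256 of the default password.
DEFAULT_HASHES = {(p, u): sha256_hex(pw) for p, u, pw in KNOWN_DEFAULTS}

# Constructed: hypothetical patch advisories required per product.
REQUIRED_PATCHES = {"vendor-x-hmi": {"PATCH-PLACEHOLDER-001"}}


@dataclass
class Asset:
    name: str
    product: str
    user: str
    password_sha256: str            # stored as a hash, never clear text
    applied_patches: list = field(default_factory=list)


def audit(assets):
    """Return a sorted list of (asset name, finding) tuples.

    The audit only reports; it does not change credentials, because the
    vendor guidance discussed above may argue against doing so blindly.
    """
    findings = []
    for a in assets:
        # (a) Password hash equals the hash of the vendor default for this account.
        if DEFAULT_HASHES.get((a.product, a.user)) == a.password_sha256:
            findings.append((a.name, "default-credential"))
        # (b) Required patches minus what the asset reports as applied.
        missing = REQUIRED_PATCHES.get(a.product, set()) - set(a.applied_patches)
        if missing:
            findings.append((a.name, "missing-patch:" + ",".join(sorted(missing))))
    return sorted(findings)


# Constructed sample inventory: one exposed HMI, one remediated HMI.
SAMPLE_ASSETS = [
    Asset("hmi-01", "vendor-x-hmi", "admin",
          sha256_hex("DEFAULT-PASSWORD-PLACEHOLDER"), []),
    Asset("hmi-02", "vendor-x-hmi", "admin",
          sha256_hex("site-specific-secret"), ["PATCH-PLACEHOLDER-001"]),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ASSETS):
        print(f"{name}: {finding}")
```

Comparing hashes rather than passwords lets the inventory be shared with an auditor without exposing credentials, and keeping the report separate from remediation matches the situation described in the thread, where changing the default was itself considered risky by the vendor.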





