In June of 2010, researchers at a cyber security firm in Belarus called VirusBlokAda discovered a troubling bit of malware with a mysterious purpose. It used USB drives to transmit itself, bypassing Internet security. This was nothing new, nor was it overly troubling.
What was both new and troubling was that this malware used multiple zero-day exploits. A zero-day is what programmers call an exploitable bug that hasn't been discovered or patched yet, which means a fully patched, fully up-to-date operating system with cutting-edge security would still be vulnerable to it.
So not like the malware you'd only find on grandma's computer
Even more baffling, Stuxnet did not appear to cause any harm once it infected a new system. It just sat in wait until either it could infect a new computer or a specific piece of hardware was attached to the infected machine. By painstakingly reading through countless lines of code, security experts were able to determine that its target was specific PLC (programmable logic controller) systems.
Which basically look like boxes of plastic with some wires and lights on them.
The other ways in are well-guarded and way less subtle. So flash drive it is, I guess.
Certainly a motive there.
Spoiler Alert: it was probably both.
And make no mistake. It worked. It's hard to say how well it worked, since any official planning or execution documentation is certainly highly classified, but thousands of Iranian centrifuges mysteriously failed before Stuxnet was discovered.
This is obviously a win for American espionage, but it has broader implications that are staggeringly bleak. At some point, this operation (known as Operation Olympic Games), and by extension the United States government, determined that there were four vulnerabilities that could potentially lead to industrial sabotage, maybe even to catastrophic attacks on infrastructure. And rather than take defensive measures to fix the problem, they used those vulnerabilities against another nation.
The use of zero-day exploits by nation states is potentially a Pandora's Box on par with the use of weapons of mass destruction. Stuxnet opened the box.
"Gas centrifuge cascade" by U.S. Department of Energy - Public Domain
"Bonzi buddy". Licensed under Fair use via Wikipedia
"S7300" by Ulli1105 - Own work. Licensed under CC BY-SA 2.5 via Commons
"Natanz nuclear" by Hamed Saber - http://www.flickr.com/photos/hamed/237790717. Licensed under CC BY 2.0 via Commons