Sophos Labs: Two stories that have been the focus of much speculation came to some closure today. New information confirming many people's suspicions about Aurora and Stuxnet has been reported by Wikileaks.org and Reuters.
As has been widely reported, Wikileaks began releasing over 250,000 previously secret diplomatic cables that it is assumed they received from PFC Bradley Manning. Most of the cables are as uninteresting as reading your friend's Yahoo! mail.
[Image: quote from nytimes.com article on the Wikileaks cables]
One particular cable did shed some light on the “Operation Aurora” attacks on Google, Adobe and others last January. The New York Times reported that a “Chinese contact” told the embassy that the Politburo was behind the attacks.
OK, China did it, mystery solved, we can all go home now. This is what most of the press seems to be saying, but I am not quite so convinced. Yes, it is probable that there was Chinese involvement in the Aurora incident, but I am not willing to claim that it was on the orders of President Hu Jintao on the word of a “Chinese contact”.
Within 24 hours of the Aurora cable becoming public, Iran and Stuxnet were back in the news. President Mahmoud Ahmadinejad denounced “enemies of Iran” for using computer code to “create problems” for their uranium-enriching centrifuges. This would appear to confirm that Iran was in fact the target of the Stuxnet worm, which would explain the curious specificity of the malware in what it would attack and how.
Of course, Mr. Ahmadinejad is pointing his finger in the direction of the United States and Israel, though up to this point there has been little evidence to indicate that this is the case.
A separate report from Iran this morning described coordinated bombing attacks against two important scientists in Iran's nuclear program. Clearly there is a concerted effort to derail the Iranians, but from where, anyone can guess.
What are the lessons of the day?
First, you should ensure that valuable information is protected with strong cryptography and cannot be transferred in bulk to Wikileaks (or your competitors). Note that encryption at rest protects against theft of the medium, not against an authorised user who can decrypt and export; limiting how much any one account can pull, and watching for bulk access, is a separate control.
Second, when developing a nuclear strategy (or protecting networks that you don't want infected with malware) you should run proactive anti-malware products which use HIPS, device control and network monitoring. Critical systems should both run anti-malware and be air-gapped from the Internet. Stuxnet spread via removable USB media, which is exactly why device control still matters on a network that has no Internet connection.
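As an added illustration of the first lesson (detecting bulk access rather than relying on encryption alone), the following is example code written for this post, not Sophos code or anything from the original article. It assumes a constructed document-server access log in the format `<ISO timestamp> <user> <action> <doc_id> <bytes>`, and assumed thresholds: a user is flagged on any day where the number of distinct documents read exceeds both an absolute floor (20) and five times the median of that user's own earlier daily counts. The log lines, user names and thresholds are all made up for the example.

```python
"""Flag users whose daily document-access volume is far above their own baseline.

Added example for the 'cannot be transferred in bulk' lesson: a small
baseline-versus-today detector over a constructed access log. Not Sophos
code; the log format, user names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def make_sample_log():
    """Construct a synthetic log: two users over four days.

    analyst2 reads two documents a day throughout; analyst1 reads three a day
    and then 25 on the last day (the bulk pull we want to catch).
    """
    lines = []
    day0 = datetime(2010, 11, 1, 9, 0, 0)  # constructed dates
    for d in range(4):
        day = day0 + timedelta(days=d)
        for i in range(2):
            ts = (day + timedelta(minutes=i)).isoformat()
            lines.append(f"{ts} analyst2 READ cable-{d:02d}{i:03d} 15000")
        n = 3 if d < 3 else 25
        for i in range(n):
            ts = (day + timedelta(minutes=i)).isoformat()
            lines.append(f"{ts} analyst1 READ cable-{d:02d}{i:03d} 15000")
    return "\n".join(lines)


def parse_log(text):
    """Parse '<timestamp> <user> <action> <doc_id> <bytes>' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc, size = line.split()
        events.append((datetime.fromisoformat(ts), user, action, doc, int(size)))
    return events


def daily_distinct_docs(events):
    """Return {user: {date: number of distinct documents READ that day}}."""
    per_user = defaultdict(lambda: defaultdict(set))
    for ts, user, action, doc, _size in events:
        if action == "READ":
            per_user[user][ts.date()].add(doc)
    return {u: {d: len(docs) for d, docs in days.items()} for u, days in per_user.items()}


def flag_bulk_access(events, factor=5, floor=20):
    """Alert on any user-day whose count exceeds max(floor, factor * own median).

    The baseline is the median of that user's earlier daily counts, so a user
    with no history is judged against the absolute floor only. Returns a list
    of (user, date_iso, count, baseline) tuples.
    """
    alerts = []
    for user, days in daily_distinct_docs(events).items():
        for day in sorted(days):
            prior = [days[d] for d in days if d < day]
            baseline = median(prior) if prior else 0
            threshold = max(floor, factor * baseline)
            if days[day] > threshold:
                alerts.append((user, day.isoformat(), days[day], baseline))
    return alerts


if __name__ == "__main__":
    for user, day, count, baseline in flag_bulk_access(parse_log(make_sample_log())):
        print(f"ALERT {day}: {user} read {count} documents (baseline {baseline})")
```

In the constructed sample only analyst1's last day trips the detector. A real deployment would build the baseline over a longer window, compare against role peers as well as the user's own history, and count bytes and export actions (print, copy to removable media) rather than reads alone; the point is that this signal exists independently of whether the documents were encrypted at rest.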
Hmmm. This is sounding old hat. The advice for nuclear powers, diplomats and militaries is the exact same advice the rest of us should heed. This isn't about cyberwar, it's about cyber-insecurity. Whether it is nations using malware against one another or spies, thieves and turncoats, they will always be used to gain an advantage, and the same thing that motivates nation-states motivates criminals and competitors: power and wealth.