The former top-ranking military intelligence officer in the U.S. armed forces discusses Stuxnet on this week's episode of "60 Minutes," and he may give some ammunition to cybersecurity watchers who believe the United States had something to do with the sophisticated computer worm that wreaked havoc on Iran's nuclear program in 2010.
Retired Gen. Mike Hayden called the sabotaging of Iran's nuclear program with Stuxnet a "good idea" during an interview with Steve Kroft to be aired this Sunday, according to an episode teaser sent out by "60 Minutes" on Friday.
Hayden, a former director of both the National Security Agency (1999-2005) and the Central Intelligence Agency (2005-06), told the CBS news show that he doesn't know who was behind Stuxnet, but in the 18 months since the cyberattack that destroyed more than 1,000 Iranian centrifuges occurred, there has been much speculation that either the U.S., Israel, or both countries may have developed and deployed the worm.
"This was a good idea, alright? But I also admit this was a big idea, too," Hayden told Kroft. "The rest of the world is looking at this and saying 'Clearly, someone has legitimated this kind of activity as acceptable.'"
Stuxnet, unlike the computer viruses that attack PCs and other consumer devices, targets critical infrastructure systems—specifically industrial control systems such as the SCADA systems that control the centrifuges used at Iran's nuclear reactor.
Hayden told "60 Minutes" that Stuxnet, or something like it, could one day be used against the U.S. "So there are those out there who can take a look at this ... and maybe even attempt to turn it to their own purposes," he said.
Built by a Tiny Team?
Nobody has proven who was behind Stuxnet, but last December a pair of security researchers said they believed it and the related Duqu computer worm were based on a common software platform built by a dedicated team of malware developers around the end of 2007.
"We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers," Kaspersky Lab researchers Alexander Gostev and Igor Soumenkov wrote in their December report.
Stuxnet spreads through Microsoft Windows but specifically targets Siemens supervisory control and data acquisition (SCADA) systems. Duqu, discovered in September, is thought by many security researchers to be virtually identical in origin and makeup to Stuxnet, though it appears to have been tweaked to steal information from industrial control systems rather than damage them like its cousin.
"In terms of architecture, the platform used to create Duqu and Stuxnet is the same," Gostev and Soumenkov wrote. "This is a driver file which loads a main module designed as an encrypted library. At the same time, there is a separate configuration file for the whole malicious complex and an encrypted block in the system registry that defines the location of the module being loaded and name of the process for injection."
Gostev and Soumenkov have dubbed the code kernel they believe underlies both computer worms the "Tilded" platform, in reference to its authors' habit of using file names starting with "~d". In its first iteration, the Tilded platform was used to create at least one spyware module in 2007 or 2008, and "several other programs whose functionality was unclear" between 2008 and 2010, they said.
The researchers believe the platform underwent "its most significant change" in the summer or fall of 2010. That change produced Stuxnet, of which four driver file variants have now been identified, and Duqu.
They also think the Stuxnet/Duqu story has yet to be fully told. Kaspersky Lab last year came across previously unknown driver files that they think may have belonged to early Tilded platform-based spyware modules; these did not appear to be associated with Stuxnet but may have been predecessors of Duqu.
Gostev and Soumenkov think that what they are probably seeing is various stages of the "evolution" of the driver files used to "load and execute a main module" like Duqu or Stuxnet. The authors of those driver files wouldn't write new ones from scratch, the researchers said, but instead would "tweak ready-made files."
Commonalities between versions of the driver files for Tilded platform-based worms suggest not just a common ancestry for Stuxnet and Duqu, but common authorship of the programs by a team working together, according to the Kaspersky Lab researchers.