I finished the Kim Zetter book on the airplane on the way back from several meetings where my work team and I discussed Industrial Control System security, malware and offensive toolsets among other things. The book as the title mentions "STUXNET and the launch of the first digital weapon" is the story about STUXNET detection, progress and analysis by the Symantec, Karsperky and other teams around the globe. She also covers the variants that seemed to be based out of the same tool framework the malware known as DUQU and FLAME. She also goes farther in the book providing context on the geopolitical events that where at play at the moment of the infection and provides a holistic picture of the possible reasons of why the malware evolved in its versions and what was being seen by the UN inspectors at the nuclear facilities in Iran.
Having read the reports and also worked on analyzing the malware and its variant so as to help write remote detections for it the part that intrigued me the most was the depiction of the research teams from the different companies that worked on their own and leverage each others published research on the malware as it evolved and changed its nature in attack and spread techniques. What followed was also the way the world events of the moment where tied together with information from the UN Nuclear Inspection reports, interviews with the researchers and news related providing in my opinion the best presentation of what makes this infection so unique and one to fear.
What makes STUXNET so unique it is not only that it was a state sponsored malware since this is not the first one seen by researchers but that it is the first that involved so many zero days so as to guarantee its intended purpose, its complexity, size and that is is the first time that what it is believed to be a nation state malware is deployed to sabotage physical infrastructure systems of a foreign nation. The complexity of the action and exploits used have not been seen all together in any other single piece of malware out there. The authors of the malware had to to not only have at their disposal a collection of zero day exploits to use, the use of kernel level rootkit and the unique complexity and specialty the systems being infected. This malware not only infected computer systems but it also highjacked ICS control software to alter and infect the firmware of PLC (Programmable Logic Controllers) this is something not seen before and that would have requieres not only the programing and reverse-engineering resources to pull it off but a test infrastructure and access to the equipment no mere criminal or lone hacker could ever dream of having access to.
The book also covers some of the conundrums faced with this type of weapon like the exploit the new developing grey market of exploit sellers, open disclosure and the role of the government in having the responsibility of protecting infrastructure and the same time having the capability to perform its intelligence and offensive military operations in a digital era.. The book has a great of approach of not showing one side over the other in the debate about exploit sale and the governments research, purchase and none disclosure of vulnerabilities but presents both points of view in a objective manner. Also covered is the political ramifications and moral grounds that those that use these type of tools face now that the pandoras box of weaponized malware for sabotage has been open, going way beyond of the Denial of Service and espionage attacks seen before. As mentioned in the book one of the problems with the stockpiling and use of these vulnerabilities is that when use a copy of it is given to the foe if detected and that by keeping the vulnerability secret it exposes hundreds of thousands of their own systems to it by not disclosing and patching it.
One of the small parts that I enjoyed also from the book was the description of the life and backgrounds of the researchers that worked on the malware. All where self-taught and have a drive to find and understand how this code works. I work and know lots of people that are like this with vulnerabilities and malware making me relate better to the researchers. She also covers the other side of the coin in the book where we have the private industry with researchers who's only job is to provide the exploits to the government or to who will ever pay for them.
This book I consider it a must read for any security professional either in defense or offense.