Who wrote Stuxnet?

Who cares?

The first investigative principle is knowing who is watching the investigation. At fires and major police incidents, common practice is to photograph or videotape the crowd. Your suspect is likely the one most interested in the investigation. The second principle is that the likely suspects are called that for a reason. They’re likely. Whoever has a high ICT index, a large enough population, and the interest is the most likely suspect.

If you know the husband caught his wife cheating, bought a handgun, was seen loading it, loud arguments were heard, and shots were fired, you won’t go investigate the priest living in another state who never met the couple with the dead wife. You haul the husband down to the station and advise him of his rights. You might go one step further and look to see who might be taking advantage of the preponderance of the evidence (taking advantage of a bad situation to set the husband up), but in general the police are about putting people in jail, not looking for exculpatory evidence.

Stuxnet was cool, but I don’t think some super secret group in a dark room was needed to write it. Who had the motive, means, and opportunity to write it? It was either an individual (unaffiliated), a corporation, or a nation state (ed. though there is one other possible vector). Each group has its own motives.

The list of entities who had motive to generate Stuxnet is long, from the obvious United States as actor to the less obvious corporation and finally the nation state that sold Iran the centrifuges. Who benefited from Stuxnet is another piece of that puzzle. I’m seeing lots of pseudo-technical analysis and malware forensics, but that is a very limited piece of this puzzle. It is kind of like analyzing a handgun to see who built it while knowing it says Smith & Wesson on the barrel. You’re trying to figure out what mine the ore came from and what mill the steel was smelted at.

Who cares?

The code is the gun, and it doesn’t tell you a darn thing about who pulled the trigger or purchased it. People are reverse engineering the technology, which is really cool, but it doesn’t tell you a darn thing about motive. Anybody assuming effect is direct causation or motive needs to think it through a bit more.

Knowing answers to questions is great, but it is much more important to know what questions to ask. “Who wrote Stuxnet?” is an interesting question, but the really interesting question is, “Who profited from Stuxnet?”

A trivial little diagram.

Looking at the relationships of who might have written Stuxnet. Starting from entities, it works its way to motives.
