SANS Digital Forensics and Incident Response Blog

Why Stuxnet Isn't APT

...or at least, shouldn't be considered as such...

JOIN SANS FOR A 1-DAY CYBER THREAT INTELLIGENCE SUMMIT headed by Mike Cloppert - 22 Mar 2013 - http://www.sans.org/event/what-works-cyber-threat-2013

Stuxnet has become so buzz-worthy that I almost feel like an article relating it to "APT" is the epitome of anecdotal industry navel-gazing. Making a qualitative assessment of each can be a useful exercise in classifying and understanding the threat landscape, however. This in turn helps clarify risk, driving resource allocation, investment, and R&D. Even more important than the conclusions presented herein, I want to elucidate some of the analysis that goes into threat assessments so that others might be empowered to do the same. At the same time, do not interpret this as an exhaustive or 'correct' methodology, but rather a single case study.

So many unrelated conversations these days seem to drift toward the inclusion of Stuxnet that I'm beginning to see it like the invocation of a Hitler analogy in modern US political debates. There's a lot to be said about this event, to be sure, but I feel we can do much better in understanding similarities and differences in various threat landscapes, thus my initial motivation to write this article. The bottom line is that I feel we do both Stuxnet and APT a disservice by classifying the former into the latter, and worse yet, confuse what could otherwise be informed threat-oriented decisions on CND.

Intent

Often, the intent of an actor is inferred based loosely on observations by analysts tracking down impacted systems, targets, and entry vectors. I'm going to stick to the observable properties of Stuxnet, in comparison to what I feel is consensus on APT as used by those of us in the DoD/DIB community (where the term originated).

The first clear divergence of Stuxnet from APT is in targeting. Although it has been said that the intended target of Stuxnet was China/Iran/Mars/Your Mom, in practice, this operation targeted all machines with a certain configuration controlling certain devices. The target selection/recon is conveniently embedded in the Stuxnet code, leaving little room for interpretation of how this occurs. Infected systems seek other victim systems for propagation at OSI layers 3 & 4. This is fundamentally different than APT intrusions, which target users. The code intends to spread to machines with certain configurations, that perform certain functions. Again, this is different than APT intrusions, which usually focus on accessing data describing certain technologies. Though nuanced, that difference is very important.

Scope, or visibility, is another area where Stuxnet differs from APT intrusions. Whereas most (but not all) APT intrusions focus on a small set of targets, Stuxnet will propagate promiscuously, regardless of whether the target system contains the desired configuration, or is even a SCADA system at all. This scalpel-versus-hammer distinction, as well as the manual/automated target selection, bears no resemblance to APT intrusions. Somewhat aside, it also makes the probability of discovery very high as compared to APT intrusions, and its broad impact allows for a sort of "analytical economies of scale" benefit that we see with other widespread viruses and worms. This alone can fundamentally alter a defensive strategy.

Objective is another divergent characteristic between the two, and is quite straightforward in one sense: Stuxnet impacts integrity, with the end goal of impacting availability. Thus, Stuxnet is an attack tool, putting it under the CNA umbrella. APT intrusions have been exclusively CNE, and will almost necessarily remain so by definition. Quite related, this objective of Stuxnet is inherently tactical. APT intrusions take the form of campaigns over extended periods of time, and behaviors demonstrate that adversaries will persistently launch intrusions, and/or desire persistent access to targeted environments. These "campaigns" are strategic intrusions by their very nature, which provides for important Intel-driven CND opportunities that may be very different, or missing altogether, from Stuxnet.

Capability

The level of sophistication of Stuxnet is by every account very high. The code is relatively difficult to reverse engineer, contains a PLC rootkit, multiple zero-day exploits, and code that can run on processors with different chipsets. More often than not, the binaries in APT intrusions are relatively straightforward, and exploit a single vulnerability most often in client applications. This enables the adversary to "hide in plain sight" without triggering any heuristic attention through various code obfuscation and file hiding techniques that tend to leave unusual artifacts. After all, with a small target space, the likelihood of discovery is low, and analytical economies of scale will not apply for APT intrusions, meaning survivability against RE efforts is less important to build in.

The role of command-and-control (C2) in Stuxnet achieving its objectives is quite different than conventional APT C2. This capability exists for remote code updates to be distributed to systems infected by the worm. Unlike Stuxnet, the process of achieving objectives in APT intrusions is not necessarily straightforward once a system is compromised. Systems must be manipulated manually for the surgical removal of data, and to facilitate lateral movement within an environment that the intruder may have no, or limited, a priori knowledge of. Backdoors used in APT intrusions therefore either provide a much more robust command set, or funnel keystrokes sent via the channel to a command shell. These differences in C2 role and capability, objective automation and manual intervention, present both opportunities and challenges for CND that are different for Stuxnet and conventional APT intrusions.

So What?

Because of the numerous fundamental differences between Stuxnet and canonical "APT," intelligence-driven CND for each will necessarily be quite different. I would even say it's difficult to find a single attribute clearly shared by the two. If we classify Stuxnet as APT, then one of two things must happen: either we must remove certain attributes from our APT definition so Stuxnet will properly fit that criteria, or we ignore the divergent attributes of Stuxnet. It's easy to see that either case would leave us with fewer strategic approaches to CND that would be effective against both. By keeping them separate, we can consider each with enough specificity for effective CND, and depending on the industry, choose to prioritize one over the other.

Michael is a senior member of Lockheed Martin's Computer Incident Response Team. He has lectured for various audiences including SANS, IEEE, the annual DC3 CyberCrime Convention, and teaches an introductory class on cryptography. His current work consists of security intelligence analysis and development of new tools and techniques for incident response. Michael holds a BS in computer engineering, an MS in computer science, is working towards a PhD in systems engineering, has earned GCIA (#592) and GCFA (#711) gold certifications alongside various others, and is a professional member of ACM and IEEE.

2 Comments

Posted March 25, 2011 at 8:47 PM | Permalink | Reply

LonerVamp

This is more for my own understanding than me disagreeing with you, but I have a few questions. As I write this, I'm wondering if we just have divergent definitions of APT''which you've probably outlined elsewhere and I've just not read. :)
1- Under Intent->Targeting, you mention that APT targets users. Would it follow to say that APT is all about social engineering? I'm not sure I'd buy that.
2- Also under Intent-Targeting, it sort of sounds like you're saying Stuxnet wasn't designed to be specific with what it attacks, but really, wasn't it? Maybe if let loose in other environments, it would have infected them as well, but was it? I tend to think of APT as pretty close to nation-state or corporate espionage, and disrupting operations to set someone back a few years sounds like an aligned goal? I may need to read up on your blog further, as you're right that Stuxnet is CNA rather than CNE. Definitely!
3- Under Intent->Scope, I have basically the same issue. It did seem pretty specific, especially if released into a narrow environment. It would seem that if you achieve your goals, visibility without attribution is probably acceptable. Likewise, if the hammer took in some collateral damage, that might be acceptable as well. I guess I'm not necessarily accepting that APT attacks have to be the scalpel (blanket phishing campaigns against a target could be hammer-like?).
4- Under Intent->objective, you made a quick mention of persistent access. Again, this will get back to APT definitions and might just be an unfortunate word choice, but APT doesn't need persistent access? The P to me has always been that the threat will be persistent until it gets what it wants, no longer wants it, or is removed.
By the way, don't spend too much time on a response. I'm not anyone and just looking to understand your viewpoint a bit more. Thanks!

Posted April 2, 2011 at 6:18 PM | Permalink | Reply

Jeremy Impson

Is there a commonly referenced definition of APT? My understanding was that
it was defined to bring to light an important difference between cyber
attackers as typical in the 90s