Some say a code word in Stuxnet refers to... Queen Esther?
Israel was identified in a giant media buzz as the force behind the Stuxnet worm attacking the Iranian nuclear program because of the code string "myrtus" that appears in the software which some allege refers to Queen Esther from the Purim story.
Israel was identified in a giant media and world opinion buzz as the force behind the Stuxnet worm attacking the Iranian nuclear program because of the code string "myrtus" that appears in the software.
The idea was that "myrtus" refers to the Esther of the biblical Book of Esther, the Jewish woman who became queen of Persia and thwarted a planned massacre of the Jews in the Persian empire. Esther was also known as Hadassah, a name linked in Hebrew to the word for myrtle, or myrtus.
But while the Stuxnet code itself is "brilliant", this myrtus theory is "totally ridiculous" and does not stand up to serious analysis, according to Israeli cyber intelligence expert Nimrod Kozlovski, head of Altal Information Security, a Tel Aviv-based consulting firm. He was speaking by videoconference to a forum organized in Paris by NanoJV head Dominique Bourra, a cyberdefense specialist, entitled "Stuxnet, Pandora's box or stroke of genius?"
"The development and execution of Stuxnet is a stroke of genius no matter what country is behind it or what real damage was done to Iran," said Kozlovski. "It is a landmark activity that opens the battlefield for global cyber warfare. But the word myrtus appears by chance, not as a signature. Why would any designer, especially an Israeli, leave a signature with such a trace to Jewish history in ancient Persia? It is farfetched."
One expert at the forum suggested that the word "myrtus" stands for "my remote terminal units", a technical code-linked term.
There was agreement and disagreement on Stuxnet among participants at the forum in Paris, which was attended, among others, by representatives from African countries. Forum initiator Dominique Bourra connected on the American west coast with Jeffrey Carr, CEO of the cyberdefense company Taia Global, a columnist for the highly regarded Forbes Magazine Firewall blog and the author of "Inside Cyber Warfare."
"The Stuxnet was very sophisticated in its development and especially in its zero-day execution," said Carr, "but if the goal was to destroy Iranian nuclear operations, it was a failure."
Carr also postulated that Stuxnet may be a Chinese-sponsored attack. Carr discovered five ties to Stuxnet that are unique to China and provide a motive for the attack. This is an out-of-the-box position that at worst can be dismissed and at best raises even more possibilities, something he is very good at.
"People don't believe it was China, but they don't know why," he said. "China does not want Iran to have atomic bombs, but it is oil dependent on Teheran. And the two authentication certificates were stolen from a company in Taiwan."
French experts present at the Atelier BNP Paribas were less impressed with the sophistication of Stuxnet. "The Stuxnet attack was not targeted because it spread around the world and was visible," commented Eric Filiol, military expert and head scientist at the French Cryptology and Computer Virology Lab. "Stuxnet showed everyone, including outlaw states and cyber-mafias, how to construct an industrial cyber-attack. And Israel has made a real mistake by accepting responsibility for the attack."
Another French expert, Daniel Ventre, researcher at the French National Center for Scientific Research, noted "There are only shadowy zones concerning Stuxnet, no certainties about its efficiency or the real target or even the designers. Its value is symbolic, a buzz around the mythology of good and evil, with Iran the evil." Another French expert said that the zero-day attack technology was not new and had been used in numerous other cyber attacks.
Nimrod Kozlovski took issue with most of those comments. "I disagree with the zero-day statement," he said. "Random zero-day technology has been used, yes, but never has a synchronized four zero-day attack of such sophistication been seen. And most other attacks had the goal of gathering information and data or eavesdropping, but this was the first destructive attack targeting soft-point control and command systems."
Jeffrey Carr added, "In fact, the damage to Siemens systems was widely reported but it was not extensive. The company bottom line was not affected."
Kozlovski continued, "Israel has not accepted responsibility for Stuxnet. The official line has been, don't confirm, don't deny, a policy that has been used in the past. On the Iranian side, we don't know the real extent of the damage because it is difficult to confirm, so the disinformation factor is important. But the psychological effect is huge, because the attack created a humiliating situation for Iran concerning its vulnerability."
A question was asked in Paris: just how important is the psychological angle in cyber warfare, compared to the technology and execution of the attacks? Does it really matter?
Kozlovski responded, "Cyber warfare has become the fifth domain of war in general. There are currently no legal structures on the international level concerning cyber attacks, but more and more countries will be signing accords and alliances in cyberspace. It is ambiguous what force the country that did this really has, but it is still a show of force, and the psychological factor is major."