I wrote an email tonight to a friend of mine who had a question about potential Russian cyberattacks and the differences between a regular DDoS attack and something like Stuxnet. Obviously, an email to a friend is pretty informal and the details about Stuxnet here are completely from memory, but this is accurate to the best of my recollection. For context, my friend had said he thought DDoS was like a medieval siege attack and Stuxnet was more like a targeted terrorist attack. I thought some others might find it interesting at least:

 

I’ve never heard a DDoS attack be described that way, but that’s actually a pretty accurate characterization. As for Stuxnet being like a targeted terrorist strike, I would say it was more of a targeted special operations surgical strike (terrorist strikes are specifically designed to cause mass terror, not necessarily disable/kill infrastructure/capability/personnel of the enemy force as surgical special operations are).

DDoS stands for Distributed Denial of Service. The point is to flood the servers with so much traffic that they are incapable of accepting new connections or responding to any connections that do occur. Either all of the resources of the server are consumed or the pipe leading to the servers is completely filled up, meaning there is not enough bandwidth to handle the incoming traffic. These used to just be DoS attacks, but the “distributed” part came about when pipes got wider (more bandwidth for connections) and servers got beefier (they now have more resources to handle many connections at once). Now, attackers use various methods to recruit a large number of source machines to send traffic toward the victim. As for being just a hacker protest tactic, that’s not completely true. That’s probably its most well-known usage, but DDoS attacks are widely used in digital “protection” rackets, just like the old world Mafia had. Sites that absolutely need to be available at certain times but who also don’t want a lot of attention from authorities, such as gambling websites during the Super Bowl, will be threatened by hackers such that, if the website does not pay a certain amount of protection money, it would be really horrible if a DDoS attack were to happen when you really need your site to be up…

Stuxnet actually didn’t require boots on the ground, which was actually the most impressive part of its design given that the Iranian centrifuges were air-gapped (not connected to a computer network which had Internet access). The only way to spread malware to the centrifuges was to have someone connect an infected removable storage drive (most likely USB) to one of the systems connected to the centrifuge network. Despite this limitation, the creators of the virus were able to design it to automatically infect removable storage devices, then spread silently whenever it was connected to different machines. The virus was released in very targeted areas where intelligence reports indicated those with access to the Iranian nuclear program would be. The real genius is that the virus was specifically designed to infect the Iranian programmable logic controllers (PLCs) that control the centrifuges’ operation. These PLCs were fairly standard off-the-shelf components, meaning that they are in many industrial sites across the world. This is where the boots on the ground came in. Someone, most likely Israeli intelligence, knew the exact configuration of the PLCs, so the Stuxnet virus was designed to only activate itself if it detected the configuration known to belong to the Iranian PLCs. The virus then played havoc with the speed of the centrifuges and continuously destroyed them by rapidly changing speeds or running too quickly in general. The Iranians couldn’t figure out for months why the centrifuges were breaking, though, because the virus was also designed to infect the monitoring systems and alter the output to falsely show that the centrifuges were operating within normal parameters. Given that Stuxnet was released into the wild to find its own way to the Iranian systems, it’s not surprising that the virus was also found in various other industrial control systems around the world once people knew it existed. The virus just never activated because it did not detect the Iranian PLC configuration.