Is an International Cyberwar Imminent?
Getting to the bottom of Stuxnet is a sticky business, though plenty of researchers are trying. What is known is that it was a worm targeted at a uranium enrichment site in Iran, ostensibly to slow down the country's nuclear production programme. It is also known that it was the first cyber attack that has directly caused physical damage. What is not so clear is who was behind the attack, nor whether a Stuxnet-like virus could potentially knock out a city's power grid or other critical infrastructure - and panic around the latter has led to much rhetoric around the growing threat of cyber war.
Antivirus researchers agree that Stuxnet's careful orchestration means another government is likely to have been behind the attack. Several media reports cite officials who place the blame squarely on US and Israeli shoulders, though neither government has publicly accepted it.
"We've concluded that whoever wrote it was highly sophisticated, highly organised, had experience, had resources and was likely to have hierarchical structure," says Ilias Chantzos of online security firm Symantec, which began studying Stuxnet in 2010. "That indicates the involvement of a nation state, but at no point have we had enough information to attribute what that state might be."
Symantec and other antivirus firms are still in the process of establishing a timeline for Stuxnet. Although the worm was first identified in 2010, Symantec found that Natanz's control systems had been infected as early as 2005 - meaning that it had been much longer in the making than previously thought. It also concluded that different developer groups participated as Stuxnet evolved, lending credence to the theory that multiple states took part.
But other independent researchers consider Stuxnet to be rather rough-and-ready, pointing out that for all the worm's precision inside Natanz, its makers could not do much to stop it getting out and infecting other machines. One well-known US cryptographer, Nate Lawson, is more sceptical of the Western state theory, noting inconsistencies and technical flaws in Stuxnet's code.
"We're left with the authors being run-of-the-mill," he writes.
Independent consultant Tom Park has also voiced scepticism, pointing to basic errors that suggest a less-than-elite group may have put the finishing touches to the worm.
A changed hacking environment
Neither theory is particularly comforting. A physically destructive worm - planned and executed with permission from the highest levels of the US government. Or a patched-together virus produced by contractors who, though technically successful in their mission, were not skilled enough to stop the virus spreading to a large number of Iranian computers. Either marks something different to the protest hacks that bring down, say, online banking sites for a few hours.
"Previous attacks were more visible and aimed to cause disruption. They were for fame and notoriety," explains Chantzos.
That is still the case, to a large extent. Vigilante collective Anonymous uses simple distributed denial of service attacks or website defacement as a kind of prankish political statement. More often than not it is, as they put it, "for the lulz". But virtual graffiti on payment sites, though annoying, is more of a middle finger to a vague notion of authority than a sinister disruption of government projects. Even the more sophisticated takedowns, such as the 2007 DDoS attacks on Estonia, caused surface damage at best.
Cyber war talk
The most immediate online threat is, perhaps, more state-sponsored cyber espionage than sabotage like Stuxnet. More than a quarter of US companies have been targeted by Chinese hacks, according to the American Chamber of Commerce - none have seen their equipment break. Reliable estimates of financial losses due to data breaches are hard to come by, but a report from the US national intelligence director pins them at $398bn between 2009 and 2011. Meanwhile, the US has moved to restrict government purchases of Chinese IT equipment for fear of buying infected systems.