Stuxnet: The world’s first digital weapon, which brought a nuclear nation to its knees.

Rithik V Gopal
Published in The Deep Hub
Jul 7, 2022 (6 min read)

Stuxnet is a malicious computer worm that first came into the limelight in 2010 and is believed to have been in development since at least 2005. Stuxnet specifically targets Supervisory Control and Data Acquisition (SCADA) and Programmable Logic Controller (PLC) systems and is responsible for causing tremendous damage to Iran’s nuclear program. The malware is believed to have been created jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games.

© Chappatte/International Herald Tribune

Stuxnet specifically targets Programmable Logic Controllers (PLCs), which automate electromechanical processes in plants, factories and industrial infrastructure, including the machinery used in nuclear facilities such as the gas centrifuges that separate nuclear material. Stuxnet exploited four zero-day flaws. It works by infecting machines running the Microsoft Windows OS and then looking for Siemens Step7 software. The worm was reported to have compromised PLCs in the Iranian nuclear plants, collecting information on the industrial systems and driving the centrifuges so fast that they tore themselves apart. Stuxnet reportedly ruined almost 20% of Iran’s nuclear centrifuges. The worm reportedly infected over 200,000 computers and caused around a thousand machines to physically degrade.

Timeline of the Stuxnet Attack

November 20, 2008: A variant of Trojan.Zlob was found to be using the LNK vulnerability that was later identified in Stuxnet.

April 2009: The security magazine Hakin9 released details of a Remote Code Execution (RCE) vulnerability in the Printer Spooler service, later identified as MS10-061.

June 2009: The earliest known Stuxnet sample dates from this time. It neither exploits MS10-046 nor carries signed driver files.

January 25, 2010: Stuxnet driver files are found signed with a valid certificate belonging to Realtek Semiconductor Corp.

March 2010: A Stuxnet variant exploits MS10-046.

June 17, 2010: VirusBlokAda, a European security software company, reports that W32.Stuxnet uses a vulnerability in the processing of shortcut (.lnk) files to propagate. This was later identified as MS10-046.

July 13, 2010: Symantec, an American software company, adds detection as W32.Temphid; the sample had previously been detected generically as Trojan Horse.

July 16, 2010: Microsoft releases a Security Advisory for “Vulnerability in Windows Shell”. Verisign revokes the Realtek Semiconductor Corp. certificate.

July 17, 2010: A new Stuxnet driver is identified, signed with a certificate from JMicron Technology Corporation rather than Realtek Semiconductor Corporation.

July 19, 2010: Siemens begins investigating malware infecting its WinCC SCADA systems.

July 20, 2010: Symantec monitors the Stuxnet Command and Control (C2) traffic.

July 22, 2010: Verisign, an American network infrastructure company, revokes the JMicron Technology Corp. certificate.

August 2, 2010: Microsoft releases MS10-046, which patches the Windows Shell shortcut vulnerability.

August 6, 2010: Symantec publishes reports describing how Stuxnet can inject and hide code on a PLC, affecting ICS.

September 14, 2010: Microsoft releases MS10-061, the patch for the Printer Spooler vulnerability, and reports two other privilege escalation vulnerabilities, both of which Symantec had identified in August.

September 30, 2010: Symantec releases a comprehensive analysis of Stuxnet.

October 11, 2010: An open letter to Symantec addresses its weakly informed assessment of the threat posed by Stuxnet-inspired malware. The letter points out some major shortcomings: why Stuxnet can be copied easily and re-used by follow-up attackers without insider knowledge.

November 14, 2010: Intelligence on attacker profiling is published, pointing out that a coalition of nation-states appears to be behind Stuxnet, with Israel, the USA, Germany and Russia suspected.

December 6, 2010: The Langner Controller Integrity Checker, a mitigation tool for Stuxnet-inspired malware, is announced.

How the Stuxnet attack works

Picture credit: spectrum.ieee.org

The Stuxnet worm was developed to exploit four Microsoft Windows zero-day vulnerabilities that were known to the intelligence agencies but had not been publicly disclosed.

The four vulnerabilities exploited in the attacks were:

  • A flaw in the handling of .lnk files, the extension used for shortcuts.
  • A shared print-spooler vulnerability.
  • Two privilege escalation vulnerabilities.

The .lnk flaw was used to let the worm spread between systems via USB sticks. The shared print-spooler vulnerability was used to spread the worm across the network through shared printing, a facility in common use in the 2000s. The privilege escalation exploits enabled the worm to execute its code covertly and damage the centrifuges.
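One practical defender-side response to the .lnk vector is to inspect shortcut files on removable media before they are opened in Explorer. The scanner below is an added example written for this article, not code from the article or from any vendor it mentions. It parses the fixed ShellLinkHeader, the target ID list and the string data of a shortcut (layout constants follow the public MS-SHLLINK format) and flags shortcuts whose target list or arguments reference a DLL or control-panel item, which an ordinary document or program shortcut should rarely do. The heuristics themselves, and the build_lnk/make_idlist helpers that construct sample shortcuts inline so the check runs offline, are assumptions made here for the demonstration.

```python
"""Heuristic scanner for Windows shortcut (.lnk) files, e.g. on a removable drive.

Added example (not from the article). Layout constants follow the public
MS-SHLLINK format; what counts as "suspicious" is an assumption made here.
"""
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size
# CLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D}, the Control Panel namespace
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")

# LinkFlags bits
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData blocks appear in this fixed order when their flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


@dataclass
class LnkSummary:
    flags: int
    idlist: bytes                                   # raw LinkTargetIDList bytes
    strings: Dict[str, str] = field(default_factory=dict)


def parse_lnk(data: bytes) -> LnkSummary:
    """Parse header, target ID list and string data; LinkInfo is skipped by size."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    pos, idlist = HEADER_SIZE, b""
    if flags & HAS_LINK_TARGET_ID_LIST:
        (size,) = struct.unpack_from("<H", data, pos)        # IDListSize
        idlist = data[pos + 2:pos + 2 + size]
        pos += 2 + size
    if flags & HAS_LINK_INFO:
        (size,) = struct.unpack_from("<I", data, pos)        # LinkInfoSize covers the block
        pos += size
    strings: Dict[str, str] = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)       # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            strings[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return LnkSummary(flags, idlist, strings)


def suspicious_reasons(link: LnkSummary) -> List[str]:
    """Return human-readable reasons a shortcut deserves a closer look (heuristics)."""
    reasons = []
    raw = link.idlist.lower()  # lowercases ASCII bytes, which also covers UTF-16LE text
    for ext in (".dll", ".cpl"):
        if ext.encode() in raw or ext.encode("utf-16-le") in raw:
            reasons.append(f"target item list references a {ext[1:].upper()} file")
    if CONTROL_PANEL_CLSID in link.idlist:
        reasons.append("target item list points into the Control Panel namespace")
    args = link.strings.get("arguments", "").lower()
    if "rundll32" in args or ".dll" in args:
        reasons.append("command-line arguments load a DLL")
    return reasons


def scan_directory(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a mounted drive and report every .lnk that triggers a heuristic."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    reasons = suspicious_reasons(parse_lnk(fh.read()))
            except (OSError, ValueError, struct.error) as exc:
                reasons = [f"unparseable shortcut: {exc}"]
            if reasons:
                hits.append((path, reasons))
    return hits


def make_idlist(target: str) -> bytes:
    """Constructed single-ItemID list carrying a UTF-16LE path (sample data only)."""
    item = target.encode("utf-16-le")
    return struct.pack("<H", len(item) + 2) + item + b"\x00\x00"   # ItemIDSize + TerminalID


def build_lnk(idlist: bytes = b"", arguments: str = "") -> bytes:
    """Assemble a minimal Unicode shortcut for exercising the parser (constructed)."""
    flags, body = IS_UNICODE, b""
    if idlist:
        flags |= HAS_LINK_TARGET_ID_LIST
        body += struct.pack("<H", len(idlist)) + idlist
    if arguments:
        flags |= HAS_ARGUMENTS
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    return header + b"\x00" * (HEADER_SIZE - len(header)) + body
```

Run `scan_directory("E:\\")` (or the mount point of the stick) to list the shortcuts that match; anything flagged is a reason to hold the media for analysis rather than a verdict on its own, since legitimate control-panel shortcuts also point into that namespace.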

First, the worm targeted the computers used to manage the SCADA and PLC devices controlling the centrifuges in the nuclear plant. The facility’s network was not connected to the wider Internet, creating an air gap, so the worm had to be introduced by physical means such as USB sticks. This was achieved by the intelligence agencies infiltrating five of the nuclear facility’s suppliers and secretly adding the Stuxnet code to their systems; the engineers at these supplier companies were cleared to work on the SCADA and PLC equipment. The anti-virus systems in place did not detect the malicious code. Once the USB sticks were plugged into the facility’s Windows computers, the Stuxnet worm entered the system and replicated itself to every other reachable Windows computer on the facility’s networks, resulting in a full-fledged spread across the Iranian nuclear network.

Once the worm had infiltrated and spread across the network, it identified the Windows computers running Siemens’s Step 7 software, the application responsible for controlling the SCADA and PLC equipment that drove the centrifuges. The worm then executed its payload, which manipulated the controls governing the speed and duration of centrifuge operation: the high speed caused the centrifuges to burn themselves out, and the low speed caused inefficient processing of the uranium, wasting resources and slowing production. While Stuxnet was manipulating the centrifuge speeds, it fed false data back to the SCADA and PLC readings monitored by the Step 7 application, giving the false impression that the equipment at the facility was operating normally.

It was later discovered that a variant of Stuxnet was manipulating the valves to increase the pressure inside centrifuges, damaging both the valve and the centrifuge, thus slowing down the uranium enrichment process.

Steps involved in the attack

  1. The Stuxnet malware enters the system or network via a USB stick and proceeds to infect all machines running the Microsoft Windows OS. By presenting a digital certificate that appears to come from a trusted company, the worm evades automated detection systems.
  2. Stuxnet then checks whether a given machine is part of the targeted Industrial Control System (ICS) made by Siemens. Such systems were deployed in the Iranian nuclear plants to run the high-speed centrifuges that enrich nuclear fuel.
  3. If the system is not a target, Stuxnet does nothing; if it is, the worm attempts to reach the Internet and download a more recent version of itself.
  4. The worm then compromises the target system’s logic controllers, exploiting zero-day vulnerabilities.
  5. Stuxnet spies on the operations of the targeted system, then uses the information it has gathered to take control of the gas centrifuges, spinning them until they fail completely.
  6. Meanwhile, it feeds false status information to the operators, so that they do not realise what is going wrong until it is too late to do anything about it.

Effects of Stuxnet

The main effect was to destroy centrifuges. Stuxnet raises the rotational speed of the centrifuges from normal to 1,410 Hz for 15 minutes; then, 27 days later, it slows them down for 50 minutes, reducing the rotational speed to 200 Hz. The sequence repeats roughly every 27 days. The high speed causes the centrifuges to rupture, and the low speed results in inefficient processing of the uranium, wasting resources and slowing production.
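The speed pattern just described, combined with the false feedback from step 6 of the attack steps, is exactly what an independent measurement path exists to catch: if the only view of the process runs through the compromised controller, the operator screen can be made to say anything. The Python below is an added example written for this article, not code from the article or from Siemens. It constructs a telemetry trace that follows the 1,410 Hz / 200 Hz / 27-day cycle while the HMI view is held at a constant nominal value, then runs two defender checks over it: disagreement between the HMI-reported and independently measured speed, and a measured speed outside an assumed nominal band. The nominal band, tolerance, sampling step and the trace itself are constructed assumptions for the demonstration.

```python
"""Out-of-band sanity check of centrifuge speed telemetry.

Added example, not from the article. The operating band and tolerance are
assumptions; the 1,410 Hz / 200 Hz / 27-day pattern comes from the article.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed nominal operating band and tolerance between the two data paths
NOMINAL_LOW_HZ = 950.0
NOMINAL_HIGH_HZ = 1050.0
MAX_DIVERGENCE_HZ = 20.0

HIGH_SPEED_HZ = 1410.0        # article: 15 minutes at 1,410 Hz
LOW_SPEED_HZ = 200.0          # article: 50 minutes at 200 Hz, 27 days later
PERIOD_MIN = 27 * 24 * 60     # article: the sequence repeats roughly every 27 days


@dataclass(frozen=True)
class Sample:
    t_min: float         # minutes since start of the trace
    reported_hz: float   # what the HMI / Step 7 screen shows
    measured_hz: float   # independent sensor that does not pass through the PLC


@dataclass(frozen=True)
class Alert:
    t_min: float
    kind: str
    detail: str


def check_samples(samples: Iterable[Sample]) -> List[Alert]:
    """Flag disagreement between the two paths, and physical values outside the band."""
    alerts: List[Alert] = []
    for s in samples:
        if abs(s.reported_hz - s.measured_hz) > MAX_DIVERGENCE_HZ:
            alerts.append(Alert(s.t_min, "divergence",
                                f"HMI says {s.reported_hz:.0f} Hz, sensor says {s.measured_hz:.0f} Hz"))
        if not NOMINAL_LOW_HZ <= s.measured_hz <= NOMINAL_HIGH_HZ:
            alerts.append(Alert(s.t_min, "out_of_band",
                                f"measured {s.measured_hz:.0f} Hz outside "
                                f"{NOMINAL_LOW_HZ:.0f}-{NOMINAL_HIGH_HZ:.0f} Hz"))
    return alerts


def attack_windows(alerts: Iterable[Alert], step_min: float) -> List[Tuple[float, float]]:
    """Merge alert timestamps that are at most one sampling step apart into windows."""
    windows: List[List[float]] = []
    for t in sorted({a.t_min for a in alerts}):
        if windows and t - windows[-1][1] <= step_min:
            windows[-1][1] = t
        else:
            windows.append([t, t])
    return [(w[0], w[1]) for w in windows]


def build_trace(days: int = 28, step_min: float = 5.0, nominal_hz: float = 1000.0) -> List[Sample]:
    """Constructed trace: the HMI always reports nominal, the sensor sees the article's pattern."""
    samples: List[Sample] = []
    t = 0.0
    while t < days * 24 * 60:
        cycle, phase = divmod(t, PERIOD_MIN)
        measured = nominal_hz
        if int(cycle) % 2 == 0 and phase < 15:       # even cycle: 15-minute overspeed
            measured = HIGH_SPEED_HZ
        elif int(cycle) % 2 == 1 and phase < 50:     # odd cycle: 50-minute underspeed
            measured = LOW_SPEED_HZ
        samples.append(Sample(t, nominal_hz, measured))   # reported value never changes
        t += step_min
    return samples


if __name__ == "__main__":
    found = check_samples(build_trace())
    print(len(found), "alerts in windows", attack_windows(found, 5.0))
```

The divergence check is the one that matters against falsified feedback: the out-of-band check alone would be blind if the attacker also controlled the sensor path, so the second source has to be wired independently of the controller, which is the design point rather than the code.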

Deceiving the Iranians was a further goal: Stuxnet’s creators hoped to slow Iran’s nuclear program by creating doubt and confusion, which led the Iranians to halt uranium processing on several centrifuges. The creators of Stuxnet probably did not expect the worm to be discovered as quickly as it was; had it remained undetected longer, the damage it caused could have been greater. Waiting 27 days between attacks was possibly done to be stealthier.

The Stuxnet worm also had unintended effects: it infected 100,000 computers around the world. It did no serious damage outside Iran’s nuclear program, as it was highly targeted at destroying Iran’s efforts to become a nuclear power. Others, however, may use Stuxnet’s code as a base to attack SCADA or other systems in other countries.
