Stuxnet

What is Stuxnet?

Stuxnet is the first real malicious computer worm launched in industry, first discovered in June 2010 by the security company VirusBlokAda. Development started in 2005 and took till 2007 before it was launched. The worm caused destructive damage to the Iranian Nuclear Industry via the Siemens S7-300 PLC control systems of centrifuges. Stuxnet created a normal view to operators, while in fact the centrifuges were damaged by overspeed by keeping the outlet valves closed. Although no country has openly admitted responsibility, the worm is widely understood to be a jointly built American/Israeli cyberweapon. Later it was hinted that the Dutch Intelligence Services AIVD contributed to the successful launch. Also Germany contributed by providing information about the Siemens systems delivered to Iran and also France contributed.

How does Stuxnet work?

Many organisations investigated how it works, such as IEEE, Kaspersky labs and many more. By using a special technique called ‘reverse engineering’ specialists were able to reproduce part of the source code of Stuxnet. The entire source code has not yet been published.

  1. Infection: Stuxnet enters a system via a USB stick (jumping the air gap) and proceeds to infect all machines running Microsoft Windows. By brandishing two digital certificates that seems to show that it comes from a reliable company, the worm is able to evade automated-detection systems. Stuxnet uses 4 zero-day vulnerabilities and a default password attack to enter the Siemens systems. Among these exploits were remote code execution on a computer with Printer Sharing enabled and the LNK/PIF vulnerability, in which file execution is accomplished when an icon is viewed in Windows Explorer, negating the need for user interaction. Stuxnet is a large worm of almost half a megabyte in size and written in several different programming languages such as C and C++, which is also unusual for malware.
  2. Search: Stuxnet then checks whether a given machine is part of the targeted industrial control system S7 PLC by Siemens. Such systems are deployed to Iran to control high-speed centrifuges to enrich nuclear fuel.
  3. Update: If the system isn’t a target, Stuxnet does nothing. But if it is, the worm attempts to access the Internet and download a more recent version of itself. In this way it is possible to keep the worm up-to-date, but without this update possibility it also works.
  4. Compromise: The worm then compromises the target system’s logic controllers using the ‘zero-day’ vulnerabilities that have been identified by experts.
  5. Control: At the start of the infection Stuxnet spies on the operation of the target system and then it uses this information to take control of the centrifuges. First it showed normal operation to the operators, no alarms and normal speed. Then it increased the speed with closed outlet valves, making the centrifuges spin themselves to failure.
  6. Deceive and destroy: The operators were presented with false information and had no idea what was going wrong until it was too late. After successful destruction the Stuxnet worm deleted itself from the Windows systems by deleting the log-files and other information that could help in forensic investigation.

The worm consists of a layered attack against three different systems:

  1. The Windows operating system,
  2. Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows and
  3. One or more Siemens S7 PLCs.

In 2014, 4 years after the successful Stuxnet attacks an article was published that “The 0-day Vulnerability exploited by Stuxnet (CVE-2010-2568) still threatens users, Kaspersky Lab study finds”. This vulnerability remains widespread and poses a threat in 2014, 4 years after discovery to 19,000,000 users. This was because it took Microsoft a long time to create a patch for the vulnerability and many users didn’t patch their systems on a regular basis. Luckily most Anti-virus software protecting Microsoft systems were able to identify Stuxnet-like attacks and was the only way of protection for some time.

Impact:

Kevin Hogan, Senior Director of Security Response at Symantec noted in August 2010 that 60% of the infected computers worldwide were in Iran. Kaspersky Lab experts at first estimated that Stuxnet started spreading around March and April 2010, but the first variant of the worm appeared in June 2009.

On 15 July 2010, the day the worm’s existence became widely known, a distributed denial-of-service attack was made on the servers for two leading mailing lists on industrial-systems security. This attack, from an unknown source but likely related to Stuxnet, disabled one of the lists and thereby interrupted an important source of information for power plants and factories. On the other hand, researchers at Symantec have uncovered a version of the Stuxnet computer virus that was used to attack Iran’s nuclear program in November 2007, being developed as early as 2005, when Iran was still setting up its uranium enrichment facility.

The second variant, with substantial improvements, appeared in March 2010, apparently because its authors believed that Stuxnet was not spreading fast enough; a third, with minor improvements, appeared in April 2010.

A study in 2011 of the spread of Stuxnet by Symantec showed that the main affected countries in the early days of the infection were Iran, Indonesia and India:

Country Share of infected computers
Iran 58.3%
Indonesia 17.8%
India 10.0%
Azerbaijan 3.4%
Pakistan 1.4%
Malaysia 1.2%
United States 0.9%
Uzbekistan 0.7%
Russia 0.6%
Others 5.7%

Later in 2017 a Whitepaper was published by ESET with more detailed statistics:

Country Share of infected computers
Iran 52.2%
Indonesia 17.4%
India 11.3%
Pakistan 3.6%
Uzbekistan 2.6%
Russia 2.1%
Kazakhstan 1.3%
Belarus 1.1%
Kyrgyzstan 1.0%
Azerbaijan 0.7%
United States 0.6%
Cuba 0.6%
Tajikistan 0.5%
Afghanistan 0.3%
Rest of the world 4.6%

Statistics published by the Federation of American Scientists (FAS) show that the number of enrichment centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 beginning around the time the nuclear incident WikiLeaks mentioned would have occurred. The Institute for Science and International Security (ISIS) suggests, in a report published in December 2010, that Stuxnet is a reasonable explanation for the apparent damage at Natanz Nuclear Facility in Iran, and may have destroyed up to 1,000 centrifuges (10 %) between November 2009 and late January 2010.

What happened after Stuxnet?

Experts believe the worm might have set back Iran’s nuclear program by as much as two years or more. However, many are asking, then what? What happens after the two years or however long it takes for Iranian engineers to solve the Stuxnet problem?

A positive change after Stuxnet was that it created justification to start Cybersecurity programs to protect companies and individuals against Cyber-attacks worldwide. Non-believers that believed that the experts were talking about Science Fiction could not refuse and deny that a Cyber-attack could destroy production facilities or worse. One problem the experts were facing before Stuxnet was that it ranked: “Never heard of in Industry” and this changed to “Heard of in Industry”, the next step in a Risk Assessment.

After Stuxnet many attacks have created a lot of damage and people learned from Stuxnet that anything could be possible in the Cyber world.

More reading could be found here: Stuxnet Under the Microscope (85 pages).