Stuxnet

Stuxnet: The Grandfather of Cyber Weapons

Stuxnet, the world’s first known cyber weapon, not only had technical and political ramifications, as a cybersecurity exploit became a key player in the Iran nuclear negotiations, but, more importantly, it cemented cyber weapons as a non-trivial defensive and offensive tool in the modern nuclear age. First discovered in 2010, Stuxnet was a computer worm that exploited a vulnerability in the Siemens software on the computers of Iran’s nuclear program, causing the uranium enrichment centrifuges at the Natanz nuclear enrichment facility to rotate out of control and eventually explode. This paper examines the technical logic and implementation behind the Stuxnet attack, its discovery, its impact on the Iranian nuclear program, and its precedent as the first global cyber weapon.

How does Stuxnet work?

The goal behind Stuxnet was to hinder or disable Iran’s efforts to become a nuclear state, and it was engineered around that design decision. Consequently, all of Stuxnet’s capabilities revolve around executing a targeted and contained attack specifically on the computing units of Iran’s nuclear program. On Iranian nuclear control systems, normal use is as follows. The Siemens Step 7 software is used to program the industrial logic, which is transferred to the PLC (Programmable Logic Controller) that runs the centrifuges. In turn, database software running on Windows stores important information about the centrifuges, such as their speed and notifications of potential errors. Stuxnet successfully exploited zero-day vulnerabilities (previously unknown or undiscovered flaws) in the Siemens Step 7 and Microsoft software to incapacitate the centrifuges while remaining undetected.

The most commonly cited mechanism by which Stuxnet gains access to the computer network is an infected USB drive, after which it automatically loads itself onto computers with open file sharing. From there, it used the default password of the Siemens Step 7 installation to gain access to the database and load itself onto the computer. To propagate to other computers on the network, it infected PLC data files and copied itself into them. It also has a peer-to-peer update mechanism that updates all instances once one of them gains control at the system level. The last step in gaining access is to check that the PLC is controlling at least 155 frequency converters in total, a little under the known number under Iranian centrifuge control. This check verifies that Stuxnet targets only the Iranian centrifuges. Once it loads its malicious code onto the PLC, it also verifies that the motors are running at 800 Hz to 1200 Hz, as an additional check that it is indeed on the correct centrifuge controller.

At this point, Stuxnet is ready to execute the attack. It increases the centrifuge frequency to 1410 Hz for 15 minutes, then sleeps to avoid detection. After 27 days, it slows the frequency to 2 Hz and sleeps again. The process repeats, speeding up and slowing down the centrifuges. To avoid detection, it reports the correct frequency of 800 to 1200 Hz back to the database, and if a failsafe was triggered, it would run the centrifuges at normal frequency. Additionally, Stuxnet used stolen Realtek certificates to avoid detection by antivirus software. Overall, Stuxnet used four different zero-day vulnerabilities in two different operating systems, in a highly complex and targeted cyber attack that was unprecedented in scope and ultimately effective in both its attack and its stealth.
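The evasion described above works because the monitoring software trusts the frequency value the PLC writes back to the database. The following is an added example, not code from the original post or from any Stuxnet analysis: a small monitor that cross-checks the database-reported drive frequency against an independent, out-of-band measurement (assumed here to come from a separate sensor such as a current clamp or vibration probe on the drive) and flags both out-of-range speeds and disagreement between the two sources. The sample readings, the 800 to 1200 Hz normal band taken from the text, and the 25 Hz tolerance are all constructed for illustration.

```python
"""Out-of-band cross-check of reported vs. measured centrifuge drive frequency.

Added example (not part of the original post). A monitor that only reads the
value the PLC reports to the SCADA database cannot see a controller that lies;
one that also reads an independent sensor can. All values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

NORMAL_MIN_HZ = 800.0    # normal operating band stated in the text
NORMAL_MAX_HZ = 1200.0
MAX_DIVERGENCE_HZ = 25.0  # assumed tolerance between the two sources


@dataclass(frozen=True)
class Sample:
    t_s: int             # seconds since start of the log
    reported_hz: float   # value the PLC wrote to the database
    measured_hz: float   # value from the independent sensor (assumed)


@dataclass(frozen=True)
class Alert:
    t_s: int
    kind: str            # "out_of_range" or "telemetry_mismatch"
    detail: str


def check_samples(samples: List[Sample]) -> List[Alert]:
    """Return one alert per anomaly found in the telemetry stream."""
    alerts: List[Alert] = []
    for s in samples:
        # Rule 1: the independently measured speed must stay inside the band.
        if not NORMAL_MIN_HZ <= s.measured_hz <= NORMAL_MAX_HZ:
            alerts.append(Alert(s.t_s, "out_of_range",
                                f"measured {s.measured_hz:.0f} Hz"))
        # Rule 2: reported and measured speed must agree within tolerance.
        if abs(s.reported_hz - s.measured_hz) > MAX_DIVERGENCE_HZ:
            alerts.append(Alert(s.t_s, "telemetry_mismatch",
                                f"reported {s.reported_hz:.0f} Hz vs "
                                f"measured {s.measured_hz:.0f} Hz"))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts by kind."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


def first_anomaly_time(alerts: List[Alert]) -> Optional[int]:
    """Timestamp of the earliest alert, or None if the stream is clean."""
    return min((a.t_s for a in alerts), default=None)


# Constructed telemetry: the database keeps showing a normal value while the
# independent sensor sees a speed-up phase and, later, a slow-down phase.
SAMPLES: List[Sample] = [
    Sample(0,   1064.0, 1063.0),
    Sample(60,  1064.0, 1062.0),
    Sample(120, 1064.0, 1410.0),   # drive spun up, database still reads normal
    Sample(180, 1064.0, 1410.0),
    Sample(240, 1064.0, 1065.0),   # back to normal, sources agree again
    Sample(300, 1064.0, 2.0),      # slow-down phase, database still reads normal
]

if __name__ == "__main__":
    found = check_samples(SAMPLES)
    for a in found:
        print(f"t={a.t_s:>4}s  {a.kind:<18} {a.detail}")
    print("summary:", summarize(found))
    print("first anomaly at:", first_anomaly_time(found), "s")
```

Each sample that breaks one of the two rules yields its own alert, so the constructed stream produces six alerts in total (three out-of-range, three mismatches), the first at 120 s. The same check over only the reported column would produce none, which is the point: an independent measurement path is what makes the replayed "normal" values detectable.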

Discovery

Stuxnet was discovered by Sergey Ulasen of the internet security company VirusBlokAda, and later of Kaspersky. While working on a customer complaint that a computer kept rebooting, he discovered the Stuxnet malware on the machine. Both Siemens and Microsoft have released security patches that address the flaws exploited by Stuxnet, although Microsoft failed to fix its flaw on the first try and required two additional updates. Stuxnet is estimated to have affected a little under 1000 Iranian centrifuges. The attack is widely attributed to Israel and the United States, as both countries were concerned about the progress of the Iranian nuclear program, but neither has publicly confirmed its involvement.

Impact

Stuxnet is estimated to have set back the Iranian nuclear program by 2 years. Despite Stuxnet, Iran was revealed to be a nuclear state in the mid-2000s. More significantly, however, Stuxnet was proof that cyber attacks could affect the physical world and be used to damage physical infrastructure. In the age of technology, modern warfare will increasingly rely on cyber weapons like Stuxnet to weaken enemy resources. Additionally, Stuxnet’s code is available on the internet, making it an open-source cyber weapon potentially capable of attacking power grids, nuclear plants, or other infrastructure if the source code is suitably altered. Stuxnet makes the need for strong security practices extremely clear as we move into an increasingly digital, and increasingly vulnerable, world.

Written by Sabrina Tsui

