Stuxnet

Stuxnet: The Grandfather of Cyber Weapons

Stuxnet, the world’s first known cyber weapon, had technical and political ramifications as a cybersecurity exploit that became a key player in the Iran nuclear negotiations. More importantly, it cemented cyber weapons as a non-trivial defensive and offensive tool in the modern nuclear age. First discovered in 2010, Stuxnet was a computer worm that exploited a vulnerability in the Siemens software of Iran’s nuclear computers, causing the uranium enrichment centrifuges at the Natanz nuclear enrichment facility to rotate out of control and eventually explode. This paper will examine the technical logic and implementation behind the Stuxnet attack, its discovery, its impact on the Iran nuclear program, and the precedent it set as the first global cyber weapon.

How does Stuxnet work?

The goal behind Stuxnet was to hinder or disable Iran’s efforts to become a nuclear state, and it was engineered accordingly. Consequently, all of Stuxnet’s capabilities revolve around executing a targeted and contained attack specifically on Iran’s nuclear computing units. On Iranian nuclear control systems, normal use is as follows. The Siemens Step 7 software is used to write programs for industrial systems, and those programs are transferred to the PLC (Programmable Logic Controller), which runs the centrifuges. In turn, Windows database software is used to store important information about the centrifuges, such as their speed or notifications of potential errors. Stuxnet successfully exploited zero-day (previously unknown or undiscovered) vulnerabilities in the Siemens Step 7 and Microsoft software to incapacitate the centrifuges while remaining undetected.

The most commonly cited mechanism Stuxnet uses to gain access to the computer network is through an infected USB drive, automatically loading itself onto computers with open file sharing. From there, it used the default password of the Siemens Step 7 software to gain access to the database and load itself onto the computer. To propagate to other computers on the network, it infected PLC data files and copied itself into them. It also has a peer-to-peer update mechanism that updates all instances once one of them gains control at the system level. The last step of gaining access is to check that the PLC is controlling at least 155 total frequency converters, a little under the known amount of Iranian centrifuge control. This verifies that Stuxnet is specifically targeting the Iranian centrifuges only. Once it loads malicious code to the PLC, it also verifies that the motors run at 800 Hz to 1200 Hz as an additional check that it is indeed on the correct centrifuge controller.

At this point, Stuxnet is ready to execute the attack. It increases the centrifuge frequency to 1410 Hz for 15 minutes, then sleeps to avoid detection. After 27 days, it slows the frequency to 2 Hz and sleeps again. The process is repeated, speeding up and slowing down the centrifuge. To avoid detection, it would send the correct frequency of 800-1200 Hz back to the database, and in the case of a failsafe, it would run the centrifuges at normal frequency. Additionally, Stuxnet used stolen Realtek certificates to avoid detection by antivirus software. Overall, Stuxnet used four different zero-day vulnerabilities in two different operating systems in a highly complex and targeted cyber attack that was completely unprecedented in scope and ultimately effective in both its attack and its stealth.
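The falsified readings described above are the reason defenders cross-check controller-reported values against a measurement the controller cannot rewrite. The following Python code is an added example, not part of the original paper or of any vendor tooling; the independent sensor feed, the tolerance value, and the sample telemetry are assumptions constructed for illustration.

```python
from dataclasses import dataclass

NORMAL_BAND_HZ = (800.0, 1200.0)  # normal operating range given in the text
TOLERANCE_HZ = 25.0               # assumed allowable disagreement between sources


@dataclass
class Sample:
    minute: int          # minutes since start of capture
    reported_hz: float   # value the controller wrote to the database
    measured_hz: float   # value from an independent sensor (assumed to exist)


def in_band(hz, band=NORMAL_BAND_HZ):
    return band[0] <= hz <= band[1]


def find_alerts(samples, tolerance=TOLERANCE_HZ):
    """Return (minute, reason) tuples for readings that are unsafe or falsified."""
    alerts = []
    for s in samples:
        if not in_band(s.measured_hz):
            # Physical speed is outside the safe band. If the database still
            # shows a normal value, the reported data is hiding the excursion.
            reason = "masked_excursion" if in_band(s.reported_hz) else "excursion"
            alerts.append((s.minute, reason))
        elif abs(s.reported_hz - s.measured_hz) > tolerance:
            # Both values look normal but disagree: the report is not live data.
            alerts.append((s.minute, "mismatch"))
    return alerts


# Constructed telemetry, not real plant data.
SAMPLES = [
    Sample(0, 1000.0, 999.2),
    Sample(1, 1000.0, 1410.0),  # overspeed while the database shows normal
    Sample(2, 1000.0, 1410.0),
    Sample(3, 1000.0, 1001.1),
    Sample(4, 1000.0, 2.0),     # underspeed while the database shows normal
    Sample(5, 1000.0, 1120.0),  # in band, but report does not track reality
    Sample(6, 1500.0, 1500.0),  # honest report of an out-of-band speed
]

if __name__ == "__main__":
    for minute, reason in find_alerts(SAMPLES):
        print(f"minute {minute}: {reason}")
```

The check only has value if the measured value travels over a path the compromised controller and its database cannot rewrite.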

Discovery

Stuxnet was discovered by Sergey Ulasen of the internet security company VirusBlokAda, and later Kaspersky. While working on a customer complaint that their computer kept rebooting, he discovered that the Stuxnet malware was on the computer. Both Siemens and Microsoft have security patches that address the flaws exploited by Stuxnet, although Microsoft failed to do so on the first try, requiring two additional updates. It is estimated that Stuxnet affected a little under 1000 Iranian centrifuges. The Stuxnet attack is widely attributed to Israel and the United States, as both countries were concerned with the progression of the Iranian nuclear program, but neither country has publicly confirmed its involvement.

Impact

Stuxnet is estimated to have set back the Iran nuclear program by 2 years. Despite Stuxnet, Iran was revealed to be a nuclear state in the mid-2000s. More significantly, however, Stuxnet was proof that cyber attacks could impact the physical world and be used to damage physical infrastructure. In the age of technology, modern warfare will increasingly rely on cyber weapons like Stuxnet to weaken enemy resources. Additionally, the code of Stuxnet is available on the internet, making it an open source cyber weapon potentially capable of attacking power grids, nuclear plants, or other infrastructure if the source code is accurately altered. Stuxnet makes extremely clear the need for strong security practices as we move into an increasingly digital, and increasingly vulnerable, world.

Written by Sabrina Tsui

Sources

Corera, Gordon. “What Made the World’s First Cyber-Weapon so Destructive?” BBC IWonder, BBC.
Holloway, Michael. Stuxnet Worm Attack on Iranian Nuclear Facilities. 16 July 2015.
“Interview with Sergey Ulasen, The Man Who Found The Stuxnet Worm.” Nota Bene Eugene Kaspersky’s Official Blog.
“Iran Nuclear Program.” Wikipedia, Wikimedia Foundation.
Jones, Brad. “The Legacy of Stuxnet.” Digital Trends, 7 Mar. 2016.
Katz, Yaakov. Stuxnet Virus Set Back Iran’s Nuclear Program by 2 Years. 15 Dec. 2010.
Krebs, Brian. Microsoft Fixes Stuxnet Bug Again. 10 Mar. 2015.
Nachenberg, Carey. “Dissecting Stuxnet.” Stanford University.
“Protecting Productivity – Integrated Industrial Security.” Patches and Updates – Industrial Security – Siemens.
“Stuxnet.” Wikipedia, Wikimedia Foundation.

Robert Bacher

Robert Bacher (1905-2004)

 

Background

Bacher was a nuclear physicist known for his leadership at the Los Alamos laboratory during the Manhattan Project. He received his bachelor’s and PhD degrees in physics at the University of Michigan. After graduation, he held teaching positions at Columbia University, and later Cornell University, advancing from assistant professor to tenured professor in 1945. At Cornell, Bacher measured neutron absorption with a neutron velocity spectrometer, which was also used for experiments at Los Alamos. He also worked on radar research at MIT’s Radiation Laboratory. During this time, he was contacted by Robert Oppenheimer due to his work connected with the Radiation Lab. Oppenheimer “was very much interested in the problems that one would run into in setting up a new laboratory. This was why he came to us.”

Manhattan Project

Robert Bacher headed the experimental physics division of the Los Alamos Laboratory during the war. As a partner with Oppenheimer in setting up the new Los Alamos lab, he “felt very strongly that a laboratory could not be a military laboratory”, because doing so would go against the ideals of scientific research, and he thus established it as a civilian laboratory. He started as a leader in the physics division. In 1944, Bacher led the G, or “gadget”, division of the lab, which came up with the design of the implosion-type ‘Fat Man’ atomic bomb. In the transition from a uranium bomb to developing a plutonium bomb, Bacher’s division experimented with the symmetry of implosion to compress the plutonium center. He was also one of the scientists who participated in the 1945 Trinity test of the bomb’s plutonium core.

After the war and the AEC

Post-war, Bacher remained involved in policy as a United Nations technical advisor to Bernard Baruch. He also joined the Atomic Energy Commission as its only scientist. In an interview he stated, “I felt that for the Atomic Energy Commission to start up without having scientific representation on it was not the right thing to do,” especially at the highest level of policy-making. During the first half of his time on the board, Bacher conducted investigations at the Los Alamos and Hanford nuclear facilities and discovered they were not producing bombs at the rate the US government had hoped for their nuclear stockpile. Under his guidance, the labs were able to resume weapon production to a suitable level. In the latter half of his time at the AEC, Bacher was able to propose alternative, non-weaponized uses of nuclear power. After his time on the Atomic Energy Commission, he returned to Caltech as faculty and head of the Physics, Math and Astronomy division, where he remained until retirement.

 

Written by Sabrina Tsui

Sources:

Interview of Robert Bacher by Finn Aaserud on 1986 February 13, Niels Bohr Library & Archives, American Institute of Physics, College Park, MD USA.

Robert Bacher Biography. Engineering and Technology History Wiki.

Sherwin, Martin J. “Robert Bacher’s Interview – Part 1.” Robert Bacher’s Interview – Part 1, Manhattan Project Voices, 29 Mar. 1983.

Ward Whaling. Robert F. Bacher: A Biographical Memoir. National Academy of Sciences, 2009.