Stuxnet – the World’s First Digital Weapon

by Marius Marinescu / 27 October

 

Stuxnet is an extremely sophisticated computer worm that exploits multiple previously unknown Windows zero-day vulnerabilities to infect computers and spread. Its purpose was not just to infect PCs but to cause real-world physical effects. Specifically, it targets centrifuges used to produce the enriched uranium that powers nuclear weapons and reactors.

Stuxnet was first identified by the infosec community in 2010, but development on it probably began in 2005. Despite its unparalleled ability to spread and its widespread infection rate, Stuxnet does little or no harm to computers not involved in uranium enrichment. When it infects a computer, it checks to see if that computer is connected to specific models of programmable logic controllers (PLCs) manufactured by Siemens. PLCs are how computers interact with and control industrial machinery like uranium centrifuges.

 

If it is deconstructed, they are simply the control element of a control system. If you are building a motion detected lighting system, you must have 3 parts to that; a sensor, a controller and an actuator. In a lighting system, the sensor would be a thermal sensor that detects human presence or movement; the controller would be a circuit or something more complex that the logic of the system would be built in, and the actuator would be the lights. The end result would be the controller sensing the presence of a human through the sensors, and turning on the switch to turn on the lights. This is a very simple control system that gives the ability to program the controller without changing the circuitry, or electrical system associated with it.

 

Modern PLCs are programmed using the proprietary OEM software that comes along with the system. This software incorporates graphical programming interfaces such as ladder programming that enable automation engineers with limited programming knowledge to program the PLCs that will automate the connected hardware. In a factory setting, combinations of PLCs are connected using SCADA (Supervisory Control and Data Acquisition) systems that are also programmed using OEM software provided by the system manufacturers creating an ecosystem of Operational Technology software.

 

The biggest jaw-drop comes when we analyze the security of this software, with it being developed for engineers by OT software developers. By some, the vulnerabilities of the software have been thrashed as Insecure by Design, especially when looking at the access privileges and protocol vulnerabilities. There are significant amounts of vulnerabilities reported on leading OEM software vendors that question the very competency of the hardware giants to develop secure OT software. It is these vulnerabilities combined with OS vulnerabilities that were exploited by Stuxnet to carry out massive damages to selected critical infrastructure.

 

It’s now widely accepted that Stuxnet was created by the intelligence agencies of the United States and Israel. The classified program to develop the worm was given the code name “Operation Olympic Games” and it was begun under President George W. Bush and continued under President Obama. While neither government has ever officially acknowledged developing Stuxnet, a 2011 video created to celebrate the retirement of Israeli Defense Forces head Gabi Ashkenazi listed Stuxnet as one of the successes under his watch.

 

While the individual engineers behind Stuxnet haven’t been identified, we know that they were very skilled, and that there were a lot of them. Kaspersky Lab’s Roel Schouwenberg estimated that it took a team of ten coders two to three years to create the worm in its final form.

The U.S. and Israeli governments intended Stuxnet as a tool to derail, or at least delay, the Iranian program to develop nuclear weapons. The Bush and Obama administrations believed that if Iran was on the verge of developing atomic weapons, Israel would launch airstrikes against Iranian nuclear facilities in a move that could have set off a regional war. Operation Olympic Games was seen as a nonviolent alternative. Although it wasn’t clear that such a cyberattack on physical infrastructure was even possible, there was a dramatic meeting in the White House Situation Room late in the Bush presidency during which pieces of a destroyed test centrifuge were spread out on a conference table. It was at that point that the U.S. gave the go-ahead to unleash the malware.

 

Stuxnet was developed as a computer malware that only attacked SCADA systems that were developed by Siemens, the German industrial devices giant. The malware was designed to exploit zero-day vulnerabilities in Microsoft Windows operating system, and the software of Siemens, SIMATIC STEP 7 and SIMATIC WinCC. In terms of Microsoft Windows, the creators of the virus exploited 4 zero-day vulnerabilities of Microsoft Windows to spread. The main objective of Stuxnet was to increase the speed of the Iranian nuclear centrifuges at Natanz, resulting in a melt-down, thus damaging the nuclear infrastructure.

 

It is important to note that most operational technology systems of modern critical infrastructure are built with direct cyber attacks in mind, thereby air gapping the systems in most cases. What it means is that the local networks of SCADA systems are not connected to the unsecured systems such as the Internet. This prevents a direct remote cyber attack without the engagement of a physical agent impossible, thus reducing the vulnerability of the system. The above argument was taken into consideration by the developers of Stuxnet.

 

Stuxnet mainly had 3 components that worked in sync: a worm to deliver the payload, a link file to replicate the worm, and a rootkit to hide all the malicious code. The malware famously exploited the Windows shortcut vulnerability from where it is spread to removable devices such as flash drives.

 

The sophistication in Stuxnet’s design makes it interesting to study how it affected Natanz nuclear centrifuges. A rough idea of what happened is as follows:

 

1. Stuxnet spreads to millions of devices through the internet, infecting computers and copying itself to the removable devices such as USB flash drives.

 

2. Stuxnet malware infects the computer of the maintenance engineer through the USB flash drive. Since an air gap is installed to block direct cyber attacks by the external networks to the internal network of the Natanz facility, this was the only way such an infection was possible.

 

3. The malware is executed in the local host computer without any indication and replicates rapidly within the local network exploiting a Windows network vulnerability.

 

4. The malware has found the control computer running Siemens software and has infected its configuration files. There are varying reports of this software being SIMATIC STEP 7 — the Siemens PLC software or SIMATIC WinCC — the Siemens SCADA software. The infection results in malicious lines of code being executed by the system.

 

5. The code changes the programming to increase the centrifugal speed of Natanz centrifuges thus controlling the hardware. These lines of code are said to be executed once in 27 days to make it undetectable.

 

6. Code changes the output of the system to hide the increased centrifugal speeds. For example, if the centrifugal speeds are increased from 10,000rpm to 15,000rpm over a period of 3 months, the output from the SCADA system would only display 10,000rpm as the current centrifugal speed. This is to increase the damage to the infrastructure by delaying the date of discovery.

 

The complexity of Stuxnet lead to it being named the world’s first digital weapon.

Despite how well Stuxnet was designed, in its payload it is simply a logic bomb; a malware that is executed only when logic is met, in this case, the control computer of a Siemens S7–400 PLC, running SIMATIC WinCC and SIMATIC STEP 7 software. This was the configuration at Natanz nuclear centrifuges, but not only there. Stuxnet was never intended to spread beyond the Iranian nuclear facility at Natanz. However, the malware did end up on internet-connected computers and began to spread in the wild due to its extremely sophisticated and aggressive nature, though, as noted, it did little damage to outside computers it infected. Many in the U.S. believed the spread was the result of code modifications made by the Israelis.

 

The malware ultimately affected 115 countries damaging thousands of industrial equipments running the machines with said configuration.

Symantec, who was the first that unraveled Stuxnet, said that Stuxnet was “by far, the most complex piece of code that we’ve looked at – in a completely different league from anything we’d ever seen before”. And while you can find lots of websites that claim to have the Stuxnet code available to download, you shouldn’t believe them: the original source code for the worm, as written by coders working for U.S. and Israeli intelligence, hasn’t been released or leaked and can’t be extracted from the binaries that are loose in the wild. (The code for one driver, a very small part of the overall package, has been reconstructed via reverse engineering, but that’s not the same as having the original code.)

 

Since then several other worms with infection capabilities similar to Stuxnet, including those dubbed Duqu and Flame, have been identified in the wild, although their purposes are quite different than Stuxnet’s. Their similarity to Stuxnet leads experts to believe that they are products of the same development shop, which is apparently still active.