When it comes to cyber security, it’s normally data breaches that make the news. These incidents affect many people and represent a terrible news day for the company at the receiving end of the data breach. Much less regularly, you hear about a new zero-day exploit that often heralds a rash of data breaches of companies that can’t protect themselves. It’s not very often that you hear about cyber incidents that don’t directly affect users. Stuxnet is one of those rare exceptions.
Worming Its Way In
Stuxnet is the name of a strain of malware. Specifically, it is a worm. A worm is a term used to refer to any malware that can automatically propagate itself from one infected device to another. This allows it to spread rapidly, as a single infection can result in a much larger-scale infection. This wasn’t even what made Stuxnet famous. Nor was how wide it spread, as it didn’t cause that many infections. What made Stuxnet stand out was its targets and its techniques.
Stuxnet was first found in a nuclear research facility in Iran. Specifically, the Natanz facility. A few things about this stand out. Firstly, Natanz was an atomic facility working on enriching Uranium. Secondly, the facility wasn’t connected to the Internet. This second point makes it difficult to infect the system with malware and is typically known as an “air gap.” An air gap is generally used for susceptible systems that don’t actively need an Internet connection. It does make installing updates harder, but it also decreases the threat landscape faces.
In this case, Stuxnet was able to “jump” the air gap through the use of USB sticks. The precise story is unknown, with two popular options. The older story was that the USB sticks were dropped surreptitiously in the facility’s car park and that an overly curious employee plugged it in. A recent story alleges that a Dutch mole working at the facility either plugged in the USB stick or got someone else to do so. The malware on the USB stick included the first of four zero-day exploits used in Stuxnet. This zero-day automatically launched the malware when the USB stick was plugged into a Windows computer.
Targets of Stuxnet
The primary target of Stuxnet appears to be the Natanz nuclear facility. Other facilities were also affected, with Iran seeing almost 60% of all worldwide infections. Natanz is exciting because one of its core functions as a nuclear facility is to enrich uranium. While lightly enriched uranium is needed for nuclear power plants, highly enriched uranium is necessary to build a uranium-based nuclear bomb. While Iran states that it is enriching uranium for use in nuclear power plants, there has been international concern over the amount of enrichment happening and that Iran could be attempting to construct a nuclear weapon.
To enrich uranium, it’s necessary to separate three isotopes: U234, U235, and U238. U238 is by far the most naturally abundant but isn’t suitable for nuclear power or nuclear weapons use. The current method uses a centrifuge where the spinning causes the different isotopes to separate by weight. The process is slow for several reasons and takes a lot of time. Critically, the centrifuges used are very sensitive. The centrifuges at Natanz spun at 1064Hz. Stuxnet caused the centrifuges to spin faster and then slower, up to 1410Hz and down to 2Hz. This caused physical stress on the centrifuge, resulting in catastrophic mechanical failure.
This mechanical failure was the intended outcome, with the presumed aim of slowing or halting Iran’s uranium enrichment process. This makes Stuxnet the first known example of a cyber weapon used to degrade the abilities of a nation-state. It also was the first use of any form of malware that resulted in the physical destruction of hardware in the real world.
The Actual Process of Stuxnet – Infection
Stuxnet was introduced into a computer via the use of a USB stick. It used a zero-day exploit to run itself when plugged into a windows computer automatically. A USB stick was used as the primary target Natanz nuclear facility was air-gapped and not connected to the Internet. The USB stick was either “dropped” near the facility and inserted by an unwitting employee or was introduced by a Dutch mole at the facility; the specifics of this are based on unconfirmed reports.
The malware infected Windows computers when the USB stick was inserted through a zero-day vulnerability. This vulnerability targeted the process that rendered icons and allowed remote code execution. Critically, this step didn’t require user interaction beyond inserting the USB stick. The malware included a rootkit allowing it to deeply infect the operating system and manipulate everything, including tools like antivirus, to hide its presence. It was able to install itself using a pair of stolen driver-signing keys.
Tip: Rootkits are particularly nasty viruses that are very difficult to detect and remove. They get themselves into a position where they can modify the whole system, including the antivirus software, to detect its presence.
The malware then tried to spread itself to other connected devices through local network protocols. Some methods made use of previously known exploits. However, one used a zero-day vulnerability in the Windows Printer Sharing driver.
Interestingly, the malware included a check to disable infecting other devices once the device had infected three different devices. However, those devices were themselves free to infect another three devices each, and so on. It also included a check that automatically deleted the malware on the 24th of June 2012.
The Actual Process of Stuxnet – Exploitation
Once it spread itself, Stuxnet checked to see if the infected device could control its targets, the centrifuges. Siemens S7 PLCs or Programmable Logic Controllers controlled the centrifuges. The PLCs were, in turn, programmed by the Siemens PCS 7, WinCC, and STEP7 Industrial Control System (ICS) software. To minimize the risk of the malware being found where it couldn’t affect its target if it couldn’t find any of the three pieces of software installed, it sits dormant, doing nothing else.
If any ICS applications are installed, it infects a DLL file. This allows it to control what data the software sends to the PLC. At the same time, a third zero-day vulnerability, in the form of a hardcoded database password, is used to control the application locally. Combined, this allows the malware to adjust the programming of the PLC and to hide the fact that it has done so from the ICS software. It generates false readings indicating that everything is fine. It does this when analyzing the programming, hiding the malware, and reporting the spin speed, hiding the actual effect.
The ICS then only infects Siemens S7-300 PLCs, and even then, only if the PLC is connected to a variable frequency drive from one of two vendors. The infected PLC then only actually attacks systems where the drive frequency is between 807Hz and 1210Hz. This is far faster than traditional centrifuges but typical of the gas centrifuges used for uranium enrichment. The PLC also gets an independent rootkit to prevent uninfected devices from seeing the true rotation speeds.
In the Natanz facility, all of these requirements were met as the centrifuges span at 1064Hz. Once infected, the PLC span the centrifuge up to 1410Hz for 15 minutes, then dropped to 2Hz, and then spun back up to 1064Hz. Done repeatedly over a month, this caused around a thousand centrifuges at the Natanz facility to fail. This happened because the changes in rotational speed put mechanical stress on the aluminum centrifuge so that parts expanded, came into contact with each other, and mechanically failed.
While there are reports of around 1000 centrifuges being disposed of around this time, there’s little to no evidence of how catastrophic the failure would be. The loss is mechanical, partly induced by stress and resonant vibrations. The failure is also in a huge, heavy device spinning very fast and was likely dramatic. Additionally, the centrifuge would have contained uranium hexafluoride gas, which is toxic, corrosive, and radioactive.
Records show that while the worm was effective at its task, it wasn’t 100% effective. The number of functional centrifuges Iran owned dropped from 4700 to about 3900. Additionally, they were all replaced relatively quickly. The Natanz facility enriched more uranium in 2010, the year of infection, than the previous year.
The worm also wasn’t as subtle as hoped. Early reports of random mechanical failures of centrifuges were found to be unsuspicious even though a precursor caused them to Stuxnet. Stuxnet was more active and was identified by a security firm called in because Windows computers occasionally crashed. Such behavior is seen when memory exploits don’t work as intended. This ultimately led to the discovery of Stuxnet, not the failed centrifuges.
The attribution of Stuxnet is shrouded in plausible deniability. The culprits, however, are widely assumed to be both the US and Israel. Both countries have strong political differences with Iran and deeply object to its nuclear programs, fearing that it is attempting to develop a nuclear weapon.
The first hint for this attribution comes from the nature of Stuxnet. Experts have estimated that it would have taken a team of 5 to 30 programmers at least six months to write. Additionally, Stuxnet used four zero-day vulnerabilities, a number unheard of in one go. The code itself was modular and easy to expand. It targeted an industrial control system and then a not particularly common one.
It was incredibly specifically targeted to minimize the risk of detection. Additionally, it used stolen driver certificates that would have been very difficult to access. These factors point towards an extremely capable, motivated, and well-funded source, which almost certainly means a nation-state APT.
Specific hints towards US involvement include using zero-day vulnerabilities previously attributed to the Equation group, widely believed to be part of the NSA. Israeli participation is slightly less well attributed, but differences in coding style in different modules heavily hint at the existence of at least two contributing parties. Additionally, there are at least two numbers that, if converted to dates, would be politically significant to Israel. Israel also adjusted its estimated timeline for an Iranian nuclear weapon shortly before Stuxnet was deployed, indicating that they were aware of an impending impact on the alleged program.
Stuxnet was a self-propagating worm. It was the first use of a cyber weapon and the first instance of malware causing real-world destruction. Stuxnet was primarily deployed against the Iranian Natanz nuclear facility to degrade its uranium enrichment ability. It made use of four zero-day vulnerabilities and was highly complex. All signs point to it being developed by a nation-state APT, with suspicions falling on the US and Israel.
While Stuxnet was successful, it did not have a meaningful impact on Iran’s uranium enrichment process. It also opened the door for the future use of cyberweapons to cause physical damage, even during peacetime. While there were many other factors, it also helped to increase the political, public, and corporate awareness of cyber security. Stuxnet was deployed in the timeframe of 2009-2010