Post

Stuxnet - The malware that hacked a nuclear facility

What was Stuxnet?

Stuxnet was a computer worm discovered in 2010; it targeted the Siemens industrial control systems used in Iran’s nuclear facilities to sabotage their uranium enrichment program. Its discovery led to widespread discussions on cybersecurity, cyberwarfare, and the ethical implications of using digital weapons.

Stuxnet represented a significant shift in cyber warfare tactics, as it specifically targeted physical infrastructure rather than just data or networks.

The Attack Cycle

Stuxnet was a very complicated piece of malware, with the main file being over 500kb. Several layers of encryption masked its many parts and inner core.

The worm consisted of two parts: the infiltration system and the payload. The entirety of the Stuxnet malware consisted of a large DLL file, which was packaged with a dozen smaller DLL files wrapped together in multiple layers of encryption.

Stuxnet stands alone in the realm of malware, as no other has ever been found to exploit as many zero-day vulnerabilities. This unprecedented feat suggests that the attackers were specifically targeting a high-value, high-security objective.

Organizations must continuously update their security protocols to protect against zero-day vulnerabilities, which are exploited before developers have a chance to issue fixes.

Infiltration

Attackers had the task of disrupting systems that were not directly connected to the internet. They did this by creating autonomous worms loaded onto a USB flash drive, hoping that if enough systems got infected, they would eventually hit their target. These infected USB drives were spread across the facilities to be picked up by industrial facility employees who would plug them into their computers. Infected machines would also spread Stuxnet through shared drives, yet another method they could use to reach their targets.

Once these drives were plugged in, the primary Stuxnet DLL used a Windows Shell LNK vulnerability (CVE-2010-2568) to install itself on the system.

This type of vulnerability highlights the importance of regularly updating operating systems to patch known security flaws.

The Stuxnet DLL was designed to be compatible with different versions of Windows, namely Windows Vista, XP, 7 as well as Windows Server 2000, 2003. Once installed, two Zero-Day exploits were used to escalate its privileges and inject themselves into a new process: Unpatched Windows Task Scheduler Vulnerability (CVE-2010-2743). This DLL had countermeasures installed to evade the most popular antivirus programs at the time, AVP and McAfee.

Be wary of malware that can evade detection by common antivirus programs; consider employing a multi-layered security approach.

The malware then wrote six files: 4 were Windows directory encrypted files, and two were device drivers.

  • C:\\Windows\inf\oem7A.pnf
  • C:\\Windows\inf\oem6C.pnf
  • C:\\Windows\inf\mdmcpq3.pnf
  • C:\\Windows\inf\mdmeric3.pnf
  • C:\\Windows\system32\Drivers\mrxnet.sys
  • C:\\Windows\system32\Drivers\mrxcls.sys

It then installs these drivers into the registry to ensure that the malware runs every time the computer boots up. These files are loaded before most of the Windows system applications. The malware then modifies the Windows Firewall and Windows Defender to avoid detection.

The next step for Stuxnet was to spread across the network. For this, it used two vulnerabilities: a known Windows Server NetPathCanonicalize() (CVE-2008-4250) vulnerability through which it copied itself onto remote system shares and a zero-day vulnerability called the Windows Print Spooler Service Vulnerability (CVE-2010-2729), which it used to write files to a shared printer’s system directory.

In addition to using Zero-Day vulnerabilities, Stuxnet also used authentic stolen certificates to appear legitimate. These were stolen from two different hardware companies in Taiwan, adding another layer of complexity to this malware.

After spreading the malware to other computers in the network, Stuxnet attempted to locate its target, the facility’s Industrial Control System (ICS). This machine controls an assembly line and is tasked with receiving data from remote sensors, measuring process variables, comparing the collected data with desired setpoints, and deriving command functions that are then used to control a process.

Once it gained control over an ICS, it searched for software called Step7 by the company Siemens. This software is used to configure and program Programmable Logic Controllers (PLCs). A central security hole in this software was a hardcoded username and password combination, specificallyBasisk, which Stuxnet used to get backdoor access and yield a command shell. Stuxnet then injected itself into any Step7 project files it could locate within the software. By infecting these project files, this malware now had the power to jump through the air gap as a USB stowaway. This is because to transfer commands to a PLC, engineers had to transfer project files to them via a laptop connected directly to a PLC with a cable or through a USB flash drive to a programmable machine. By infecting the transferred Step7 files, the attackers had essentially turned every engineer into a potential carrier for their Stuxnet.

When these infected files reach a PLC, Stuxnet uses the previously mentioned techniques to escalate its privileges and gain administrative control. The malware now had complete control over its target and was ready to disrupt the system.

When infecting a machine through a USB stick, this malware was originally intended to spread only on three additional machines. It would erase itself after 21 days if no specified conditions were met, leaving no traces behind. Stuxnet also had a kill date of 24th June 2012, after which it would stop spreading and delete itself.

Rootkits and Updates

Apart from the main Stuxnet payload, the initial also consisted of a User-Mode rootkit (~WTR4141.tmp) and a Kernel-Mode rootkit (MRxNet). These rootkits were designed to hide Stuxnet files and directories in flash memory.

Rootkits pose a serious threat as they allow malware to hide deeply within a system, making detection and removal particularly challenging.

The Kernel-Mode rootkit contained a debug message: B:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb

myrtus is a Hebrew word that could point towards Israel or just be a false positive.

The Stuxnet malware was also designed to update itself with any modifications the attackers made. It could be updated via the internet using two malformed websites:

  • www.mypremierfutbol.com
  • www.todaysfutbol.com

It could also update itself using peer-to-peer connections, creating an RPC Server after being infected and then listening for any connections from any PC on the network. When it discovered another infected machine with a newer malware version, it installed the update on its machine.

Cyber threats can evolve over time through updates, making it crucial to isolate infected systems quickly to prevent updates from attackers.

Payload

The payload was designed to interfere with the nuclear enrichment process performed by the PLC at the power plant.

Manipulation of industrial control systems can lead to severe physical and environmental damage; it’s vital to secure these systems from unauthorized access.

Stuxnet looked for two specific microchips used to control the rotation speed of the centrifuge. These microchips were made by two companies: Vaasa Control Ltd, based in Finland, and Fararo Paya, based in Iran.

If Stuxnet did not find these specific microchips, it would terminate its operation and erase itself from the PLC. If it found these microchips installed within the PLC, it would then search for an even more specific centrifuge operating between the speed of 807 and 1210 Hz.

Next, Stuxnet remained dormant for a couple of weeks, studying the pattern of how these centrifuges were run so that it could replicate this back during its attack. After several weeks, Stuxnet would suddenly instruct the centrifuges to drastically increase their revolutions per second for 15 minutes at a time, returning to its average speed. This would cause the centrifuges to wobble and even break apart in some instances. Since this occurred while the centrifuges were spinning at average speeds, the malware could remain covert, and the victims had no clue they were being sabotaged.

If the speed increase were not enough to damage the centrifuges, the malware would slow down the revolutions per second to the point that they almost stopped and then resume rotation at their original speed. These speed changes were done at intervals of 27 days to ensure Stuxnet remained hidden within the infrastructure.

The Impact on Uranium Enrichment

This brings us to why Stuxnet was doing what it was doing. It was disrupting the highly sensitive gas centrifuges to prevent uranium enrichment.

To understand how Stuxnet accomplished this, we need to know how uranium gets enriched.

Hot uranium gas is injected into a rapidly rotating centrifuge. The speeds at which these centrifuges are rotated considerably impact the outcome and, if done correctly, could result in the creation of a nuclear bomb. However, if done incorrectly, this can lead to the wastage of rare and expensive Uranium 235, the degradation of 1000 centrifuges, and the setback of a country’s Nuclear Program by almost three years.

Understanding the specifics of how cyberattacks can target physical infrastructure helps in developing more robust security protocols to protect critical national assets.

This is precisely what Stuxnet achieved, sabotaging the uranium enrichment in the nuclear facility in Nantanz and heavily delaying Iran’s Nuclear Program.

Detection Evasion

Stuxnet heavily relied on remaining covert. Its objective was to continue sabotaging the uranium enrichment while remaining hidden within Iran’s nuclear facility.

To accomplish this, the attackers used various techniques to evade detection. Apart from using stolen legitimate certificates for its payload, preventing Windows Firewall from detecting it as well as reverting the centrifuges to normal operations, one of the main reasons this malware remained undetected within the nuclear facilities was due to its ability to replace the sensor data sent from the PLC to the technician with pre-recorded data. This way, even though the malware was causing the centrifuges to break down. On reports and inside the control room, all systems appeared normal.

Regular audits and manual checks of system outputs versus physical conditions can help identify discrepancies caused by malware.

Moreover, Stuxnet “saved” a snapshot of the original software responsible for regulating the speed of centrifuges. This way, whenever a programmer started debugging the PLC, Stuxnet would present them with their original normal functioning software with nothing wrong with it. Since an attack of this complexity had never been done before, nobody expected malware or a virus to do this.

Discovery

However, we know about this malware; its impact is all because of a bug within its working. An error in one code line caused the malware’s propagation to malfunction. Instead of spreading to only three new machines at a time, the malware spread beyond Nantanz’s target network. This malware was out of control and infecting systems all over Iran and the World. It spread to so many collateral machines that it was only a matter of time before something went wrong and it was caught.

Even the most sophisticated malware can contain flaws that lead to its discovery, underscoring the importance of vigilant system monitoring.

Soon afterward, Virusblokada, a Belarussian computer security company, discovered this malware several months after its creation. This led to Iran shutting down the nuclear facilities and removing the malware from all their systems. By September 30th, 2010, Symantec presented a comprehensive analysis of Stuxnet at the Virus Bulletin.

Attribution

Attribution in cyber warfare can be complex but is crucial for forming appropriate diplomatic and cybersecurity responses.

Stuxnet’s Properties

Stuxnet was a unique malware that was built with precision in mind. Unlike regular malware, it was designed to target a particular infrastructure, which suggests that the attackers had detailed information about their target’s infrastructure. They had custom-built every step of the attack process to exploit their victim’s network.

The malware was also designed to be stealthy, installing itself onto target machines without antivirus software detecting it and hiding its tracks by slightly modifying the centrifuge’s rotation speed. It also sent falsified data to engineers, which allowed the malware to persist on the target’s machine for as long as possible, disrupting their workflow and burning resources.

Stuxnet was unprecedentedly complex, having fallbacks and compatibility with a wide range of target machines. It used four different zero-day exploits, which showed that the attackers wanted to ensure that this cyberattack succeeded. The malware was extensive, with over one hundred and fifty thousand code lines, compared to an average computer malware with around 15 thousand code lines. This suggests that the attackers had spent considerable time and resources developing Stuxnet to ensure their target was successfully hacked.

What we know

These clues led security researchers to believe that this malware had to be created by a nation-state actor, someone with an enormous number of resources and detailed intelligence about their victim’s machine.

In September 2009, Iran announced that it was moving forward with uranium enrichment to develop nuclear capabilities. This news especially concerned two nations, the United States and Israel.

  • The United States and Iran have not been on good terms; they have had no formal diplomatic relations since April 1980. Tensions between the nations rose when Iran announced their uranium enrichment program.
  • Israel and Iran have been on the brink of war for quite some time. These nations have been openly hostile towards each other since the early 1990s, including direct military confrontations.

An investigative report in June 2012 claimed that Stuxnet resulted from a joint American-Israeli operation codenamed Olympic Games. It was reported that the Israeli intelligence unit 8200 developed the Stuxnet malware and tested it on centrifuges that the Americans seized. The report also claimed that Stuxnet began its construction during the Bush Administration and continued through the Obama Administration. Although neither nation has claimed ownership of the attack to date, a video posted by Israeli defense forces to celebrate the retirement of their head, Gabi Ashkenazi, listed Stuxnet as one of the successes under his watch. It is now widely accepted that the U.S. and Israel collectively created Stuxnet to delay the Iranian Nuclear Enrichment program. This cyberattack was considered a non-violent alternative to airstrikes to slow down Iran, which could have resulted in an all-out regional war.

An analysis by Kaspersky Lab unraveled that “the code was too sophisticated to be the brainchild of a ragtag group of black hat hackers” and that it would have taken a team of around ten coders roughly 2-3 years to develop Stuxnet in its final form.

Throughout its lifetime, Stuxnet infected over 60,000 computers, more than half of them in Iran. Other countries affected include India, Indonesia, China, Azerbaijan, South Korea, Malaysia, the United States, the United Kingdom, Australia, Finland, and Germany.

Aftermath

Repercussions

After the malware was discovered in September 2010, Iran quickly assembled a team to combat Stuxnet. However, this was not an easy task due to Stuxnet’s ability to rapidly spread across computers and newer malware frequently appearing in various systems.

Iran claimed that Stuxnet “had minimal effect on Iran’s Nuclear Program” even though it ended up delaying it by almost three years. A couple of months later, they claimed that the United States and Israel were behind the attack.

Iran drastically increased its cyber capabilities in response to the Stuxnet and other cyberattacks.

The escalation of cyber capabilities following an attack can lead to a cyber arms race, increasing the potential for future conflicts.

An NSA document leaked by Edward Snowden from April 2013 suggested that Iran had “demonstrated a clear ability to learn from the capabilities and actions of others” and was replicating these attack techniques in subsequent attacks.

Iran also created the 1390 Program which added six cyber defense master’s degree programs and one doctoral program across various Iranian universities.

Legacy of Stuxnet

In September 2011, one year after Stuxnet was exposed, a new malware was discovered by security researchers in Hungary. This malware was called Doqu, which had many similarities to Stuxnet. That experts believed that this malware was developed by the same people who developed Stuxnet. However, unlike Stuxnet, Doqu was an espionage tool used to steal sensitive information from their victims and record any activity on a computer; this included keystrokes, screenshots, and even using the computer’s microphone, which was then sent to various servers.

Six months later, in May 2012, another espionage malware was discovered named Flame. This malware was much more advanced and sophisticated than Doqu and could activate Bluetooth communication, identify smart devices in the area, and retrieve information from them. It was also about 20 times as complex and sophisticated as Stuxnet, with some people even believing that it was the most complex malware ever known.

The evolution of cyber threats requires continuous advancements in cybersecurity measures to protect sensitive information and critical infrastructure.

Following these two malware, there have been instances of other malware exhibiting similar properties to Stuxnet. These include Havex, Industroyer, Triton, and an unnamed virus discovered in 2018. Stuxnet had brought forth a whole new era of cyber warfare.

What does the future hold?

Stuxnet proved to the world that cyberweapons could be used to sabotage physical equipment with extreme sophistication and precision. They could be used to conduct attacks nationwide with real consequences. This also showed that nations were no longer restricted to only four domains; they could now design cyberweapons and covertly attack their target’s critical infrastructure.

Finding out about Stuxnet also sheds light on the notion that it was only discovered due to a bug within the code. Had it not been found, it would have rendered Iran’s Nuclear Program useless and had significant repercussions. This attack was over 10 years ago, and it’s almost a certainty that many attacks of that scale have taken place without us ever finding out about them. A major cyber attack could be underway, and we might never find out about it.

The ongoing development of cyber warfare tactics necessitates a proactive approach to cybersecurity, focusing on both prevention and quick response to emerging threats.

References

This post is licensed under CC BY 4.0 by the author.