Stuxnet is a computer worm that was originally aimed at Iran’s nuclear facilities and has since spread beyond that target to computers at other industrial and energy-producing facilities.
Stuxnet is an extremely sophisticated computer worm that exploited multiple previously unknown (zero-day) Windows vulnerabilities to infect computers and spread. Its purpose was not just to infect PCs but to cause real-world physical effects. Specifically, it targeted the gas centrifuges used to enrich uranium, the material that fuels nuclear reactors and, at higher enrichment levels, nuclear weapons.
The original Stuxnet attack targeted the programmable logic controllers (PLCs) used to automate machine processes. It generated a flurry of media attention after it was discovered in 2010 because it was the first known malware designed to cause physical damage to industrial equipment and because it was widely reported to have been created by the U.S. National Security Agency, the CIA, and Israeli intelligence, something none of those governments has officially confirmed.
Discovery of Stuxnet worm
The first public awareness of Stuxnet dates to 2010, when Sergey Ulasen, then head of antivirus kernel development for VirusBlokAda Ltd., an antivirus company based in Belarus, discovered and described the malware (Ulasen went to work for Kaspersky Lab in 2011).
Initially, the malware’s purpose wasn’t fully understood, but it was clear its design was complex and that it could hardly have been written without a team of expert programmers working over several months. Stuxnet has three separate code elements: a worm that carries out the main payload, a shortcut (LNK) file that launches the propagated copies, and a rootkit component that hides the malicious files and processes. One of these had already been noticed and remarked on: VirusBlokAda had found two malware samples in the wild that used a previously unknown flaw in the way Windows handled shortcut files, which enabled a fully patched Windows 7 computer to be compromised.
There was more to this attack than VirusBlokAda had initially seen, however. Stuxnet contains code that identifies the software used to write and deploy instructions for programmable logic controllers (PLCs) made by the German manufacturer Siemens AG, namely the SIMATIC Step 7 engineering software and its WinCC SCADA counterpart. Though malware that attacked PLCs had been seen before, this was the first known PLC rootkit: Stuxnet replaced the Step 7 communication library (s7otbxdx.dll) on the engineering workstation so that the code blocks it injected into the controller were hidden from engineers who read the PLC’s program back.
Purpose of Stuxnet worm
Programmable logic controllers automate the most critical parts of an industrial facility’s processes, such as temperature, pressure, and the flow of water, chemicals, and gases. In the case of Stuxnet, malicious control of Siemens PLCs was used to drive the high-speed centrifuges outside their normal speed range, stressing the rotors enough to cause physical damage.
Researchers who have closely examined the components and techniques used in Stuxnet believe that development probably began around 2006. The primary attack on Iran’s Natanz facility did not take place until the middle of 2009.
Stuxnet used a multistep attack sequence. It entered a facility on removable storage such as USB flash drives, exploiting a flaw in how Windows Explorer parsed shortcut (LNK) files: simply displaying the contents of an infected drive executed the worm’s code, with no need for Autorun. In all it used four previously unknown Windows zero-day flaws, together with the already-patched MS08-067 vulnerability, to compromise laptops and other machines and then to spread across the network from there.
In response, Microsoft issued patches for the exploited flaws, and experts in SCADA security drew up a list of formal recommendations for facilities that use SCADA systems. Like some variants of the Zeus banking Trojan, Stuxnet was signed with stolen digital certificates: its kernel drivers carried code-signing certificates taken from two hardware vendors, Realtek and JMicron, so Windows loaded them as legitimate drivers and they avoided detection by antivirus software and traditional intrusion detection systems (IDS).
After Stuxnet surfaced, researchers quickly began to reverse-engineer the malware. It is generally believed that Stuxnet was designed not for espionage but to sabotage the centrifuge cascades used for enriching uranium at Iran’s Natanz facility. Subsequent reports have estimated that about one-fifth of the centrifuges at Natanz were taken out of service by the malware.
How Stuxnet worm works
- Stuxnet gets onto the network
Security experts believe Stuxnet was transferred into the Natanz plant on a memory device.
According to the cyber-security firm Symantec, Stuxnet probably arrived at Iran’s nuclear plant at Natanz on an infected USB stick.
Someone would have had to physically insert the USB stick into a computer attached to the plant network; this could have been done deliberately or unwittingly. The worm then copied itself onto the plant’s computer systems.
- Stuxnet worm spreads through computers
Stuxnet was designed to spread quickly through the plant’s network, looking for the computers that control the centrifuges.
Once inside the network, Stuxnet searched for the Siemens Step 7 software used to program the PLCs that drive the centrifuges; on machines without that software, the worm did nothing beyond spreading further.
Centrifuges spin materials at high speeds to separate their components. At Natanz, the centrifuges were separating isotopes of uranium to concentrate uranium-235, the fissile isotope that is critical for both nuclear power and nuclear weapons; the product is called ‘enriched uranium’.
- Stuxnet worm re-programs centrifuges
Hundreds of centrifuges were hijacked and driven outside their normal operating speeds.
The worm found the controlling software, injected its own code into the PLC program, and hid the change from operators, seizing control of the centrifuges.
Stuxnet carried out two separate attacks. First, it made the centrifuges spin dangerously fast (Symantec’s analysis put the drive frequency at 1,410 Hz) for about 15 minutes before returning them to normal speed. Then, about a month later, it slowed the centrifuges down to around 2 Hz for around 50 minutes. This cycle was repeated for several months.
- 1,000 machines are destroyed
Around 1,000 fuel enrichment centrifuges at Natanz had to be replaced.
Over time, the stress from running outside their design speeds caused the affected centrifuges to fail.
It is reported that Iran decommissioned around 20 percent of its centrifuges in the Natanz plant during the attack.
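The two-phase speed manipulation described in the steps above is the kind of pattern an independent monitor on the drives themselves could catch, even while a PLC rootkit hides the injected code from the engineering software. The script below is an added example written for this page; it is not code from the original article or from any published Stuxnet analysis. It assumes a simple text log of drive-frequency readings in the form `<ISO timestamp> drive=<id> hz=<frequency>`, an assumed nominal band of 807–1210 Hz, and an assumed ten-minute tolerance for transients; the sample log is constructed, not real plant data.

```python
"""Detect sustained rotor-speed excursions in centrifuge drive telemetry.

Added example, not from the original article or any Stuxnet analysis. The
log format, nominal band and duration threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed nominal operating band for the rotor drives, in Hz.
NOMINAL_BAND_HZ = (807.0, 1210.0)
# Assumed tolerance: out-of-band runs shorter than this are ordinary transients.
MIN_DURATION = timedelta(minutes=10)

# Constructed sample telemetry, not real plant data. Drive 03 shows the
# two-phase pattern from the article (short overspeed, then weeks later a
# long underspeed) plus one harmless transient; drive 04 stays in band.
SAMPLE_LOG = """\
2009-06-22T08:55:00 drive=03 hz=1064
2009-06-22T09:00:00 drive=03 hz=1410
2009-06-22T09:05:00 drive=03 hz=1410
2009-06-22T09:10:00 drive=03 hz=1410
2009-06-22T09:15:00 drive=03 hz=1064
2009-06-22T09:00:00 drive=04 hz=1064
2009-06-22T09:15:00 drive=04 hz=1064
2009-06-22T11:00:00 drive=03 hz=1225
2009-06-22T11:05:00 drive=03 hz=1064
2009-07-19T10:00:00 drive=03 hz=2
2009-07-19T10:20:00 drive=03 hz=2
2009-07-19T10:40:00 drive=03 hz=2
2009-07-19T10:50:00 drive=03 hz=1064
"""


@dataclass(frozen=True)
class Reading:
    ts: datetime
    drive: str
    hz: float


@dataclass(frozen=True)
class Excursion:
    drive: str
    kind: str          # "overspeed" or "underspeed"
    start: datetime    # first out-of-band reading
    end: datetime      # first in-band reading afterwards, or the last reading
    peak_hz: float     # most extreme frequency seen during the run

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_log(text: str) -> List[Reading]:
    """Parse the assumed 'ts drive=ID hz=F' lines, skipping malformed ones."""
    readings: List[Reading] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        try:
            readings.append(Reading(datetime.fromisoformat(parts[0]),
                                    fields["drive"], float(fields["hz"])))
        except (KeyError, ValueError):
            continue
    return readings


def classify(hz: float, band=NOMINAL_BAND_HZ) -> Optional[str]:
    """Direction of an out-of-band reading, or None when the reading is in band."""
    lo, hi = band
    if hz > hi:
        return "overspeed"
    if hz < lo:
        return "underspeed"
    return None


def find_excursions(readings: List[Reading], band=NOMINAL_BAND_HZ,
                    min_duration: timedelta = MIN_DURATION) -> List[Excursion]:
    """Return sustained out-of-band runs per drive, in time order."""
    by_drive: Dict[str, List[Reading]] = {}
    for r in readings:
        by_drive.setdefault(r.drive, []).append(r)
    found: List[Excursion] = []
    for drive, series in sorted(by_drive.items()):
        series.sort(key=lambda r: r.ts)
        run = None  # [kind, start_ts, peak_hz] for the excursion in progress
        for r in series:
            kind = classify(r.hz, band)
            if run is not None and kind == run[0]:
                # Still out of band in the same direction: track the extreme.
                run[2] = max(run[2], r.hz) if kind == "overspeed" else min(run[2], r.hz)
                continue
            if run is not None:
                # Back in band, or flipped direction: close the run at this reading.
                exc = Excursion(drive, run[0], run[1], r.ts, run[2])
                if exc.duration >= min_duration:
                    found.append(exc)
            run = [kind, r.ts, r.hz] if kind is not None else None
        if run is not None:  # log ended mid-excursion: close at the last reading
            exc = Excursion(drive, run[0], run[1], series[-1].ts, run[2])
            if exc.duration >= min_duration:
                found.append(exc)
    return found


def report(excursions: List[Excursion]) -> List[str]:
    """One human-readable line per excursion."""
    return [f"drive {e.drive}: {e.kind} to {e.peak_hz:g} Hz for "
            f"{int(e.duration.total_seconds() // 60)} min from {e.start.isoformat()}"
            for e in excursions]


if __name__ == "__main__":
    for line in report(find_excursions(parse_log(SAMPLE_LOG))):
        print(line)
```

Run as-is it flags two events for drive 03 (the 15-minute overspeed to 1410 Hz and the 50-minute underspeed to 2 Hz) and ignores the five-minute transient and drive 04. The point of reading the drives through a separate sensor rather than through the PLC is that the PLC-level rootkit described above controls what the engineering software sees; a monitor that shares that path would be lied to as well.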