Stuxnet: Digital Industrial Sabotage or Cyber-Weapon of Mass Destruction?

The story of Stuxnet reads like a cross between a work of cyberpunk fiction and an international spy novel. In 2009 the world community was intensely debating how close Iran’s nuclear weapon program was to readiness. Meanwhile, a clandestine software project, sponsored by a cyber superpower with vast resources, was coding the first known malware rootkit to monitor and subvert the programmable logic controllers of an industrial system, allegedly the Iranian Natanz uranium enrichment facility. Since the outbreak of the worm, security researchers have studied Stuxnet intensely to determine its origin, mechanism, and target. While the suspected aim was to disrupt Iran’s nuclear program, official confirmation only came late last year, as “Iranian President Mahmoud Ahmadinejad said [in November 2010] that malicious computer code launched by “enemies” of the state had sabotaged centrifuges used in Iran’s nuclear-enrichment program.”1 If this were simply a story of how the ‘good guys’ prevailed over the ‘bad’, we could end the narrative here, and possibly laud the potential of cyber-warfare to avert physical combat. However, now that infecting industrial systems has evolved from a theoretical concept into an inevitable reality, it becomes the security analyst’s duty to project the capabilities Stuxnet demonstrated onto the increasingly complex web of systems that sustain our lives.

It is not exactly clear how or when Stuxnet was first unleashed, and its purpose was also not immediately obvious. Experts suspect that in June 2009, Russian contractors working for the Iranian nuclear program inserted an infected USB stick into a system running the uranium enrichment plant.2 The infection was dubbed ‘Stuxnet’ by a Belarusian security firm that first detected the worm running loose in June 2010 and noticed that particular string of text in the code.3 Spreading through Windows computers by means of previously unknown vulnerabilities, or ‘zero-day’ exploits, the outbreak was concentrated in Iran, although systems in India, Pakistan, and Indonesia were also compromised.4 Usually worms spread directly through the Internet, causing a much larger infection footprint than the mere 100,000 computers worldwide reportedly affected by Stuxnet. Relying so heavily on infected USB sticks and local network shares to spread would seem to indicate that the target was not normally connected to the Internet, and that the intended system might have relied on ‘air-gap’ security, that is, non-connectivity to the Internet, to prevent cyber-attacks. A further implication of this infection vector is that the spread of Stuxnet would be fairly confined to the geographical area in which it was introduced, which suggests a concern on the part of its mysterious authors for limiting collateral damage. The technically-induced limitation of the worm to a specific geographic location and the exploitation of the ‘air-gap’ security typical in industrial facilities are both strong indicators that Stuxnet was specifically designed to infiltrate such a system with minimal unintended consequences.

Another clue in the mystery of the Stuxnet worm is the enormous value of the zero-day, or unpatched, Windows vulnerabilities that the worm exploited. Such security holes are usually worth a lot of money to hackers, in the neighborhood of $500,000 each on the black market. In addition, Stuxnet installed a rogue Windows driver signed with stolen legitimate certificates, themselves worth a considerable sum. Security expert Bruce Schneier expressed skepticism that the Stuxnet coding effort had been instigated by a typical criminal organization intent on theft or extortion, and supported the notion that it was a dedicated effort to take down a specific target:

Stuxnet doesn’t act like a criminal worm….Stuxnet performs sabotage. It doesn’t threaten sabotage, like a criminal organization intent on extortion might. Stuxnet was expensive to create. Estimates are that it took 8 to 10 people six months to write….Additionally, zero-day exploits are valuable. They’re hard to find, and they can only be used once. Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done.5

Once Stuxnet infected a Windows machine, it would check whether Siemens WinCC/PCS7 SCADA control software was running and take advantage of yet another zero-day vulnerability, a hard-coded password for the system’s database, to install itself. Then, if it detected that the control system was running a precise configuration of frequency-converter drives operating centrifuges at the particular high speeds found only at the Natanz uranium enrichment plant, Stuxnet would insert a rogue driver into the chain of communication between the control system and the Siemens S7 PLCs that actually operate the centrifuges. This form of man-in-the-middle attack allowed Stuxnet to record readings from the sensors monitoring normal day-to-day operation and play them back to the control software, so that nobody in charge could easily determine that anything had gone terribly wrong. Meanwhile, the centrifuges were being manipulated to speed up and slow down in such a manner as to hinder their ability to process uranium:

Using nuclear enrichment as an example, the centrifuges need to spin at a precise speed for long periods of time in order to extract the pure uranium….If those centrifuges stop to spin at that high speed, then it can disrupt the process of isolating the heavier isotopes in those centrifuges … and the final grade of uranium you would get out would be a lower quality.1
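A defensive illustration of the record-and-replay trick described above, added here and not code from the original post or from any Stuxnet or Siemens artifact: it flags an operator feed that exactly repeats a recorded window, and compares that feed against a hypothetical measurement path that does not pass through the PLC/driver chain. The sample readings, the 5 Hz tolerance and the period bounds are constructed assumptions.

```python
# Added example (not Stuxnet code and not a Siemens/WinCC API): two defensive
# checks against the record-and-replay trick described above. All readings
# below are constructed; the tolerance and period bounds are assumptions.
from typing import List, Optional, Sequence


def find_replay_period(samples: Sequence[float], min_period: int = 4,
                       repeats: int = 3) -> Optional[int]:
    """Shortest period p for which the last repeats*p samples are exact copies
    of one p-sample window, else None. Real telemetry jitters, so an exact
    loop suggests the operator view is being fed a recording."""
    s = list(samples)
    n = len(s)
    for p in range(min_period, n // repeats + 1):
        window = s[n - p:]
        if all(s[n - (k + 1) * p:n - k * p] == window for k in range(1, repeats)):
            return p
    return None


def divergent_samples(reported: Sequence[float], independent: Sequence[float],
                      tolerance: float) -> List[int]:
    """Indices where the value shown to the operator disagrees with a reading
    from a path that bypasses the PLC/driver chain (e.g. a separately wired
    tachometer; hypothetical). A replay cannot forge a channel it does not
    sit on, so any disagreement exposes the manipulation."""
    return [i for i, (r, x) in enumerate(zip(reported, independent))
            if abs(r - x) > tolerance]


# Constructed 6-sample recording of "normal" drive frequency (Hz), looped
# three times: what a replayed operator feed looks like.
RECORDED_WINDOW = [1063.9, 1064.1, 1064.0, 1063.8, 1064.2, 1064.0]
REPLAYED_FEED = RECORDED_WINDOW * 3

# Constructed independent readings over the same 18 samples: steady, then
# driven far above and then far below the recorded speed.
INDEPENDENT_FEED = [1064.3, 1063.7, 1064.4, 1063.6, 1064.1, 1063.9,
                    1201.2, 1199.5, 1200.8, 1200.1, 1199.7, 1200.4,
                    301.5, 299.8, 300.2, 300.9, 299.4, 300.6]


def assess(reported: Sequence[float], independent: Sequence[float],
           tolerance: float = 5.0) -> dict:
    """Combine both checks into one alert record for an ICS analyst."""
    period = find_replay_period(reported)
    diverged = divergent_samples(reported, independent, tolerance)
    return {"replay_period": period, "divergent_samples": diverged,
            "alert": period is not None or bool(diverged)}
```

Calling `assess(REPLAYED_FEED, INDEPENDENT_FEED)` reports a replay period of 6 and divergence from sample 6 onward, while an unmanipulated feed compared against itself raises no alert.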

The sophisticated espionage and sabotage which Stuxnet performed is not a product of typical criminal syndicates, terrorists, or common hackers. It is an exercise of a superpower’s national security interest in keeping the nuclear arms field clear of competitors.

However, Stuxnet is not the first malware to have a physical effect on an industrial system: the CIA is suspected of having caused a large trans-Siberian gas pipeline explosion in 1982 by sabotaging the SCADA control system operated by the Russians. Our country is highly interested in the new battlefields of cyber-war, and has access to the specialized facilities necessary for testing these new forms of weaponry:

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.6

The most alarming implication of Stuxnet is that the concept of programming malware capable of disabling or destroying the critical systems necessary for sustaining our way of life is now in the toolkit of any sufficiently determined entity willing to invest the time and money necessary for deploying such a cyber-weapon of mass destruction. Although the nation-state responsible for Stuxnet may have taken great pains to avoid collateral damage and unintended consequences, the proverbial cat is now out of the bag.

Comments


Stuxnet worm reportedly planted by Iranian double agent

Stuxnet worm reportedly planted by Iranian double agent using memory stick

The Stuxnet computer worm used to sabotage Iran’s nuclear program was planted by a double agent working for Israel. The agent used a booby-trapped memory stick to infect machines deep inside the Natanz nuclear facility, according to a report published on Wednesday.

Once the memory stick was infected, Stuxnet was able to infiltrate the Natanz network when a user did nothing more than click on an icon in Windows, ISSSource reported. They cited former and serving US intelligence officials who requested anonymity because of their proximity to the investigations. Covert operators from Israel and the US wanted to use a saboteur on the ground to spread the infection to ensure the worm burrowed into the most vulnerable machines in the system, reporter Richard Sale added.

The double agent was probably a member of an Iranian dissident group, possibly from the Mujahedeen-e-Khalq group. This group is believed to be behind the assassinations of key Iranian nuclear scientists. In October, a huge blast destroyed an underground site near the town of Khorramabad in western Iran that housed most of Iran’s Shehab-3 medium-range missiles capable of reaching Israel and Iraq. Former and current US officials told ISSSource that the MEK was behind the attack, and one of the officials said “computer manipulations” caused the blast. “Given the seriousness of the impact on Iran’s (nuclear) program, we believe it took a human agent to spread the virus,” the source told the publication.

As Wired.com senior reporter Kim Zetter chronicled last year, Stuxnet made history as the most advanced—if not the first—real cyber weapon. It ultimately exploited four previously unknown vulnerabilities in Windows and masterfully took advantage of weaknesses buried deep inside Siemens’s Simatic WinCC Step7 software, which was used to control machinery inside Natanz. Stuxnet disrupted the Iranian nuke program by sabotaging the centrifuges used to enrich uranium. While the worm was designed to spread widely, it was programmed to execute its malicious payload against a highly selective list of targets.

According to ISSSource, Stuxnet wasn’t the first malware the US military has used against opponents. In the 1980s, it planted viruses inside a Soviet military-industrial structure that could be activated in time of war. A similar process against China is continuing today, the publication said. In late 1991, just prior to the Desert Storm operation against Iraq, the CIA and British Government Communications Headquarters implanted bugs into hardware that was smuggled into Baghdad. US planes destroyed the targeted command and control network where the infected equipment was inserted before the malware was able to spread.

— aigeanta
