Stuxnet and Ramifications
I just finished reading “Countdown to Zero Day: Stuxnet and
the Launch of the World's First Digital Weapon” by Kim Zetter, about the
Stuxnet cyber worm and its variants, which succeeded in setting back the Iranian
nuclear program by several years.
Stuxnet is a malicious computer worm, first uncovered in
2010, that targets SCADA systems and is believed to be responsible for causing
substantial damage to Iran's nuclear program. Although neither country has
openly admitted responsibility, the worm is believed to be a jointly built
American/Israeli cyberweapon.
Stuxnet specifically targets programmable logic controllers
(PLCs), which allow the automation of electromechanical processes such as those
used to control machinery and industrial processes including centrifuges for
separating nuclear material. Stuxnet works by infecting machines running the
Microsoft Windows operating system and their networks, then seeking out Siemens
Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information
on industrial systems and causing the fast-spinning centrifuges to either tear
themselves apart or spin irregularly and fail sooner than normal. Stuxnet has
really opened up a can of worms (sic), since it could be tailored as a platform
for attacking any modern supervisory control and data acquisition (SCADA) and
PLC systems (e.g., in factory assembly lines or power plants), the majority of
which reside in Europe, Japan and the US.
Stuxnet reportedly ruined almost one fifth of Iran's nuclear
centrifuges. Targeting industrial control systems, the worm infected over 200,000
computers and caused 1,000 machines to physically degrade.
Stuxnet has three modules: a worm that executes all routines
related to the main payload of the attack; a link file that automatically
executes the propagated copies of the worm; and a rootkit component responsible
for hiding all malicious files and processes, preventing detection of the
presence of Stuxnet. Versions of Stuxnet incorporated up to four or five “zero
day” exploits and several device drivers signed with stolen digital
certificates, both unheard of in the normal “hacktivist” world. It is typically introduced to the target
environment via an infected USB flash drive, thereby crossing any air gap. The
worm then propagates across the local or wider network, scanning for Siemens
Step7 software on computers controlling a PLC. If either condition is not met,
Stuxnet lies dormant on that computer. If both conditions are met, Stuxnet
installs its rootkit into the Step7 software and the PLC, modifying the PLC
code and issuing unexpected commands to the controller while replaying a loop
of normal-looking operating values back to the operators.
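One defensive check that last point suggests, written here as an added example that is not from the book or the original post: operator-side telemetry is tested for an exact repeating loop, since a genuine analog sensor produces run-to-run noise while a replayed recording repeats bit for bit. The historian line format, the tag name rotor_hz and all values are constructed assumptions.

```python
from typing import List, Optional, Sequence

# Constructed historian lines in the form "<timestamp> <tag>=<value>".
# REPLAYED_LOG loops the same four readings over and over, as a rootkit
# feeding back recorded "normal" values would; LIVE_LOG carries the small
# run-to-run noise a real analog sensor produces. Neither is real telemetry.
REPLAYED_LOG = "\n".join(
    f"2010-06-17T10:{i:02d}:00 rotor_hz={v}"
    for i, v in enumerate([1064.2, 1064.5, 1063.9, 1064.1] * 4)
)
LIVE_LOG = "\n".join(
    f"2010-06-17T11:{i:02d}:00 rotor_hz={v}"
    for i, v in enumerate([1064.2, 1064.5, 1063.9, 1064.1, 1064.6, 1063.8,
                           1064.3, 1064.0, 1064.4, 1063.7, 1064.2, 1064.1,
                           1063.9, 1064.5, 1064.3, 1063.8])
)


def parse_values(log: str, tag: str) -> List[float]:
    """Pull the numeric readings for one tag out of the historian lines."""
    values = []
    for line in log.splitlines():
        _, _, kv = line.partition(" ")
        key, _, val = kv.partition("=")
        if key == tag:
            values.append(float(val))
    return values


def replay_period(samples: Sequence[float], min_repeats: int = 3) -> Optional[int]:
    """Return the shortest period p at which the stream repeats exactly for
    at least min_repeats full cycles, or None if there is no exact loop."""
    n = len(samples)
    for p in range(1, n // min_repeats + 1):
        if all(samples[i] == samples[i + p] for i in range(n - p)):
            return p
    return None


def check_stream(log: str, tag: str, min_repeats: int = 3):
    """Flag an analog tag whose readings form an exact repeating loop.
    Real measurements carry noise, so a bit-for-bit periodic stream is
    worth an alert (a constant stream reports period 1)."""
    period = replay_period(parse_values(log, tag), min_repeats)
    if period is None:
        return ("ok", None)
    return ("possible-replay", period)
```

A replay with injected jitter would slip past this exact-match test, so it is a starting heuristic; the stronger control is cross-checking what the PLC reports against an independent sensor.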
Kim Zetter’s book traces the story from the discovery of a version of
Stuxnet on an Iranian personal computer by Sergey Ulasen of VirusBlokAda,
a small security company in Belarus, through the unpacking and reverse
engineering of Stuxnet and its variants by the Symantec and Kaspersky security
teams over several years. She also discusses the
ramifications of what amounts to a cyber-attack by one nation-state against another,
and the fact that this technology is now available in the wild for possible
further use.
Ray Gruszecki
May 8, 2019