Wednesday, May 8, 2019

Stuxnet and Ramifications


Stuxnet and Ramifications



I just finished reading “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon” by Kim Zetter, about the Stuxnet cyber worm and variants, that succeeded in setting back the Iranian nuclear program by several years.



Stuxnet is a malicious computer worm, first uncovered in 2010, that targets SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program. Although neither country has openly admitted responsibility, the worm is believed to be a jointly built American/Israeli cyberweapon.



Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery and industrial processes including centrifuges for separating nuclear material. Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to either tear themselves apart, or spin irregularly and fail sooner than normal. Stuxnet Has really opened up a can of worms (sic), since it could be tailored as a platform for attacking any modern supervisory control and data acquisition (SCADA) and PLC systems (e.g., in factory assembly lines or power plants), the majority of which reside in Europe, Japan and the US.



Stuxnet reportedly ruined almost one fifth of Iran's nuclear centrifuges. Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to physically degrade.



Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes the propagated copies of the worm; and a rootkit component responsible for hiding all malicious files and processes, preventing detection of the presence of Stuxnet. Versions of Stuxnet incorporated up to four or five “zero day” exploits and several stolen, digitally signed certificates for device drivers, both unheard of in the normal “hacktivist” world.  It is typically introduced to the target environment via an infected USB flash drive, thereby crossing any air gap. The worm then propagates across the local or wider network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet becomes dormant inside the computer. If both the conditions are fulfilled, Stuxnet introduces the infected rootkit onto the PLC and Step7 software, modifying the code and giving unexpected commands to the PLC while returning a loop of normal operations system values feedback to the users.



Kim Zetter’s book traces the discovery of a version of Stuxnet in an Iranian personal computer by Sergey Ulasen, of VirusBlokAda a small security company in Belarus, to unpacking and reverse engineering Stuxnet and variants by the Symantec and Kaspersky security groups over a number of years.  She also discusses the ramifications of what amounts to a cyber-attack by one nation-state against another, and the fact that this technology is now available in the wild for possible further use.



Ray Gruszecki

May 8, 2019

No comments:

Post a Comment