A Worm Named Stuxnet
What Exactly Did Stuxnet Do?
In December of 2012, a virus named Stuxnet crippled Iranian nuclear facilities. In development since at least 2005, this virus was discovered in 2010 and is a prime example of a virus whose threat extends far beyond the digital space.
What is Stuxnet?
Stuxnet is a very powerful computer worm that first appeared in 2010 and which also happens to be the biggest and most expensive of this type of malware. It is known to have exploited previously unknown Windows zero-day vulnerabilities to infect a target system and spread to other such systems. Stuxnet primarily attacked the centrifuges of Iran’s uranium enrichment facilities. Since then, it has been modified by cyber attackers, and this mutation has allowed it to spread to other energy-producing and industrial facilities. The original Stuxnet attack was aimed at programmable logic controllers (PLCs) that are used to automate machine processes.
Although no country has officially owned up to creating Stuxnet, it is largely believed to have been created by the US and Israel in a joint effort. Stuxnet garnered a lot of media attention after its discovery, as it is the first virus known to cripple hardware and cause physical destruction of devices that have been infected with it. Iran’s nuclear programme was greatly crippled by Stuxnet, and owing to its aggressive nature, this virus accidentally spread beyond Iran’s nuclear facilities. However, it did not do much damage to external devices outside of the actual target locations.
How Does Stuxnet Work?
Stuxnet is a very complex and intrusive piece of malware. It has been designed to only affect targets that have certain configurations and cause minimal damage to other systems and devices. The targeted nuclear facilities in Iran were isolated and air-gapped from the global network, and so Stuxnet was probably transmitted through USB sticks that were carried into these facilities by agents.
Stuxnet has code for a man-in-the-middle attack that can fake sensor signals and prevent a target system from shutting down due to unusual behaviour. Stuxnet is also abnormally large and written in multiple programming languages, and spreads fast.
Three systemic layers are targeted by Stuxnet:
- Windows OS
- Siemens PCS 7, WinCC, and STEP7 industrial software apps
- Siemens S7 PLC
Stuxnet infiltrated Windows systems by exploiting several zero-day vulnerabilities, including remote code execution. It used enabled printer sharing or the LNK/PIF vulnerability, which executed the malicious file as soon as it was viewed in Windows Explorer. The malware can gain access at both the user level and the kernel level. Stuxnet's device drivers were signed with two public certificates, which allowed it to load kernel drivers without the user's knowledge. Because of this, Stuxnet could remain undiscovered for a long time.
Once it has infiltrated Windows systems, Stuxnet proceeds to infect files that belong to Siemens industrial software applications and interrupts their communications. It modifies the code on PLC devices too. Stuxnet instals malware blocks in PLC monitors and repeatedly changes the frequency of the system. It alters the operation of motors by changing the rotational speed. Stuxnet also has a rootkit that helps the worm hide from monitoring systems.
What Did Stuxnet Do?
Stuxnet is reported to have destroyed several centrifuges in Iran’s Natanz uranium enrichment facility by making them burn out. Since then, Stuxnet has been modified by other malicious groups to make it capable of targeting facilities such as water treatment plants, gas lines, and power plants.
Stuxnet is a multi-part worm that is believed to have travelled on USB drives and spread through systems running Windows. This virus scanned every infected computer for signs of Siemens Step 7 software. Siemens Step 7 is the software used on the industrial computers that act as PLCs, which automate and monitor electro-mechanical equipment. Once a PLC computer was found, Stuxnet updated its code over the Internet and started sending damaging instructions to the electro-mechanical equipment controlled by the affected system. Simultaneously, it sent false feedback to the main controller so that anyone monitoring the equipment would have no idea that an attack was underway until the equipment began to destroy itself.
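As an added illustration of the faked sensor signals and false feedback described above (this is not code from the article, from Siemens or from Stuxnet), the following Python sketch shows how a monitor that compares the speed reported to the HMI with an independent out-of-band measurement could flag both replayed feedback and a drifting drive frequency. The nominal speed, the tolerance and both traces are constructed assumptions for the example.

```python
"""Spotting replayed HMI feedback and a drifting drive frequency.
Added illustration, not code from the article, Siemens or Stuxnet. Both traces
are constructed; nominal speed and tolerance are assumptions for the example."""

NOMINAL_HZ = 1000.0    # assumed nominal drive frequency
TOLERANCE_HZ = 20.0    # assumed acceptable deviation from nominal
REPLAY_WINDOW = 5      # consecutive readings that must repeat exactly to flag a replay

# Eight live, slightly noisy readings as an operator would normally see them.
NORMAL = [1000.4, 999.7, 1000.9, 1000.1, 999.5, 1000.6, 999.8, 1000.2]
# What the HMI shows: the live readings, then the same readings replayed verbatim.
HMI_TRACE = NORMAL + NORMAL
# Independent out-of-band measurement (e.g. a power or vibration sensor the PLC does
# not mediate): the true speed drifts away while the HMI still looks normal.
OOB_TRACE = NORMAL + [1050.0, 1150.0, 1300.0, 1400.0, 900.0, 400.0, 50.0, 2.0]


def detect_replay(trace, window=REPLAY_WINDOW):
    """Index where the trace first repeats an earlier window exactly, or None.
    Live sensor data carries noise, so an exact repeat of several consecutive
    readings is a strong hint that recorded feedback is being played back."""
    seen = {}
    for i in range(len(trace) - window + 1):
        key = tuple(trace[i:i + window])
        if key in seen:
            return i
        seen[key] = i
    return None


def detect_divergence(hmi, oob, max_gap_hz=TOLERANCE_HZ):
    """Indices where the HMI value and the independent measurement disagree."""
    return [i for i, (h, o) in enumerate(zip(hmi, oob)) if abs(h - o) > max_gap_hz]


def detect_out_of_range(oob, nominal=NOMINAL_HZ, tol=TOLERANCE_HZ):
    """Indices where the independent measurement itself leaves the safe band."""
    return [i for i, o in enumerate(oob) if abs(o - nominal) > tol]


def assess(hmi, oob):
    """Combine the three checks into one report a monitoring system could raise."""
    return {
        "replay_starts_at": detect_replay(hmi),
        "hmi_oob_mismatch": detect_divergence(hmi, oob),
        "oob_out_of_range": detect_out_of_range(oob),
    }
```

The point of the independent trace is that it does not pass through the PLC the worm controls; a monitor that trusts only PLC-mediated values would see nothing wrong.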
Though it had been in development since 2005, Stuxnet was first identified and reported in 2010. The first known version of Stuxnet is Stuxnet 0.5 [McD13]. In January 2010, the inspectors who visited the Natanz uranium enrichment plant noted that its centrifuges were failing at an unusual rate. They were unable to detect the cause of this failure at the time. Another five months passed and researchers found malicious files in one of the systems.
The worm started spreading around March 2010, but its first variant was found in 2009. On July 15, 2010, the worm became widely known because of a DDoS attack on an industrial systems security mailing list. This attack interrupted a necessary source of information for power plants and factories.
Stuxnet spread in two waves. The second wave was more visible and less targeted than the first. It was during the second wave that Stuxnet came to be known to the public, as it was more aggressive and widespread. This worm managed to infiltrate and infect more than 20,000 devices in 14 Iranian nuclear facilities and destroyed around 900 centrifuges.
Although Stuxnet didn’t cause a lot of damage outside its target area, it provides an example for later malware that targets various infrastructures. Modified versions of Stuxnet target non-nuclear facilities as well.
The Offspring of Stuxnet
Stuxnet had a massive influence on the development of future malware. While the creators of Stuxnet reportedly designed it to expire in June 2012, the legacy of Stuxnet survives in other malware based on the original code. The “offspring” of Stuxnet are as follows:
- Duqu (2011):
Duqu is a group of computer malware that also exploits zero-day vulnerabilities in Windows. Based on the Stuxnet code, it was created to log keystrokes and collect data from industrial facilities, possibly to launch an attack later. It is very similar to Stuxnet and also targets Iranian nuclear entities.
- Flame (2012):
Like its predecessor Stuxnet, Flame also travelled via USB drives. It is a complex spyware that targets Iran and other Middle Eastern countries. Flame recorded Skype conversations, logged keystrokes, and gathered screenshots, amongst other things. It mostly targeted educational and governmental organisations.
- Havex (2013):
Unlike Flame, Havex primarily targets Western countries. However, it has intentions similar to Flame. Havex aimed to collect information from aviation, defence, energy, and pharmaceutical companies, amongst others. Havex malware usually targeted US, European, and Canadian organisations.
- Industroyer (2016):
Industroyer is a malware that was utilised to attack Ukraine’s power grid. It is known to have caused a power outage in Ukraine in December 2016 that left part of Kyiv without electricity for an hour.
- Triton (2017):
This attacked the safety systems of a petrochemical plant in Saudi Arabia, giving rise to concerns about the malware maker’s intention to cause bodily injury to workers. Triton is known as “the world’s most murderous malware” and can cause a plant disaster.
- Unnamed Virus (2018):
Most recently, an unnamed virus with the characteristics of Stuxnet is reported to have struck unspecified network infrastructure in Iran in October 2018.
Ordinary computer users need not worry about Stuxnet-based malware attacks as they are threats to a range of critical industries like power production, electrical grids, and defence. Although extortion is a general goal of virus makers, the Stuxnet family of viruses seems to be keener on attacking infrastructure.
How To Protect Industrial Networks From Stuxnet Attacks
Good security practices are paramount in preventing malware attacks. Such practices include consistent patching and updates, strong passwords backed by password management, and identification and authentication software. To protect against Stuxnet, virus scanning or banning of all USB drives and other portable media, along with endpoint security to intercept malware before it can spread through the network, are essential. Companies can use the following tips to protect themselves from Stuxnet and other malware:
- Isolate industrial networks from general business networks using firewalls and a demilitarised zone (DMZ). This will prevent malware from spreading.
- Closely monitor networks for abnormal activity, along with the machines that automate industrial processes.
- Use application whitelisting to help keep malicious actors off your network.
- Monitor and log all activities on the network, and maintain stringent removable media policies to stop untrusted USB drives from being used.
- Exercise host hardening by disabling non-essential services.
- Enforce strong physical security for access to industrial networks, such as card readers and surveillance cameras.
Lastly, organisations should create an incident response plan to enable them to react quickly to problems and restore systems quickly.