Stuxnet is a malicious computer worm that first came into the limelight in 2010 and is believed to have been in development since 2005. Stuxnet explicitly targets Supervisory Control and Data Acquisition (SCADA) and Programmable Logic Controller (PLC) systems and is responsible for causing tremendous damage to Iran's nuclear program. The malware is believed to have been created jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games.
Stuxnet specifically targets Programmable Logic Controllers (PLCs), which automate electromechanical processes in plants, factories, and industrial infrastructure, such as the machinery used in nuclear facilities, including the gas centrifuges that separate nuclear material. Stuxnet exploited four zero-day flaws. It works by infecting machines running the Microsoft Windows OS and then looking for Siemens Step7 software. The worm reportedly compromised PLCs in the Iranian nuclear plants by collecting information on the industrial systems and driving the centrifuges to spin so fast that they tore themselves apart. Stuxnet reportedly ruined almost 20% of Iran's nuclear centrifuges. The worm reportedly infected over 200,000 computers and caused hundreds of machines to degrade physically.
December 6, 2010: The Langner Controller Integrity Checker, a mitigation tool against Stuxnet-inspired malware, was announced.
The attackers developed the Stuxnet worm to exploit four Microsoft Windows OS zero-day vulnerabilities known to the intelligence agencies but not publicly disclosed to the world.
The four vulnerabilities exploited in the attacks were:
The LNK (Windows shortcut) file vulnerability was used to let the worm spread between systems via USB sticks. The shared print spooler vulnerability was used to propagate the worm across the network through the shared printing facilities common in the 2000s. Finally, the privilege escalation exploits enabled the worm to execute its code with elevated rights and damage the centrifuges covertly.
Firstly, the worm targeted the computers used to manage the SCADA and PLC devices that controlled the centrifuges in the nuclear plant. The nuclear facilities' network was not connected to the broader Internet, creating an air gap, so physical means such as USB sticks were used to carry the worm into the network. This was achieved by the intelligence agencies compromising five suppliers of the nuclear facilities and secretly adding the Stuxnet code to their systems; the engineers at these supplier companies were cleared to work on the SCADA and PLC equipment, and the anti-virus systems in place could not detect the malicious code. Once the USB sticks were plugged into the facilities' computers running Microsoft Windows, the Stuxnet worm entered the system and replicated itself to every other reachable Windows-based computer on the facilities' networks, resulting in a full-fledged spread across the Iranian nuclear network.
Once the worm had infiltrated and spread across the network, the code looked for the Siemens Step 7 software running on the facilities' Windows computers. The Siemens Step 7 application controlled the SCADA and PLC systems used to drive the centrifuges. The code then executed its payload, which manipulated the controls that managed the speed and duration of the centrifuges: the high speed caused the centrifuges to burn themselves out, while the low speed caused inefficient processing of the nuclear material (uranium), wasting resources and slowing production. In addition, while the Stuxnet worm was manipulating the speed of the centrifuges, false data was being sent to the SCADA and PLC layer monitored by the Siemens Step 7 application, giving the false impression that the instrumentation at the facility was working fine.
Later, a variant of Stuxnet manipulated the valves to increase the pressure inside the centrifuges, damaging both the valves and the centrifuges and thus slowing down the uranium enrichment process.
Meanwhile, it provided false feedback to the operators, so that they would not know what was going wrong until it was too late to do anything about it.
Its main purpose was to destroy centrifuges. Stuxnet raises the rotational speed of the centrifuges from normal to 1,410 Hz for 15 minutes; then, 27 days later, it slows them down for 50 minutes, during which the rotational speed is reduced to 200 Hz. The sequence repeats roughly every 27 days. The high speed causes the centrifuges to rupture, and the low speed results in inefficient processing of the nuclear material (uranium), wasting resources and slowing production.
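A defender-side check for the false-feedback behaviour described above, added here as an illustration and not code from the article or from any vendor tool: it compares the speed a PLC reports to the SCADA/HMI against an independent sensor reading the PLC cannot rewrite, and flags sustained runs in which the physical process is out of range while the reported value looks normal. The 900-1100 Hz nominal band, the independent-sensor feed and the telemetry trace are assumptions constructed for this example.

```python
# Assumed nominal operating band in Hz (an assumption for this example; the
# article gives the attack values 1,410 Hz and 200 Hz but not the normal speed).
NOMINAL_BAND = (900.0, 1100.0)


def detect_spoofed_excursions(samples, band=NOMINAL_BAND, min_minutes=5):
    """Return (start_minute, end_minute, peak_measured) for every run of at
    least `min_minutes` consecutive samples in which the independent sensor is
    outside the nominal band while the PLC-reported value stays inside it.
    Each sample is (minute, reported_hz, measured_hz). A run of this shape is
    the signature described in the article: the centrifuge is driven out of
    range while the HMI is told everything is fine."""
    lo, hi = band
    mid = (lo + hi) / 2
    runs, start, last, peak = [], None, None, None
    for minute, reported, measured in samples:
        spoofed = (lo <= reported <= hi) and not (lo <= measured <= hi)
        if spoofed:
            if start is None:
                start, peak = minute, measured
            elif abs(measured - mid) > abs(peak - mid):
                peak = measured          # keep the most extreme measured value
            last = minute
        elif start is not None:
            if last - start + 1 >= min_minutes:
                runs.append((start, last, peak))
            start = None
    if start is not None and last - start + 1 >= min_minutes:
        runs.append((start, last, peak))  # run still open at end of trace
    return runs


def build_sample():
    """Constructed 100-minute trace (not real plant data): a 15-minute
    over-speed at 1,410 Hz from minute 10 (the spin-up the article describes),
    a 2-minute sensor glitch at minute 40 that must NOT be flagged, and a
    50-minute slow-down to 200 Hz from minute 50. The PLC reports a steady
    1,000 Hz throughout, i.e. the feedback is spoofed."""
    rows = []
    for m in range(100):
        measured = 1000.0
        if 10 <= m < 25:
            measured = 1410.0
        elif 40 <= m < 42:
            measured = 1150.0
        elif 50 <= m < 100:
            measured = 200.0
        rows.append((m, 1000.0, measured))
    return rows


if __name__ == "__main__":
    for start, end, peak in detect_spoofed_excursions(build_sample()):
        print(f"spoofed excursion minutes {start}-{end}, measured peak {peak} Hz")
```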
Stuxnet's creators hoped to slow Iran's nuclear program by creating doubt and confusion among the Iranians, leading them to halt uranium processing on several centrifuges. The creators probably thought the worm would not be discovered as quickly as it was; had it stayed hidden longer, the damage could have been far more significant. Waiting 27 days between attacks was possibly done to be stealthier.
The Stuxnet worm also caused some unintended effects. It infected 100,000 computers around the world. Stuxnet did not do any severe damage outside Iran's nuclear program, as it was highly targeted at destroying Iran's efforts to become a nuclear power. However, others may use Stuxnet's code as a base to attack SCADA or other systems in other countries.
Once such attacks are detected inside an organization's systems or networks, we can only react to the attack and minimize the potential risk it poses.