What Is Stuxnet And Who Created It?

Thanks to Stuxnet, we now live in a world where code can destroy machinery and stop (or start) a war…so say some analysists.

The keynote speaker at the recent Reset 2018 was Kim Zetter, an investigative journalist and author of an acclaimed book on Stuxnet – Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

She took the audience through the chronology, not just from introduction to discovery, but from the US investigating the idea that Russia, China or North Korea could cause physical damage with digital code - through to current day copycats.

The various iterations of Stuxnet were considered, how they were introduced - naming supply companies used - as well as a detailed explanation of how the worm worked.

So we do know that attackers can achieve physical destruction with code as a fact.  Multiple nations now plan to launch their own offensive capability, “at least 20 countries we know of”.  And the capability is there for anyone to use for any purpose. Zetter concluded that while Stuxnet was a precision weapon, not everyone will be as capable and careful.

Stuxnet Background

Stuxnet is an extremely sophisticated computer worm that exploits multiple previously unknown Windows zero-day vulnerabilities to infect computers and spread. Its purpose was not just to infect PCs but to cause real-world physical effects. Specifically, it targets centrifuges used to produce the enriched uranium that powers nuclear weapons and reactors.

Stuxnet was first identified by the infosec community in 2010, but development on it probably began in 2005. Despite its unparalleled ability to spread and its widespread infection rate, Stuxnet does little or no harm to computers not involved in uranium enrichment.

When it infects a computer, it checks to see if that computer is connected to specific models of programmable logic controllers (PLCs) manufactured by Siemens. PLCs are how computers interact with and control industrial machinery like uranium centrifuges.

The worm then alters the PLCs' programming, resulting in the centrifuges being spun too quickly and for too long, damaging or destroying the delicate equipment in the process.

While this is happening, the PLCs tell the controller computer that everything is working fine, making it difficult to detect or diagnose what's going wrong until it's too late.

Who created Stuxnet?

It's now widely accepted that Stuxnet was created by the intelligence agencies of the United States and Israel. The classified program to develop the worm was given the code name "Operation Olympic Games"; it was begun under President George W. Bush and continued under President Obama.

While neither government has ever officially acknowledged developing Stuxnet, a 2011 video created to celebrate the retirement of Israeli Defense Forces head Gabi Ashkenazi listed Stuxnet as one of the successes under his watch.

While the individual engineers behind Stuxnet haven't been identified, we know that they were very skilled, and that there were a lot of them. Kaspersky Lab's Roel Schouwenberg estimated that it took a team of ten coders two to three years to create the worm in its final form.

Several other worms with infection capabilities similar to Stuxnet, including those dubbed Duqu and Flame, have been identified in the wild, although their purposes are quite different than Stuxnet's. Their similarity to Stuxnet leads experts to believe that they are products of the same development shop, which is apparently still active.

What's the purpose of Stuxnet?

The US and Israeli governments intended Stuxnet as a tool to derail, or at least delay, the Iranian program to develop nuclear weapons.

The Bush and Obama administrations believed that if Iran were on the verge of developing atomic weapons, Israel would launch airstrikes against Iranian nuclear facilities in a move that could have set off a regional war. Operation Olympic Games was seen as a nonviolent alternative.

Although it wasn't clear that such a cyber-attack on physical infrastructure was even possible, there was a dramatic meeting in the White House Situation Room late in the Bush presidency during which pieces of a destroyed test centrifuge were spread out on a conference table. It was at that point that the US gave the go-head to unleash the malware.

Stuxnet was never intended to spread beyond the Iranian nuclear facility at Natanz. The facility was air-gapped and not connected to the Internet. That meant that it had to be infected via USB sticks transported inside by intelligence agents or unwilling dupes, but also meant the infection should have been easy to contain.

However, the malware did end up on Internet-connected computers and began to spread in the wild due to its extremely sophisticated and aggressive nature, though as noted it did little damage to outside computers it infected.

Many in the US believed the spread was the result of code modifications made by the Israelis; then-Vice President Biden was said to be particularly upset about this.

Stuxnet source code

Liam O'Murchu, who's the director of the Security Technology and Response group at Symantec and was on the team there that first unraveled Stuxnet, says that Stuxnet was "by far the most complex piece of code that we've looked at, in a completely different league from anything we’d ever seen before."

And while you can find lots of websites that claim to have the Stuxnet code available to download, O'Murchu says you shouldn't believe them: he emphasized to CSO that the original source code for the worm, as written by coders working for US and Israeli intelligence, hasn't been released or leaked and can't be extracted from the binaries that are loose in the wild.

However, he explained that a lot about code could be understood from examining the binary in action and reverse-engineering it. For instance, he says, "it was pretty obvious from the first time we analysed this app that it was looking for some Siemens equipment."

Eventually, after three to six months of reverse engineering, "we were able to determine, I would say, 99 percent of everything that happens in the code," O'Murchu said.

And it was a thorough analysis of the code that eventually revealed the purpose of the malware. "We could see in the code that it was looking for eight or ten arrays of 168 frequency converters each," says O'Murchu.

"You can read the International Atomic Energy Association’s documentation online about how to inspect a uranium enrichment facility, and in that documentation they specify exactly what you would see in the uranium facility, how many frequency converters there will be, how many centrifuges there would be. They would be arranged in eight arrays and that there would be 168 centrifuges in each array. That’s exactly what we were seeing in the code."

"It was very exciting that we’d made this breakthrough," he added. "But then we realised what we had got ourselves into, probably an international espionage operation, and that was quite scary."

Symantec released this information in September of 2010; analysts in the west had known since the end of 2009 that the Iranians had been having problems with their centrifuges, but only know understood why.

Stuxnet documentary

Alex Gibney, the Oscar-nominated documentarian behind films like Enron: The Smartest Guys In The Room and Going Clear, directed Zero Days, which explains the history of Stuxnet's discovery and its impact on relations between Iran and the west. Zero Days includes interviews with O'Murchu and some of his colleagues, and is available in full on YouTube.

One dramatic sequence shows how the Symantec team managed to drive home Stuxnet's ability to wreak real-world havoc: they programmed a Siemens PLC to inflate a balloon, then infected the PC it was controlled by with Stuxnet. The results were dramatic: despite only being programmed to inflate the balloon for five seconds, the controller kept pumping air into until it burst.

The destruction of the Iranian uranium centrifuges, which followed the same logic, they were spun too quickly and destroyed themselves, was perhaps less visually exciting, but was ultimately just as dramatic.

As the documentary explains, we now live in a world where computer malware code is causing destruction at a physical level. It's inevitable that we'll see more in the future.

CSO Online:              SC Magazine:

You Might Also Read: 

Stuxnet, Secrecy & The New Era of Cyber War:

Son of Stuxnet: Irongate Malware:


 

« How Silicon Valley Became A Den Of Spies
Bank Industry Is Turning On To AI Technology »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Radiant Logic

Radiant Logic

Radiant Logic is a market-leading provider of federated identity solutions based on virtualization, and delivers simple, logical, and standards-based access to all identities within an organization.

Visa

Visa

Visa is a global payments technology company that connects consumers, businesses and banks in more than 200 countries and territories worldwide.

National Cyber and Information Security Agency (NUKIB) - Czech Republic

National Cyber and Information Security Agency (NUKIB) - Czech Republic

NUKIB is the central Czech government body for cyber security, the protection of classified information in the area of information and communication systems and cryptographic protection.

Information System Security Directorate (ISSD) - Afghanistan

Information System Security Directorate (ISSD) - Afghanistan

Information System Security Directorate (ISSD) is the Directorate of MCIT responsible for the security of critical information infrastructures in Afghanistan.

RangeForce

RangeForce

RangeForce delivers the only integrated cybersecurity simulation and skills analysis platform that combines a virtual cyber range with hand-on training.

Abnormal Security

Abnormal Security

Abnormal is an API-based email security platform providing protection against the entire spectrum of targeted email attacks.

Sonrai Security

Sonrai Security

Sonrai Security delivers an enterprise security platform focused on identity and data protection inside AWS, Azure, and Google Cloud.

ISMAC

ISMAC

ISMAC was founded to create a security solution that would work for smaller to medium as well as bigger corporations at an affordable price.

Fortified Health Security

Fortified Health Security

Fortified’s team of cybersecurity specialists is dedicated to helping healthcare providers, payers and business associates protect their patient data across the Fortified Healthcare Ecosystem.

Devolutions

Devolutions

Devolutions make best-in-class Privileged Access Management, Password Management, and Remote Connection Management solutions available to ALL organizations — including SMBs.

Xmirror Security

Xmirror Security

Xmirror Security focuses on integrated detection and defense of the continuous threat to the DevSecops software supply-chain with artificial intelligence technology as the core.

MicroAge

MicroAge

Powered by five decades of experience, lasting partnerships, client relationships, and the values that guide us daily, MicroAge is here to help you secure, accelerate, and transform your business.

Splashtop

Splashtop

Splashtop’s cloud-based, secure, and easily managed remote access solution is increasingly replacing legacy approaches such as virtual private networks.

Technology Innovation Institute (TII)

Technology Innovation Institute (TII)

TII is a UAE-based research center that aims to lead global advances in AI, robotics, quantum computing, cryptography and secure communications and more.

Innov8tif

Innov8tif

Innov8tif is an AI company specialised in providing ID assurance solutions — helping digital businesses to prevent frauds by verifying and authenticating customers identity.

Price Forbes

Price Forbes

Building on more than 100 years of specialist insurance broking, Price Forbes partner with clients around the world who are looking to understand and balance today’s risk and plan for the future.