Stuxnet is a malicious computer worm widely believed to be a jointly built American-Israeli cyber weapon. At roughly 500 kilobytes, it infected the software of at least 14 industrial sites in Iran, including the Bushehr Nuclear Power Plant and the Natanz uranium enrichment facility.
Stuxnet was first identified by the security company VirusBlokAda in mid-June 2010. Brian Krebs's blog post was the first to draw wide attention to it; the sample had been caught exploiting a Windows shortcut (.LNK) flaw, later assigned CVE-2010-2568 and patched by Microsoft in MS10-046. VirusBlokAda originally named it “Rootkit.Tmphider”; Symantec called it “W32.Temphid” before settling on “W32.Stuxnet”. The current name combines two strings found in the code (“.stub” and “mrxnet.sys”). The timing of the discovery is attributed to the worm accidentally spreading beyond its intended target (the Natanz plant): a programming error introduced in an update reportedly let it reach an engineer's computer that had been connected to the centrifuge network, and from there onto the internet when the engineer took the machine home and connected it.
Stuxnet has three main modules:
- Worm: the code that runs every routine belonging to the attack's main payload.
- Link file: a .lnk shortcut that, merely by being displayed (for example when Windows Explorer renders a folder), triggers execution of the propagated copy of the worm.
- Rootkit: the component that hides all of Stuxnet's files and processes so that its presence is not detected.
It was the first malware discovered that spies on and subverts industrial control systems, and the first to include a programmable logic controller (PLC) rootkit. The worm initially spreads indiscriminately, but carries a highly specialized payload that targets only Siemens supervisory control and data acquisition (SCADA) systems configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Siemens Step7 engineering software that is used to program them.
Stuxnet was unprecedented in exploiting four zero-day vulnerabilities in Windows, that is, flaws unknown to the vendor and the defensive community at the time, alongside one already-patched bug (MS08-067) and two stolen code-signing certificates used to sign its kernel drivers.
Stuxnet is typically introduced into the target environment on an infected USB flash drive. The worm then propagates across the local network, looking for machines that run Siemens Step7 and are connected to a PLC. If either condition is missing, Stuxnet lies dormant on that host (while continuing to spread). If both are met, it replaces the Step7 communication library (s7otbxdx.dll) with its own copy, uses that hook to inject code blocks into the PLC and hide them from the engineering tool, and issues unexpected commands to the PLC while replaying previously recorded normal process values to the operators.
A Symantec study of Stuxnet's spread showed that the countries most affected in the early days of the infection were Iran, Indonesia and India.
Ralph Langner, the researcher who first identified that Stuxnet was targeting PLCs, said in a TED Talk recorded in February 2011: “My opinion is that the Mossad (national intelligence agency of Israel) is involved, but that the leading force is not Israel. The leading force behind Stuxnet is the cyber superpower – there is only one; and that's the United States.”
On 1 June 2012, The New York Times reported that Stuxnet was part of a joint US-Israeli intelligence operation code-named “Operation Olympic Games”, begun under President George W. Bush and expanded under President Barack Obama.
In October 2012, US defense secretary Leon Panetta warned that the United States was vulnerable to a “cyber Pearl Harbor” that could derail trains, poison water supplies and cripple power grids. The following month Chevron became the first US corporation to confirm that Stuxnet had spread onto its own machines, showing how far the worm had travelled beyond its intended target.
In 2015, Kaspersky Lab published research on another highly sophisticated espionage platform, attributed to what it called the Equation Group, and noted that the group had used two of the zero-day exploits later found in Stuxnet before Stuxnet itself did, and in a similar way in both programs.