
The Stuxnet Worm – Cyber Warfare, The Invisible Weapon



Background

Stuxnet reportedly infiltrated more than 15 Iranian facilities, most notably the uranium enrichment plant at Natanz, where an estimated 984 centrifuges were destroyed after the worm drove them outside their safe operating speeds until they wore themselves out. Stuxnet, the first known malware capable of physically damaging hardware, is widely believed to have been created by the United States and Israel to attack Iran's nuclear programme, although neither government has acknowledged it. The aim was to derail, or at least delay, Iran's ability to develop nuclear weapons. A computer worm was seen as a non-violent alternative to airstrikes should Iran appear to be on the verge of building a weapon, avoiding an escalation into a full-blown regional war.

What is the Stuxnet worm?

Stuxnet is an extremely sophisticated computer worm of roughly 500 kilobytes, discovered in June 2010. It exploited four previously unknown (zero-day) Windows vulnerabilities to infect computers and spread, but its payload is aimed at a single target: industrial control software made by the German firm Siemens, specifically the Step7 software and the S7-300 and S7-400 series programmable logic controllers that set and monitor the speed of centrifuge motors. Centrifuges spin material at high speed to separate its components. At Natanz the centrifuges were separating uranium isotopes to concentrate the fissile one, producing the "enriched uranium" that is needed for both nuclear power and nuclear weapons.

The payload only activates when it finds that exact Siemens configuration; on computers not involved in uranium enrichment it does little or no harm.

How was the worm able to get in?

Access to the protected facilities housing these computers is restricted, and the control systems inside are air-gapped: they are not connected to the internet. The attackers therefore needed another way in. They first infected computers at five outside companies believed to be contractors to the nuclear programme. Each of these became an unwitting "patient zero", carrying the worm on USB flash drives into the protected facility.

Once an infected flash drive is carried inside, whether by an intelligence agent or an unwitting dupe, someone only has to plug it into a computer on the plant network. Stuxnet did not even rely on autorun: it abused a then-unpatched flaw in how Windows rendered shortcut (.LNK) files, later fixed as CVE-2010-2568, so merely browsing the drive in Windows Explorer was enough to run its loader and let the worm spread to the plant's computers.

How does it work?

Once inside the plant network, the worm spreads from computer to computer using further Windows vulnerabilities and network shares, checking each machine for the Siemens Step7 software used to program specific models of programmable logic controllers (PLCs). PLCs are the devices through which computers control industrial machinery such as uranium centrifuges.

When it finds a Step7 installation attached to a matching PLC, it injects its own code blocks into the PLC's program and takes control of the frequency converter drives that spin the centrifuges. Symantec's analysis of the payload found that it first raises the drive frequency from a normal 1064 Hz to 1410 Hz for about 15 minutes before restoring it, then, roughly a month later, drops it to 2 Hz for around 50 minutes. The cycle repeats for months; spun too fast and then too slow, the delicate rotors are stressed and eventually destroyed. Throughout, Stuxnet hides its tracks: the component it installs on the engineering workstation intercepts the Siemens software's communication with the PLC, so anyone inspecting the controller sees the original, unmodified program and operators see readings that look normal. This makes the fault hard to detect or diagnose until it is too late.
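As an added example (not from the original article or from any vendor's tooling), the Python below shows the detection logic this story argues for: because the compromised engineering workstation reported normal values, the only trustworthy record is one captured independently of it, such as a passive tap on the fieldbus or a separate speed sensor. The telemetry it processes is constructed; the 807 to 1210 Hz window and the 1410 Hz and 2 Hz setpoints are the values Symantec reported from the payload, while the one-sample-per-minute log format and the function names are assumptions of the example.

```python
"""Flag sabotage-style speed excursions in independently captured centrifuge drive telemetry.

Added example, not from the article. Models the Stuxnet lesson: the HMI lied, so compare
against a record the engineering workstation never touched. All telemetry is CONSTRUCTED.
"""
from dataclasses import dataclass

# Operating window Symantec reported Stuxnet checked for before attacking (assumed as the alert band).
SAFE_MIN_HZ = 807.0
SAFE_MAX_HZ = 1210.0


@dataclass
class Excursion:
    start: int          # first out-of-range minute (constructed time unit)
    end: int            # one past the last out-of-range minute
    extreme_hz: float   # most extreme frequency seen during the excursion
    kind: str           # "overspeed" or "underspeed"

    @property
    def minutes(self) -> int:
        return self.end - self.start


def parse_telemetry(lines):
    """Parse 'minute,frequency_hz' lines into (minute, hz) tuples; '#' lines are comments."""
    samples = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        minute_s, hz_s = line.split(",")
        samples.append((int(minute_s), float(hz_s)))
    return samples


def find_excursions(samples, lo=SAFE_MIN_HZ, hi=SAFE_MAX_HZ):
    """Group consecutive out-of-range samples into Excursion records (one sample per minute assumed)."""
    excursions, current = [], None
    for minute, hz in samples:
        kind = "overspeed" if hz > hi else "underspeed" if hz < lo else None
        # Close the open excursion if the reading is back in range, changed direction, or the log has a gap.
        if current is not None and (kind != current.kind or minute != current.end):
            excursions.append(current)
            current = None
        if kind is None:
            continue
        if current is None:
            current = Excursion(start=minute, end=minute + 1, extreme_hz=hz, kind=kind)
        else:
            current.end = minute + 1
            current.extreme_hz = max(current.extreme_hz, hz) if kind == "overspeed" else min(current.extreme_hz, hz)
    if current is not None:
        excursions.append(current)
    return excursions


def count_disagreements(independent, reported, tolerance_hz=5.0):
    """Minutes where the independent capture and the HMI-reported value differ by more than tolerance_hz.
    A nonzero count means one of the two sources is wrong, and the HMI is the one an attacker controls."""
    reported_by_minute = dict(reported)
    return sum(1 for minute, hz in independent
               if abs(hz - reported_by_minute.get(minute, hz)) > tolerance_hz)


def build_sample_log():
    """CONSTRUCTED independent telemetry: 200 minutes at a nominal 1064 Hz with the two
    sabotage phases (15 min at 1410 Hz, 50 min at 2 Hz) compressed into one log."""
    lines = ["# minute,frequency_hz  (constructed data)"]
    for minute in range(200):
        hz = 1410.0 if 60 <= minute < 75 else 2.0 if 140 <= minute < 190 else 1064.0
        lines.append(f"{minute},{hz}")
    return lines


def build_hmi_log():
    """CONSTRUCTED view the compromised HMI showed operators: a flat nominal value throughout."""
    return ["# minute,frequency_hz  (constructed data)"] + [f"{m},1064.0" for m in range(200)]


if __name__ == "__main__":
    samples = parse_telemetry(build_sample_log())
    for e in find_excursions(samples):
        print(f"{e.kind}: minutes {e.start}-{e.end - 1} ({e.minutes} min), extreme {e.extreme_hz} Hz")
    print("HMI disagreed with independent capture for",
          count_disagreements(samples, parse_telemetry(build_hmi_log())), "minutes")
```

The point of `count_disagreements` is that the alert band alone is not enough: an operator who only watches the HMI would see 1064 Hz for all 200 minutes. The check has to run on data the Step7 workstation never processed.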

How was it discovered?

Inspectors noticed that an unusual number of centrifuges were failing and being replaced, with no known cause at the time. In June 2010 a small Belarusian antivirus firm, VirusBlokAda, was called in to examine the machines of an Iranian customer that kept crashing and rebooting, and found the malicious files. Security companies worldwide then analysed them and identified the worm now known as Stuxnet.

Learning Points

Stuxnet is the first known malware that spies on and subverts industrial control systems. Worms of this kind threaten a range of critical industries, including power generation, electrical grids and defence, because they can attack and destroy physical infrastructure. Some learning points from the Stuxnet incident for protecting your organisation against similar attacks are

  1. Employees to develop cyber awareness and cyber resilience

    • Patch and update systems regularly and manage credentials properly: strong, unique passwords, and no hardcoded or shared default credentials (Stuxnet exploited a hardcoded database password in Siemens' WinCC software). Employees should also be trained to restore systems quickly under an incident response plan, and simulated incidents should be run to confirm they are prepared.

  2. Strong network protection and monitoring

    • Separate industrial networks from general business networks with firewalls and a DMZ, so that no path leads directly from office workstations to control systems. Monitor and log all activity on the industrial network, paying special attention to the machines that program or automate industrial processes, such as engineering workstations and HMIs. Application whitelisting on those machines is also recommended, since their set of installed software rarely changes.

  3. Implement strong physical and cyber security for access to industrial networks

    • Put identification and authentication controls on physical access, for instance card readers and surveillance cameras. Scan all USB sticks and other portable media on a dedicated kiosk before use (or ban them outright), disable autorun, and deploy endpoint security software on the engineering workstations to intercept malware.
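The removable-media rule in point 3 can be enforced as a deny-by-default check rather than left as a policy statement. The Python below is an added example, not code from the article; it triages a mounted drive using artifacts Symantec documented on Stuxnet-carrying USB sticks (shortcut files named "Copy of Shortcut to.lnk", "Copy of Copy of Shortcut to.lnk" and so on, and the companion ~WTR4141.tmp and ~WTR4132.tmp loader files), together with generic checks for autorun.inf and PE executables. The two drive layouts it scans are constructed in temporary directories; the rule set and function names are assumptions of the example, and it complements rather than replaces antivirus scanning.

```python
"""Removable-media triage: block Stuxnet-style artifacts before a drive goes near an ICS host.

Added example, not from the article. Rules are based on the artifacts Symantec documented on
infected USB sticks plus generic autorun/PE checks. The drives scanned are CONSTRUCTED samples.
"""
import os
import re
import tempfile
from pathlib import Path

# Windows shortcut (.LNK) header: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
PE_MAGIC = b"MZ"
# Stuxnet's loader files were named ~WTR4141.tmp and ~WTR4132.tmp; match the family by pattern.
TMP_LOADER_RE = re.compile(r"^~wtr\d+\.tmp$", re.IGNORECASE)


def classify_file(path: Path):
    """Return a reason string if this file should block the drive, else None."""
    name = path.name.lower()
    with path.open("rb") as f:
        head = f.read(64)
    if name == "autorun.inf":
        return "autorun.inf present (auto-execution hook)"
    if name.endswith(".lnk") or head.startswith(LNK_MAGIC):
        return "Windows shortcut on removable media (Stuxnet used .lnk files to trigger its loader)"
    if TMP_LOADER_RE.match(name):
        return "~WTRnnnn.tmp companion file (Stuxnet loader naming pattern)"
    if head.startswith(PE_MAGIC):
        return "PE executable (MZ header), whatever the extension says"
    return None


def triage_drive(mount_point):
    """Walk a mounted drive and return ("ALLOW" | "DENY", [(relative_path, reason), ...])."""
    mount_point = Path(mount_point)
    findings = []
    for root, _dirs, files in os.walk(mount_point):
        for fn in files:
            p = Path(root) / fn
            reason = classify_file(p)
            if reason:
                findings.append((str(p.relative_to(mount_point)), reason))
    return ("DENY" if findings else "ALLOW"), findings


def build_constructed_drives():
    """Create two CONSTRUCTED drive layouts in a temp dir: a Stuxnet-style carrier and a clean stick.
    The file contents are padding around the relevant headers, not real malware."""
    base = Path(tempfile.mkdtemp(prefix="usb_triage_"))
    infected = base / "infected"
    infected.mkdir()
    for prefix in ("", "Copy of "):  # two of the four shortcut names Stuxnet dropped
        (infected / f"{prefix}Copy of Shortcut to.lnk").write_bytes(LNK_MAGIC + b"\x00" * 44)
    (infected / "~WTR4141.tmp").write_bytes(PE_MAGIC + b"\x90" * 62)
    (infected / "~WTR4132.tmp").write_bytes(PE_MAGIC + b"\x90" * 62)
    (infected / "report.pdf").write_bytes(b"%PDF-1.4 constructed")
    clean = base / "clean"
    (clean / "notes").mkdir(parents=True)
    (clean / "report.pdf").write_bytes(b"%PDF-1.4 constructed")
    (clean / "notes" / "readme.txt").write_text("constructed sample text")
    return infected, clean


if __name__ == "__main__":
    for drive in build_constructed_drives():
        verdict, findings = triage_drive(drive)
        print(f"{drive.name}: {verdict}")
        for rel, reason in findings:
            print(f"  {rel}: {reason}")
```

Run this on a scanning kiosk, not on the engineering workstation, and treat DENY as "this drive does not get plugged in anywhere on the plant network" rather than "delete the offending file and proceed".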


Aftermath

Stuxnet was a weapon with a specific target and was never intended to spread beyond the Iranian facilities. It nonetheless escaped onto internet-connected computers and spread in the wild, carried by the same USB and network propagation mechanisms that got it into Natanz. As noted above, it did no harm to computers not involved in uranium enrichment.

Over time, variants of the code were reported to target other facilities, including water treatment plants, power plants and gas pipelines. Although Stuxnet was programmed to stop spreading in June 2012, and Siemens issued fixes for its software, its legacy lives on in later malware built on or inspired by the original code. These descendants include

