STUXNET and the Rise of the Digital Weapon

When we think of weapons of war doing damage to physical things, we tend to think of solid objects, whether they be spears, swords, guns, bombs, tanks, or aircraft. But in June of 2010, a handful of antivirus researchers stumbled on one of the most innovative examples of a new type of weapon that had recently emerged: one made up of nothing more substantial than lines of ones and zeroes, but every bit as precise and destructive to certain physical objects as any laser-guided bomb. It was an opening shot in a new, shadowy theatre of warfare that threatens the very foundations of our digital, connected society. This is the story of STUXNET, one of the world’s first digital weapons.

On June 24, 2010, Sergey Ulasen and Oleg Kupreev, analysts for Minsk-based anti-malware firm VirusBlokAda, received a set of suspicious files which were causing computers in Iran to enter an endless reboot loop. Even wiping the computers and reinstalling all the software didn’t seem to help; the files somehow always managed to reinfect the system. At first Ulasen and Kupreev thought little of the assignment; after all, VirusBlokAda dealt with thousands of new pieces of malware every year. But as soon as they looked closer at the code, they realized that this was something very different indeed.

For one thing, it was big: around 500 kilobytes, compared to 10-15 for most malware of the day, and when its components were unpacked this ballooned to a colossal 1.2 megabytes. The next surprise came when Ulasen transferred the files to his work computer: not only did they install and run themselves automatically, but they did so without triggering any alarms or warnings. That pointed to a kernel-mode rootkit, a driver loaded into the core of the operating system that hid the worm’s files from the system itself and from virus scanners. But the biggest shock came when Ulasen looked at how the worm got itself onto a machine. Most USB-borne malware of the era relied on Windows’s AutoRun feature, which automatically ran a designated program when a flash drive or other device was inserted. But that trick is easily thwarted by simply disabling AutoRun. Instead, this worm used a series of .LNK files: ordinary Windows shortcut files, whose icons Explorer renders whenever the folder containing them is displayed. A specially crafted shortcut caused Explorer to load a library from the drive while drawing the icon, so merely opening the drive in a file browser was enough to run the worm’s code; no click, and no AutoRun, was required. (The flaw was later catalogued as CVE-2010-2568.) It was a fiendishly clever exploit, and one Ulasen and Kupreev had never seen before. A quick check of VirusBlokAda’s malware registry confirmed their suspicions: they had stumbled upon the holy grail for malware hunters – a zero-day exploit.

A zero-day vulnerability is a software flaw that neither the vendor nor the antivirus companies know about, and for which no patch therefore exists; a zero-day exploit is code that takes advantage of one. The name comes from the fact that the vendor has had zero days to fix the problem before it is used in an attack. Zero-days are highly coveted by hackers, cybercriminals, and intelligence agencies, and fetch hefty prices on the markets that trade in them. They are also exceedingly rare: of the roughly 12 million new malware samples catalogued each year, the number exploiting a true zero-day can generally be counted on two hands. So try to imagine the shock of the analysts at Symantec and Kaspersky Lab who later picked the worm apart and found not one, not two, but three more zero-day exploits hidden inside it: a flaw in the Windows print spooler service, used to hop between machines on a network, and two separate bugs used to elevate the worm’s privileges on an infected machine. A single zero-day was rare enough; four was unheard of.

And the surprises didn’t end there. The worm carried four separate .LNK files, one tailored to each version of Windows from Windows 2000 onward, and appeared designed to spread not via the internet like normal viruses but via flash drives and, once inside a facility, across local networks. Its driver files also carried a valid digital signature made with a code-signing certificate belonging to Realtek Semiconductor of Taiwan, evidently stolen from the company; a signature from a legitimate hardware vendor lets a driver load without complaint from Windows, and is almost impossible for ordinary hackers to obtain. But strangest of all, the worm was programmed to seek out Siemens SIMATIC Step 7 or WinCC software, the Windows programs engineers use to program and monitor Siemens S7 Programmable Logic Controllers, or PLCs: the small ruggedized computers used in industry to control things like robotic arms on automated assembly lines. On a machine without that software the worm would quietly keep spreading but deliver no payload; only where Step 7 was present, and only if the PLC attached to it matched a very specific configuration, would it inject its sabotage code into the controller. Ulasen and Kupreev were baffled; not only was the worm designed to seek out an extremely specific target, but the target itself made no sense. Most malware is designed to steal credit card numbers, passwords, and other information with the intent of making money, but this worm seemed built specifically to attack industrial systems. But which systems, and for what purpose? Unfortunately by this time Ulasen and Kupreev had been assigned to other projects. But before moving on, they announced their discovery on the company website and a cybersecurity forum. The worm soon acquired the name by which it is now known, assembled from strings found in its files (the .stub resource and the mrxnet.sys driver): STUXNET.

And there the story of STUXNET would have ended, were it not for the perseverance of another pair of malware hunters: Liam O’Murchu and Eric Chien of California firm Symantec. Upon receiving the STUXNET files on July 16, 2010, the pair immediately spotted an unusual feature: whenever STUXNET infected a new computer, it sent a report containing the machine’s IP address and other details to one of two command-and-control domains masquerading as soccer fan sites (mypremierfutbol.com and todaysfutbol.com), allowing its creators to track its progress as it hopped from machine to machine. O’Murchu and Chien arranged for traffic to these domains to be redirected to a sinkhole, a dedicated server in their office, and watched as the reports started flooding in. Within four days STUXNET had checked in from over 38,000 machines: 3700 in India, 6700 in Indonesia, and 22,000 in Iran. A quick internet search turned up an apparent connection between these countries: the 2700-kilometre-long Peace Pipeline planned to stretch from the South Pars gas field in Iran through Pakistan to India. The attack had apparently begun in Iran and spread via infected flash drives along the pipeline. But what was being targeted in Iran? Despite gaining a better understanding of how STUXNET spread and operated, O’Murchu and Chien were no closer to determining its purpose than Ulasen and Kupreev.

The final piece of the STUXNET puzzle would be uncovered with the help of Dutch industrial-networking expert Rob Hulsebos, who in November 2010 helped identify in the worm’s payload code designed to attack two specific models of frequency converter drives, devices that set the speed of an electric motor by varying the frequency of the current supplied to it. Looking up the devices turned up a surprise: converters operating in this frequency range were regulated for export by the US Nuclear Regulatory Commission. Putting all the pieces together led to the only reasonable conclusion: STUXNET was designed to interfere with the nuclear program of Iran. But how, exactly? Little did the researchers realize that the answer had already been revealed some eleven months before.

In January 2010, inspectors from the International Atomic Energy Agency began noticing some strange activity at Iran’s Natanz uranium enrichment complex. The complex, located some 320 kilometres south of Tehran, was completed in 2008 at a cost of $300 million. Covering 100,000 square meters and buried 50 meters underground, in 2010 Natanz operated some 8700 gas centrifuges. Gas centrifuges are devices used for separating the rare uranium-235 isotope, which can be used to fuel nuclear reactors and build atomic bombs, from the more common uranium-238. Uranium is converted into uranium hexafluoride gas and fed into a tall, thin rotor spinning at very high speed; centrifugal force pushes the slightly heavier U-238 towards the wall of the rotor while the U-235 concentrates nearer the centre, where it is tapped off. This slightly enriched gas is then passed through a cascade of further centrifuges, becoming more and more enriched in U-235 as it goes. The rotors spin so fast that their outer walls approach or exceed the speed of sound, so the casing around them must be pumped down to a vacuum. This speed also makes centrifuges extremely delicate and easily unbalanced; the weight of a single fingerprint is enough to make a rotor shake itself apart. Given this fragility, a facility like Natanz is expected to wear out a certain number of centrifuges per year, in this case around 10%, or 900 units. But starting in November 2009, IAEA cameras installed at the facility began recording a sharp increase in centrifuges being removed and replaced; by January the number had reached an astonishing 2000 units. But under the IAEA’s inspection agreement with Iran, the inspectors had no right to ask why, and no way of knowing that what they were witnessing was the handiwork of none other than STUXNET.

Based on what has been learned about STUXNET in the past 10 years, let us take you on a tour of how this sophisticated digital weapon carried out its devious mission.

Sometime in June 2009, STUXNET was introduced to the computer systems of five companies closely involved with Iran’s nuclear program. The worm’s creators evidently counted on an engineer from one of these companies eventually carrying an infected flash drive into Natanz and plugging it into one of the Windows workstations used to program the PLCs controlling the gas centrifuges, allowing STUXNET to slip aboard. Once there, STUXNET lay low, monitoring and recording the flow of data between the PLCs, the centrifuge drives, and the plant operators. Then, after 13 days, the worm performed a trick straight out of Ocean’s Eleven, cutting off the live data flowing from the centrifuges to the plant operators and replacing it with the normal-looking data it had recorded over those 13 days. With the operators believing everything to be running normally, STUXNET sprang into action, driving the frequency converters feeding the centrifuge motors up to 1410 Hertz for 15 minutes before returning them to normal. Then the worm went dormant again, waiting some 26 days before dropping the frequency to a mere 2 Hertz, nearly stalling the rotors, for the better part of an hour. These wild swings in speed stressed the rotors far beyond their design limits, inducing vibration and distortion that eventually caused them to destroy themselves. Over the course of a year, STUXNET gradually wore out up to a fifth of the centrifuges at Natanz, all while leaving the plant’s operators oblivious to the digital havoc being wrought.
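The record-then-replay trick described above is the part of the attack a control-room engineer most wants to understand, so here is an added simulation of it. This is illustrative code written for this page, not code from STUXNET, from the article, or from Symantec’s analysis, and all telemetry in it is constructed. The 13-day wait, the 1410 Hz overspeed for 15 minutes and the 26-day wait follow the article; the nominal drive frequency of 1064 Hz and the 2 Hz, 50-minute slow phase are taken from Symantec’s W32.Stuxnet dossier (listed in the references); the length of the recorded "tape" and the extra masking time after each manipulation are assumptions chosen for the simulation. The implant loops a short window of honest readings over the operator display while the real drive frequency swings. Two checks then try to catch it: one compares the display against an independent measurement path, the other looks for the one thing honest, noisy telemetry never does, which is repeat itself bit for bit.

```python
"""Record-and-replay deception on a PLC telemetry path: an added simulation.

Illustrative code written for this page, not code from Stuxnet, from the
article or from Symantec. All telemetry is constructed with a seeded generator.
"""
import random
from typing import List, Tuple

# Attack timeline in minutes. The 13-day wait, 1410 Hz for 15 minutes and the
# 26-day wait follow the article; 1064 Hz nominal and 2 Hz for 50 minutes follow
# Symantec's W32.Stuxnet dossier and are not stated in the article text.
NOMINAL_HZ = 1064.0
DORMANT_MIN = 13 * 24 * 60
HIGH_HZ, HIGH_MIN = 1410.0, 15
WAIT_MIN = 26 * 24 * 60
LOW_HZ, LOW_MIN = 2.0, 50

# Assumed implant parameters (not from any source): how many minutes of honest
# telemetry it records, and how long it keeps replaying after each manipulation
# so the operators never see the rotor spin down or back up.
TAPE_MIN = 10
MASK_MIN = 60

FIRST_START = DORMANT_MIN
SECOND_START = DORMANT_MIN + HIGH_MIN + WAIT_MIN
ATTACK_WINDOWS = [
    (FIRST_START, FIRST_START + HIGH_MIN, HIGH_HZ),
    (SECOND_START, SECOND_START + LOW_MIN, LOW_HZ),
]
TOTAL_MIN = SECOND_START + LOW_MIN + MASK_MIN + 60


def true_frequency(t: int) -> float:
    """Frequency the drive is really commanded to at minute t."""
    for start, end, hz in ATTACK_WINDOWS:
        if start <= t < end:
            return hz
    return NOMINAL_HZ


class ReplayImplant:
    """Sits between the sensor and the operator display. While idle it keeps
    the last TAPE_MIN honest readings; when an attack window opens it freezes
    that tape and loops it for the window plus MASK_MIN instead of passing the
    live reading through."""

    def __init__(self) -> None:
        self.buffer: List[float] = []
        self.tape: List[float] = []
        self.replay_from = -1
        self.replay_until = -1

    def observe(self, t: int, measured: float) -> float:
        for start, end, _ in ATTACK_WINDOWS:
            if t == start:  # attack begins: freeze the honest tape
                self.tape = list(self.buffer)
                self.replay_from, self.replay_until = start, end + MASK_MIN
        if self.replay_from <= t < self.replay_until and self.tape:
            return self.tape[(t - self.replay_from) % len(self.tape)]
        self.buffer.append(measured)  # honest pass-through; also recorded
        del self.buffer[:-TAPE_MIN]
        return measured


def simulate(seed: int = 7) -> Tuple[List[float], List[float], List[float]]:
    """Per-minute series: (true frequency, shown to operator, independent sensor)."""
    rng = random.Random(seed)
    implant = ReplayImplant()
    truth, shown, independent = [], [], []
    for t in range(TOTAL_MIN):
        f = true_frequency(t)
        plc_reading = f + rng.gauss(0.0, 0.5)    # path the implant controls
        other_reading = f + rng.gauss(0.0, 0.5)  # path it cannot touch
        truth.append(f)
        shown.append(implant.observe(t, plc_reading))
        independent.append(other_reading)
    return truth, shown, independent


def divergence_windows(shown: List[float], independent: List[float],
                       tol: float = 5.0) -> List[Tuple[int, int]]:
    """Half-open [start, end) minute ranges where the display disagrees with an
    independent measurement by more than tol. Needs a second sensor path."""
    windows, start = [], None
    for t, (a, b) in enumerate(zip(shown, independent)):
        off = abs(a - b) > tol
        if off and start is None:
            start = t
        elif not off and start is not None:
            windows.append((start, t))
            start = None
    if start is not None:
        windows.append((start, len(shown)))
    return windows


def longest_exact_repeat(series: List[float], period: int) -> int:
    """Longest run of samples exactly equal to the sample `period` steps earlier.
    Noisy real telemetry never repeats bit for bit; a looped tape does. This
    check needs only the stream the operators already see."""
    best = run = 0
    for t in range(period, len(series)):
        if series[t] == series[t - period]:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


if __name__ == "__main__":
    truth, shown, independent = simulate()
    print("true peak Hz:", max(truth), "peak shown to operators:", round(max(shown), 1))
    print("divergence vs independent sensor:", divergence_windows(shown, independent))
    print("longest exact repeat in display stream:", longest_exact_repeat(shown, TAPE_MIN))
```

Run it directly to see that the operators never see anything but a steady 1064 Hz while the true frequency swings between 1410 Hz and 2 Hz. The repetition check is the cheaper one in practice, since it needs only the data the HMI already logs, but an implant that adds fresh noise to its replay defeats it; the comparison against an independent measurement path survives that, which is why instrumentation that does not pass through the controller or its Windows engineering host is the stronger defence.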

But the question remains: who created STUXNET, and why? The why is rather straightforward. Ever since the 1979 Islamic Revolution, which saw the West-friendly regime of the Shah deposed and replaced by the theocracy of Ayatollah Khomeini, Western powers and neighbouring countries like Israel have feared that Iran might use its nuclear infrastructure to build an atomic bomb. These fears seemed confirmed when, in 1987, Iran secretly began a uranium enrichment program using centrifuge designs acquired from the black-market network of Pakistani scientist A.Q. Khan. Tensions further increased in 2005 with the election of Mahmoud Ahmadinejad, under whose administration the massive Natanz enrichment plant was brought into operation. However, given the slow, stealthy nature and the timing of the STUXNET attack, it is believed that the worm was not intended to destroy Iran’s enrichment capability outright but rather to delay it until a diplomatic solution could be found to the Iranian nuclear problem. That solution finally came in 2015 with the signing of the Joint Comprehensive Plan of Action, better known as the Iran Nuclear Deal.

As for who created STUXNET, its creators may have left clues within the worm’s code itself. One value the worm checks before infecting a machine, a kind of inoculation marker that lets its creators protect their own computers (a Windows registry value reading 19790509), appears to encode the date May 9, 1979, the day prominent Jewish-Iranian businessman Habib Elghanian was executed by firing squad in Tehran. A project path left in one of the files contains the name “myrtus”, a possible reference to the biblical story of Esther, whose Hebrew name Hadassah means myrtle and who saved the Jewish people of Persia from massacre. This would suggest that at least some of STUXNET’s programmers were Israeli. However, the weight of reporting, including a 2012 New York Times account drawing on officials involved in the program, points to STUXNET having been built chiefly by the United States in collaboration with Israel, with later reports attributing assistance to the intelligence services of Germany, France, the UK, and the Netherlands. Kaspersky Lab, a prominent Russian cybersecurity company, also found that two of STUXNET’s zero-day exploits had been used earlier by the Equation Group, an extremely sophisticated attacker widely believed to be tied to the US National Security Agency or NSA, in a worm of its own, and concluded that the two operations were either the same team or working closely together.

But the importance of STUXNET goes far beyond who created it and the specific damage it caused. Its creators demonstrated that with nothing but software it was possible to attack physical infrastructure in a manner that previously would have taken an air strike or a human saboteur, and all without the attackers ever setting foot inside the Natanz facility. In the past such an attack would have been nearly impossible, as industrial plants ran on bespoke control hardware and proprietary software that had little in common with ordinary computers. But today off-the-shelf PLCs, programmed and monitored from ordinary Windows PCs, are everywhere, and these devices control an alarming amount of our modern infrastructure, from sewage plants to electrical grids to nuclear power plants. More alarming still, many of these systems are reachable from the internet, meaning a digital weapon in the wrong hands has the potential to inflict far more damage than any conventional terrorist attack. The ancient world saw warfare move from the land to the sea, while the twentieth century took it to the air and into space. The twenty-first century will see warfare expand into the unknown frontier of cyberspace.

Bonus Fact

On March 4, 2007, the Idaho National Laboratory conducted the Aurora Generator Test, in which a short attack script, reportedly only 21 lines of code, was run against the protective relays controlling a 5000-horsepower diesel generator, repeatedly opening its circuit breakers and closing them again slightly out of phase with the grid. Within three minutes the accumulated mechanical shocks had reduced the giant machine to a smoking ruin, vividly demonstrating the potential of a digital attack on physical infrastructure.

But the history of digital attacks on physical infrastructure goes back further still. In 2003 the Sobig worm disrupted the signalling and dispatch systems of the CSX railroad along the US East Coast, while the Slammer worm disabled a safety monitoring system at the Davis-Besse nuclear power plant in Ohio for nearly five hours (the reactor, fortunately, was already offline for maintenance at the time). In 2000, disgruntled former contractor Vitek Boden used stolen radio equipment to hack the sewage control system of Maroochy Shire, Australia, releasing some 800,000 litres of raw sewage into local parks, rivers, and hotel grounds. Earlier still, in March 1997 a teenage hacker known as “Jester” broke into the Bell Atlantic telephone switching system serving Worcester Airport, Massachusetts, cutting off communications to the control tower and other airport services for six hours.

But perhaps the oldest digital attack in history reportedly took place in 1982. The year before, Lt. Col. Vladimir Vetrov of the KGB’s Directorate T, which ran the “Line X” officers tasked with stealing Western technology, had begun passing French intelligence a trove of classified documents that became known as the “Farewell Dossier.” The dossier, which France shared with the United States, revealed the extent of the Soviet effort to steal Western technology, including industrial control software. According to former Secretary of the Air Force Thomas C. Reed, in response the CIA arranged for a piece of software for controlling natural gas pipelines to be doctored, with the intention that it would be copied and used by the Soviets. As expected, the software was stolen and installed on the trans-Siberian pipeline. After a certain amount of time, the Trojan horse hidden in the software kicked into action, resetting valves and ramping up pump speeds to produce pressures far beyond what the pipeline’s joints and welds could withstand. The CIA had only intended for this to cause broken welds, leaks and other minor damage, but instead the pipeline proceeded to explode, creating a massive 3-kiloton blast bright enough to be picked up by American satellites.

But while this makes for an amusing story, Reed’s version of events has been called into question. No intelligence agency has independently confirmed the existence of the blast, and former KGB operative Vasily Pchelintsev points out that while there was a pipeline explosion in 1982, it was far smaller in scale and in a different location than Reed reports. Furthermore, at the time the Soviet Union did not employ digital controls on its pipelines, making such a cyberattack impossible.

References

Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Broadway Books, New York, 2014.

Anderson, Nate. “Confirmed: US and Israel Created Stuxnet, Lost Control of It.” Ars Technica, June 1, 2012. https://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/

Falliere, Nicolas, Liam O Murchu and Eric Chien. “W32.Stuxnet Dossier.” Symantec, November 2010. https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Kushner, David. “The Real Story of Stuxnet.” IEEE Spectrum, February 26, 2013. https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

Kaspersky Lab. “Equation Group: Questions and Answers.” February 2015. https://web.archive.org/web/20150217023145/https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

Markoff, John. “Old Trick Threatens the Newest Weapons.” The New York Times, October 26, 2009. https://www.nytimes.com/2009/10/27/science/27trojan.html?_r=1&ref=science&pagewanted=all
