DeMISTIfying Infosec: Stuxnet | SC Media

DeMISTIfying Infosec: Stuxnet

February 4, 2016
By Katherine Teitler

Stuxnet 

Stuxnet is a malware created jointly by the U.S. and Israeli governments to temper the production of nuclear weapons in Iran. While the authors of the malware are still unknown, it has been confirmed that the program was  originally developed during U.S. President George W. Bush's term in the mid-2000s and continued with President Barak Obama.

Stuxnet was discovered accidentally in June 2010 by a Russian security researcher named Sergey Ulasen. The company for which Ulasen worked noticed an unusual computer reboot problem with one of its clients, and the investigation of the problem led to a series of events that revealed how Stuxnet spread.

The malware contained four zero-day exploits that allowed it to spread stealthily throughout Windows systems. The computers at the Iranian nuclear facilities, though, were air gapped, meaning they had their own, separate networks not connected to the Internet. The malware, therefore, was created with this in mind and relied upon social engineering – the relative certainty that a human could be exploited to connect an infected USB into one of the facilities’ computers. It is not known if the person who used the infected USB was merely curious as to its contents or was operating in collusion with the attackers.

Once the malicious code was dropped onto a facility computer, it targeted a vulnerability in the LNK file of Windows Explorer. Included in one of the virus driver files was a stolen but still valid digital certificate, which allowed the malware to pass through the system. While Microsoft revoked the stolen certificate when it was reported, a second stolen certificate was later found in a Stuxnet driver.

Learn about the latest breaches and their implications at InfoSec World 2016

As any good virus would, Stuxnet replicated itself. The aim of this virus, unlike most others that are written to affect as much widespread damage as possible, was to find and infect systems with Siemens Simatic WinCC Step7 software. Step7 was used to program the industrial control systems (ICS) that operate equipment inside the nuclear facilities. If found, the malware would decrypt and dump a fake .DLL file on to the machine, which would later be used to disable alarms and intercept status reports that could tip-off plant workers to the nefarious activity.

The Step7 software was used to program the programmable logic controllers (PLC) which regulate the speed of the motors on the facilities’ centrifuges. Centrifuges are “fast-spinning machines that enrich uranium, an essential step toward building an atomic bomb,” and are used in the Iranian facilities. Now, with the ability to alter commends in the PLC, the attackers could raise and lower the speed at which the centrifuges were spinning, thereby damaging and burning them out more quickly than usual, but not destroying them outright and in such a way that it was overly apparent to facility workers (especially given that alarms and status reports were deactivated).

Stuxnet is credited with changing the geopolitical landscape. The malware is the first-known cyber attack to target a physical structure. While the U.S. and Israel did not succeed in destroying the facility, it is believed that short term damage was done to Iran’s program. The U.S and Iran continue to be in talks about the production and regulation of nuclear weapons. 

 

prestitial ad