Stuxnet was the first true cyber-kinetic weapon, designed to cripple the Iranian – and perhaps also the North Korean – nuclear weapon programs. It succeeded in slowing the Iranian program, although it was discovered before it could deal the program a fatal blow.
Its significance goes far beyond what it did. It marks a clear turning point in the military history and cybersecurity. Its developers hoped for a weapon that could destroy strategic targets without civilian damage possible in traditional warfare. Instead, it opened the door to cyberattacks that can deliver widespread disruption to the very civilian populations it was designed to protect.
Stuxnet has, years ago, disappeared from the digital world. Its unintended release beyond its target, though, made its code readily available to other nations, cybercriminals and terrorist groups, providing them with a wealth of advanced techniques to incorporate into their own malicious cyber efforts. Its impact on the future cannot be overstated.
Stuxnet is thought to have been conceived in 2005 or 2006 as a joint U.S.-Israeli plan to slow Iran’s nuclear weapon development without military strikes. Indications suggest that the U.S. also wanted to use it to slow North Korea’s nuclear weapon program, as well. Ideally, from a U.S.-Israeli perspective, it would accomplish its purpose without Iran and North Korea even realizing that they had been attacked.
An early version of Stuxnet was deployed in 2007, judging from malware discovered in the wild at that time that later was identified as an early version of Stuxnet. This version failed to infect either Iranian or North Korean facilities. It appears, however, that related espionage malware eventually gathered enough intelligence about Iranian operations to facilitate a successful 2009 infection of Iran’s Natanz facility.
Attackers covertly infected five Iranian companies that installed equipment in Natanz. The malware was then carried on infected laptops into the air-gapped facility (a facility not connected to the internet), where it spread to its targets. Additional attacks appear to have used this process again to breach Natanz equipment in 2010, and the spread of these versions beyond their targets onto untargeted devices ultimately led to its discovery in the wild.
North Korean facilities were never breached because North Korean placed much tighter controls on their program than Iran did. Not only are North Korea facilities air-gapped, but all who work in them are banned from computer access outside their facilities. That effectively prevented either espionage or sabotage malware from entering the facilities.
How it was designed
Experts believe that Stuxnet required the largest and most expensive development effort in malware history. They agree that only a nation-state would have the resources to produce it, and the safeguards and self-destruct functionalities built into it to prevent it from damaging untargeted networks suggest that its target was extremely specific.
How it infected devices
Unlike most malware, Stuxnet was not designed to spread via the internet. Instead, it traveled via infected thumb drives that contained malicious code. Thus, it was necessary to get the malicious code onto the laptops of personnel who had access to the targeted facility, not an easy task.
The malicious code used several zero-day exploits of Windows Explorer to infect the laptops of targeted personnel. Here again, use of multiple zero-day exploits suggests developers who had extraordinary resources.
Zero-day exploits are extremely rare. They target vulnerabilities that are – at the time of their launch – unknown to the software manufacturer whose software is exploited. Finding a single zero-day exploit is extremely difficult and considered the Holy Grail of hackers. Uncovering multiple zero-day exploits and reserving them for a single piece of malware is unheard of in the hacker community.
As Windows Explorer would scan an infected thumb drive inserted into a USB port, the malicious files would instantly download onto the device. Then, whenever the device connected to a network, those files would upload and spread across it.
The malware was able to bypass antivirus software because it contained one of several valid security certificates that had been stolen from trusted software companies. Certificates like those used are highly secured, making them almost impossible to obtain. This, too, suggests that Stuxnet’s creators had far greater resources than any typical hacker.
What it did with PLCs
Once Stuxnet entered a network, it looked for PLCs. It looked only for Siemens PLCs and only those that possessed two specific blocks of code that were known to be used by PLCs that controlled Iranian uranium enrichment centrifuges. If it didn’t find the PLCs it sought, it would erase itself from the system. In this way, it was designed not to spread beyond its targeted facilities, although, eventually, it did.
Once it found the PLCs it targeted, Stuxnet renamed the library files through which the programmer communicated with them and replaced them with fake duplicates through which the new, Stuxnet-installed library files could intercept communications and effectively control each PLC. It sent most commands to the original library files to process as usual. This prevented the operator from detecting anything wrong with the PLC.
The Stuxnet-installed library file did not pass all communication to the original, though. It intercepted 16 key read/write requests and reprogrammed them so they could be used to cause physical damage to the centrifuges.
How it disguised its presence
Stuxnet also used rootkit functions to counteract any attempts to discover or remove it. It monitored the blocks it had altered so, if a programmer requested to see them, Stuxnet could either redirect the request so the programmer saw the unaltered block, or rewrite the altered block on the fly so the programmer would see the PLC’s original code. Stuxnet would then re-infect the block after the programmer left. It also did the same with any changes a programmer would make to key blocks, rewriting them after the programmer left to restore or maintain the malicious code.
If a programmer attempted to detect malicious code by comparing file sizes against the sizes they should be, Stuxnet countered by selectively skipping malicious blocks, so all file sizes would match the programmer’s expected profile. These built-in “safeguards” made Stuxnet extremely difficult to detect or disable.
Its additional complexities
Stuxnet’s overall complexity also made it hard to combat. It contained three main systems and 15 separate components, each with layer upon layer of encryption and complex interconnections that allowed the malware to decrypt and extract each component only when needed. It even contained an ingenious system that allowed it to carry updates to the malware when infected devices were connected to the internet.
It searched for other versions of Stuxnet on the network on a peer-to-peer basis and determined which version was the newest. The older version would then update itself with the newer one to ensure that all versions in the network were equipped with the latest enhancements.
Through this complicated delivery, the malware developers could tweak more than 400 functions of Stuxnet on devices that were, themselves, not connected to the internet. And once one PLC was updated in this manner, it would spread the instructions to every PLC on its closed network.
The malware was highly modular in construction, allowing it to be tailored for almost any purpose by simply reconfiguring modules to fit the desired target. This type of platform was designed to enable rapid development of new targeted tools by simply rearranging or reconfiguring existing modules.
How it damaged its target equipment
The actual attack involved two different routines aimed at damaging centrifuge rotors. One attack attempted to dramatically speed up the centrifuges well above their maximum safe speed for short periods of time and later slowing them dramatically below their minimum safe speed. The malware generally waited weeks between these cycles of altered behavior to reduce the risk of operators detecting the sabotage. The second, an order of magnitude more complex routine involved over-pressurizing centrifuges in order to increase rotor stress over time.
The goal was to exert years’ worth of wear on the centrifuges in a matter of months, thus speeding the failure rate of the equipment to the point where they were failing faster than the Iranians could replace them. It is thought that Stuxnet disabled one-fifth of Natanz centrifuges in a year’s time.
Stuxnet’s discovery and unraveling
When researchers first detected Stuxnet, they were puzzled. It clearly was the most sophisticated piece of malware they had ever seen, yet it appeared to have only the modest goal of finding and monitoring PLCs, something that offered neither financial incentive nor bragging rights for hackers. Those early researchers were inclined to write the malware off as nothing more than a surprisingly sophisticated tool for low-level industrial espionage.
As researchers traced infections, they found an unexpected pattern. Rather than finding the bulk of infections in highly digitized countries like the U.S. and Europe, most infections appeared in Iran, a country that rarely appears prominently on malware infection lists. Researchers ultimately traced the infection’s source to the five targeted Iranian organizations.
By this time, researchers realized they were on to something significant, but they couldn’t figure out what it was. Antivirus experts had little experience with ICS security and turned to the ICS security world for help. Even then, progress in figuring out Stuxnet’s purpose was slow. Apparently, the only people who had sufficient expertise in both disciplines to unravel Stuxnet were those who created it. And they were unknown.
Ultimately, the two sets of researchers concluded that Stuxnet was designed not to perform industrial espionage, but industrial sabotage. This was the first malware confirmed to be a true cyberweapon, inflicting physical damage through cyber means.
Attention focused on Iran’s Natanz facility, which had been rumored to have suffered an attack, and in which international inspectors had noticed an unexpectedly high replacement rate of centrifuges. This fulfilled the warnings that cybersecurity experts had been giving for years that even closed systems, like Natanz, were becoming vulnerable to cyberattacks as industries increasingly incorporated cyber-connectivity into their industrial controls.
Experts in ICS security were stunned. The only positive to Stuxnet was the fact that it was extremely selective in delivering its payload, deleting itself from systems for which it was not designed to target. But if it could be so effective on such specific systems, what implications could it hold for adaptation to a broader range of attacks, especially with its capacity to be readily modified for new targets?
Stuxnet damaged nearly 1,000 centrifuges, but was discovered – ironically, by Western security organizations – long before it could deliver a crippling blow to Iran’s nuclear program. Its use for its original purpose was thwarted; any similar mass malfunction of Iranian uranium enrichment equipment would immediately raise suspicions before an attack could accomplish its goals.
What Stuxnet means in our physical world
The key significance of Stuxnet is in its targeting each of the three layers of a cyber-physical system – the cyber layer used to distribute the malware and identify the targets, the control system layer (PLC in this case) used to manipulate physical processes, and the physical layer in which the actual damage was created. Stuxnet became the epitome of a cyber attack that can lead to kinetic impacts resulting in the physical destruction.
Moreover, it set a precedent and an example for:
- infecting air-gapped systems (systems not connected to the internet);
- precisely targeting the systems to be infected;
- introducing subtle, almost undetectable flaws into physical processes that could be just as damaging, if not more, than crashing a system, while much harder to detect. Consider the result of subtle defects built into cars or airplanes so that the finished product malfunctions only after it has been placed into service. Similarly weaknesses could be built into power grids, or toxic additions could be made to food or water where the danger is not in a single dose, but in a cumulative affect over time.
The Stuxnet family
Stuxnet is not the only such sophisticated cyberweapon discovered. Kaspersky Labs found a whole family of them. They found significant enough similarities between Stuxnet and other malware to believe that they were based on the same platform, which they dubbed Tilded. Their research suggested that this platform contained Stuxnet, another highly advanced malware known as Duqu and possibly three other pieces of malware that remained undetected as of their assessment in 2011.
Since then, two other pieces of malware have been linked to Stuxnet and Duqu, namely, Flame and Gauss, although it is not clear whether either is among the undetected cyberweapons mentioned by Kaspersky. Whether they are or not, the point remains that the malware based on the Tilded platform are not necessarily the only advanced cyberweapons that were developed – and the existence of such a platform increases the possibility that developers could create more super-cyberweapons.
The use of an established platform aids developers in two crucial components of cyberweapon building: time and secrecy. It reduces the time needed for development, as only the payload needs to change when the weapon is used for a different target instead of developing an entirely new weapon. It also reduces the number of people that need to be involved in developing and approving the new weapon. This offers fewer possibilities for leaks.
Like Stuxnet, Duqu is built upon the same modular platform. Researchers at Kapersky Labs believe that Duqu was originally a surveillance tool that enabled its developers to copy blueprints from Iran’s nuclear program, providing the information needed for Stuxnet to sabotage it. Its code is so similar to Stuxnet that some automated detecting systems misidentified it as Stuxnet.
Its purpose, however, did not appear to be to take control of PLCs, but espionage. Duqu looked for information useful in attacking ICSes. As far as has been discovered, it has been used both for intelligence and for stealing certificates and their private keys. It operated even more stealthily than Stuxnet, deleting itself from infected systems after 36 days.
Unlike Stuxnet, Duqu infected systems via a phishing email and used only one zero-day vulnerability targeting Microsoft Word fonts. Once the Word document was opened, Duqu installed a keylogger to capture system keystrokes. It also allowed the developer to download critical files from infected computers, such as security certifications.
A more advanced version of Duqu, dubbed Duqu 2.0, was detected in 2014-2015, suggesting that the team behind Stuxnet remained in operation – at least at that time – and that further attacks using the same basic platform were still possible.
Flame, which emerged in 2012, used the same zero-day exploits as Stuxnet. Whether it was created by the same team, a separate team with access to the original Stuxnet framework, or a well-financed team reverse engineering Stuxnet is unknown. Flame, like Duqu, was an espionage tool, although it could capture a wider variety of data.
Flame could grab infected computer screen images, emails and user chats, as well as monitor keystrokes and network traffic. It could spread to devices not connected to the internet via Bluetooth connectivity and could also turn on microphones remotely.
It sent the information it gathered to its command and control server in small increments to avoid detection. It also infected machines in a highly atypical way, by posing as a Windows 7 update. It is estimated that only a handful of developers in the world could achieve such an incredible programming feat. It most likely took teams of programmers working with a super computer to accomplish it.
It, like Stuxnet, appears to have targeted high-ranking Iranian oil ministry officials. It may also have had sabotage capabilities via a command module named Wiper that previously was thought to be an independent computer virus. Wiper was designed to erase the hard drive of targeted computers.
Flame was 20 megabytes large, 40 times as large as Stuxnet, which was already unusually large for malware. Yet it was so good at hiding itself that it escaped detection for nearly five years.
Flame is believed to have begotten Gauss. Gauss has proven even harder to study than Flame because of its large number of object-oriented structures and advanced encryption. Like Stuxnet, Gauss was designed to be extremely targeted, deploying only on computers that gave it access to Lebanese banking credentials. Its goal remains unknown to the public and its payload has not been decrypted.
Stuxnet as a continuing weapon
Although Stuxnet failed to cripple either the Iranian or North Korean nuclear weapon programs, it appears that what success it had made it a continuing weapon in U.S. diplomacy. As negotiations to limit Iran’s nuclear weapons program dragged on unsuccessfully during Barack Obama’s U.S. presidency, information leaked about an even more advanced cyberweapon, code-named Nitro Zeus, that the U.S. was prepared to unleash on Iran if negotiations failed.
The leaks suggested that Nitro Zeus could enable the U.S to cripple Iran’s air control command, communication network and power grid. The program may have been real, or it may have been nothing more than a well-crafted misinformation campaign to leverage the Iranian government, which already had been embarrassed by Stuxnet, into reaching an agreement with Western nations rather than risking the possibility that Nitro Zeus was real.
Stuxnet’s continuing legacy
Although Stuxnet has long since ceased to function – researchers believe it was programmed to stop in 2012 – its legacy continues. Its threat plays out in how it changed the world.
Blueprints for the proliferation of future cyberweapons
Most likely, those who launched Stuxnet hoped it would be confined to the Natanz facility, but that was not the case. Stuxnet spread beyond its intended target and was discovered on other computers. Safeguards in the software rendered Stuxnet inoperative on systems that did not have the targeted configuration, but its spread points out the unpredictability of cyberweapons.
The unintended release of the code onto the internet allowed other malware developers to capture this malware into which millions of dollars and thousands of hours had been poured. Granted, the four zero-day exploits that Stuxnet used have been patched, but the many targeting and infection techniques developed for this cyberweapon now provide hackers and cyberterrorists with platforms on which they can build the next generation of cyberweapons.
The problem with Stuxnet does not lie so much with hackers copying its code, but in offering them innovative techniques to adapt to their cyberweapons. Defending against specific code is easy for a security expert. Defending against an innovative technique is harder, and Stuxnet is filled with them.
Threats to cyber-physical systems
By targeting cyber-physical systems, Stuxnet revealed their vulnerability and made them an inviting target. Recall that one of the things that hampered early research on Stuxnet was the fact that those who specialized in antivirus protection and those who specialized in ICS security had almost no experience in the other field. While that situation is no longer as extreme, cyber-kinetic attacks still represent a threat that requires skill in two disciplines.
Furthermore, cyber-kinetic attacks, when used for maximum disruption, could be crippling. Remember the early days of the internet, when many users were wary of making purchases online? Commerce is now so dependent on the internet that retail stores are closing at records rates.
Imagine, now, how it would affect the global economy if consumers suddenly went back to that level of wariness, but now with a large chunk of brick-and-mortar stores gone, and the remaining ones highly dependent on ecommerce. Imagine also the chaos if essential services, like utilities, were suddenly no longer able to be taken for granted.
The legitimization of cyberwarfare
The use of Stuxnet to launch cyber-kinetic attacks on a nation’s enemies has legitimized them as a weapon. Just as U.S. use of nuclear weapons on Japan in World War II led to a global race to obtain and perfect nuclear weapons, today’s nations are believed to be pursuing similar cyberweapon capability.
The 2017 WannaCry ransomware attacks now tied to North Korea are an example of a nation pursuing such capability as it tries to disrupt a global community that has united to curb its nuclear aspirations. Would other nations have ignored the tantalizing promise of attacking enemies from the comfort of their own capital if the U.S. and Israel not developed Stuxnet? Probably not. But the success that Stuxnet demonstrated encouraged other nations to follow their lead.
Known attacks on cyber-physical systems
Although examples of cyberwarfare attacks are not yet commonly known, some have been detected. North Korea’s WannaCry attack stands out. While it largely affected information systems rather than cyber-physical ones, physical hospital equipment in some locations were affected, causing delays or cancellations of medical procedures.
Most other known cyberattacks were less successful. The U.S., in 2016, formally charged five Iranian nationals believed to be working on behalf of the Iranian government with cybercrimes for cyberattacks on 46 financial institutions or financial sector companies. Notable is that they also are accused of failed attempts to compromise the Bowman Avenue Dam in Rye Brook, New York, from 2011 to 2012.
Leading us into uncharted territory
Conventional weapon attacks contain a clear expectation of how the recipient will respond. Cyberweapons do not yet have such a clear escalation ladder. How an adversary will respond is unknown, making any cyberattack fraught with uncertainty.
Attempts have been made to define and codify what constitutes an act of war in a digital environment and what are appropriate responses. The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations seeks to define how international law applies to cyberspace, but its provisions do not restrict non-signatories – not to mention cybercriminals or terrorists. In addition, even signatories differ on their interpretations of provisions. The threat remains real, but not clearly defined.
While Stuxnet – at least in the form that was discovered and publicized – has long disappeared from the scene, it has forever changed our world. It brought a recognition of how cyber-physical systems can be targeted to inflict physical damage. It blurred the lines between cybersecurity and industrial security and left experts in both fields scrambling to address this convergence of their disciplines.
It made some of the most advanced strategies and techniques for infiltrating the most secure systems available to whomever wants it. It threw open the doors to the possibility of cyberwarfare and it left us to sort through the details of what widespread cyberwarfare might entail, so we can at least try to proactively apply some limits to its possible effects.
Pandora’s box has been opened. The world has seen the harm that can be done by those intent on inflicting it through cyber-kinetic attacks. Developing Stuxnet called for deep pockets and the talents of some of the world’s best minds. Dare we put anything less toward securing the cyber-physical systems that Stuxnet has exposed?
Marin Ivezic is a Cybersecurity & Privacy Partner in PwC Canada focused on risks of emerging technologies.