The Stuxnet worm

There has been a recent flurry of discussion online about a piece of malware that targets the control systems of industrial facilities – specifically, one that seems designed to sabotage one particular facility. The speculation is that the target is either the Bushehr nuclear reactor in Iran or Iran’s uranium enriching centrifuge cascades at Natanz. If so, the idea would presumably be to slow down the development of Iranian nuclear weapons.

The sophistication of the worm has led many security researchers to speculate that only a nation state would have the resources to assemble it. That said, there are a great many unknown factors in play. The entire situation could be someone’s attempt at misdirection, or making a threat. Assuming the basic elements of speculation are correct, this would be an interesting development in unconventional military tactics. It probably wouldn’t be entirely unprecedented, however. There have already been three generations of Suter: a computer program developed by a British defence corporation, designed to interfere with communications and communications systems in a military context. Suter or similar software may have been used in Israel’s 2007 airstrike on a suspected nuclear facility in Syria.

Author: Milan

In the spring of 2005, I graduated from the University of British Columbia with a degree in International Relations and a general focus in the area of environmental politics. In the fall of 2005, I began reading for an M.Phil in IR at Wadham College, Oxford. Outside school, I am very interested in photography, writing, and the outdoors. I am writing this blog to keep in touch with friends and family around the world, provide a more personal view of graduate student life in Oxford, and pass on some lessons I've learned here.

32 thoughts on “The Stuxnet worm”

  1. That was an unprovoked act of agression, the same thing Nazi generals hanged for.

    The military use of software is something to seriously think about – could a software attack constitute an act of agression? A crime against peace? Could a president be hanged for dispatching a virus?

    I can’t see why not.

  2. The fact that Stuxnet appears designed to attack a certain type of Siemens industrial control computer, used widely to manage oil pipelines, electrical power grids and many kinds of nuclear plants, may be telling. Just last year officials in Dubai seized a large shipment of those controllers — known as the Simatic S-7 — after Western intelligence agencies warned that the shipment was bound for Iran and would likely be used in its nuclear program.

    “What we were told by many sources,” said Olli Heinonen, who retired last month as the head of inspections at the International Atomic Energy Agency in Vienna, “was that the Iranian nuclear program was acquiring this kind of equipment.”

    Also, starting in the summer of 2009, the Iranians began having tremendous difficulty running their centrifuges, the tall, silvery machines that spin at supersonic speed to enrich uranium — and which can explode spectacularly if they become unstable. In New York last week, Iran’s president, Mahmoud Ahmadinejad, shrugged off suggestions that the country was having trouble keeping its enrichment plants going.

    Yet something — perhaps the worm or some other form of sabotage, bad parts or a dearth of skilled technicians — is indeed slowing Iran’s advance.

    The reports on Iran show a fairly steady drop in the number of centrifuges used to enrich uranium at the main Natanz plant. After reaching a peak of 4,920 machines in May 2009, the numbers declined to 3,772 centrifuges this past August, the most recent reporting period. That is a decline of 23 percent. (At the same time, production of low-enriched uranium has remained fairly constant, indicating the Iranians have learned how to make better use of fewer working machines.)

  3. Unit 8200 (Unit Eight Two-hundred) (יחידה 8200 or shmone matayim in Hebrew) is an IDF Intelligence Corps unit, responsible for collecting signal intelligence and code decryption. It is also known in military publications as the Central Collection Unit of the Intelligence Corps.

  4. Iran Arrests Alleged Spies Over Stuxnet Worm

    “Reports surfacing from Iran claim ‘nuclear spies’ have been arrested over the infection at the Busheher nuclear station, which opened in August. According to Intelligence Minister Heydar Moslehi, because Stuxnet is so sophisticated, cost so much to write and uses two stolen security certificates, he believes only a national intelligence agency or a huge private company could have devised it, calling them ‘enemies’ spy services.”

    Stuxnet Analysis Backs Iran-Israel Connection

    “Liam O’Murchu of Symantec, speaking at the Virus Bulletin Conference, provided the first detailed public analysis of the worm’s inner workings to an audience of some of the world’s top computer virus experts. O’Murchu described a sophisticated and highly targeted virus and demonstrated a proof of concept exploit that showed how the virus could cause machines using infected PLCs to run out of control. Though most of the conversation about Stuxnet is still based on conjecture, O’Murchu said that Symantec’s analysis of Stuxnet’s code for manipulating PLCs on industrial control systems by Siemens backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. O’Murchu noted that researchers had uncovered the reference to an obscure date in the worm’s code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution. Anti-virus experts said O’Murchu’s hypothesis about the origins of Stuxnet were plausible, though some continue to wonder how the authors of such a sophisticated piece of malware allowed it to break into the wild and attract attention.”

  5. “But the worm also highlights the limitations of cyber-attacks. Iran admits that some computers at its Bushehr nuclear plant were infected, but says no damage was done. The target may have been the centrifuges at its nuclear refinery at Natanz. Last year the number of working centrifuges at Natanz dropped, though it is unclear whether this was the result of Stuxnet. Even if it was, the attack will only have delayed Iran’s nuclear programme: it will not have shut it down altogether. Whoever is behind Stuxnet may feel that a delay is better than nothing. But a cyber-attack is no substitute for a physical attack. The former would take weeks to recover from; the latter, years.

    “For security reasons SCADA systems are not usually connected to the internet. But Stuxnet can spread via infected memory sticks plugged into a computer’s USB port. Stuxnet checks to see if WinCC is running. If it is, it tries to log in, to install a clandestine “back door” to the internet, and then to contact a server in Denmark or Malaysia for instructions. (Analysis of traffic to these servers is continuing, and may offer the best chance of casting light on Stuxnet’s purpose and origins.) If it cannot find WinCC, it tries to copy itself on to other USB devices. It can also spread across local networks via shared folders and print spoolers.”

  6. “None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Lagner, a security researcher from Germany. He labeled his theory “highly speculative,” and based it primarily on the facts that Iran had an usually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates–India, Indonesia, and Pakistan–are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the origina caveats.

    My guess is that Stuxnet’s authors, and its target, will forever remain a mystery.

    My alternate explanations for Stuxnet were cut from the essay. Here they are:

    * A research project that got out of control. Researchers have accidentally released worms before. But given the press, and the fact that any researcher working on something like this would be talking to friends, colleagues, and his advisor, I would expect someone to have outed him by now, especially if it was done by a team.

    * A criminal worm designed to demonstrate a capability. Sure, that’s possible. Stuxnet could be a prelude to extortion. But I think a cheaper demonstration would be just as effective. Then again, maybe not.

    * A message. It’s hard to speculate any further, because we don’t know who the message is for, or its context. Presumably the intended recipient would know. Maybe it’s a “look what we can do” message. Or an “if you don’t listen to us, we’ll do worse next time” message. Again, it’s a very expensive message, but maybe one of the pieces of the message is “we have so many resources that we can burn four or five man-years of effort and four zero-day vulnerabilities just for the fun of it.” If that message were for me, I’d be impressed.

    * A worm released by the U.S. military to scare the government into giving it more budget and power over cybersecurity. Nah, that sort of conspiracy is much more common in fiction than in real life.

    Note that some of these alternate explanations overlap.”

  7. In July, there were reports that a computer worm, known as Stuxnet, had infected thousands of computers worldwide. Victims, most of whom were unharmed, were able to overcome the attacks, although it sometimes took hours or days to even notice them. Some of the computers were inside the Bushehr nuclear-energy plant, in Iran, and this led to speculation that Israel or the United States might have developed the virus. A Pentagon adviser on information warfare told me that it could have been an attempted “semantic attack,” in which the virus or worm is designed to fool its victim into thinking that its computer systems are functioning properly, when in fact they are not, and may not have been for some time. (This month, Microsoft, whose Windows operating systems were the main target of Stuxnet, completed a lengthy security fix, or patch.)

    If Stuxnet was aimed specifically at Bushehr, it exhibited one of the weaknesses of cyber attacks: they are difficult to target and also to contain. India and China were both hit harder than Iran, and the virus could easily have spread in a different direction, and hit Israel itself. Again, the very openness of the Internet serves as a deterrent against the use of cyber weapons.

    Bruce Schneier, a computer scientist who publishes a widely read blog on cyber security, told me that he didn’t know whether Stuxnet posed a new threat. “There’s certainly no actual evidence that the worm is targeted against Iran or anybody,” he said in an e-mail. “On the other hand, it’s very well designed and well written.” The real hazard of Stuxnet, he added, might be that it was “great for those who want to believe cyber war is here. It is going to be harder than ever to hold off the military.”

  8. Stuxnet: A Breakthrough

    Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.

    Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.

    However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module.

    Once operation at those frequencies occurs for a period of time, Stuxnet then hijacks the PLC code and begins modifying the behavior of the frequency converter drives. In addition to other parameters, over a period of months, Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz. Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.

  9. The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.

    The new forensic work narrows the range of targets and deciphers the worm’s plan of attack. Computer analysts say Stuxnet does its damage by making quick changes in the rotational speed of motors, shifting them rapidly up and down.

    Changing the speed “sabotages the normal operation of the industrial control process,” Eric Chien, a researcher at the computer security company Symantec, wrote in a blog post.

    Those fluctuations, nuclear analysts said in response to the report, are a recipe for disaster among the thousands of centrifuges spinning in Iran to enrich uranium, which can fuel reactors or bombs. Rapid changes can cause them to blow apart. Reports issued by international inspectors reveal that Iran has experienced many problems keeping its centrifuges running, with hundreds removed from active service since summer 2009.

    “We don’t see direct confirmation” that the attack was meant to slow Iran’s nuclear work, David Albright, president of the Institute for Science and International Security, a private group in Washington that tracks nuclear proliferation, said in an interview Thursday. “But it sure is a plausible interpretation of the available facts.”

    Intelligence officials have said they believe that a series of covert programs are responsible for at least some of that decline. So when Iran reported earlier this year that it was battling the Stuxnet worm, many experts immediately suspected that it was a state-sponsored cyberattack.

    Until last week, analysts had said only that Stuxnet was designed to infect certain kinds of Siemens equipment used in a wide variety of industrial sites around the world.

  10. Stuxnet ‘hit’ Iran nuclear plans

    The Stuxnet worm might be partly responsible for delays in Iran’s nuclear programme, says a former UN nuclear inspections official.

    Olli Heinonen, deputy director at the UN’s nuclear watchdog until August, said the virus might be behind Iran’s problems with uranium enrichment.

    Discovered in June, Stuxnet is the first worm to target control systems found in industrial plants.

    Iran has denied that delays to its nuclear plans were caused by Stuxnet.

    Code clues point to Stuxnet maker
    By Mark Ward
    Technology correspondent, BBC News

    Detailed analysis of the code in the Stuxnet worm has narrowed the list of suspects who could have created it.

    The sophisticated malware is among the first to target the industrial equipment used in power plants and other large scale installations.

    New research suggests it was designed to disrupt centrifuges often used to enrich uranium.

    Detailed analysis of the worm has revealed more about the team behind it and what it was supposed to do.

  11. WikiLeaks: US advised to sabotage Iran nuclear sites by German thinktank

    As Stuxnet cyber attack pinned on US and Israel, US embassy cable reveals advice to use undercover operations

    The United States was advised to adopt a policy of “covert sabotage” of Iran’s clandestine nuclear facilities, including computer hacking and “unexplained explosions”, by an influential German thinktank, a leaked US embassy cable reveals.

    Volker Perthes, director of Germany’s government-funded Institute for Security and International Affairs, told US officials in Berlin that undercover operations would be “more effective than a military strike” in curtailing Iran’s nuclear ambitions.

    A sophisticated computer worm, Stuxnet, infiltrated the Natanz nuclear facility last year, delaying Iran’s programme by some months. The New York Times said this week that Stuxnet was a joint US-Israeli operation.

    On Monday, Iran’s top nuclear negotiator blamed the US for the cyber-attack. Saeed Jalili told NBC News an investigation had found the US was involved in the attack that apparently shut down a fifth of Iran’s nuclear centrifuges in November. “I have witnessed some documents that show [US participation],” he said.

    A diplomatic cable sent by the US ambassador to Germany, Philip Murphy, in January 2010, records that Perthes said a policy of “covert sabotage (unexplained explosions, accidents, computer hacking etc) would be more effective than a military strike, whose effects in the region could be devastating”.

    Perthes is a leading western expert on Iran. An earlier diplomatic cable, sent by Murphy on 14 December 2009 showed that his advice was heeded by politicians and officials – including Condoleezza Rice, the former US secretary of state.

  12. More Stuxnet News

    This long New York Times article includes some interesting revelations. The article claims that Stuxnet was a joint Israeli-American project, and that its effectiveness was tested on live equipment: “Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium.”

  13. Last fall, when I learned of the Stuxnet attack on the computers running Iran’s nuclear program, I briefly thought that here, finally, was the real thing: a cyberweapon purpose-built by one state actor to strategically interfere with the business of another.

    But as more details emerged, it began to look less like something new and more like a piece of hobbyist “street” technology, albeit one expensively optimized for a specific attack. The state actor — said to be Israel, perhaps working with the United States, though no one is sure — had simply built on the unpaid labor of generations of hobbyist vandals.

    Stuxnet isn’t spectacularly original, as computer worms go, and those Iranian systems aren’t terribly exotic. They’re like ours. As a result, I expect we’ll see a wave of unpleasant backwash, with military money and technology beefing up the code, the digital DNA, of the descendants of Brain.

    Any hobbyist worth his or her salt will, in turn, be admiring the Stuxnet code that shut down the Iranian centrifuges, looking to imitate and improve on it. And non-state players, from digital vandals to terrorists, will be casting an appraising eye, if they haven’t already, at the computers that monitor and control more ordinary but nonetheless critical systems: water treatment and distribution, sewage, oil and gas pipelines, electrical transmission lines, wind farms and nuclear power plants.

  14. Iran Forced To Replace Centrifuges To Stop Stuxnet

    “Reports that Iran had recovered from the infection of the Stuxnet worm may have been overblown, as a new report suggests the country is being forced to replace thousands of expensive centrifuges damaged by the worm. The report from the website DEBKAfile cites ‘intelligence sources’ in claiming that Stuxnet was not purged from Iran’s nuclear sites and that the country was never able to return its uranium enrichment efforts to ‘normal operation.’ Instead, the country has said in recent days that it is installing newer and faster centrifuges at its nuclear plants and intends to speed up the uranium enrichment process, according to the country’s foreign ministry.”

  15. Iran Admits Nuclear Sites Hit by ‘Duqu’ Cyberweapon

    Iranian officials admitted Sunday that they had uncovered evidence of the Duqu computer virus — labeled “Son of Stuxnet” by cyber experts — at the Islamic Republic’s nuclear sites, state-controlled IRNA news agency reported.

    “We are in the initial phase of fighting the Duqu virus,” Gholamreza Jalali, was quoted as saying. “The final report which says which organizations the virus has spread to and what its impacts are has not been completed yet.”

    Duqu is the second major weaponized virus to turn computers into lethal weapons with devastating destructive power.

  16. Experts say Iran has ‘neutralized’ Stuxnet virus

    Feb 14 (Reuters) – Iranian engineers have succeeded in neutralizing and purging the computer virus known as Stuxnet from their country’s nuclear machinery, European and U.S. officials and private experts have told Reuters.

    The malicious code, whose precise origin and authorship remain unconfirmed, made its way as early as 2009 into equipment controlling centrifuges Iran is using to enrich uranium, dealing a significant but perhaps temporary setback to Iran’s suspected nuclear weapons work.

    Many experts believe that Israel, possibly with assistance from the United States, was responsible for creating and deploying Stuxnet. But no authoritative account of who invented Stuxnet or how it got into Iran’s centrifuge control equipment has surfaced.

    U.S. and European officials, who insisted on anonymity when discussing a highly sensitive subject, said their governments’ experts agreed that the Iranians had succeeded in disabling Stuxnet and getting it out of their machinery.

  17. The first attacks were small, and when the centrifuges began spinning out of control in 2008, the Iranians were mystified about the cause, according to intercepts that the United States later picked up. “The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence,” one of the architects of the early attack said.

    The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally. “This may have been the most brilliant part of the code,” one American official said.

    Later, word circulated through the International Atomic Energy Agency, the Vienna-based nuclear watchdog, that the Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.

    “The intent was that the failures should make them feel they were stupid, which is what happened,” the participant in the attacks said. When a few centrifuges failed, the Iranians would close down whole “stands” that linked 164 machines, looking for signs of sabotage in all of them. “They overreacted,” one official said. “We soon discovered they fired people.”

    Imagery recovered by nuclear inspectors from cameras at Natanz — which the nuclear agency uses to keep track of what happens between visits — showed the results. There was some evidence of wreckage, but it was clear that the Iranians had also carted away centrifuges that had previously appeared to be working well.

  18. America and its allies are by no means passive victims. Either America, Israel or the two working together almost certainly hatched the Stuxnet worm, found in 2010, that was designed to paralyse centrifuges at Iran’s Natanz uranium-enrichment plant. The Flame virus, identified by Russian and Hungarian experts this year, apparently came from the same source. It was designed to strike at Iran by infecting computers in its oil ministry and at targets in the West Bank, Syria and Sudan.

    Few would argue against improving resilience, particularly of critical national infrastructure such as power grids, sewerage and transport systems. But such targets are not as vulnerable as is now often suggested. Cyber-attacks on physical assets are most likely to use what Mr Libicki calls “one-shot weapons” aimed at industrial control systems. Stuxnet was an example: it destroyed perhaps a tenth of the Iranian centrifuges at Natanz and delayed some uranium enrichment for a few months, but the vulnerabilities it exposed were soon repaired. Its limited and fleeting success will also have led Iran to take measures to hinder future attacks. If that is the best that two first-rate cyber-powers can do against a third-rate industrial power, notes Mr Libicki, it puts into perspective the more alarmist predictions of impending cyber-attacks on infrastructure in the West.

  19. That’s because Stuxnet is not really one weapon, but two. The vast majority of the attention has been paid to Stuxnet’s smaller and simpler attack routine — the one that changes the speeds of the rotors in a centrifuge, which is used to enrich uranium. But the second and “forgotten” routine is about an order of magnitude more complex and stealthy. It qualifies as a nightmare for those who understand industrial control system security. And strangely, this more sophisticated attack came first. The simpler, more familiar routine followed only years later — and was discovered in comparatively short order.

    Stuxnet’s later, and better-known, attack tried to cause centrifuge rotors to spin too fast and at speeds that would cause them to break. The “original” payload used a different tactic. It attempted to overpressurize Natanz’s centrifuges by sabotaging the system meant to keep the cascades of centrifuges safe. “Protection systems” are used anywhere where abnormal process conditions can result in equipment damage or threaten the health of operators and the environment. At Natanz, we see a unique protection system in place to enable sustained uranium enrichment using obsolete and unreliable equipment: the IR-1 centrifuge. This protection system is a critical component of the Iranian nuclear program; without it, the IR-1s would be pretty much useless.

  20. Then Stuxnet begins its malicious work. It closes the isolation valves for the first two and last two enrichment stages. That blocks the outflow of gas from each affected cascade and, in turn, raises the pressure on the rest of the centrifuges. Gas centrifuges for uranium enrichment are extremely sensitive to increases of pressure above near vacuum. An increase in pressure will result in more uranium hexafluoride getting into the centrifuge, putting higher mechanical stress on the rotor. Rotor wall pressure is a function of velocity (rotor speed) and operating pressure; more gas being pressed against the rotor wall means more mechanical force against the thin tube. Ultimately, pressure may cause the gaseous uranium hexafluoride to solidify, thereby fatally damaging centrifuges.

    The attack continues until the attackers decide that enough is enough, based on monitoring centrifuge status. Most likely, they would use vibration sensors, which let them abort a mission before the matter hits the fan. If catastrophic destruction is intended, one simply has to sit and wait. But in the Natanz case, causing a solidification of process gas would have resulted in simultaneous destruction of hundreds of centrifuges per infected controller. While at first glance this might sound like a goal worthwhile achieving, it would also have blown the attackers’ cover; the cause of the destruction would have been detected fairly easily by Iranian engineers in postmortem analysis. The implementation of the attack with its extremely close monitoring of pressures and centrifuge status suggests that the attackers instead took great care to avoid catastrophic damage. The intent of the overpressure attack was more likely to increase rotor stress, thereby causing rotors to break early — but not necessarily during the attack run.

  21. Duqu Malware Techniques Used by Cybercriminals

    Duqu 2.0 is a really impressive piece of malware, related to Stuxnet and probably written by the NSA. One of its security features is that it stays resident in its host’s memory without ever writing persistent files to the system’s drives. Now, this same technique is being used by criminals

  22. He was responsible for securing vital uranium-enrichment technology, photographing centrifuge blueprints that a German executive had been bribed into temporarily “mislaying” in his kitchen. The same blueprints, belonging to the European uranium enrichment consortium, Urenco, were stolen a second time by a Pakistani employee, Abdul Qadeer Khan, who used them to found his country’s enrichment programme and to set up a global nuclear smuggling business, selling the design to Libya, North Korea and Iran.

    For that reason, Israel’s centrifuges are near-identical to Iran’s, a convergence that allowed Israeli to try out a computer worm, codenamed Stuxnet, on its own centrifuges before unleashing it on Iran in 2010.

Leave a Reply

Your email address will not be published. Required fields are marked *