In 2010 computer scientists uncovered a highly complex malicious computer program whose characteristics were less like those of traditional malware and more like a sophisticated cyber-weapon.
Although classified as a worm, Stuxnet is actually much more than that. Unlike a simple worm, which randomly replicates and infects machines throughout a network, Stuxnet is a computer program carefully engineered to target only machines that fulfill certain criteria. The malware is so targeted in its attack that an infected machine can spread it to at most 3 other machines.
Once inside the target network, Stuxnet takes control of the programmable logic controllers and modifies their code to disrupt the normal working of hardware components. Due to this high level of complexity and the malware’s targeted nature, it is alleged that the malware was designed by a specific organization (or organizations) for a very specific purpose: to delay or derail Iran’s nuclear program.
Generic Structure of a Cyber-Attack
Launching a targeted cyber-attack on an organization is a fairly complex process made up of well-defined steps of execution.
Scientists at Lockheed Martin derived the “Kill Chain” model, which outlines the basic phases of a cyber-attack. Although the model was created to defend networks from cyber-attacks, it is also widely accepted by various organizations as a way of breaking the entire cyber-attack process down into phases.
The chain starts with the attacker collecting as much information as possible about the target system; all discovered vulnerabilities are noted for possible exploitation. In the next phase, the attacker designs and develops the exploit to be sent to the target machine. This exploit is the program that takes advantage of the known vulnerability to perform the malicious action. Finally, the exploit is delivered to the target system via email, the internet or any other available medium.
Once on the target machine, the exploit executes and installs itself. After successful installation, the malware runs the commands required to gain control of the target machine and finally performs the action it was designed to do.
Coming Back to Stuxnet
Stuxnet falls under the category of Advanced Persistent Threat (APT). This means that Stuxnet gains access to the target network and performs its task in a very stealthy manner over an extended period of time.
If we compare Stuxnet’s infiltration process with the Cyber Kill Chain, the very first step is to collect as much information as possible about the target (Reconnaissance), on the basis of which the payload and the delivery process are designed. As it turns out, Stuxnet’s target was an “air-gapped” system, meaning it was isolated from unsecured networks such as the public internet that we use.
Because of this nature of the target, physical delivery of the malware was necessary, and it was done via thumb drive. Once inside the target network, the malware looks for certain specific criteria. The post-delivery working of the malware is depicted in the following flowchart.
Stuxnet, acting like a worm, propagates through the network independently and searches for machines with Siemens Step7 software installed. Once this criterion is met, the malware checks whether the machine is associated with programmable logic controllers (PLCs), which are responsible for the automation of mechanical processes, one of which is controlling the operation of “gas centrifuges” for separating nuclear materials.
Machines that don’t fulfill the above-mentioned criteria are not affected by Stuxnet; the malware lies dormant in them. Machines that do meet the criteria are exploited by it.
Stuxnet modifies the code in the PLC so that it issues erroneous commands, causing the centrifuges to behave in an undesirable way. This causes massive physical damage to the centrifuges. While performing this action, Stuxnet makes sure that the PLCs return values within the normal range to the checking mechanisms, so that it can remain undetected within the system for an extended period of time.
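The evasion just described, a PLC reporting in-range values while the hardware is actually being driven out of spec, is the failure mode a monitoring layer has to be designed against. The following is an added example, not code from the original article, of one defensive pattern: cross-checking the PLC-reported rotor speed against an independently metered channel the PLC does not control. The second channel (drive power in kW), the linear speed-to-power model and all telemetry values are constructed assumptions for the illustration.

```python
"""Plausibility check: PLC-reported centrifuge speed vs. independent power meter.

Added illustration only. The idea: a controller that has been tampered
with can lie about rotor speed, but it cannot easily make an
independently metered drive power reading agree with that lie.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Sample:
    t: int            # seconds since start (constructed timestamps)
    plc_rpm: float    # rotor speed as reported by the PLC
    power_kw: float   # drive power measured by a separate meter


# Assumed model for the example: expected power grows linearly with rpm.
KW_PER_RPM = 0.0001    # hypothetical constant, not a real centrifuge figure
MAX_DEVIATION = 0.25   # alert when measured power is >25% off expected


def expected_power(rpm: float) -> float:
    """Power the drive should draw if the reported rpm were true."""
    return rpm * KW_PER_RPM


def plausibility_alerts(samples: List[Sample]) -> List[int]:
    """Return the timestamps at which reported rpm and metered power disagree."""
    alerts = []
    for s in samples:
        exp = expected_power(s.plc_rpm)
        if exp == 0:          # a stopped rotor has no meaningful ratio
            continue
        if abs(s.power_kw - exp) / exp > MAX_DEVIATION:
            alerts.append(s.t)
    return alerts


# Constructed telemetry: the PLC keeps reporting a steady 90000 rpm while
# the independent meter shows the drive being pushed far harder at t=30
# and t=40, then almost idling at t=50. A monitor trusting only the PLC
# value would see nothing wrong.
SAMPLES = [
    Sample(0, 90000, 9.0),
    Sample(10, 90000, 9.1),
    Sample(20, 90000, 8.9),
    Sample(30, 90000, 14.2),
    Sample(40, 90000, 14.6),
    Sample(50, 90000, 3.0),
]

if __name__ == "__main__":
    print(plausibility_alerts(SAMPLES))   # [30, 40, 50]
```

The same shape applies to any second channel that is metered outside the controller (vibration, current, flow); the point is that the plausibility check must not depend on values the suspect PLC itself supplies.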
It is reported that Stuxnet was able to damage almost one-fifth of Iran’s nuclear centrifuges. However, it must be noted that although Iran’s system may have been the primary target for Stuxnet, the malware was NOT limited to Iran. Along with Iran, other countries such as Indonesia, India, Azerbaijan and the United States were also significantly affected by the malware. All in all, Stuxnet caused damage to almost 1000 machines.
Stuxnet’s code and design can also be modified to attack modern controllers, which could lead to considerable mayhem. Due to its targeted nature, its ability to cause massive physical damage and the fact that Stuxnet is essentially a generic malware that can work on any type of programmable controller, Ralph Langner, a well-respected cyber-security expert, rightly called Stuxnet a “cyber weapon of mass destruction”.
Malware: Software that is specifically designed to cause harm to a computer.
Worm: A sub-category of malware that can self-replicate and spread itself independently over a computer network.
PLC: Programmable Logic Controller. These are a type of computer used for controlling manufacturing processes.
Vulnerability: A fault or weakness in a system’s security that an attacker can take advantage of.
Exploit: In cyber-security terms, an exploit is a program designed to take advantage of a known vulnerability.
Gas Centrifuges: Delicate machines which spin at over 100000 rotations per minute. They are used to extract a high concentration of Uranium 235 from the raw ore.