Throwback Attack: How Stuxnet changed cybersecurity

Courtesy of CFE Media and Technology

During the second Bush Administration, there was great concern about the rapid progress of the Iranian enrichment program, which would likely lead to the attainment of weapons-grade uranium. The center of that operation was, and is, the Natanz Laboratory located in the middle of the desert about 33 km from civilization.

The facility, technically known as a “fuel enrichment plant,” is one of 17 Iranian nuclear facilities. It uses centrifuges to concentrate and separate U-235 from uranium hexafluoride gas. The facility was planned to operate 19,000 centrifuges. Natanz is air-gapped, in that it is isolated from the outside world. The underground processing facility is heavily fortified, covered by 22 meters of earth, and was designed to be impregnable, both physically and electronically.

Code named “Olympic Games,” an effort was begun to avoid a direct conflict with Iran. Olympic Games was a collaboration (still unacknowledged) between U.S. and Israeli intelligence and was part of a larger effort to infiltrate and disrupt Iran called “Nitro Zeus.” Out of this operation came the malware known as Stuxnet (a combination of keywords .stub & mrxnet.sys).

Stuxnet, technically a worm, is the first known offensive cyberweapon specifically designed to inflict damage on equipment in the real world. It is worth noting it was not the last purpose-built offensive malware; had there not been a flaw in the code, the world may never have heard of it. It escaped into the wild sometime in 2010, infecting thousands of computers worldwide with what was generally referred to as “the bug.”

Operation Olympic Games

Stuxnet takes advantage of what are termed zero-day vulnerabilities. Zero days are unknown vulnerabilities in software that threat actors use to infiltrate and exploit unpatched operating systems. Stuxnet used four zero-day vulnerabilities to infect the Microsoft Windows operating system. Zero-day vulnerabilities are very valuable to hackers, so the use of four of them was unusual, if not unprecedented.

Once injected, the code used other vulnerabilities to replicate and spread throughout the industrial control systems (ICSs) monitoring and controlling the centrifuge operations. The worm installed rootkits, allowing complete control of the operation; Stuxnet is the first known use of programmable logic controller (PLC) rootkits. Command and control of the worm were done through two websites located in Denmark and Malaysia, though these were not used after the initial stages of the operation. The worm also used stolen digital certificates for many drivers to allow it to appear legitimate.

There has always been some mystery behind how the worm was deployed at Natanz. The prevailing theory was infected USB drives were planted at venues frequented by the Natanz technical staff, as one of the zero-day vulnerabilities allowed loading of malware from a USB drive without notification to or interaction with the operating system upon insertion. This method was used later in the operation but in a different way. Initially, the Dutch intelligence service, AIVD, in collaboration with the Israeli intelligence service, Mossad, used established moles and a front company in Iran to insert the malware into the air-gapped systems on-site. This was the result of several years of intelligence gathering at the facility.

Germany also supplied technical data on the ICSs that controlled the centrifuge operation. In addition, a shipment of centrifuges, identical to those being used at Natanz, was seized by the U.S. on its way to Libya. These centrifuges were reassembled at Oak Ridge and in Israel – and were subsequently destroyed by an early Stuxnet prototype. The parts of a destroyed centrifuge were famously dumped on the conference table in the White House situation room as proof of concept of their plan, which got them the green light to proceed.

The worm was initially designed to close the discharge valves of the centrifuges to create over-pressurization and waste gas – the centrifuges operate in a vacuum, and the gas solidifies at low pressures – instantly destroying the centrifuge. This method was not very effective; the Iranians found a workaround, and damage was limited. This version of the worm was updated on-site several times as more operational data was observed by the mole and reported back to the consortium.

At this point, the mole lost access to the facility for reasons unknown; it’s also possible the mole did not need access any longer. Concurrent to the on-site injection operations, several Iranian contractors performing work at the facility were compromised or their computers were infected with the second version of the worm.

It is likely the newer version of the worm was delivered by these unwitting employees using the planted USB drive method; however, it would have been easier to infect the contractor’s internal networks. The worm does not attack computers, rather, it was designed to attack supervisory control and data acquisition (SCADA) software and PLCs.

There was a hitch: To ensure the worm spread efficiently, code had been written to take advantage of several spreading methods, which made it promiscuous and caused it to go wildly out of control. It spread to several of the contractor’s other clients and then to the world. Unfortunately, several of the contract employees were arrested and executed for introducing the worm into Natanz.

The Stuxnet Attack

Stuxnet is a very sophisticated piece of software. It is estimated that a multinational team of coders took up to three years to develop the worm. This, of course, included feedback from the Dutch mole, which allowed the team to fine-tune and develop a different attack method. Key to the attack was the ability of the worm to monitor and record normal operating data. The operator saw what looked like normal operating parameters on the human-machine interface (HMI) screen while the centrifuge was operating adversely.

The worm ran silently in the background, recording operating data and storing it in hidden files the mole downloaded and then sent back to the programming team. This data was analyzed, and in concert with the data gleaned from the operating centrifuges in Oak Ridge and Israel, an attack vector was designed and the code modified.

The worm was designed to infect the SCADA software files and compromise PLCs that controlled the centrifuges’ rotational speed. The centrifuges normally spin at a rate of 63,000 RPM; due to manufacturing defects, however, the Iranians ran the centrifuges at about 4,000 RPM lower to avoid cracking the rotors. The actual attack was silent and autonomous. While the operators observed normal operation on their screens, the worm brought the centrifuges almost to a halt and then ran them rapidly up through the critical intermediate speed of 59,000 RPM to 40% over normal operating speeds, or 84,000 RPM. This alternation between low and overspeed conditions created significant vibration in the rotor and rotor bearings, which essentially destroyed themselves after a few cycles. This method effectively destroyed more than 1,200 centrifuges but did not significantly delay the enrichment program.

As one commentator describes it, the Iranian operators could not mistake what was happening despite what they were seeing on their screens. Centrifuges spinning at their rated speeds have a characteristic noise signature. At 59,000 RPM, the centrifuge sounds different than one running at 84,000 RPM. Anyone who has spent time in a plant with large rotating equipment for any length of time can hear whether the machine is operating properly. Experienced technicians can hear a failing bearing or other mechanical anomalies simply by listening. This is speculated to be the primary reason why Stuxnet had limited effect. After numerous failures, the technical staff had to do a full-court press diagnostic program involving all means of detection and troubleshooting. This would also include a full-scale audit of the controlling software.
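The two paragraphs above describe the core defensive lesson: the HMI showed a steady speed while the rotors were actually cycling between a near halt and 40% overspeed, and only an independent signal (here, the sound of the machines) gave it away. The following added example, which is not code from the article, shows that check in software: it compares the PLC-reported speed against an independently measured one and counts the near-halt-to-overspeed cycles the article describes. The sensor trace, the 2,000 RPM divergence threshold and the 5,000 RPM "near halt" level are constructed assumptions; the 63,000, 59,000 and 84,000 RPM figures are the article's.

```python
"""Detect a Stuxnet-style HMI replay: the operator screen reports a steady
speed while an independent sensor shows the near-halt / overspeed cycling
the article describes. Added example; sensor values are constructed."""
from dataclasses import dataclass

RATED_RPM = 63_000      # rated speed named in the article
OVERSPEED_RPM = 84_000  # attack overspeed named in the article
DIVERGENCE_RPM = 2_000  # assumed alert threshold for HMI vs sensor disagreement


@dataclass
class Sample:
    t: int             # seconds since start (constructed)
    hmi_rpm: float     # what the operator screen shows (PLC-reported)
    sensor_rpm: float  # independent tachometer or vibration-derived estimate


def alerts(samples):
    """Flag samples where the independent sensor disagrees with the HMI, or
    shows a speed above the rated value that the HMI never reported."""
    out = []
    for s in samples:
        if abs(s.hmi_rpm - s.sensor_rpm) > DIVERGENCE_RPM:
            out.append((s.t, "hmi/sensor divergence"))
        if s.sensor_rpm > RATED_RPM:
            out.append((s.t, "overspeed"))
    return out


def count_speed_cycles(samples, low=5_000, high=RATED_RPM):
    """Count near-halt -> overspeed transitions in the sensor trace, the
    cycling the article says wore out rotors and bearings within a few cycles."""
    cycles, armed = 0, False
    for s in samples:
        if s.sensor_rpm < low:
            armed = True
        elif armed and s.sensor_rpm > high:
            cycles, armed = cycles + 1, False
    return cycles


# Constructed trace: the HMI stays at the ~59,000 RPM the article says Iran
# actually ran (about 4,000 below rated); the sensor shows one attack cycle.
TRACE = [
    Sample(0, 59_000, 59_000), Sample(60, 59_000, 58_900),
    Sample(120, 59_000, 2_000),          # brought almost to a halt
    Sample(180, 59_000, 59_500),         # ramping back up through critical speed
    Sample(240, 59_000, OVERSPEED_RPM),  # 40% over normal
    Sample(300, 59_000, 59_100),
]
```

Running `alerts(TRACE)` yields a divergence alert at t=120 and both a divergence and an overspeed alert at t=240, and `count_speed_cycles(TRACE)` reports one cycle; in a plant the sensor feed would be a tachometer or vibration monitor that does not pass through the PLC.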

While this may seem obvious in 2021, these were uncharted waters in 2010. It should be noted there was no expectation of anyone using an offensive cyberweapon for any purpose. It only existed in concept, or so we thought.

The Counterattack

The Iranians quickly dissected the code and determined with reasonable certainty that the U.S. and its allies were behind the cyberattack. The escape of the code into the wild had allowed several firms, most notably Symantec, to reverse engineer the code and report their findings to the technical press. The United States and Israel were immediately identified as the perpetrators, but this has never been confirmed by either country. It was reported the parties involved were the National Security Agency (NSA), Central Intelligence Agency (CIA) and Mossad, specifically Unit 8200, their signals intelligence (SIGINT) branch.

Following discovery of the Stuxnet attack and attribution in the technical press, Iran embarked on an aggressive counterattack involving businesses and critical infrastructure in both countries and launching suspected attacks on facilities in allied countries.

For example, ARAMCO refineries were hit by the Shamoon virus, which wiped data from 30,000 computers. Intellectual property (IP) was stolen from numerous businesses and universities by suspected Iranian hackers.

Perhaps the best example of determined threat actors was Iran’s attack on critical infrastructure that was not only a harbinger of things to come, but also provided some unintended comic relief.

The Arthur Bowman Dam in Oregon is 245 feet high and 800 feet wide, impounding 233,000 acre-feet of water for irrigation purposes. It was targeted by the Iranians in 2013 in response to the Natanz attack.

Iran’s Revolutionary Guard Corps used commonly available tools to seek out vulnerable critical infrastructure. Their attack followed the classic steps of reconnaissance, assessment and deployment. Their reconnaissance used Google. A set of search techniques and query syntax collectively called “Google Dorking” turns Google from a simple search engine into a powerful research tool. The next tool in their arsenal was Shodan, a specialized search engine that seeks out ICSs connected to the internet. Shodan is constantly being updated with internet-facing SCADA and standalone control systems.

Another very useful tool was social media. There is a treasure trove of personal and professional data to be mined at sites like Facebook and LinkedIn. Finally, common IT and auditing tools built on protocols like ICMP and SNMP were also used.

What the Iranians attacked instead was the Bowman Avenue Dam in Rye Brook, New York. The Bowman Avenue Dam is 20 feet high and 50 feet wide, impounding the flood stage of the Blind Brook. The Iranian team found an unsecured wireless modem that would have been used to control the dam’s slide gate remotely (it was not connected to the gate’s control system). It is speculated this was the attack vector for the Arthur Bowman Dam; the dam gates would have been opened or closed to cause flooding or overtopping – either would have been a problem, though loss of life was not likely.

In their assessment, they neglected to do on-the-ground reconnaissance. This led to a high-profile failure for them, but it still served as a wake-up call. It showed any facility can be attacked. This was the beginning of cyberwarfare.

Stuxnet Epilogue

In the wake of Stuxnet, it is speculated that the same international team continued to exploit vulnerabilities in Iranian control systems. Three variants, known as the “cousins of Stuxnet,” shared much of Stuxnet’s code but were relegated to information-gathering roles. Duqu, Flame and Gauss are these variants: they only gathered information, and although they are thought to carry capabilities similar to Stuxnet’s, those have not been activated.

Cyberwarfare is now the preferred way of conducting conflict between nation-states. While Stuxnet and its cousins ushered in the era of cyberwarfare, this sea change in international relations has been overshadowed by the recent wave of ransomware attacks that have targeted critical infrastructure. One ominous incident occurred in Florida in February, where an attack on a water treatment plant was thwarted; this attack was similar to an attack on an Israeli water treatment facility.

As the paradigm for international relationships shifts from open, physical conflict to virtual warfare, it is imperative we begin to recognize we are all responsible for not only our own security, but for the institutions we rely on for our way of life.

Daniel E. Capano is senior project manager, Gannett Fleming Engineers and Architects, a CFE Media content partner and is on the Control Engineering Editorial Advisory Board. Edited by Chris Vavra, web content manager, CFE Media, cvavra@cfemedia.com.
