Stuxnet explained: How code can destroy machinery and stop (or start) a war
- 22 August, 2017 19:39
Stuxnet is an extremely sophisticated computer worm that exploits multiple previously unknown Windows zero-day vulnerabilities to infect computers and spread. Its purpose was not just to infect PCs but to cause real-world physical effects. Specifically, it targets centrifuges used to produce the enriched uranium that powers nuclear weapons and reactors.
Stuxnet was first identified by the infosec community in 2010, but development on it probably began in 2005. Despite its unparalleled ability to spread and its widespread infection rate, Stuxnet does little or no harm to computers not involved in uranium enrichment. When it infects a computer, it checks to see if that computer is connected to specific models of programmable logic controllers (PLCs) manufactured by Siemens.
PLCs are how computers interact with and control industrial machinery like uranium centrifuges. The worm then alters the PLCs' programming, resulting in the centrifuges being spun too quickly and for too long, damaging or destroying the delicate equipment in the process. While this is happening, the PLCs tell the controller computer that everything is working fine, making it difficult to detect or diagnose what's going wrong until it's too late.
Who created Stuxnet?
It's now widely accepted that Stuxnet was created by the intelligence agencies of the United States and Israel. The classified program to develop the worm was given the code name "Operation Olympic Games"; it was begun under President George W. Bush and continued under President Obama. While neither government has ever officially acknowledged developing Stuxnet, a 2011 video created to celebrate the retirement of Israeli Defense Forces head Gabi Ashkenazi listed Stuxnet as one of the successes under his watch.
While the individual engineers behind Stuxnet haven't been identified, we know that they were very skilled, and that there were a lot of them. Kaspersky Lab's Roel Schouwenberg estimated that it took a team of ten coders two to three years to create the worm in its final form.
Several other worms with infection capabilities similar to Stuxnet, including those dubbed Duqu and Flame, have been identified in the wild, although their purposes are quite different than Stuxnet's. Their similarity to Stuxnet leads experts to believe that they are products of the same development shop, which is apparently still active.
What's the purpose of Stuxnet?
The U.S. and Israeli governments intended Stuxnet as a tool to derail, or at least delay, the Iranian program to develop nuclear weapons. The Bush and Obama administrations believed that if Iran were on the verge of developing atomic weapons, Israel would launch airstrikes against Iranian nuclear facilities in a move that could have set off a regional war. Operation Olympic Games was seen as a nonviolent alternative. Although it wasn't clear that such a cyberattack on physical infrastructure was even possible, there was a dramatic meeting in the White House Situation Room late in the Bush presidency during which pieces of a destroyed test centrifuge were spread out on a conference table. It was at that point that the U.S. gave the go-head to unleash the malware.
Stuxnet was never intended to spread beyond the Iranian nuclear facility at Natanz. The facility was air-gapped and not connected to the internet. That meant that it had to be infected via USB sticks transported inside by intelligence agents or unwilling dupes, but also meant the infection should have been easy to contain.
However, the malware did end up on internet-connected computers and began to spread in the wild due to its extremely sophisticated and aggressive nature, though as noted it did little damage to outside computers it infected. Many in the U.S. believed the spread was the result of code modifications made by the Israelis; then-Vice President Biden was said to be particularly upset about this.
Stuxnet source code
Liam O'Murchu, who's the director of the Security Technology and Response group at Symantec and was on the team there that first unraveled Stuxnet, says that Stuxnet was "by far the most complex piece of code that we've looked at — in a completely different league from anything we’d ever seen before."
And while you can find lots of websites that claim to have the Stuxnet code available to download, O'Murchu says you shouldn't believe them: he emphasized to CSO that the original source code for the worm, as written by coders working for U.S. and Israeli intelligence, hasn't been released or leaked and can't be extracted from the binaries that are loose in the wild.
(The code for one driver, a very small part of the overall package, has been reconstructed via reverse engineering, but that's not the same as having the original code.)
However, he explained that a lot about code could be understood from examining the binary in action and reverse-engineering it. For instance, he says, "it was pretty obvious from the first time we analyzed this app that it was looking for some Siemens equipment." Eventually, after three to six months of reverse engineering, "we were able to determine, I would say, 99 percent of everything that happens in the code," O'Murchu said.
And it was a thorough analysis of the code that eventually revealed the purpose of the malware. "We could see in the code that it was looking for eight or ten arrays of 168 frequency converters each," says O'Murchu.
"You can read the International Atomic Energy Association’s documentation online about how to inspect a uranium enrichment facility, and in that documentation they specify exactly what you would see in the uranium facility — how many frequency converters there will be, how many centrifuges there would be. They would be arranged in eight arrays and that there would be 168 centrifuges in each array. That’s exactly what we were seeing in the code."
"It was very exciting that we’d made this breakthrough," he added. "But then we realized what we had got ourselves into — probably an international espionage operation — and that was quite scary." Symantec released this information in September of 2010; analysts in the west had known since the end of 2009 that the Iranians had been having problems with their centrifuges, but only know understood why.
Alex Gibney, the Oscar-nominated documentarian behind films like Enron: The Smartest Guys In The Room and Going Clear, directed Zero Days, which explains the history of Stuxnet's discovery and its impact on relations between Iran and the west. Zero Days includes interviews with O'Murchu and some of his colleagues, and is available in full on YouTube.
One dramatic sequence shows how the Symantec team managed to drive home Stuxnet's ability to wreak real-world havoc: they programmed a Siemens PLC to inflate a balloon, then infected the PC it was controlled by with Stuxnet. The results were dramatic: despite only being programmed to inflate the balloon for five seconds, the controller kept pumping air into until it burst.
The destruction of the Iranian uranium centrifuges, which followed the same logic—they were spun too quickly and destroyed themselves—was perhaps less visually exciting, but was ultimately just as dramatic. As the documentary explains, we now live in a world where computer malware code is causing destruction at a physical level. It's inevitable that we'll see more in the future.