The Stuxnet Story: How a Digital Worm Changed Cyber Warfare Forever
Dive into one of the most complex pieces of malware ever written, which affected more than 10 countries and even nuclear facilities. This industrial-grade attack was one of the first of its kind. Here is a short exploration of how it works and the history behind it.

1. How Stuxnet Was Discovered
Stuxnet was first discovered in 2010 by VirusBlokAda, a Belarusian antivirus firm. It was found infecting Windows machines and targeting the Industrial Control Systems (ICS) deployed by Siemens. It was not a simple piece of malware: it carried special code to attack the Supervisory Control and Data Acquisition (SCADA) software that controlled industrial systems.
It was the first time we saw a threat so carefully planned and aimed specifically at SCADA. It came with a Programmable Logic Controller (PLC) rootkit. Building something like this is very difficult and needs a lot of resources.
First Discovery
Iran was affected on a far larger scale than other countries. The worm interfered with the centrifuges in nuclear enrichment facilities. Siemens stated that the worm caused no damage to its customers, but the Iranian nuclear program, which uses embargoed Siemens equipment procured secretly, was damaged by Stuxnet. About 60% of the total infected systems were in Iran.
Targeted Systems and Centrifuges
The targeted systems were connected to centrifuge rotors by overpressure. Centrifuges are machines that separate uranium-235 from uranium-238. The malware tries to alter the rotor speeds, delaying enrichment. Enriching uranium gives it the radioactive properties that are later useful in reactors.
Next, why was it created in the first place, and who created it?
2. Who Created Stuxnet?
Kaspersky Lab concluded that the sophisticated attack could only have been conducted with nation-state support. In a 2011 press statement, US official Gary Samore hinted that the US might have had direct involvement. The US and Israel collaborated to get this worm ready. It took them 5 years to build, and it is around 500,000 lines of code and around 50 Kb in size.
Operation Olympic Games
Although neither country has openly admitted responsibility, multiple independent news organizations recognize Stuxnet as a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games.
Building it took a massive toll, costing millions in R&D. Israel's involvement was important to the United States because it had deep intelligence about operations at Natanz (the city in Iran where the nuclear plants were located), which was vital for the cyber attack to succeed.
Countries Affected
Many countries were affected by this; here is a table from Wikipedia:
These countries were not directly affected. The worm did not cause any disruption to normal PCs. It was clever and stealthy code: it evaded antivirus detection and propagated over the internet to other devices.
These systems are the focus points of the attack:
1) The Windows operating system,
2) Siemens PCS 7, WinCC and STEP 7 industrial software applications that run on Windows,
3) One or more Siemens S7 PLCs.
Now, let's get technical and look at what top technical teams found out about this malware through reverse engineering.
3. Detailed Analysis of the Worm Which Shook Cyber Forensics
There is a good paper written by Symantec which is very detailed. I will try to provide a brief and short overview that gives a good picture of the threat.
Stuxnet Architecture
The primary goal was not to break things in one shot; it was to modify the internal code of the PLCs to make them work for the attacker. To achieve this, the authors used zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface.
Let's get into its architecture. At its heart is a DLL (Dynamic Link Library) file with many exports, which contains all of the code that controls the worm.
A dropper program unpacks the DLL into memory. There is also a stub that stores the DLL and the encrypted configuration. The stub files are shared across processes to maintain access and keep the program running.
So the next problem is how to be stealthy. Stuxnet prevents itself from being detected by hijacking Windows processes such as svchost.exe or lsass.exe. It also adjusts its own behaviour so that it is not detected by McAfee or Kaspersky.
It follows a memory-only approach (loading malicious code into memory instead of onto the hard disk). It also uses fake filenames to trick security tools (e.g. SHELL32.DLL.ASLR.<some hex value>), and fake certificates to appear legitimate.
Now, let's see how it propagates to other systems. It infected 100,000 computers globally.
Stuxnet Propagation Methods
Propagation is one of the most important features of a worm. All infected computers communicate with each other using RPC to share new versions of the worm.
It used multiple zero-days, such as the Print Spooler (MS10-061) and Server Service (MS08-067) vulnerabilities in Windows.
Another propagation mechanism was through USB drives. It hid itself as a ~WTR*.tmp file. These files were also made hidden by exploiting the Windows search hack.
The main point is that it didn't rely on one method to stay hidden or propagate; it had multiple methods and spread through everything with great precision.
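The two filename artifacts mentioned above (the ~WTR*.tmp files dropped on USB drives and the fake SHELL32.DLL.ASLR.<hex> names) are the kind of thing a defender can sweep for in a file listing. The scanner below is an added example written for this article, not code from the original page or from any of the cited reports; the sample paths and the digits and hex in them are constructed, and the pattern labels are my own.

```python
import re
from typing import Dict, List

# Filename patterns the article describes: the ~WTR*.tmp temp files used on
# USB drives and the fake SHELL32.DLL.ASLR.<hex> names that mimic a system
# library. Both are matched case-insensitively on the final path component.
STUXNET_NAME_PATTERNS: Dict[str, re.Pattern] = {
    "usb_tmp_dropper": re.compile(r"^~WTR\d+\.tmp$", re.IGNORECASE),
    "fake_shell32_name": re.compile(r"^SHELL32\.DLL\.ASLR\.[0-9A-F]+$", re.IGNORECASE),
}


def basename(path: str) -> str:
    """Return the last component of a Windows- or POSIX-style path."""
    return re.split(r"[\\/]", path.rstrip("\\/"))[-1]


def scan_file_list(paths: List[str]) -> List[Dict[str, str]]:
    """Flag every path whose filename matches a known Stuxnet naming pattern.

    Each finding records the offending path and which pattern it hit, so a
    responder can tell a USB dropper artifact from a fake library name.
    """
    findings: List[Dict[str, str]] = []
    for path in paths:
        name = basename(path)
        for label, pattern in STUXNET_NAME_PATTERNS.items():
            if pattern.match(name):
                findings.append({"path": path, "indicator": label})
    return findings


# Constructed sample listing (hypothetical drive letters, numbers and hex;
# not real indicators from the Stuxnet reports).
SAMPLE_LISTING = [
    r"E:\~WTR1234.tmp",
    r"E:\~WTR5678.tmp",
    r"E:\holiday_photos.jpg",
    r"C:\Windows\System32\shell32.dll",
    r"C:\Windows\inf\SHELL32.DLL.ASLR.deadbeef",
    r"C:\Users\ops\report.tmp",
]

if __name__ == "__main__":
    for finding in scan_file_list(SAMPLE_LISTING):
        print(f"{finding['indicator']:18s} {finding['path']}")
```

Real ~WTR*.tmp files sat at the root of the removable drive, so a production sweep would walk each mounted volume (os.walk) and feed the paths into scan_file_list rather than a fixed list.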
4. What to Expect in the Future
Stuxnet has created a new era in cyberwarfare. It was the first weaponised software ever written and used. To many people at the time, it was like a movie come true. This reflects how fragile our infrastructure can be against large-scale, nation-sponsored attacks.
In the near future there will be a time when weaponised software comes equipped with AI capabilities. As an end note I would like to remind my fellow readers and friends to take secure measures while trying anything online. Thanks for the read.
Sources:
https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
https://spectrum.ieee.org/the-real-story-of-stuxnet
https://en.wikipedia.org/wiki/Stuxnet
https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en