Security

Stuxnet: The smart person's guide

Stuxnet was one of the most advanced malware attacks in history. It might be long over, but there are important things for cybersecurity pros to learn from its outbreak that could affect everyone.

It has been almost seven years since Stuxnet first made headlines for its devastating attack on Iranian uranium enrichment centrifuges.

The years haven't made it less relevant though—it's still an important topic due to the fact the exploit Stuxnet took advantage of still ranked among the most widely used in 2016. Microsoft patched the exploit, CVE-2010-2568, in 2010, but malware that exploits it continues to live on—a prime example of why Stuxnet is still relevant.

Zero Days, a 2016 documentary on Stuxnet, helped cement the malware into public consciousness. Stuxnet has become synonymous with cyberattacks and cyberwarfare and questions continue to abound about its origin and the scope of its targets.

TechRepublic's smart person's guide about Stuxnet is a quick introduction to this government-created malware, as well as a "living" guide that will be updated periodically as news about its evolution and misuse occur.

SEE: All of TechRepublic's smart person's guides

stuxnetfilmmagnoliapictures.jpg
Image: Magnolia Pictures

Executive summary

  • What is Stuxnet? Stuxnet is a computer worm designed to disrupt the operation of programmable logic controllers (PLCs). It was first discovered in 2010, and its creation is widely believed to be a joint effort between the US and Israel though neither country admits it.
  • When did Stuxnet happen? Stuxnet's outbreak began in early 2010, and updates were pushed to it from its C&C servers over the course of several months. There is evidence to suggest that Stuxnet precursors were being used as early as 2007 to target Iran's burgeoning nuclear program and pave the way for the larger Stuxnet attack.
  • Who did Stuxnet affect? Stuxnet's effect was felt most strongly in Iran, where over 60% of infections were located. While there's no confirmation of the breadth of the damage in Iran, many experts believe Stuxnet destroyed 1,000 centrifuges. Stuxnet's impact on the rest of the world was negligible.
  • Why does Stuxnet matter? Stuxnet's command and control (C&C) servers may be offline, and it's no longer being spread, but the security community can still learn a lot from the malware attack. Stuxnet specifically targeted industrial machines; it was designed to spread to air-gapped networks; and it proved that attacking infrastructure is possible.

SEE: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF) (TechRepublic)

What is Stuxnet?

Stuxnet was malware that was able to spread without a host file, making it a worm. It was specifically designed to interfere with the operation of Siemens PLCs and supervisory control and data acquisition (SCADA) systems that manage them.

Stuxnet spreads from machine to machine while looking for Siemen's STEP 7 software used to control PLCs. Once it locates a machine with STEP 7 installed on it, Stuxnet begins to feed false information to the PLC, intercepting the data the PLC generates using the false information, and reporting normal operation states back to STEP 7 so that it appears as if everything is normal.

Stuxnet is incredibly sophisticated—it used four separate zero-day attacks (including CVE-2010-2568) to infiltrate systems and was precision built to only do damage to Siemens industrial control systems. It consists of three parts: The worm that does the bulk of the work, a link file that automates execution of propagated worm copies, and a rootkit that hides all the files from detection.

SEE: Ebook—Cyberwar and the future of cybersecurity (TechRepublic)

Researchers from Symantec have found evidence that Stuxnet was deployed against Iran's nuclear program as early as 2007, but that backdating of its birth was made well after Stuxnet's 2010 discovery when it was used to attack a nuclear facility in Iran. The attack destroyed 1,000 centrifuges by causing them to spin far faster than designed.

As more evidence about the complexity of Stuxnet emerged, popular opinion began to solidify around it being built with the support of a national government. Since then it has been reported that Stuxnet was the work of a joint US-Israeli cyberwarfare group, though absolute proof remains nonexistent.

Additional resources

When did Stuxnet happen?

Stuxnet was discovered in 2010, but it actually has a much more interesting timeline that goes back several years earlier. Several pieces of precursor malware, Duqu and Conficker, were launched in advance and were crucial in the development and spread of Stuxnet.

After targeting Iranian systems Stuxnet received several updates from its C&C servers before the C&C servers were discovered, blocked, and eventually taken offline. Stuxnet infections were purged over the next several months.

Additional resources

Who did Stuxnet affect?

Stuxnet's primary victim was Iran—around 60% of the computers it infected were located in the country. Indonesia had 18% and India 8% of Stuxnet infections, and other nations were affected in the low single-digit percents.

The Iranian nuclear program is widely believed to have been the primary target of Stuxnet, and while Iran may have denied Stuxnet's effect on its nuclear centrifuges, the sudden failure of over 1,000 of them at an enrichment facility in Natanz, Iran, has led security analysts to conclude that Stuxnet was the culprit.

Additional resources

Why does Stuxnet matter?

Stuxnet itself doesn't really matter anymore. Stuxnet's heydey has long since passed; its C&C servers are offline; and whatever government may have built it has abandoned it.

What matters is what Stuxnet revealed about the potential sophistication of malware and how effectively it could cripple industries and infrastructure.

Let's break down what Stuxnet revealed to the world about the capabilities of malware.

  • It used four different zero-day vulnerabilities to spread, which was nearly unheard of in 2010 and is still uncommon today. Among those exploits was one so dangerous that it simply required having an icon visible on the screen—no interaction was necessary.
  • Stuxnet was incredibly effective in its targeting of control systems. It infected over 200,000 machines and caused physical degradation in 1,000 of them, making it a piece of malware with physical consequences. The machines it targeted were centrifuges in this case, but industrial control systems do far more than just control lab equipment.
  • It was, according to many analysts, created by a state actor, and while Stuxnet was not the first cyberwar attack in history it was arguably the most sophisticated to date.
  • Stuxnet was designed to be initially delivered via USB drive to ensure it could infect air-gapped networks. Once Stuxnet was on a system, it was designed to spread rapidly, quickly searching out computers with control over Siemens software and PLCs.

While Stuxnet may be dead, its autopsied code is easily found online, which means its innovations are freely available. The legacy it leaves the world is why it matters.

There has been a lot of speculation on when a cyberattack will hit US infrastructure, and many security pros think it will happen soon. Stuxnet's intended purpose (i.e., attacking PLCs and other industrial controllers) could very well play a major part in a future attack on the infrastructure of the US or other countries.

The exploit that enabled Stuxnet to spread continues to be one of the most targeted exploits in malware seven years later, and that's a bad sign for the security of organizations running software that controls industrial hardware. And many of those organizations are important to the operation of power grids, water supplies, sanitation networks, and other critical infrastructure.

ESET, as part of its reporting on Stuxnet, said it "was a breakthrough event that should have served as a wake up call for all those involved in security of industrial systems." But with at least one of the exploits Stuxnet used still common it's clear that it wasn't the wake-up call cybersecurity professionals hoped for.

It's only a matter of time before the narrowly-targeted Stuxnet reappears in a similar, much more devastating form. As with any other security threat, attacks like those that could follow in Stuxnet's footsteps can be avoided by keeping software up to date.

Additional resources

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks

Free Newsletters, In your Inbox