Stuxnet explained — the worm that went nuclear

Stuxnet is an example of a virus whose threat goes far beyond the digital sphere. Let's learn more about the Stuxnet attack crippling Iran's nuclear facilities.

Paulius Ilevičius

Mar 10, 2022 · 4 min read

What is Stuxnet?

Stuxnet is a powerful and malicious computer worm that first surfaced in 2010. It is also reportedly the largest and costliest of this type of malware. It exploited previously unknown Windows zero-day vulnerabilities to infect target systems and spread to other systems. The virus primarily targeted the centrifuges of Iran's uranium enrichment facilities. However, cyber attackers modified it over time and adapted it to target other facilities such as power plants and gas pipes.

While no country has officially admitted to creating Stuxnet, it is widely believed that the US and Israel jointly developed the worm. Stuxnet was the first virus to cause the physical destruction of infected devices. It severely crippled Iran's nuclear program, though the malware also accidentally spread beyond the limits of Iran's nuclear facilities due to its aggressive nature. However, it didn't cause much damage to devices outside of the original target areas.

How does Stuxnet work?

Stuxnet is a highly sophisticated and intrusive piece of malware. However, it is also carefully designed to affect only targets with specific configurations and to cause minimum damage to other devices.

As targeted nuclear facilities were air-gapped and isolated from the global network, Stuxnet was most likely transmitted via USB sticks carried inside these facilities by agents.

Stuxnet is complex malware. It has code for a man-in-the-middle attack that fakes sensor signals so that a targeted system won't shut down due to abnormal behavior. It is also unusually large, written in different programming languages, and spreads quickly.

Stuxnet targets three systemic layers:

  • Windows OS
  • Siemens PCS 7, WinCC, and STEP7 industrial software applications
  • Siemens S7 programmable logic controller

Stuxnet infiltrated Windows systems by exploiting various zero-day vulnerabilities such as remote code execution. It used enabled printer sharing or the LNK/PIF vulnerability, which executes a file when it is viewed in Windows Explorer.

This malware accesses both user and kernel levels. Its device drivers are signed by two public certificates, so it can access kernel drivers without users' knowledge and remain undetected for a long time.

After penetrating Windows systems, Stuxnet infects files belonging to Siemens industrial software applications and disrupts their communications. It also modifies code on PLC devices.

Stuxnet installs malware blocks in PLC monitors. Then it constantly changes the system's frequency and affects the operation of motors by changing their rotational speed. Stuxnet also contains a rootkit that hides the worm from monitoring systems.
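The following Python example is added here and is not code from the original article or from any vendor tool. It shows two checks a monitoring team can run on drive-frequency telemetry when the values shown to operators may be faked as described above: spotting a reported signal that repeats exactly, and comparing reported values with an independent out-of-band measurement. The sample readings, the 5 Hz tolerance, the independent tachometer and the assumption that faked data is a replayed recording are all constructed for the example.

```python
from statistics import mean

# Constructed sample telemetry in Hz (not values from the real incident).
LIVE = [1000.2, 999.7, 1000.5, 999.9, 1000.1, 1000.4, 999.6, 1000.3, 999.8, 1000.0]
LOOP = [1000.1, 999.8, 1000.3, 999.9, 1000.2]
# What the monitoring station is shown: live data, then a recording on repeat.
REPORTED = LIVE + LOOP * 4
# What a hypothetical independent tachometer measures over the same interval.
INDEPENDENT = LIVE + [1050.0, 1100.0, 1150.0, 1200.0, 1250.0] + [1300.0] * 15


def find_replay_period(series, min_period=4, min_repeats=3):
    """Return the shortest period p for which the end of `series` is one
    p-sample block repeated `min_repeats` times exactly, or None.
    Real sensor noise makes an exact multi-sample repeat very unlikely."""
    n = len(series)
    for p in range(min_period, n // min_repeats + 1):
        tail = series[n - p * min_repeats:]
        block = tail[:p]
        if len(set(block)) == 1:
            continue  # flat line: a stuck sensor, not a replay; check separately
        if all(v == block[i % p] for i, v in enumerate(tail)):
            return p
    return None


def divergence_windows(reported, independent, tolerance_hz=5.0, window=5):
    """Return start indexes of windows where the mean absolute gap between
    the reported and the independently measured frequency exceeds tolerance."""
    hits = []
    for start in range(0, min(len(reported), len(independent)) - window + 1, window):
        pairs = zip(reported[start:start + window], independent[start:start + window])
        if mean(abs(r - m) for r, m in pairs) > tolerance_hz:
            hits.append(start)
    return hits


def assess(reported, independent):
    """Combine both checks into one verdict for an alerting pipeline."""
    period = find_replay_period(reported)
    diverged = divergence_windows(reported, independent)
    return {"replay_period": period, "diverged_at": diverged,
            "alert": period is not None or bool(diverged)}


if __name__ == "__main__":
    print(assess(REPORTED, INDEPENDENT))
```

The independent measurement only helps if it reaches the monitoring team over a path that the compromised controller and engineering workstation cannot rewrite.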

The history of Stuxnet

Stuxnet was identified and reported in 2010, although it had been in development since 2005. Stuxnet 0.5 [McD13] is the first known version of Stuxnet. In January 2010, inspectors visiting the Natanz uranium enrichment plant noticed that its centrifuges were failing at an unprecedented rate. They couldn't discover the cause for the failure at that time. After five months, researchers found malicious files in one of the systems.

The worm started to spread around March of 2010, but the first variant appeared in 2009. On July 15, 2010, the worm's existence became widely known due to a DDoS attack on an industrial systems security mailing list. This attack interrupted an essential source of information for factories and power plants.

Stuxnet spread in two waves. The first wave was less visible and more targeted than the second. Stuxnet became known to the public during the second wave, which was more aggressive and widespread. The worm managed to infect more than 20,000 devices in 14 Iranian nuclear facilities and ruined around 900 centrifuges.

While Stuxnet didn't do much damage outside its target, it serves as an example for later pieces of malware targeting various infrastructure and nation-states. Modified versions also target non-nuclear facilities.

Sons of Stuxnet

Stuxnet has had a significant influence on future malware development. Here are a few examples of Stuxnet’s legacy:

  • Flame. Flame is sophisticated spyware that also targets Iran and other Middle East countries. It mainly targeted educational and governmental institutions. Flame logged keystrokes and recorded Skype conversations after infecting devices via USB sticks.
  • Havex. Contrary to Flame, Havex targets primarily Western countries but has similar intentions. It spies on aviation, defense, energy, and pharmaceutical companies.
  • Duqu. Duqu is a collection of computer malware that also exploited Windows zero-day vulnerabilities. It is very similar to Stuxnet and also targets nuclear entities in Iran.
  • Industroyer. Industroyer is a piece of malware used to attack Ukraine’s power grid in 2016. The attack left part of Kyiv without electrical power for an hour.
  • Triton. Triton targeted a petrochemical plant in Saudi Arabia. Triton is called “the world’s most murderous malware” and can contribute to a plant disaster.

Interesting facts

Here are a few interesting facts about Stuxnet:

  • Stuxnet is the first piece of malware that infected target devices via USB drives.
  • Stuxnet could update itself using P2P communications and an online connection.
  • It used a stolen digital signature to install the rootkit.
  • It has become a subject of several movies such as Zero Days, Blackhat, and others.

How to protect yourself from Stuxnet

As I mentioned above, Stuxnet doesn't pose a direct threat to individual users, so here are a few tips for companies:

  • Isolate your industrial networks from general business networks with firewalls to prevent malware spreading.
  • Use application whitelisting to filter your network from malicious actors.
  • Closely monitor your network for unusual activity.
  • Maintain strict removable media policies to prevent dodgy USBs being connected to your devices.
  • Practice host hardening by disabling unnecessary services.