Stuxnet is an example of a virus whose threat goes far beyond the digital sphere. Let’s learn more about the Stuxnet attack crippling Iran’s nuclear facilities.
Stuxnet is a powerful and malicious computer worm that first surfaced in 2010. It is also reportedly the largest and costliest of this type of malware. It exploited the previously unknown Windows zero-day vulnerabilities to infect target systems and spread to other systems. The virus primarily targeted the centrifuges of Iran’s uranium enrichment facilities. However, cyber attackers modified it over time and adapted it to target other facilities such as power plants and gas pipes.
While no country has officially admitted to creating Stuxnet, it is widely believed that the US and Israel jointly developed the worm. Stuxnet was the first virus to cause the physical destruction of infected devices. It severely crippled Iran’s nuclear program, though the malware also accidentally spread beyond the limits of Iran’s nuclear facilities due to its aggressive nature. However, it didn’t cause much damage to external devices outside of the original target areas.
Stuxnet is a highly sophisticated and intrusive piece of malware. However, it is also carefully designed to only affect targets with specific configurations and cause minimum damage on other devices.
As targeted nuclear facilities were air-gapped and isolated from the global network, Stuxnet was most likely transmitted via USB sticks carried inside these facilities by agents.
Stuxnet is complex malware. It has code for a man-in-the-middle attack that fakes sensor signals so that a targeted system won’t shut down due to abnormal behavior. It is also unusually large, written in different programming languages, and spreads quickly.
Stuxnet targets three systemic layers:
Stuxnet infiltrated Windows systems by exploiting various zero-day vulnerabilities such as remote code execution. It employed enabled printer sharing or LNK/PIF vulnerability executing the file when it is viewed in Windows Explorer.
This malware accesses both user and kernel levels. Its device drivers are signed by two public certificates, so it can access kernel drivers without users’ knowledge and remain undetected for a long time.
After penetrating Windows systems, Stuxnet infects files belonging to Siemens industrial software applications and disrupts their communications. It also modifies code on PLC devices.
Stuxnet installs malware blocks in PLC monitors. Then it constantly changes the system’s frequency and affects the operation of motors by changing their rotational speed. Stuxnet also contains a rootkit that hides the worm from monitoring systems.
Stuxnet was identified and reported in 2010, although it had been in development since 2005. Stuxnet 0.5 [McD13] is the first known version of Stuxnet. In January 2010, inspectors visiting the Natanz uranium enrichment plant noticed that its centrifuges were failing at an unprecedented rate. They couldn’t discover the cause for the failure at that time. After five months, researchers found malicious files in one of the systems.
The worm started to spread around March of 2010, but the first variant appeared in 2009. On July 15, 2010 the worm’s existence became widely known due to a DDoS attack on an industrial systems security mailing list. This attack interrupted an essential source of information for factories and power plants.
Stuxnet spread in two waves. The first wave was less visible and more targeted than the second. Stuxnet became known to the public during the second wave, which was more aggressive and widespread. The worm managed to infect more than 20,000 devices in 14 Iranian nuclear facilities and ruined around 900 centrifuges.
While Stuxnet didn’t do much damage outside its target, it serves as an example for later pieces of malware targeting various infrastructure and nation-states. Modified versions also target non-nuclear facilities.
Stuxnet has had a significant influence on future malware development. Here is a few examples of Stuxnet’s legacy:
Here are a few interesting facts about Stuxnet:
As I mentioned above, Stuxnet doesn’t pose a direct threat to individual users, so here are a few tips for companies:
Want to read more like this?
Get the latest news and tips from NordVPN