maurograziani.org
Music Art Technology & other stories


Posted on 2010 by MG

Stuxnet

[image: PLC]

The story of Stuxnet deserves to be told.

In short, Stuxnet is a virus. But it's not just any old virus, created by a random lamer or a professional spammer. Nor is it a proof-of-concept, a virus created to demonstrate that a vulnerability exists and can be exploited.

Stuxnet was detected in January, but it wasn't until July of this year that some of its uncommon characteristics were noticed, and in Symantec's analysis it immediately appeared to be a somewhat unusual product. Indeed, this virus infects Windows systems, but it isn't interested in just any system. It looks for industrial control systems, generically known as SCADA systems.

However, these types of systems usually don't reside on machines connected to the Internet, or if they do, they only connect to specific addresses, often via VPN (highly secure, encrypted private networks). You can't read email or surf the web safely on a computer that controls, for example, a power plant. You can't even plug in USB sticks because these machines are purpose-built with various I/O cards and don't have the interfaces of normal computers, but only those connected to sensors and control actuators. Often, they don't even have a keyboard or monitor (see image above right). So, how can a virus install itself on one of these computers?

The fact is that these systems, called Programmable Logic Controllers (PLCs), are actually microcomputers into which the program that will control the automation of an industrial process must be loaded, and this program is created using a development system running on a Windows computer. What happens is that a programmer prepares, on an emulator running on Windows, the code intended to be loaded into the PLC.

At this point, it's clear that, even if the PLC isn't connected to the internet, there's a way to infect it. This involves reaching the computer hosting the development system used to create the PLC software and infecting that software. Thus, when the program is loaded into the PLC, the virus will also be loaded with it.

Stuxnet looks for these types of machines, but not all of them: it targets only a specific software configuration present in control systems made by Siemens. To infect its victims, it uses a new and original infection method that doesn't require user interaction: all it needs to do is display its icon on an unpatched Windows system. It exploits four previously unknown vulnerabilities. Furthermore, it can make itself invisible to Windows and inject itself into software created for PLCs, making itself invisible to them as well. Finally, it contains 70 encrypted blocks that replace some of these systems' fundamental functions. To prevent its discovery, its authors stole the secret digital signatures of two Taiwanese chip manufacturers and used them in Stuxnet to make it appear to be certified software.
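The infection path described above means the code that reaches the PLC is only as trustworthy as the Windows development host it came from, and the post notes that the virus hides itself from the PLC software on that host. One defensive measure is an integrity check of the project blocks that does not rely on the vendor software at all: digests recorded on a clean machine are compared, with plain Python, against the files about to be loaded. The following is an added example and not code from the original post or from any PLC vendor; the `.blk` file layout, the block names and the contents are constructed for illustration.

```python
"""Independent integrity check for PLC project blocks.

Added example, not code from the original post or from any PLC vendor.
Assumes a hypothetical project layout in which each logic block is a file
under a project directory, and a manifest of SHA-256 digests was recorded
earlier on a clean, separate machine. The check is deliberately run with
plain Python rather than through the engineering software, because the post
describes malware that hides from that software.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large blocks are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(project_dir: str) -> dict:
    """Record the digest of every block file (run this on a trusted host)."""
    manifest = {}
    for name in sorted(os.listdir(project_dir)):
        path = os.path.join(project_dir, name)
        if os.path.isfile(path):
            manifest[name] = sha256_file(path)
    return manifest


def verify_project(project_dir: str, manifest: dict) -> dict:
    """Compare the project on disk against the recorded manifest.

    Returns {'modified': [...], 'added': [...], 'missing': [...]}.
    Any non-empty list means the code about to be loaded into the PLC is
    not the code that was reviewed and recorded.
    """
    current = build_manifest(project_dir)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "added": sorted(n for n in current if n not in manifest),
        "missing": sorted(n for n in manifest if n not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean project, then one block altered and one injected."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed block files with hypothetical names and contents.
        for name, body in {"OB1.blk": b"CALL FC1\n", "FC1.blk": b"L MW10\nT DB1.DBW0\n"}.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(d)  # recorded while the project is clean
        # Simulated tampering: FC1 gains a call and a new block appears.
        with open(os.path.join(d, "FC1.blk"), "ab") as f:
            f.write(b"CALL FC_INJECTED\n")
        with open(os.path.join(d, "FC_INJECTED.blk"), "wb") as f:
            f.write(b"NOP 0\n")
        return verify_project(d, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only helps if it is produced and stored somewhere the development host cannot rewrite it; otherwise anything that can alter the blocks can also alter the digests.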

This is a staggering display of force for a virus, even a non-trivial one. Four previously unknown vulnerabilities, blocks of encrypted code, substitution of key functions, and stolen digital signatures indicate the possession of knowledge beyond that of a single hacker or cracker, and also raise the suspicion that the companies producing these PLCs provided more than one piece of information. So who made such an effort, and why?

The chart on this Symantec page shows that the distribution of infections is concentrated in Iran: nearly 60% of the affected machines are in that country. Liam O'Murchu of Symantec told the BBC that

The fact that we're seeing so many more infections in Iran than in any other country in the world makes us think that this cyber threat was targeted at Iran and that there was something in Iran that was very, very valuable to whoever wrote it.

But Symantec's analysis continued, discovering that even when Stuxnet finds a machine that meets the required specifications and infects it, it doesn't always take action. It performs other checks first. It looks for a system with a specific configuration and that is connected to frequency converters manufactured by just two companies, one Finnish and the other based in Tehran, Iran.

Not only that, the virus also checks whether the converters operate at high frequencies, between 807 and 1210 Hz. There are few facilities with components that require such frequencies. One such component is the centrifuge used for uranium enrichment.

A frequency converter is a device that can vary its output frequency, which controls the speed (number of revolutions) of a motor. Stuxnet can interfere with this control and vary the speed of the motors, thus sabotaging the entire process.
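Since the attack works by altering the speed commanded to the motors, and the PLC itself may be the compromised component, a useful safeguard is to monitor the converter's actual output frequency from a source the PLC does not control and to flag readings outside the engineered operating band or changing faster than the process ever should. The following is an added example, not code from the original post; it assumes a hypothetical out-of-band telemetry feed of `(timestamp, frequency_hz)` samples, and the band, step threshold and readings are constructed for illustration (the 807 to 1210 Hz band is the one the post cites).

```python
"""Out-of-band monitor for frequency-converter output.

Added example, not code from the original post. Assumes the drive's actual
output frequency can be read from a source independent of the PLC (for
instance the converter's own status interface logged by a separate host);
the PLC's view cannot be trusted once its program may have been altered.
All thresholds and sample readings below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    t: int          # sample timestamp
    hz: float       # frequency observed at that time
    reason: str     # why the sample was flagged


def monitor(readings, band=(807.0, 1210.0), max_step_hz=5.0):
    """Return alerts for readings outside the band or changing too quickly.

    readings:    iterable of (timestamp, frequency_hz), in time order.
    band:        operating band the process is engineered for.
    max_step_hz: largest change between consecutive samples that steady
                 operation should ever produce (constructed threshold).
    """
    alerts = []
    prev = None
    for t, hz in readings:
        if not band[0] <= hz <= band[1]:
            alerts.append(Alert(t, hz, "outside operating band"))
        if prev is not None and abs(hz - prev) > max_step_hz:
            alerts.append(Alert(t, hz, f"step of {hz - prev:+.1f} Hz exceeds {max_step_hz} Hz"))
        prev = hz
    return alerts


# Constructed telemetry: steady near 1000 Hz, then two abrupt excursions.
SAMPLE = [
    (0, 1000.0), (1, 1000.2), (2, 999.9), (3, 1000.1),
    (4, 1350.0),   # sudden jump above the band
    (5, 1350.0),
    (6, 600.0),    # then a sudden drop far below the band
    (7, 1000.0),   # back to normal, but the return itself is an abrupt step
]

if __name__ == "__main__":
    for a in monitor(SAMPLE):
        print(f"t={a.t} f={a.hz:.1f} Hz: {a.reason}")
```

The rate-of-change rule is what catches the return to normal at t=7, which the band check alone would miss; in practice the thresholds come from the process engineers, not from the control system's own configuration.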

In conclusion, we have a very sophisticated virus that exploits knowledge that is not easily obtainable, uses difficult-to-implement infection methods, and targets facilities with components common in Iran. It also checks whether the facility in question has characteristics typical of Iranian uranium enrichment plants. Other sources mention the Bushehr nuclear reactor.

In fact, the BBC reported that, according to the official Iranian news agency IRNA, Stuxnet infected the personal computers of staff at the Bushehr nuclear power plant, but the plant's operating system was not damaged. According to Mahmoud Liay, head of the Iranian Industry Ministry's information technology council, electronic warfare has been launched against Iran and the infected IP addresses in Iran are estimated to be around 30,000.

From what we can see, we are likely witnessing one of the first publicly known cases of a cyber attack on a country's nuclear facilities. It's unclear exactly what the attacker intended, because such high-speed centrifuges shouldn't exist in a nuclear power plant, but they do in a uranium enrichment facility. However, the numbers clearly show that the virus was primarily aimed at Iran and was able to operate for about a year before being fully analyzed.

Who carried out this attack is unknown. The virus code contains a biblical reference that suggests Israel. It's the word "Myrtus." This can be read as an allusion to the Book of Esther in the Old Testament, which tells of how the Jews foiled a Persian plot to destroy them.

However, one wonders why Israel would have signed such an attack, and one might even think that the aforementioned reference was deliberately placed to mislead. On the other hand, the megalomania of those who carry out such work is well known and often translates into leaving a signature. Furthermore, it could simply be a threat or a test, to show that one is capable of doing it and therefore of doing even worse.

Sources: Symantec here, here and here (full report in PDF); il Disinformatico, here and here.

