Some thoughts about Stuxnet

Some days ago, during a brief memory analysis demonstration with Volatility, I used a memory dump of a system infected with the “old-but-gold” Stuxnet.
One of the spectators asked me for additional information about this malware, so I decided to collect some information about the story of this “iconic” malware strain.

Stuxnet was a computer virus specially created and spread by the US government in collaboration with the Israeli government. The purpose of the software was the sabotage of the Iranian nuclear plant of Natanz: in particular, the virus was meant to disable the plant’s centrifuges while preventing the malfunction from being detected.

…so, let’s go back 11 years…

The following story is not mine: it’s a rough transcription/recap of a beautiful episode of Paolo Attivissimo’s Italian podcast “Il Disinformatico” [1] (here you can download the episode).

This story begins in June 2010, in Belarus: a malware analyst, Sergei Ulasen, discovers a new virus strain and publicly reports it in an expert forum. It is a virus that spreads using an unusual technique, evading the normal defenses of Microsoft Windows.

But this powerful virus also has another peculiarity: it does absolutely nothing. It doesn’t erase data, it doesn’t steal passwords: it just wanders around the Internet looking for something, but at first it’s not clear what.

It will take the coordinated work of the best civilian computer experts in the world, and several months, to solve this mystery: but by then the virus had already reached its target, a nuclear plant!

That virus, called “Stuxnet”, was able to bypass all the defenses of that nuclear plant and infect it invisibly, despite the plant being heavily protected and physically isolated from the Internet, and it also caused physical damage to the plant’s machinery.


The “Air Gap”

There is an expression in computer science that indicates the highest possible level of data and systems security, “air gap”: it means that the computer system is not connected to the rest of the world. No Internet, no network cables, no Wi-Fi: nothing goes in and nothing goes out. “An ‘air gapped’ system is an island, a fortress”.

This drastic isolation is used to protect the strategic assets of a company or a country, such as power and manufacturing plants, military systems and sensitive data archives: critical and expensive things, which absolutely must always keep working.

The Iranian nuclear plant of Natanz is one of these resources protected by an “air gap”: it’s an underground complex, inside which thousands of centrifuges are used to separate uranium isotopes, so that they can be used in the production of nuclear energy or, potentially, to build nuclear weapons.

But someone decided that those centrifuges, rightly or wrongly, had to be stopped: however, a traditional military attack would be very difficult, and would also be a politically critical act. So a technological approach was preferred, but how do you deliver a cyber attack to a system that is isolated from the rest of the world?


The infection

So, let’s go back to Stuxnet: at first it looks like a fairly ordinary virus, exploiting a Microsoft Windows security flaw that allows it to infect a computer by simply inserting an infected USB stick, without any other action by the user: a powerful technique, patched by Microsoft with an update released a month after the discovery.

Furthermore, Stuxnet spreads indiscriminately, making thousands of attempts a day to infect other Windows computers, but it contains a series of instructions dedicated to targeting only specific programmable control devices (SCADA), widely used in industrial processes, and written specifically for only one brand, Siemens: and only if they are connected to specific machinery.

(Image: a Siemens Simatic S7-300)

It is a very strange behavior: infections spread all over the planet, but as many as 60% of infected computers are in Iran, even though Siemens SCADA systems cannot be sold to Iran due to the international embargo.

Why would a virus hit industrial systems of a specific brand, but practically only if they are located in Iran, where that brand is not for sale?
In September 2010, three months after the discovery of Stuxnet, some experts proposed an explanation for all these mysteries: it is a military cyber weapon, conceived and directed by someone with geopolitical aims, used for military purposes in an attack that has destructive effects in the real world. According to Mikko Hypponen, one of the best known cybersecurity experts, “it was the most important malware of the year and probably of the decade” [2].

This explanation, ambiguously supported by some US and Israeli government and military statements, is consistent with all the established facts and with some other little-known facts revealed by experts with the contribution of Wikileaks [3], such as the fact that there really are Siemens controllers in Iran: they were purchased clandestinely, evading the embargo, and are located in the Natanz nuclear plant.


How did it work?

The most plausible reconstruction is that Stuxnet was implanted on the laptops of some Iranian organizations that maintain industrial plants, including nuclear ones: the virus then waited until the technicians of these organizations brought their computers into the nuclear plants and used them to carry out maintenance on the Siemens control equipment, thereby bypassing the “air gap”.

Stuxnet then activated and installed itself in the Siemens systems, modifying the rotation speed of the centrifuges in an irregular way in order to create excessive stresses that gradually damaged and ruined them: in this way, the centrifuges appeared to fail for absolutely inexplicable reasons [4].

But when a technician connected to the Internet a computer that had been used for the maintenance of the Iranian nuclear plants, Stuxnet spread throughout the Internet, infecting hundreds of thousands of computers and industrial systems, and was thus detected and analyzed by security experts everywhere.


UPDATE 07/12/2021:

Paolo Luise, on LinkedIn, pointed me to “a documentary called Zero Days focused on the discovery and investigation of Stuxnet”. A very good suggestion, thanks Paolo!
“Zero Days” is available on Amazon Prime Video [5].


References

  1. Paolo Attivissimo, “Il Disinformatico” podcast
  2. https://www.youtube.com/watch?v=gFzadFI7sco
  3. https://archive.f-secure.com/weblog/archives/00002083.html
  4. https://www.bbc.com/news/world-middle-east-56734657
  5. Amazon Prime Video: Zero Days