Stuxnet – the first “weaponized” computer virus

Stuxnet (more here) is a computer virus that was designed to attack Supervisory Control and Data Acquisition (SCADA) systems manufactured by Siemens. These systems are used in a variety of industrial applications including power plants, energy distribution networks and water supplies. The primary target of this sophisticated virus appears to be the Iranian nuclear program and it had a significant effect on their progress. Thus far no one knows exactly who developed Stuxnet but as more info is revealed, it is clear that this was not the work of some kid looking for a thrill. The sheer complexity and stealthiness of this virus pushes the envelope of cyberwarfare. The whole scenario has all the makings of a spy thriller.

The mission: Infiltrate the highly advanced, securely guarded enemy headquarters where scientists in the clutches of an evil master are secretly building a weapon that can destroy the world. Then render that weapon harmless and escape undetected.

But in the 21st century, Bond doesn’t get the call. Instead, the job is handled by a suave and very sophisticated secret computer worm, a jumble of code called Stuxnet, which in the last year has not only crippled Iran’s nuclear program but has caused a major rethinking of computer security around the globe.

Intelligence agencies, computer security companies and the nuclear industry have been trying to analyze the worm since it was discovered in June by a Belarus-based company that was doing business in Iran. And what they’ve all found, says Sean McGurk, the Homeland Security Department’s acting director of national cyber security and communications integration, is a “game changer.”

The construction of the worm was so advanced, it was “like the arrival of an F-35 into a World War I battlefield,” says Ralph Langner, the computer expert who was the first to sound the alarm about Stuxnet. Others have called it the first “weaponized” computer virus.

Simply put, Stuxnet is an incredibly advanced, undetectable computer worm that took years to construct and was designed to jump from computer to computer until it found the specific, protected control system that it aimed to destroy: Iran’s nuclear enrichment program.

The virus was designed to damage (but not destroy) the complex centrifuges which are used to enrich uranium. It did this by changing the rotational speed while hiding it from the built-in sensors. This not only damaged the centrifuge but also the uranium contained inside. Because this was hidden from the internal sensors and controls, the causes for the damage could not easily be determined.

The real genius of Stuxnet however, is in how it penetrated the many levels of security in the Iranian nuclear facilities.

–The nuclear facility in Iran runs an “air gap” security system, meaning it has no connections to the Web, making it secure from outside penetration. Stuxnet was designed and sent into the area around Iran’s Natanz nuclear power plant — just how may never be known — to infect a number of computers on the assumption that someone working in the plant would take work home on a flash drive, acquire the worm and then bring it back to the plant.

–Once the worm was inside the plant, the next step was to get the computer system there to trust it and allow it into the system. That was accomplished because the worm contained a “digital certificate” stolen from JMicron, a large company in an industrial park in Taiwan. (When the worm was later discovered it quickly replaced the original digital certificate with another certificate, also stolen from another company, Realtek, a few doors down in the same industrial park in Taiwan.)

–Once allowed entry, the worm contained four “Zero Day” elements in its first target, the Windows 7 operating system that controlled the overall operation of the plant. Zero Day elements are rare and extremely valuable vulnerabilities in a computer system that can be exploited only once. Two of the vulnerabilities were known, but the other two had never been discovered. Experts say no hacker would waste Zero Days in that manner.

–After penetrating the Windows 7 operating system, the code then targeted the “frequency converters” that ran the centrifuges. To do that it used specifications from the manufacturers of the converters. One was Vacon, a Finnish Company, and the other Fararo Paya, an Iranian company. What surprises experts at this step is that the Iranian company was so secret that not even the IAEA knew about it.

–The worm also knew that the complex control system that ran the centrifuges was built by Siemens, the German manufacturer, and — remarkably — how that system worked as well and how to mask its activities from it.

–Masking itself from the plant’s security and other systems, the worm then ordered the centrifuges to rotate extremely fast, and then to slow down precipitously. This damaged the converter, the centrifuges and the bearings, and it corrupted the uranium in the tubes. It also left Iranian nuclear engineers wondering what was wrong, as computer checks showed no malfunctions in the operating system.

It may take the Iranians more than a year to clean their systems of Stuxnet. Meanwhile a clampdown by the state counterintelligence services will hamper the normal activities of the scientists – a side benefit of the virus.

One additional impact that can be attributed to the worm, according to David Albright of the Center for Strategic and International Studies, is that “the lives of the scientists working in the facility have become a living hell because of counter-intelligence agents brought into the plant” to battle the breach. Ironically, even after its discovery, the worm has succeeded in slowing down Iran’s reputed effort to build an atomic weapon. And Langer says that the efforts by the Iranians to cleanse Stuxnet from their system “will probably take another year to complete,” and during that time the plant will not be able to function anywhere normally.

More details will likely emerge about this affair, although we may never find out who was responsible. Hopefully it will serve as a lesson that we need to step up our efforts to protect all vital computer systems – not just military. Cyberwarefare is real and Stuxnet just raised the threat level.