Description
The Stuxnet worm first appeared in the summer of 2010. It was a 500-kilobyte computer worm that attacked different computer systems. Its effects were first detected by inspectors working with the International Atomic Energy Agency who, during a visit to a uranium enrichment plant in Iran, discovered that the centrifuges used to enrich uranium gas were failing at an unprecedented rate. More than 15 Iranian facilities were noted to have been infiltrated by Stuxnet. Only after Iranian technicians hired computer security consultants in Belarus to check their computer systems was it discovered that the systems held several malicious files. Further investigation revealed that the malicious files were the Stuxnet worm. The attack on the Iranian nuclear facilities is estimated to have destroyed over 900 uranium-enriching centrifuges (Holloway, 2015). The effect was a 30% reduction in enrichment efficiency.
Stuxnet is noted to have spread quickly across computer systems whether or not an internet connection was present, which set it apart from other computer viruses. It proved quite impossible to predict and stop. It also differed from other worms in that it was designed to release its payload only when it was inside an industrial control system whose characteristics matched those of the Iranian nuclear enrichment facility at Natanz (Denning, 2012).
How Stuxnet Worked
It is believed that the Stuxnet worm was introduced to the nuclear facilities through workers’ USB drives. The worm was designed to spread undetected between computers running Windows, irrespective of whether the computer was connected to the internet. Introduction through a USB drive was quite unconventional, as most people would not suspect that a worm would spread through this avenue.
After infiltrating a computer system, the Stuxnet worm operated in three distinct stages. In the first stage, the worm targeted vulnerabilities in Windows machines and networks, where it quickly replicated itself and penetrated deeper and more broadly by gaining access to more vulnerable systems. In the second stage, the worm gained access to the Siemens Step7 software, which also runs on Windows and is used specifically to program industrial control systems. In the third stage, the worm moved to the logic controllers, granting its creators access to the industrial system and the ability to take control of the whole system (Rao, 2014).
Analysis of the Stuxnet worm by experts revealed features that set it apart from previously known worms. The worm was observed to use a minimum of four new “zero days”, or vulnerabilities that had not been previously known. Stuxnet also carried digital signatures made with the private keys of two certificates that had been illegally acquired from distinct but well-known companies. The worm was able to function on all Windows operating systems, including Windows 95, which was by then a decade-old system (Singer, 2015). The case of Stuxnet was a peculiar one, as hackers are known to value zero days highly and like to keep them unknown. In this worm, the developers used four zero days where just one would have been enough. This was a likely indicator that the developers were not ready to take any chance of the worm failing to reach its target. The analysts revealed that the Stuxnet worm got past the Windows defenses using what could be equated to a stolen passport. To gain access to the operating system’s control functions, the worm had to put in place a component that could communicate with the kernel. For this, Stuxnet used a device driver, the kind of component that normally enables hardware devices to interact with the operating system. Windows uses a scheme of digital signatures that allows trusted hardware manufacturers to write device drivers that the operating system will accept. When an unsigned driver is used, Windows alerts the user. The driver that Stuxnet used carried signatures for two known companies in Taiwan, revealing that its developers had most likely stolen the secret signing keys (Singer, 2015).
Analysis of the Stuxnet worm revealed that, contrary to the normal behavior of worms, which is to be truly infectious, Stuxnet sought to perpetrate a specific attack. The worm was not targeting computers or the Windows operating system in general but rather a specific computer program used in the Siemens WinCC/PCS 7 SCADA control software (Singer, 2015). Where the Siemens software was missing, the worm had controls that made it inert. Stuxnet also operated differently from other worms, which seek to spread as much as possible, in that it was set to spread to no more than three other computers. The worm also had a self-destruct mechanism that would make it erase itself in 2012 (Singer, 2015).
It was thereby clear that Stuxnet was targeting a specific industrial controller, produced by Siemens, that was used in running nuclear centrifuges. The target was not nuclear centrifuges in general but only installations made up of centrifuge cascades of a certain size with 984 centrifuges connected (Singer, 2015). This was the setup used at the Natanz nuclear facility. The attack did not stop the centrifuges from operating but rather made them run a number of subroutines. The worm caused small adjustments in the pressure inside the centrifuges. It also adjusted the speed of the centrifuges’ spinning rotors, first slowing them down and then resuming the normal speed. The effect destabilized the rotors and destroyed their work. The worm would at times make the centrifuges exceed their maximum designed speed. As a result of the attack, the centrifuges could not produce refined uranium fuel, broke down frequently, suffered damaging vibrations from random surges, and at times ran out of control and exploded (Singer, 2015).
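The rotor-speed manipulation described above (slowing the rotors, returning to normal speed, and at times passing the maximum designed speed) is the kind of behavior a process-level monitor can flag. The following is an added example, not part of the original essay; the operating band, design limit, telemetry samples and the function names `find_excursions` and `triage` are constructed assumptions.

```python
# Constructed limits for illustration; real values come from the equipment's
# engineering documentation, not from this essay.
NORMAL_BAND = (1000.0, 1100.0)  # Hz, assumed normal operating range
MAX_DESIGN = 1200.0             # Hz, assumed maximum designed speed

# Constructed telemetry: (seconds, rotor speed in Hz), one sample per minute.
SAMPLES = [(0, 1060), (60, 1062), (120, 700), (180, 300), (240, 1058),
           (300, 1061), (360, 1150), (420, 1250), (480, 1065), (540, 1063)]

def find_excursions(samples, band=NORMAL_BAND, max_design=MAX_DESIGN):
    """Group consecutive out-of-band samples into excursion records."""
    low, high = band
    found, cur = [], None
    for ts, hz in samples:
        side = "under" if hz < low else "over" if hz > high else None
        if cur is not None and side != cur["side"]:
            cur["end"] = ts  # closed by a return to band or a flip of side
            found.append(cur)
            cur = None
        if side is not None:
            if cur is None:
                cur = {"start": ts, "end": ts, "side": side,
                       "extreme": hz, "over_max_design": False}
            pick = min if side == "under" else max
            cur["extreme"] = pick(cur["extreme"], hz)
            cur["end"] = ts
            cur["over_max_design"] = cur["over_max_design"] or hz > max_design
    if cur is not None:
        found.append(cur)  # series ended while still out of band
    return found

def triage(excursions, repeat_window=600):
    """Rank excursions: past the design limit, repeated soon after, or single."""
    ranked, prev_start = [], None
    for e in excursions:
        if e["over_max_design"]:
            level = "critical"
        elif prev_start is not None and e["start"] - prev_start <= repeat_window:
            level = "high"
        else:
            level = "review"
        ranked.append((e["start"], e["side"], level))
        prev_start = e["start"]
    return ranked

if __name__ == "__main__":
    for row in triage(find_excursions(SAMPLES)):
        print(row)
```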
Vulnerability of the USA to an Attack such as Stuxnet Worm
The United States is vulnerable to a worm attack such as Stuxnet. The USA notes that the country has eighteen infrastructures that are deemed essential to the nation’s security, public health and safety, and economic vitality. These range from nuclear, water, and power management to transport and communication infrastructures. They are known to use industrial control systems, which are managed by programmable logic controllers (PLCs) (Hanson, 2011). This presents the ideal condition for a malware attack like the Stuxnet attack on the Iranian nuclear facility, where the industrial control system was the target.
It is to be noted that Stuxnet poses a significant threat to the United States. The code for the worm is still available and could be accessed and reused with some variation and effort. This may be a crucial weapon for hackers, foreign intelligence services, organized criminal gangs, and terrorists, who may adopt the Stuxnet code to carry out a cyber-attack against critical facilities in the U.S. Such an attack is likely to damage the networks of the critical infrastructures, and the manipulation of PLCs in an attack similar to Stuxnet is likely to degrade or halt the operation of facilities that supply water, gas, power, or communication. An isolated attack on a single critical infrastructure system is likely to have a cascading effect on other systems and facilities because of their interdependence. Minor attacks have been recorded since Stuxnet, which further highlights the vulnerabilities that still exist in industrial control systems. One example was the watering hole attack detected in 2014, in which manufacturers of industrial applications and machines across Europe and the USA were targeted by Havex, a remote access trojan that gathered vital data from ICS/SCADA systems (Lipovsky, 2017). While this did not affect the performance of the infrastructures, it indicated an initiative to acquire intelligence for carrying out attacks on infrastructures using the systems of the targeted manufacturers. It can thereby be concluded that the U.S. remains vulnerable to cyber-attacks.
References
Hanson, G. I. (2011). Investigation of the Stuxnet Worm and the Vulnerability of the United States to Similar Cyber Attacks. Retrieved from https://ay12-14.moodle.wisc.edu/prod/pluginfile.php/20462/mod_resource/content/1/MTR%20example%20-%20Stuxnet.pdf
Holloway, M. (2015). Stuxnet Worm Attack on Iranian Nuclear Facilities. Retrieved April 13, 2017.
Denning, D. E. (2012). Stuxnet: what has changed? Future Internet, 4(3), 672-687.
Lipovsky, R. (2017). Seven Years after Stuxnet: Industrial Systems Security Once Again in the Spotlight. Retrieved from https://www.welivesecurity.com/2017/06/16/seven-years-stuxnet-industrial-systems-security-spotlight/
Rao, S. P. (2014). Stuxnet, A New Cyber Weapon: Analysis from a Technical Point of View. Research Gate.
Singer, P. W. (2015). Stuxnet and its hidden lessons on the ethics of cyberweapons. Case W. Res. J. Int’l L., 47, 79.