Security Encyclopedia

Stuxnet

5 Fast Facts about the Worm that Crippled Iran’s Nuclear Program

In June 2010 the infosec research community revealed that Iran’s nuclear weapons program was the target of a novel nation-state sponsored cyberattack. A key uranium-enrichment facility in Natanz was crippled when a malware worm — called Stuxnet — infected Windows computers, resulting in the self-destruction of industrial equipment used for uranium enrichment. The novel attack succeeded in destroying one-fifth of Iran’s nuclear capabilities. Yet, against the backdrop of failed diplomacy on the issue of a nuclear Iran, the cyberattack was called a “peaceful” alternative to airstrikes or other intervention. 

Photo credit: AP/Space Imaging/ INTA Spaceturk

Here’s what you need to know about Stuxnet, the novel digital attack against a nation-state. 

1. Stuxnet set a precedent as the first industrial Internet of Things (IoT) attack of its kind.

Stuxnet was specially designed to inflict real-world damage outside the digital realm, incorporating self-propagation, surveillance, stealth and meaningful destruction. It determined whether an infected system was a target, it mismanaged hardware connected to that network, and it concealed itself by reporting normal operating conditions. For its “success” across those aims, Stuxnet has forever changed the way we think about attacks on critical infrastructure, including warfare conducted by nation-states. Today academics, infosec practitioners, utility board members and the military all expect IoT attacks such as Stuxnet to be repeated and iterated upon.

2. Stuxnet was hyper-specific, designed for a single use case.

Stuxnet’s estimated 10 software developers wrote 150,000 lines of code over the course of perhaps two to three years, with a single, multi-part mission in mind. Stuxnet was created to be deployed on USB drives; it inspected Windows computers by exploiting zero-day vulnerabilities to learn whether the PCs were connected to a particular kind of Siemens programmable logic controller (PLC). Once (and only if) such a PLC was detected, the worm’s rootkit component corrupted Siemens software to mismanage the centrifuge, spinning it far faster than intended until it destroyed the equipment. What’s more, Stuxnet reported normal operating conditions to the PCs, concealing itself and the damage it was causing. It even had a kill switch that ended its replication once it was no longer needed, confirmed to be a malware feature, not a bug.

Photo credit: Office of the Presidency of the Islamic Republic of Iran

3. Stuxnet was discovered, fortuitously, by security researchers.

Stuxnet was revealed to the world around mid-June 2010, but it wasn’t meant to be: with a built-in kill switch, it was meant to remain undiscovered. Stuxnet is thought to have been accidentally introduced to the open internet when a person whose computer was connected to Stuxnet-infected systems at Natanz took their computer home and connected it to the open web. This exposed it to security researchers, bloggers, and others. Antivirus software detected the malware, but Brian Krebs’s 15 July 2010 blog post was the first widely viewed report. As attention turned to Stuxnet, researchers weighed in on the novelty and severity of such an attack. They also settled on its name, derived from keywords (“.stub” and “mrxnet.sys”) found in the Stuxnet software.

4. Stuxnet required direct human deployment, rather unexotic considering the subject matter.

Stuxnet targeted Windows PCs and was deployed via infected USB drives, a far cry from the cloak-and-dagger scenarios associated with nation-state sabotage or even with many cyberattacks. Rather than bungee-cording into Iran’s Natanz facility to the sounds of machine-gun fire, Stuxnet’s architects targeted the headquarters and personnel of four systems suppliers to the rogue nation’s nuclear project. Windows, the ubiquitous, market-dominant operating system, provided a worthy entry point. This reinforced the sense of awe and dread the infosec community felt at the outsize effects on a complex target of what is also a straightforward attack. Reuters has reported that a similar attack on North Korea failed simply because the hermit kingdom is too insular, secretive, supply-chain constrained — and secure — for the attack to have succeeded.

5. Stuxnet is all but confirmed to have been deployed by the US and Israeli military.

Beyond the motive to delay Iran’s fast-paced nuclearization, the US and Israel have been implicated in the attack by everything from news reports to tacit acknowledgment. The two allies have both maintained cyberwarfare capabilities for offensive and defensive purposes, but more concretely there have been reports, research, sworn testimony, whistleblower accounts, and other data points linking the two countries to the Stuxnet attack. Far from being evasive, officials of both governments have expressed satisfaction with, and agreement on, Stuxnet’s (or their own) creation of a third way of solving intractable foreign policy or security challenges: cybertage.

That’s five things you now know about Stuxnet. To learn more, watch the Zer0Day (2016) documentary: