How it worked
Stuxnet specifically targets Windows 7 operating systems, which is, not coincidentally, the same operating system used at the Iranian nuclear power plant. The worm uses four zero-day attacks and specifically targets Siemens’ WinCC/PCS 7 SCADA software. A zero-day threat is a vulnerability that is either unknown or unannounced by the manufacturer. These are generally system-critical vulnerabilities, and once they are discovered, they are immediately patched. In this case, two of the zero-day elements had already been discovered and were close to having fixes released, but the other two had never been discovered by anyone. Once the worm was in the system, it began to exploit other systems in the local network it was targeting.
As Stuxnet worked its way through the Iranian systems, it was challenged by the system’s security to present a legitimate certificate. The malware then presented two authentic certificates, one from the circuit manufacturer JMicron, and the other from computer hardware manufacturer Realtek. Both companies are located in Taiwan just blocks away from each other, and both certificates were confirmed to have been stolen. These authentic certificates are one of the reasons that the worm was able to remain undetected for so long.
The malware also had the ability to communicate via peer-to-peer sharing when an Internet connection was present, which allowed it to upgrade as necessary and report back its progress. The servers that Stuxnet communicated with were located in Denmark and Malaysia, and both were shut down once the worm was confirmed to have entered the Natanz facility.
As Stuxnet spread throughout the Iranian systems, it targeted only the “frequency converters” responsible for centrifuges. Using variable-frequency drives as markers, the worm looked specifically for drives from two vendors: Vacon, which is based in Finland, and Fararo Paya, which is based in Iran. It then monitored the drives’ operating frequencies, and attacked only if a system was running between 807 Hz and 1210 Hz, a fairly rare range that explains how the worm could target Iranian nuclear plants so specifically despite spreading around the world. Stuxnet then set about altering the output frequency, which affects the connected motors. Although at least 15 other Siemens systems have reported infection, none have sustained any damage from the worm.
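The two checks described above (vendor of the drive, commanded frequency inside a narrow band) are also the two things a plant operator can monitor for. The following is an added example, not code from the article or from Siemens, Vacon or Fararo Paya: it parses constructed drive telemetry lines (the log format, drive names, operating envelopes and the 100 Hz step limit are assumptions), lists which drives fall inside the targeting criteria the article quotes (vendor in the two named companies, 807 to 1210 Hz), and raises alerts when a commanded frequency leaves a drive's engineered envelope or jumps by more than a plausible amount between samples, which is the kind of manipulation the article attributes to the worm.

```python
import re
from dataclasses import dataclass

# Targeting criteria as stated in the article: drives from these two vendors,
# commanded between 807 Hz and 1210 Hz. Vendor spellings are as the log writes them (assumption).
TARGETED_VENDORS = {"Vacon", "FararoPaya"}
TARGET_BAND_HZ = (807.0, 1210.0)

# Assumed per-drive engineered operating envelopes (Hz) for a sample plant.
ENVELOPES_HZ = {
    "CF1-07": (807.0, 1210.0),
    "CF2-03": (807.0, 1210.0),
    "PUMP-1": (40.0, 70.0),
}
MAX_STEP_HZ = 100.0  # assumed largest legitimate change between consecutive samples

# Constructed telemetry (not real plant data): timestamp, drive id, vendor, commanded Hz.
SAMPLE_TELEMETRY = """\
2010-06-01T10:00:00 drive=CF1-07 vendor=Vacon cmd_hz=1064.0
2010-06-01T10:00:00 drive=CF2-03 vendor=FararoPaya cmd_hz=1064.0
2010-06-01T10:00:00 drive=PUMP-1 vendor=Acme cmd_hz=50.0
2010-06-01T10:05:00 drive=CF1-07 vendor=Vacon cmd_hz=1064.0
2010-06-01T10:05:00 drive=CF2-03 vendor=FararoPaya cmd_hz=1066.0
2010-06-01T10:05:00 drive=PUMP-1 vendor=Acme cmd_hz=60.0
2010-06-01T10:10:00 drive=CF1-07 vendor=Vacon cmd_hz=1380.0
2010-06-01T10:15:00 drive=CF1-07 vendor=Vacon cmd_hz=5.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) drive=(?P<drive>\S+) vendor=(?P<vendor>\S+) cmd_hz=(?P<hz>[0-9.]+)$"
)


@dataclass
class Sample:
    ts: str
    drive: str
    vendor: str
    hz: float


def parse_line(line):
    """Parse one telemetry line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Sample(m["ts"], m["drive"], m["vendor"], float(m["hz"]))


def matches_published_criteria(vendor, hz):
    """True if a drive matches the vendor and frequency band the article attributes to the worm."""
    lo, hi = TARGET_BAND_HZ
    return vendor in TARGETED_VENDORS and lo <= hz <= hi


def drives_in_scope(lines):
    """Inventory step: which drives ever operate inside the published targeting criteria."""
    seen = {}
    for line in lines:
        s = parse_line(line)
        if s and matches_published_criteria(s.vendor, s.hz):
            seen.setdefault(s.drive, s.vendor)
    return seen


def detect_anomalies(lines):
    """Alert on commanded frequencies outside a drive's envelope or changing too fast."""
    alerts = []
    last_hz = {}
    for line in lines:
        s = parse_line(line)
        if s is None:
            continue
        lo, hi = ENVELOPES_HZ.get(s.drive, (0.0, float("inf")))
        if not (lo <= s.hz <= hi):
            alerts.append((s.ts, s.drive, "out_of_envelope", s.hz))
        prev = last_hz.get(s.drive)
        if prev is not None and abs(s.hz - prev) > MAX_STEP_HZ:
            alerts.append((s.ts, s.drive, "excessive_step", s.hz))
        last_hz[s.drive] = s.hz
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_TELEMETRY.splitlines()
    print("drives matching published criteria:", drives_in_scope(lines))
    for alert in detect_anomalies(lines):
        print("ALERT", *alert)
```

On the constructed sample, the two centrifuge drives are reported as in scope, and the last two samples for CF1-07 each raise both an envelope alert and a step alert. In a real plant the envelope and step limit should come from the process design rather than from the band an attacker happened to check for, and the telemetry should be read from a source the controller itself cannot rewrite, since the article notes the worm altered the output frequency from inside the control software.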
To first reach the nuclear facility, the worm needed to be brought into the system, possibly on a USB drive. Iran uses an “air gap” security system, meaning the facility has no connection to the Internet. This might explain why the worm spread so far, as the only way for it to infect the system was to target a wide area and act as a Trojan while waiting for an Iranian nuclear employee to receive an infected file away from the facility and physically bring it into the plant. Because of this, it will be almost impossible to know exactly where and when the infection began, as it may have been brought in by several unsuspecting employees.
But where did it come from, and who developed it?
Suspicions of where the worm originated are rampant, and the most likely single suspect is Israel. After thoroughly researching the virus, Kaspersky Labs announced that the level of attack, and the sophistication with which it was executed could only have been carried out “with nation-state support”, which rules out private hacker groups, or even larger groups that have been using hacking as a means to an end, such as the Russian Mafia, which is suspected of creating a Trojan worm responsible for stealing over $1 million from a British bank.
Israel fully admits that it considers cyberwarfare to be a pillar of its defense doctrine, and the group known as Unit 8200, an Israeli defense force considered to be the rough equivalent of the United States’ NSA, would be the most likely group responsible.
Unit 8200 is the largest division in the Israeli Defense Force, and yet the majority of its operations are unknown; even the identity of the Brigadier General in charge of the unit is classified. Among its many exploits, one report claims that during an Israeli airstrike on a suspected Syrian nuclear facility in 2007, Unit 8200 activated a secret cyber kill switch that deactivated large sections of the Syrian radar.
To further lend credence to this theory, in 2009, Israel pushed back the date of when it expects Iran to have rudimentary nuclear weaponry to 2014. This may have been a result of hearing of problems, or it could suggest that Israel knew something no one else did.
The U.S. is also a prime suspect, and in May of this year, Iran claimed to have arrested 30 people it says were involved in helping the U.S. wage a “cyber war” against Iran. Iran has also claimed that the Bush administration funded a $400 million plan to destabilize Iran by using cyber attacks. Iran has claimed that the Obama administration has continued that same plan, and even sped up some of the projects. Critics have stated that Iran’s claims are simply an excuse to stamp out “undesirables”, and the arrests are one of many points of contention between Iran and the U.S.
But as the virus continues to be studied and more answers emerge regarding its function, more mysteries are being raised about its origins.
According to Microsoft, the virus would have taken at least 10,000 hours of coding, and taken a team of five people or more, at least six months of dedicated work. Many are now speculating that it would require the combined efforts of several nations’ intelligence communities all working together to create the worm. While the Israelis might have the determination and the technicians, some are claiming that it would require the United States’ level of technology to code the malware. To know the exact nature of the Siemens machinery to the extent that Stuxnet did might suggest German involvement, and the Russians may have been involved in detailing the specs of the Russian machinery used. The worm was tailored to operate on frequencies that involved Finnish components, which suggests that Finland, and perhaps NATO is involved as well. But there are still more mysteries.
The worm was not detected because of its actions at the Iranian nuclear facilities, but rather as a result of the widespread infection of Stuxnet. The central processing core of the Iranian nuclear processing plant is located deep underground, and is totally cut off from the Internet. For the worm to infect the system, it must have been brought in on the computer or a flash drive of a member of the staff. All it would take is a single employee to take work home with them, then return and insert something as innocuous as a flash drive into the computer, and Stuxnet would begin its silent march to the specific machinery it wanted.
But the question then becomes: Why did the people responsible for the virus develop such an incredibly sophisticated cyberweapon, and then release it in what is arguably such a sloppy method? If the goal was to remain undetected, the release of a virus that has the ability to replicate at the speed that it has shown is sloppy. It was a matter of when, not if, the virus would be discovered.
The most likely reason is that the developers simply didn’t care. To plant the malware more carefully would have taken far more time, and the transmission of the worm into the specific systems might take much longer. If a country is looking for immediate results to halt what it might see as an impending attack, then speed might trump caution. The Iranian nuclear plant is the only infected system to report any real damage from Stuxnet, so the risk to other systems seems to be minimal.
So what next?
Siemens has released a detection and removal tool for Stuxnet, but Iran is still struggling to remove the malware completely. As recently as November 23, the Iranian facility of Natanz was forced to shut down, and further delays are expected. Eventually, the nuclear program should be back up and running.
In a separate, but possibly related story, earlier this week two Iranian scientists were killed by separate but identical bomb attacks in Tehran, Iran. At a press conference the following day, President Ahmadinejad told reporters that “Undoubtedly, the hand of the Zionist regime and Western governments is involved in the assassination.”
Earlier today, Iranian officials claimed to have made several arrests in the bombings, and although the suspects’ identities have not been released, Iran’s Intelligence Minister has said, “The three spy agencies of Mossad, CIA and MI6 had a role in the (attacks) and, with the arrest of these people, we will find new clues to arrest other elements.”
The combination of the bombings and the damage caused by the Stuxnet virus should weigh heavily over the upcoming talks between Iran and a six-nation confederation of China, Russia, France, Great Britain, Germany, and the U.S. on December 6 and 7. The talks are meant to continue the dialogue regarding Iran’s possible nuclear ambitions.
An interesting and well-written article. Kudos to you, Mr. Fleming.
Really incredible story. It’s like something out of 24!
Well, as we have shown the world…if we need to we can bomb them next.
Back to the 20th century for Iran. They will get the God Almighty strike they pray for. Moses split the Red Sea and Benny will nuke Iran. They had it coming for a long time.
Clearly, Stuxnet was written by people with more degrees than they've had dates!
Keep in mind that if Iran does get a nuke it will be Hiroshima-sized; any lobbed at Israel will be returned with thermonuclear (hydrogen bombs) or neutron bombs, i.e. no more Iran, and plenty of room for the Palestinians….
Thanks Mannie for reminding us what this article is about. As said, a well-researched article on how subtle a substantial attack can nowadays look. To those criticizing Siemens, has it occurred to you that if Siemens would not sell the centrifuges to Iran, someone else would? Or that Siemens might actually have been helpful about the design of the virus? It is for sure much easier to design one against well-known systems largely available in the West. No doubt that Iran’s ambitions are frightening and that they should be dealt with, as they were in this case and I must add in a remarkably sophisticated way. Seriously damaging the Iranian nuclear program quietly and without starting World War 3 was in my opinion the most valid way to deal with the issue.
I think blaming Siemens is the wrong conclusion to this article and misses the point. Siemens or not Siemens does not fundamentally change the equation. Smart action, however, can.
By the way, Siemens surely pays Congressmen far more than you ever will, sounds like a tough battle.
I think we need to go viral on this. If you are a US citizen do as I did. Write your congressmen this.
"Dear congressmen,
I just read an article which stated that "Siemens" is responsible for helping the IRANians build their centrifuges. See "http://www.digitaltrends.com/computing/bits-before-bombs-how-stuxnet-crippled-irans-nuclear-dreams/2/" We have business with Siemens in this state as well as with other states. Why can't we use our leverage with Siemens to get them to stop their collusion with the enemy? IRAN supports all the terror groups in the Middle East. How come we can't tell Siemens either they want to do business with us or the IRANians, not both? I want you to bring this up in the Senate. I think your strong support of the defense establishment would be helpful in stopping Siemens. Also, I'm sure each computer OS the IRANians use is licensed from Microsoft. How can we let the IRANians continue to license Microsoft software? Should Microsoft revoke our enemies' licenses? And if they are using the software illegally, shouldn't we go after them in an international court of law? They are using our technology to fight us. We have mechanisms in place to fight them. All we have to do is use them. Go after them economically. Don't let them have Windows 7. Send them back to the stone age where they belong!"
I'm sure if the people speak they will be heard. While in IRAN and elsewhere they can keep being quashed by their GOVT while complaining about everyone else! Let freedom ring!
Good point, Barry. I did some digging and you aren't alone. The protests got so bad that Siemens did cut ties with Iran. Eventually. http://www.jpost.com/IranianThreat/News/Article.a…
Why is Siemens allowed to deal with IRAN to build the cents? Siemens should not be allowed to trade with the USA. Such a threat would stop the IRANIANS in a day. I don't understand how the Germans let this relationship continue! As for the IRANIANS, I think they are very clever. So too were the Germans of bygone days. The fate is sealed in their 12th century attitudes towards females. Their repression of their own people will be their downfall, just you wait and see.
I sure hope the Iranians hack the Israelis back for this stunt
And I hope that Iran is incapacitated BEFORE they get the capability to launch ANY nukes. Iran is an adolescent regime run by a paranoid psychopath (president). They will get what they deserve eventually. I mean, really, the ONLY reason the U.S. hasn't invaded or declared war on Iran is because the Iranian region holds SO many of the worlds historic artifacts in cave drawings and original locations from thousands of years ago. I say wipe THEM (Iranians) off of the face of the Earth, starting with Ahmadinejad.
Come on, there's a lot more to it than paranoid psychopaths. It's a religious government led by the Muslims' version of the pope. Your country is drowning in propaganda just like Iran; take your head out of the bucket and have a look around.
This guy is typical of the racist zionists who run Israel. He is filled with self righteous hatred toward an entire race of people, Arabs. He believes that it is righteous to advocate the mass murder of all of these people because he believes them to be inferior. He believes that God has chosen his people as superior to the Arabs and all other people. He believes that his god has given him the title to all the real estate in Jerusalem.
He thinks we should give him weapons and support his genocidal racist ideas.
Our government agrees. Our government is giving them over 3 BILLION dollars a year to carry out a broad campaign of assassination, sabotage and espionage against all of their neighbors.
It will not last.
I agree Ahmadinejad is a nutbag, but seriously people, are you reading the same article I am? It was a well written article regarding the advancement of viruses, specifically outlining the Stuxnet virus, how it incapacitated Iran's centrifuges, and how the virus works. There is no between the lines propaganda or support of Iran's hateful regime, which I agree, is hateful. I believe Mr. Fleming has written a really thorough, insightful article.