
Today, we’re going to be talking about the famous Stuxnet attack, which was first discovered in 2010. Stuxnet is one of the most famous cyberattacks of all time, renowned for both its complexity, as well as its ramifications in the physical world. Fortunately, most of us aren’t going to have to face an attacker with the sophistication of the threat actor behind Stuxnet—unless we’ve made some very powerful enemies.
Stuxnet was a cyberattack that targeted the Iranian nuclear program. The specifics are hard to know, but it is believed that it managed to destroy up to 1,000 centrifuges used in uranium enrichment at the Natanz nuclear facility in Iran, about ten percent of the total capacity. And it was achieved all via cyber—no missiles or drones necessary.
But how did it all happen?
The beginnings of Stuxnet
It’s rumored that preparations for the attack go all the way back to 2005, with the virus first being deployed in 2007. Another two updated versions of Stuxnet appeared in early 2010. But before we can understand just how sophisticated this attack is, we need to consider the target. Iran’s nuclear program is immensely valuable to the country, and carefully guarded against its enemies. Many of its most sensitive systems are air-gapped and not connected to the Internet in order to make it incredibly difficult to infect them.
This raises the question: How do you get a virus onto air-gapped industrial control systems (ICSs)? Through trusty old USB drives. We aren’t sure of the exact method that was used. Sure, the attackers could have just loaded up Stuxnet on some flash drives and littered them around the carpark, hoping for someone to insert them into the air-gapped network. However, given the sophistication of the rest of the attack, it seems likely that a more careful approach was taken.
Once the USB drive gets plugged in, we know much more about how it works. First of all, Stuxnet is a fairly promiscuous piece of malware. It spreads easily, but it lies low and doesn’t cause any problems unless a few conditions are satisfied—it only aims to harm a certain type of industrial control system. An infected system drops a copy of the virus as well as a link file onto any flash drive that is attached. Once this flash drive is inserted into another machine and the user opens the flash drive through an app like Windows Explorer, Stuxnet abuses the CVE-2010-2568 zero-day: the link file points to the copy of Stuxnet on the drive and causes it to execute. This allowed it to spread even if autorun was disabled. On top of this, it used both CVE-2008-4250 and CVE-2010-2729 to spread via internal networks.
The ultimate goal of Stuxnet is to target a specific type of programmable logic controller (PLC) that is used by the Iranian nuclear program. Once it ends up on one of these systems, it checks the speeds that the frequency converter drives are operating at. If the speed is between 807 Hz and 1210 Hz (which is very high), the system is likely to only be used in a narrow set of applications, one of which is as part of the centrifuges for enriching uranium.
The fact that Stuxnet only acts upon PLCs within this range shows just how targeted the attack was—it appears that the attackers went to great lengths to avoid destroying PLCs used across the world for other applications.
On the PLCs that do operate within this range, Stuxnet changes the output frequency to 1410 Hz, then 2 Hz and then 1064 Hz over a period of months. Changing the frequency sabotages the system and stops it from running properly, which is likely what led to Iran needing to replace the 1,000 centrifuges.
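The frequency behaviour described above is exactly what an independent process monitor can catch. The following is an added example, not code from the original article or from any real ICS product: it runs a band check and a rate-of-change check over constructed drive telemetry, assuming the monitor reads frequencies from a source the PLC cannot rewrite and that a 50 Hz jump between one-minute samples is an unreasonable step for this process.

```python
from dataclasses import dataclass

# Constructed sample telemetry: (seconds since start, drive frequency in Hz).
# Normal operation sits inside the 807-1210 Hz band named in the article; the
# outliers mimic the 1410 Hz / 2 Hz / 1064 Hz sequence Stuxnet commanded.
SAMPLE_TELEMETRY = [
    (0, 1007.0), (60, 1008.0), (120, 1007.5),
    (180, 1410.0),   # pushed above the operating band
    (240, 1410.0),
    (300, 2.0),      # slammed down to near standstill
    (360, 1064.0),   # back inside the band, but a huge step from 2 Hz
    (420, 1064.0),
]

BAND_LOW_HZ, BAND_HIGH_HZ = 807.0, 1210.0  # process band from the article
MAX_STEP_HZ = 50.0  # assumed tolerable change between consecutive samples


@dataclass
class Alert:
    t: int          # sample time in seconds
    freq_hz: float  # observed frequency that triggered the alert
    reason: str


def check_telemetry(samples, low=BAND_LOW_HZ, high=BAND_HIGH_HZ,
                    max_step=MAX_STEP_HZ):
    """Return one Alert per rule violation, in sample order.

    Rule 1: the frequency must stay inside [low, high].
    Rule 2: the change from the previous sample must not exceed max_step.
    A sample can trip both rules, so it may yield two alerts.
    """
    alerts = []
    prev = None
    for t, f in samples:
        if not (low <= f <= high):
            alerts.append(Alert(t, f, f"outside band {low:.0f}-{high:.0f} Hz"))
        if prev is not None and abs(f - prev) > max_step:
            alerts.append(Alert(t, f, f"step of {abs(f - prev):.1f} Hz "
                                      f"exceeds {max_step:.0f} Hz"))
        prev = f
    return alerts


if __name__ == "__main__":
    for a in check_telemetry(SAMPLE_TELEMETRY):
        print(f"t={a.t:4d}s  {a.freq_hz:7.1f} Hz  {a.reason}")
```

The step check matters as much as the band check: the return to 1064 Hz at t=360 is inside the band and would pass a band-only monitor.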
All up, Stuxnet did not completely annihilate Iran’s nuclear program—it’s likely that it only brought down a fraction of one facility. However, given that this occurred back in 2010, it was a radical departure to how cyberweapons had been used in the past, and how they can impact physical systems in the real world.