Stuxnet and Beyond:
The Age of Cyberwarfare
Kim Zetter
“Netwars are not real wars, traditionally defined. But netwar might be developed into an instrument for trying, early on, to prevent a real war from arising.”
“As an innovation in warfare, we anticipate that cyberwar may be to the 21st century what blitzkrieg was to the 20th century.”
1993 RAND article
Air Force - 1st Cyber Division
August 21, 1995
• Low cost of entry to conduct campaigns
• Flexible base of deployment - didn’t have to be in range of target
• Diverse and ever-expanding set of targets
1997
Build roadmap of technologies on shelves
Anticipate future technologies
Develop attack capabilities
Stockpile/catalogue hacking tools
- viruses, worms, logic bombs, backdoors
Natanz
Located about 200 miles south of Tehran
Centrifuge Halls in Process of Being Buried - Sept. 2002
Buried Halls Invisible from Air
Timeline
Aug 2002: Natanz exposed; Iran claims secret enrichment program harmless; nuclear energy is its basic right
2003-2004: Western attempts to halt program result in suspension agreement
Sept. 2005: Iran announces withdrawal from suspension agreement
Feb 2006: Iran begins enriching uranium in pilot plant; Israel seeks U.S. backing for airstrike
Feb 2006: 50 centrifuges at pilot plant explode
Feb 2007: First centrifuges installed in underground hall; by June, 1,400 installed/enriching gas
April 2008 - 3,000 centrifuges installed; Israel fears Iran will master enrichment and by 2010 will have enough LEU to produce bomb
Nov. 2009: ~ 8,700 Centrifuges Installed
Dec. 2009 - Jan. 2010 IAEA notices 1,000-2,000 centrifuges replaced
Photo: IAEA
June 2010 - VirusBlokAda office (Belarus)
Sergey Ulasen - VirusBlokAda
Liam O’Murchu - Symantec
Eric Chien - Symantec
Nico Falliere - Symantec (Paris)
Two Parts - Missile and Payload
Missile - Guidance and Delivery System
7 Ways to Spread
Four Zero-Day Exploits (actually five)
- .LNK exploit
- Print-spooler (computers w/shared printer)
- Task scheduler (privilege escalation)
- Windows keyboard (privilege escalation)
Network shares
Step 7 Project Files
Hardcoded Siemens database password
Plus: Stolen digital certificate
Peer-to-peer for updating
Payload - Explosives
Stuxnet Seeks: Siemens Step 7/WinCC Control Software
Siemens S7-315 and S7-417 PLCs
PLC - Programmable Logic Controller
Warhead - Two Payloads
Stuxnet 0.5 - discovered in late 2012 - One payload
• S7-417 PLC (fully enabled)
Stuxnet 1.0 - discovered in July 2010 - Two payloads
• S7-315 PLC
• S7-417 PLC (mysteriously disabled)
Stuxnet 0.5 - Launched 2007-2008
Targets S7-417 PLC Controlling Valves
Stuxnet 0.5
30 days recording normal activity
Closes exit valves - gas goes in, but not out
Waits 2 hrs or until pressure increases 5x
Feeds false data to operators; disables safety
Rinse/Repeat
• When pressure increases 5x normal level, gas condenses/solidifies
• Solid gas catches in spinning rotors causing imbalance - rotor strikes centrifuge wall
• Wobbles, teeters off balance
• Whirling/unmoored centrifuge at high speed = destruction
• Wasted gas
Consequences
First centrifuges installed Feb 2007 - Iran plans to install 3,000 by May
By August only 1,900 installed; takes until Nov to install rest
124 kg of enriched uranium expected; got only 75 kg
Evidence of Effects
Jan 2009 - Bush briefs Obama; Obama re-authorizes and accelerates attack
June 2009 - Stuxnet 1.0 launched
March/April 2010 - at least two more rounds of Stuxnet 1.0 launched
2009 - 2010
Stuxnet 1.0: Targets S7-315 Controlling Frequency Converters
Stuxnet 1.0 - Launched 2009-2010
13 days records normal operations
Increases frequency to 1,410 Hz for 15 min. (close to max speed)
Reduces frequency to 1,064 Hz
After 26 days, reduces frequency to 2 Hz for 50 minutes
Reduces to 1,064 Hz
Feeds operators false data; disables safety system
After 26 days - Rinse/Repeat
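Both payload sequences above share one defender-relevant feature: the PLC is made to replay recorded "normal" data to the operators while the physical process (valve pressure for Stuxnet 0.5, converter frequency for Stuxnet 1.0) is driven out of its safe range. The following is an added example, not code from the talk or from any Siemens product: a simple out-of-band monitor that compares what the control software reports against an independent sensor feed and against hard engineering limits. The telemetry, the engineering bands (800-1,200 Hz, 0.5-2.0 relative pressure) and the mismatch tolerances are constructed for illustration; the 1,410 Hz, 2 Hz, 1,064 Hz and 5x pressure values are the ones the slides give.

```python
"""Out-of-band consistency monitor for centrifuge process telemetry.

Added example (not part of Kim Zetter's slides). It shows the check that
a replayed-HMI attack like the ones described above would defeat if the
operator trusted only the control software: compare the HMI reading with
an independent sensor and with fixed engineering limits. All sample data,
bands and tolerances below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t_min: int           # minutes since monitoring started (constructed)
    hmi_value: float     # value the control software shows the operator
    sensor_value: float  # value from an independent sensor the PLC cannot write


@dataclass(frozen=True)
class Alert:
    t_min: int
    kind: str    # "out_of_band" or "hmi_mismatch"
    detail: str


def check_channel(samples, name, low, high, tolerance):
    """Return alerts for one process variable.

    low/high: engineering limits applied to the independent sensor.
    tolerance: largest |hmi - sensor| before the HMI feed is distrusted.
    """
    alerts = []
    for s in samples:
        # Physical excursion, regardless of what the operator screen says.
        if not (low <= s.sensor_value <= high):
            alerts.append(Alert(s.t_min, "out_of_band",
                f"{name}: sensor {s.sensor_value:g} outside [{low:g}, {high:g}]"))
        # Replayed "normal" data: the HMI disagrees with reality.
        if abs(s.hmi_value - s.sensor_value) > tolerance:
            alerts.append(Alert(s.t_min, "hmi_mismatch",
                f"{name}: HMI shows {s.hmi_value:g}, sensor reads {s.sensor_value:g}"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. {'out_of_band': 3, 'hmi_mismatch': 3}."""
    counts = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


# Constructed frequency-converter telemetry (Hz). The HMI keeps showing the
# recorded 1,064 Hz while the drive is pushed to 1,410 Hz and later to 2 Hz.
FREQ_SAMPLES = [
    Sample(0, 1064.0, 1064.0),
    Sample(10, 1064.0, 1064.0),
    Sample(20, 1064.0, 1410.0),
    Sample(30, 1064.0, 1410.0),
    Sample(40, 1064.0, 1064.0),
    Sample(50, 1064.0, 2.0),
]

# Constructed valve-pressure telemetry (relative to normal = 1.0). The HMI
# replays 1.0 while exit valves are closed and pressure climbs to 5x.
PRESSURE_SAMPLES = [
    Sample(0, 1.0, 1.0),
    Sample(60, 1.0, 1.5),
    Sample(120, 1.0, 5.0),
]


def frequency_alerts():
    # 800-1,200 Hz is a constructed safe band, not a documented Natanz value.
    return check_channel(FREQ_SAMPLES, "frequency_hz", 800.0, 1200.0, 5.0)


def pressure_alerts():
    # 0.5-2.0 relative pressure is likewise a constructed safe band.
    return check_channel(PRESSURE_SAMPLES, "pressure_rel", 0.5, 2.0, 0.1)


if __name__ == "__main__":
    for alert in frequency_alerts() + pressure_alerts():
        print(f"t={alert.t_min:>4} min  {alert.kind:<13} {alert.detail}")
    print(summarize(frequency_alerts()), summarize(pressure_alerts()))
```

The design point is that the second check works even when the first one would not: the pressure sample at 60 minutes is still inside the engineering band, but the HMI/sensor disagreement already reveals that the operator display has been decoupled from the process. The independent sensor has to be something the PLC cannot write to, otherwise the monitor inherits the same false data.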
June 2009 - 12 cascades in Module A26 enriching gas; 6 under vacuum but not enriching
Aug. 2009 - 10 cascades enriching; 8 now under vacuum not enriching
Nov. 2009 - 6 cascades enriching; 12 under vacuum not enriching
Dec. 2009 - Jan. 2010 - IAEA inspectors notice workers replacing centrifuges at unusual rate
Estimated 1,000 - 2,000 centrifuges replaced
Effects Evident
Timeline
2003 - 2005: Attempts to halt Iran’s nuclear program; suspension agreement
2004 - Centrifuges seized from Libya
2005 - Domain for Stuxnet 0.5 C&C server registered
Feb 2006: Iran withdraws from suspension agreement; begins enriching uranium in pilot plant
2006 - Bush advisors propose digital weapon
2006 - 2007 - Centrifuges tested at Oak Ridge; code written
Feb 2007: First centrifuges installed in underground hall; by June, 1,400 centrifuges installed/enriching gas
Nov. 2007 - Stuxnet 0.5 in the wild; targets valves
April 2008 - 3,000 centrifuges installed; US/Israel fear Iran will master enrichment by year end; by 2010 will have enough LEU to produce bomb
July 2008 Fanny worm compiled (uses .LNK exploit)
June 2009 - Stuxnet 1.0 unleashed with .LNK exploit; targets frequency converters
Sept. 2009 - Obama announces discovery of 2nd secret uranium enrichment plant at Fordow
March - April 2010 - Stuxnet 1.01 unleashed; targets frequency converters
June 2010 - Stuxnet discovered
Iranians Didn’t Know Cause
How Did Stuxnet Get Caught?
Stuxnet 1.0 - Three Waves of Attack June 2009; March and April 2010
Five Patient Zeroes
Domain A: Foolad Technic
Domain B: Behpajooh
Domain C: Neda Industrial Group
Domain D: CGJ (Control Gostar Jahed?)
Domain E: Kala Electric (Kalaye)
March 2010 Attack
Spread to 100k+ Machines Around World
Did Stuxnet Succeed?
Enriched Uranium Didn’t Decline Substantially
Mistakes
Got caught
In 500kb of code just one bug - printer spooler error
Compatibility issue causing BSoD
Zero-Days
Failure to Kill Code
Pros of Digital Weapons
Save lives/prevent war?
If done right - no collateral damage
Plausible deniability
Cons
Difficult to control
Easily duplicated for blowback
Lowers bar for entry - teenager can build digital weapon
Legitimized their use for resolving political disputes
Opens door for similar attacks
U.S. lost moral high ground
Could attacker in Russia, China or North Korea make something in U.S. blow up simply by sending malicious commands via computer?
“Somebody crossed the Rubicon” - Gen. Michael Hayden