Stuxnet Worm and the Iranian Nuclear Program


The Stuxnet worm has been discussed to death, and for good reason. It is a valuable historical example that teaches us what to look for and which mistakes to learn from, and, most significantly, it raised awareness of the rise of cyberattacks on Industrial Control Systems (ICS).

In 2010, a highly complex piece of malware was discovered lurking within Iran’s nuclear program. Its discovery was by chance: because it was set to spread indiscriminately, it began to infect machines well beyond its intended targets. Once revealed, the malware was named the Stuxnet worm, and it was believed to be responsible for substantial damage to the nuclear program, caused by targeting the centrifuges managed by the ICS software Siemens Step 7.

The Stuxnet worm presented a horrifying revelation: it marked the ushering in of a new era of warfare conducted through cyberattacks. This was not news to people at the time; it was not a question of how, but of when. In 2007, Dr Samuel Liles had already hinted at this at a conference on information warfare, highlighting that the highly connected world is “one keystroke away from substantial disruption of support systems and destruction of key infrastructure.” (Liles 2007, p. 1) [1]

Stuxnet’s primary function and final goal was to gain control of Industrial Control Systems (ICS). The worm had three parts to its operation: a payload to execute; a linking file that carries out the propagation of the worm; and a rootkit that conceals the malicious files and processes to prevent detection.

The worm exploited multiple zero-day vulnerabilities: in the Microsoft Windows OS (a shortcut vulnerability [2], a print spooler vulnerability [3] and a privilege escalation vulnerability [4]) and in the Siemens Step 7 SCADA software [5] [6].

This is very unusual, as most malware does not exploit multiple zero-day vulnerabilities in one sitting; attackers usually reserve them for other exploits. Zero-day vulnerabilities are precious: once they are used, they become exposed to the public and the security community.

Directory of the Stuxnet worm payload. Not included in the screenshot are Dropper.exe and another .dll file. Source: Wang et al. (2012) [7]

A highly summarised overview of the Stuxnet worm’s behaviour is as follows:

  1. The initial attack vector is an infected removable drive.
  2. When the drive is connected to a Windows system, the worm executes, disguising itself as .sys files that it copies into the system’s drivers subdirectory.
  3. Registry keys are created that register these .sys files as services.
  4. If the program does not have administrator privileges, the logic turns to exploiting CVE-2010-2743 by loading a keyboard layout file.
  5. Stuxnet injects itself into the iexplorer.exe process and kills security-related processes to evade detection.
  6. Stuxnet checks specifically for the Siemens Step 7 software.
  7. Stuxnet gains control of the ICS through the default password configuration.
  8. Stuxnet communicates with the attackers over port 80, contacting two URLs set up as command-and-control sites.
  9. The attackers modify code on the PLCs (programmable logic controllers).
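As an added defender-side example (not code from the original post), the following Python check targets steps 2 and 3 above: it parses an export of the Windows Services registry key and flags kernel-driver services outside a known-good baseline whose ImagePath is a .sys file in the drivers directory. The export text, the baseline and the service names are constructed placeholders, not Stuxnet artifacts.

```python
import re

# Constructed fragment of a HKLM\SYSTEM\CurrentControlSet\Services export
# (.reg-style lines, single backslashes). Service names are placeholders.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"Type"=dword:00000001
"ImagePath"="system32\drivers\disk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000010
"ImagePath"="%SystemRoot%\System32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv]
"Type"=dword:00000001
"ImagePath"="\??\C:\Windows\system32\drivers\exampledrv.sys"
"""

BASELINE = {"disk", "Spooler"}  # constructed known-good service names
SERVICE_KERNEL_DRIVER = 1        # Type value for a kernel-mode driver

KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]")
VALUE_RE = re.compile(r'"(\w+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")')

def parse_services(export):
    """Return {service_name: {value_name: value}} from .reg-style text."""
    services, current = {}, None
    for line in export.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            services[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, dword, text = value.groups()
            services[current][name] = int(dword, 16) if dword else text
    return services

def suspicious_drivers(export, baseline):
    """Non-baseline kernel-driver services whose image is a .sys file in the drivers directory."""
    flagged = []
    for name, values in parse_services(export).items():
        path = values.get("ImagePath", "").lower()
        is_driver = values.get("Type") == SERVICE_KERNEL_DRIVER
        dropped_sys = "\\drivers\\" in path and path.endswith(".sys")
        if is_driver and dropped_sys and name not in baseline:
            flagged.append(name)
    return flagged
```

Running `suspicious_drivers(SAMPLE_EXPORT, BASELINE)` on the constructed export returns `['exampledrv']`; on a real host the baseline would be taken from a clean image and the export from `reg export`.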

Before Stuxnet, the general consensus was that ICS were immune to cyber attacks; this assumption was proved very wrong. Even before the Stuxnet worm was discovered, the Refahiye pipeline had been attacked two years prior. Nothing is ever truly secure and impenetrable, even with the tightest controls and tests.

Stuxnet has not just paved the way for a new generation of cyber warfare, it has also spawned descendants such as the Duqu and Flame worms. The threats to ICS have ramped up beyond these offshoots as well. Malware frameworks that operate on a similar level to Stuxnet and disrupt control systems include Havex (2013 attack on several industrial sectors), Industroyer/Crashoverride (2016 attack on the Ukraine power grid) and TRISIS (2017 attack on Schneider Electric).

An in-depth analysis of the functioning of the Stuxnet worm was presented at the Network Computing and Information Security Conference (2012) [7] and can be consulted for the finer details.

Reference List

1. Liles, Samuel. (2007). Cyber warfare compared to fourth and fifth generation warfare as applied to the Internet. pp. 1–3. doi:10.1109/ISTAS.2007.4362225.
2. CVE-2010-2568. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568
3. CVE-2010-2729. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2729
4. CVE-2010-2743. https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2743
5. CVE-2010-2772. https://nvd.nist.gov/vuln/detail/CVE-2010-2772
6. CVE-2012-3015. https://nvd.nist.gov/vuln/detail/CVE-2012-3015
7. Wang, Yong, Gu, Dawu, Peng, Daogang, Chen, Shuai & Yang, Heng. (2012). Stuxnet Vulnerabilities Analysis of SCADA Systems. doi:10.1007/978-3-642-35211-9_81.