How the Worm Turned
Stuxnet versus the Iranian nuclear program.
Dec 13, 2010, Vol. 16, No. 13 • By JONATHAN V. LAST
Stuxnet spread in other ways, too. It was not designed to propagate over the Internet at large, but could move across local networks using print spoolers. In any group of computers which shared a printer, when one computer became infected, Stuxnet quickly crawled through the printer to contaminate the others. Once it reached a computer with access to the Internet, it began communicating with command-and-control servers located in Denmark and Malaysia. (Whoever was running the operation took these servers offline after Stuxnet was discovered.) While they were functional, Stuxnet delivered information it had gathered about the systems it had invaded to the servers and requested updated versions of itself. Several different versions of Stuxnet have been isolated, meaning that the programmers were refining the worm, even after it was released.
Finally, there’s the actual payload. Once a resident of a Windows machine, Stuxnet looked for WinCC and PCS 7 SCADA programs. If the machine had neither of these, then Stuxnet merely went about the business of spreading itself. But on computers with one of these two programs, Stuxnet began reprogramming the programmable logic control (PLC) software and making changes in a piece of code called Operational Block 35. For months, no one knew exactly what Stuxnet was looking for with this block of code or what it intended to do once it found it. Three weeks ago, that changed.
As cybersecurity engineer Ralph Langner puts it, Stuxnet was one weapon with two warheads. The first payload was aimed at the Siemens S7-417 controller at Iran’s Bushehr nuclear power plant. The second targeted the Siemens S7-315 controller at the Natanz centrifuge operation, where uranium is processed and enriched. At Bushehr, Stuxnet likely attempted to degrade the facility’s steam turbine, with unknown results. But the attack on Natanz seems to have succeeded brilliantly.
Once again, Stuxnet’s design was unexpectedly elegant. With control of the centrifuge system at Natanz, the worm could have triggered a single, catastrophic incident. Instead, Stuxnet took over the centrifuge’s frequency converters during the course of everyday operation and induced tiny bursts of speed in the machinery, followed by abrupt decelerations. These speed changes stressed the centrifuge’s components. Parts wore out quickly, centrifuges broke mysteriously. The uranium being processed was corrupted. And all the while, Stuxnet kept sending normal feedback to the Iranians, telling them that, from the computer’s standpoint, the system was operating like clockwork. This slow burn went on for a year, with the Iranians becoming increasingly exasperated by what looked like sabotage, and smelled like sabotage, but what their computers assured them was perfectly routine.
In sum, Stuxnet wasted a year’s worth of enrichment efforts at Natanz, ate through centrifuge components and uranium stores, sowed chaos within Iran’s nuclear program, and will likely force Iran to spend another year disinfecting its systems before they can operate at peak levels again. All in all, a successful operation.
Who deserves credit for Stuxnet? There are three possibilities: (1) a lone state actor; (2) a consortium of states; or (3) a private group. Each of these is at first glance plausible. But the exploit was even more complicated than it appears on first inspection.
The planning and implementation of Stuxnet involved three layers of complication. First, there’s the sophistication of the worm itself. Microsoft estimates that the coding of Stuxnet consumed somewhere in the neighborhood of 10,000 man-work days. With a team of 30 to 50 programmers, that’s a year or two of effort, at least. Between the workload, the zero day exploits, and the innovative design of the worm, Stuxnet required not just time but enormous technical sophistication and sizable financial resources.
On the next level, the creators of Stuxnet needed competency in the more traditional cloak-and-dagger elements of espionage. The digital verification certificates had to be stolen from the companies in Taiwan, and the infected USB drives had to be planted on or around the community of people who worked in the Iranian nuclear program—modern espionage tradecraft at its best.