Stuxnet – Analyzed

Malware was found on some machines in Iran that kept rebooting for no apparent reason. Sergey Ulasen, then working for VirusBlokAda, a small antivirus company in Belarus, received a call from a curious tech-support operator who had been contacted by an Iranian customer about the rebooting problem. (The reboots turned out to be a conflict between the antivirus installed on the machine and Stuxnet's kernel-mode rootkit driver.)

After analyzing it for some time, Ulasen published his findings to Microsoft and the security community. The work was then taken up by Liam O'Murchu and Eric Chien's team at Symantec, who produced the detailed dossier on the malware. It was Microsoft who coined the name "Stuxnet", built from two strings found in the code: the ".stub" section name and the "MrxNet.sys" driver.

Several teams around the world researched it in parallel, and they concluded that Stuxnet was the first digital cyber weapon (not quite the first, if you read Fred Kaplan's Dark Territory) launched to sabotage the Iranian uranium enrichment plant at Natanz.

Diversions:

  • There was an underlying conflict: if Iran gained nuclear weapons capability it could undermine Israel's dominance of the Middle East region, which the US saw as a threat.
  • The US codename for Stuxnet's development was reportedly "Operation Olympic Games".
  • Stuxnet was launched because the alternative for sabotaging the Natanz plant was to bomb it, which the US judged infeasible since it could backfire the way its campaigns against the Taliban or Al-Qaeda had. A cyber weapon is stealthier, with far less chance of being traced back to whoever launched it. (That physical damage could be done through a network had already been shown in the 2007 "Aurora Generator Test" at Idaho National Laboratory, where repeatedly opening and closing a protective relay out of phase with the grid destroyed a diesel generator.)

For Intermediates:

Main Features:

  1. Spread via USB drives, so that an air-gapped network could be reached through the first infected machine ("patient zero").
  2. Check whether the host is a Windows machine running Siemens Step 7/WinCC, and if so whether it is connected to a specific Siemens PLC model (the S7-315 and S7-417). These PLCs drove the centrifuges that enrich uranium by spinning uranium hexafluoride (UF6) gas fast enough to separate the slightly lighter U-235 isotope from U-238.
  3. Install a Windows kernel driver signed with a code-signing certificate stolen from Realtek in Taiwan (a later driver was signed with a certificate stolen from JMicron). Signing mattered because Windows either refuses to load unsigned kernel drivers (64-bit Vista and later) or warns the user (Windows XP), and Stuxnet's operators wanted the installation to make no noise.
  4. The Stuxnet core code then:
  • checks whether the host is already infected
  • scans nearby hosts and copies itself to them when the Windows fingerprint matches
  • installs a rootkit to hide the infection on Windows, and a second rootkit on the PLC that hides the injected code blocks from the Step 7 software
  • intercepts the traffic between the PLC controller software and the actual controller and modifies it
  • sends spurious commands to the frequency converters driving the centrifuges, running them well above their rated speed and then dropping them abruptly, so that the rotors are damaged or destroyed
  • conceals the resulting behaviour: normal readings recorded earlier are replayed to the PLC monitoring software as "all OK", so that the engineers at Natanz do not get suspicious.
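The two ideas in the list above, a payload that fires only when every fingerprint check passes and a man-in-the-middle that replays recorded "OK" telemetry while it drives the equipment out of spec, are easier to see in a toy model than in prose. The following Python is an added illustration, not Stuxnet's code or anything from the Symantec dossier. The drive frequencies (about 1064 Hz normally, pushed to 1410 Hz and then down to 2 Hz) are the publicly reported figures for the frequency-converter attack; the `Host`, `Drive` and `PlcMitm` classes, the 200 Hz "stress band", and the sample hosts are constructed for this example. The last function shows the check a defender would want: an independent measurement that bypasses the compromised path exposes the replay.

```python
"""Toy model of a targeted PLC man-in-the-middle with telemetry replay.

Added example, not Stuxnet's code. Frequencies are the publicly reported
figures; class names, the stress band and the sample hosts are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

NORMAL_HZ = 1064.0                    # reported normal drive frequency
SABOTAGE_HZ = [1410.0, 2.0, 1064.0]   # reported: overspeed, near-stall, back to normal
RATED_BAND_HZ = 200.0                 # constructed: excursions beyond this stress the rotor


@dataclass
class Host:
    os: str
    has_step7: bool                   # Siemens Step 7/WinCC present?
    plc_model: Optional[str]          # e.g. "S7-315", or None if no PLC attached
    already_infected: bool = False


def is_target(host: Host) -> bool:
    """Payload fires only if every check passes; any False keeps it benign."""
    return (host.os.startswith("Windows")
            and host.has_step7
            and host.plc_model in ("S7-315", "S7-417")
            and not host.already_infected)


class Drive:
    """Stand-in for the frequency converter driving one centrifuge."""
    def __init__(self) -> None:
        self.hz = NORMAL_HZ
        self.stress_events = 0

    def command(self, hz: float) -> None:
        if abs(hz - NORMAL_HZ) > RATED_BAND_HZ:
            self.stress_events += 1   # an abrupt excursion far outside the band
        self.hz = hz


class PlcMitm:
    """Sits between the HMI and the drive. While idle it records genuine
    readings; while attacking it answers HMI polls with those recordings."""
    def __init__(self, drive: Drive, record_len: int = 4) -> None:
        self.drive = drive
        self.record_len = record_len
        self.recorded: List[float] = []
        self.replay_pos = 0
        self.attacking = False

    def hmi_read(self) -> float:
        if not self.attacking:
            if len(self.recorded) < self.record_len:
                self.recorded.append(self.drive.hz)
            return self.drive.hz
        value = self.recorded[self.replay_pos % len(self.recorded)]
        self.replay_pos += 1
        return value                  # replayed "OK" value, not the real one

    def sabotage_step(self, hz: float) -> None:
        self.attacking = True
        self.drive.command(hz)


def simulate(host: Host, idle_polls: int = 4) -> dict:
    """Run the idle recording phase, then the sabotage sequence if the host
    is a target. Returns what the HMI saw next to what the drive really did."""
    drive = Drive()
    mitm = PlcMitm(drive)
    hmi_log: List[float] = []
    real_log: List[float] = []
    for _ in range(idle_polls):
        hmi_log.append(mitm.hmi_read())
        real_log.append(drive.hz)
    fired = is_target(host)
    if fired:
        for hz in SABOTAGE_HZ:
            mitm.sabotage_step(hz)
            hmi_log.append(mitm.hmi_read())
            real_log.append(drive.hz)
    return {"fired": fired, "hmi": hmi_log, "real": real_log,
            "stress_events": drive.stress_events}


def replay_divergences(hmi_log: List[float], independent_log: List[float],
                       tol: float = 1.0) -> List[int]:
    """Defender's check: poll indices where the HMI value disagrees with an
    independent sensor that does not pass through the compromised host."""
    return [i for i, (a, b) in enumerate(zip(hmi_log, independent_log))
            if abs(a - b) > tol]


if __name__ == "__main__":
    target = Host("Windows XP", has_step7=True, plc_model="S7-315")
    result = simulate(target)
    print("fired:", result["fired"], "stress events:", result["stress_events"])
    print("HMI saw :", result["hmi"])
    print("drive did:", result["real"])
    print("divergent polls:", replay_divergences(result["hmi"], result["real"]))
```

The point of `replay_divergences` is that the HMI log alone looks perfect; only a measurement that does not pass through the Step 7 host (a separate vibration or current sensor, for instance) reveals the two polls where the drive was actually at 1410 Hz and 2 Hz.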

For the Paranoid:

Stuxnet was effectively benign if any one of its checklist conditions evaluated to false, and on any other machine it happened to land on. If it found the right combination, however, it had the capability to cause physical damage to equipment, and possibly to people, from the comfort of the NSA's offices, which is what made it right for a silent kind of kill.
Note: The road to Stuxnet was not charted overnight; rather, US cyber policy evolved erratically over more than two decades, starting with the Morris worm in 1988. The US firmly believed that "what we can do to them, they can do to us as well". I personally think the US did that to test its cyber warfare capabilities, as it has been doing for years, for example with the atom bomb, and to form policies related to cyber warfare on a global level that benefit it in the event of any such cyber attack on its soil by other state-sponsored actors.

Conspiracies:

  • It was a joint operation between Israel and the US (widely reported, though never officially confirmed)
  • It was designed by VirusBlokAda to gain publicity
  • Aliens wanted to control Iran (this one is insane)
  • Organized crime gangs designed it

Some people, like Nate Lawson, felt Stuxnet was embarrassing, and that might be true as well.

Simple packers and encrypted code that was easy to crack. It appeared to have been built by separate teams: one for the payload, one for hiding it, one for reconnaissance, and a ground team for deployment.

All in all, Stuxnet was a well planned and dangerous attack on the critical infrastructure of a major country. Although the attack succeeded, Iran's nuclear programme suffered only a temporary setback and was then rebuilt and expanded rather than halted. It is now ironic that a plan meant to set back Iran's nuclear programme ended up accelerating it rather than undermining it.
