Stuxnet
Stuxnet is a malicious computer worm first uncovered on 17 June 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition systems and is believed to be responsible for causing substantial damage to the Iran nuclear program after it was first installed on a computer at the Natanz Nuclear Facility in 2009. Although neither the United States nor Israel has openly admitted responsibility, multiple independent news organizations claim Stuxnet to be a cyberweapon built jointly by the two countries in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.
Stuxnet specifically targets programmable logic controllers, which allow the automation of electromechanical processes such as those used to control machinery and industrial processes including gas centrifuges for separating nuclear material. Exploiting four zero-day flaws in the systems, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart. Stuxnet's design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems, most of which are in Europe, Japan and the United States. Stuxnet reportedly destroyed almost one-fifth of Iran's nuclear centrifuges. Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to physically degrade.
Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack, a link file that automatically executes the propagated copies of the worm and a rootkit component responsible for hiding all malicious files and processes to prevent detection of Stuxnet. It is typically introduced to the target environment via an infected USB flash drive, thus crossing any air gap. The worm then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet becomes dormant inside the computer. If both the conditions are fulfilled, Stuxnet introduces the infected rootkit onto the PLC and Step7 software, modifying the code and giving unexpected commands to the PLC while returning a loop of normal operation system values back to the users.
Discovery
Stuxnet, discovered by Sergey Ulasen from a Belarusian antivirus company VirusBlokAda, initially spread via Microsoft Windows, and targeted Siemens industrial control systems. While it is not the first time that hackers have targeted industrial systems, nor the first publicly known intentional act of cyberwarfare to be implemented, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller rootkit.The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens supervisory control and data acquisition systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.
Different variants of Stuxnet targeted five Iranian organizations, with the probable target widely suspected to be uranium enrichment infrastructure in Iran; Symantec noted in August 2010 that 60 percent of the infected computers worldwide were in Iran. Siemens stated that the worm caused no damage to its customers, but the Iran nuclear program, which uses embargoed Siemens equipment procured secretly, was damaged by Stuxnet. Kaspersky Lab concluded that the sophisticated attack could only have been conducted "with nation-state support". F-Secure's chief researcher Mikko Hyppönen, when asked if possible nation-state support were involved, agreed: "That's what it would look like, yes."
In May 2011, the PBS program Need To Know cited a statement by Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, in which he said "we're glad they are having trouble with their centrifuge machine and that we the U.S. and its allies are doing everything we can to make sure that we complicate matters for them", offering "winking acknowledgement" of United States involvement in Stuxnet. According to The Daily Telegraph, a showreel that was played at a retirement party for the head of the Israel Defense Forces, Gabi Ashkenazi, included references to Stuxnet as one of his operational successes as the IDF chief of staff.
On 1 June 2012, an article in The New York Times reported that Stuxnet was part of a US and Israeli intelligence operation named Operation Olympic Games, devised by the NSA under President George W. Bush and executed under President Barack Obama.
On 24 July 2012, an article by Chris Matyszczyk from CNET reported that the Atomic Energy Organization of Iran e-mailed F-Secure's chief research officer Mikko Hyppönen to report a new instance of malware.
On 25 December 2012, an Iranian semi-official news agency announced there was a cyberattack by Stuxnet, this time on the industries in the southern area of the country. The malware targeted a power plant and some other industries in Hormozgan province in 2012.
According to Eugene Kaspersky, the worm also infected a nuclear power plant in Russia. Kaspersky noted, however, that since the power plant is not connected to the public Internet, the system should remain safe.
History
The worm was first identified by the security company VirusBlokAda in mid-June 2010. Journalist Brian Krebs's blog post on 15 July 2010 was the first widely read report on the worm. The original name given by VirusBlokAda was "Rootkit.Tmphider;" Symantec, however, called it "W32.Temphid", later changing it to "W32.Stuxnet". Its current name is derived from a combination of keywords found in the software. The timing of the discovery has been attributed to the virus accidentally spreading beyond its intended target due to a programming error introduced in an update. This may have caused the worm to spread to an engineer's computer connected to the centrifuges, further propagating when the engineer later connected to the internet at home.Kaspersky Lab experts initially estimated that Stuxnet began spreading around March or April 2010, but the first variant of the worm appeared in June 2009. On 15 July 2010, the day the worm's existence became widely known, a distributed denial-of-service attack targeted the servers of two leading mailing lists on industrial-systems security. This attack, from an unknown source but possibly related to Stuxnet, disabled one of the lists, interrupting a key information source for power plants and factories. Separately, researchers at Symantec uncovered a version of the Stuxnet computer virus that was used to attack Iran's nuclear program in November 2007, with evidence indicating it was under development as early as 2005, when Iran was still setting up its uranium enrichment facility.
The second variant, with substantial improvements, appeared in March 2010, reportedly due to concerns that Stuxnet was not spreading fast enough. A third variant, with minor improvements, followed in April 2010. The worm contains a component with a build timestamp from 3 February 2010. On 25 November 2010, Sky News in the United Kingdom reported receiving information from an anonymous source at an unidentified IT security organization claiming that Stuxnet, or a variation of the worm, had been traded on the black market.
In 2015, Kaspersky Lab reported that the Equation Group had used two of the same zero-day attacks prior to their use in Stuxnet, in another malware called fanny.bmp. Kaspersky Lab noted that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together".
In 2019, Chronicle researchers Juan Andres Guerrero-Saade and Silas Cutler presented findings indicating that at least four distinct threat actor malware platforms collaborated in developing the different versions of Stuxnet. The collaboration was referred to as 'GOSSIP GIRL', a name derived from a threat group mentioned in classified CSE slides that included Flame. GOSSIP GIRL is described as a cooperative umbrella encompassing the Equation Group, Flame, Duqu, and Flowershop.
In 2020, researcher Facundo Muñoz presented findings suggesting that Equation Group may have collaborated with Stuxnet developers in 2009 by providing at least one zero-day exploit, and one exploit from 2008 that was actively used by the Conficker computer worm and Chinese hackers. In 2017, a group of hackers known as The Shadow Brokers leaked a collection of tools attributed to Equation Group, including new versions of both exploits compiled in 2010. Analysis of the leaked data indicated significant code overlaps, as both Stuxnet's exploits and Equation Group's exploits were developed using a set of libraries called the "Exploit Development Framework", also leaked by The Shadow Brokers.
Affected countries
A study of the spread of Stuxnet by Symantec showed that the main affected countries in the early days of the infection were Iran, Indonesia and India:| Country | Share of infected computers |
| Iran | 58.9% |
| Indonesia | 18.2% |
| India | 8.3% |
| Azerbaijan | 2.6% |
| United States | 1.6% |
| Pakistan | 1.3% |
| Other countries | 9.2% |
Iran was reported to have fortified its cyberwar abilities following the Stuxnet attack, and has been suspected of retaliatory attacks against United States banks in Operation Ababil. Operation Ababil campaign in 2012-2013 against U.S. financial institutions and also the 2012 Shamoon attack against oil giant Saudi Aramco, and the 2014 strike against Las Vegas Sands Corporation.