RU’s resident weapons expert ADAM FIRESTONE returns with a post that will make you wary of flash drives, computer worms and cyber attacks.
Stuxnet is widely described as the first cyber weapon. In fact, Stuxnet was the culmination of an orchestrated campaign that employed an array of cyber weapons to achieve destructive effects against a specific industrial target. This piece explores Stuxnet’s technology, its behavior and how it was used to execute a cyber-campaign against the Iranian uranium enrichment program.
Stuxnet, a computer worm, was discovered in June 2010. It was designed to attack industrial programmable logic controllers (PLCs). PLCs automate electromechanical processes, such as those used to control machinery on factory assembly lines, amusement rides, or, in Stuxnet’s case, centrifuges for separating nuclear material. Stuxnet’s impact was significant, as it may have damaged or destroyed as many as 1,000 centrifuges at the Iranian nuclear enrichment facility located in Natanz. Since its discovery, Stuxnet has been “in the wild,” and has appeared in other countries, most notably Russia.
There are many aspects of the Stuxnet story, including who developed and deployed it. While recent events seem to have definitively solved the attribution puzzle, Stuxnet’s operation and technology remain both clever and fascinating.
A Stuxnet attack begins with a USB flash drive infected with the worm. Why a flash drive? Because the targeted networks are not usually connected to the internet. These networks have an “air gap” physically separating them from the internet for security purposes. That being said, USB drives don’t insert themselves into computers. The essential transmission mechanism for the worm is, therefore, biological: a user.
I’m tempted to use the word “clueless” to describe such a user, but that wouldn’t be very fair. Most of us carbon-based, hominid, bipedal Terran life forms are inherently entropic – we’re hard-wired to seek the greatest return for the least amount of effort. In the case of a shiny new flash drive that’s just fallen into one’s lap, the first thing we’re inclined to do is to shove it into the nearest USB port to see what it contains. And if that port just happens to be on your work computer, on an air-gapped network. . .well, you get the picture.
It’s now that Stuxnet goes to work, bypassing both the operating system’s (OS) inherent security measures and any anti-virus software that may be present. Upon interrogation by the OS, it presents itself as a legitimate auto-run file. Legitimacy, in the digital world, is conferred by means of a digital certificate. A digital certificate (or identity certificate) is an electronic cryptographic document used to prove identity or legitimacy. The certificate includes information about a public cryptographic key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person or system examining the certificate trusts the signer, then it is assumed that the public cryptographic key or software signed with that key is safe for use.
Stuxnet proffers a stolen digital certificate to prove its trustworthiness. Now vetted, the worm begins its own interrogation of the host system: Stuxnet confirms that the OS is a compatible version of Microsoft Windows and, if an anti-virus program is present, whether it is one that Stuxnet’s designers had previously compromised. Upon receiving positive confirmation, Stuxnet downloads itself into the target computer.
Specifically, it drops two files into the computer’s memory. One of the files requests a download of the main Stuxnet archive file, while the other sets about camouflaging Stuxnet’s presence, using a number of techniques, including modifying file creation and modification times to blend in with the surrounding system files and altering the Windows registry to ensure that the required Stuxnet files run on startup. Once the archived file is downloaded, the Stuxnet worm unwraps itself to its full, executable form.
Meanwhile, the original Stuxnet infection hasn’t ever left the USB flash drive. After successfully infecting three separate computers, it commits “security suicide.” That is, like a secret agent taking cyanide to ensure that she can’t be tortured to reveal her secrets, Stuxnet deletes itself from the flash drive to frustrate the efforts of malware analysts.
Internally to the target computer, Stuxnet has been busy. It uses its rootkit to modify, and become part of, the OS. Stuxnet is now indistinguishable from Windows; it’s become part of the computer’s DNA. It’s now that Stuxnet becomes a detective, exploring the computer and looking for certain files. Specifically, Stuxnet is looking for industrial control system (ICS) software created by Siemens called Simatic PCS7 or Step 7 running on a Siemens Simatic Field PG notebook (a Windows-based system dedicated for ICS use).
The problem facing Stuxnet at this point is that a computer can contain millions, if not tens of millions of files and finding the right Step 7 file is a bit like looking for a needle in a haystack. In order to systematize the search, Stuxnet needs to find a way to travel around the file system as it conducts its stealthy reconnaissance. It does this by attaching itself to a very specific kind of process: One that is trusted at the highest levels by the OS and that looks at every single file on the computer. Something like. . .
. . .the scan process used by anti-virus software. Stuxnet compromised and used the scan processes from leading anti-virus programs including McAfee, Symantec and Kaspersky. Along the way, Stuxnet compromises every comparable process it comes across, pervading the computer’s memory and exploiting every resource available to execute the search.
All the while, Stuxnet is constantly executing housekeeping functions. When two Stuxnet worms meet, they compare version numbers, and the earlier version deletes itself from the system. Stuxnet also continuously evaluates its system permission and access level. If it finds that it does not have sufficient privileges, it uses a previously unknown system vulnerability (such a thing is called a “Zero-Day,” and will be discussed below) to grant itself the highest administrative privileges and rights. If a local area network (LAN) connection is available, Stuxnet will communicate with Stuxnet worms on other computers and exchange updates – ensuring that the entire Stuxnet cohort running within the LAN is the most virulent and capable version. If an Internet connection is found, Stuxnet reaches back to its command and control (C2) servers and uploads information about the infected computers, including their internet protocol (IP) addresses, OS types and whether or not Step 7 software has been found.
As mentioned above, Stuxnet relied on Zero-Day vulnerabilities to conduct its attacks; it used four of them. Zero-Days are of particular interest to hacker communities: since they’re unknown, they are by definition almost impossible to defend against. Stuxnet’s four Zero-Days included:
- The Microsoft Windows shortcut automatic file execution vulnerability which allowed the worm to spread through removable flash drives;
- A print spooler remote code execution vulnerability; and
- TWO different privilege escalation vulnerabilities.
Once Stuxnet finds Step 7 software, it patiently waits and listens until a connection to a PLC is made. When Stuxnet detects the connection, it penetrates the PLC and begins to wreak all sorts of havoc. The code controlling frequency converters is modified, and Stuxnet takes control of the converter drives. What’s of great interest is Stuxnet’s method of camouflaging its control.
Remember the scene in Mission Impossible, Ocean’s 11 and just about every other heist movie where the spies and/or thieves insert a video clip into the surveillance system? They’re busy emptying the vault, but all the hapless guard monitoring the video feed sees is the undisturbed safe contents. Stuxnet turned this little bit of fiction into reality. Signals from the PLC that would report abnormal behavior are intercepted by Stuxnet, which instead sends signals indicating nominal, normal behavior to the monitoring software on the control computer.
Stuxnet is now in the position to effect a physical attack against the gas centrifuges. To understand the attack, it’s important to understand that centrifuges work by spinning at very high speeds and that maintaining these speeds within tolerance is critical to their safe operation. Typically, gas centrifuges used to enrich uranium operate at between 807 Hz and 1,210 Hz, with 1,064 Hz as a generally accepted standard.
Stuxnet used the infected PLCs to cause the centrifuge rotors to spin at 1,410 Hz for short periods of time over a 27-day period. At the end of the period, Stuxnet would cause the rotor speed to drop to 2 Hz for fifty minutes at a time. Then the cycle repeated. The result was that over time the centrifuge rotors became unbalanced, the motors wore out and, in the worst cases, the centrifuges failed violently.
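As an added illustration (not code from the original post), this Python sketch shows the defender-side check that defeats the “replayed video feed” trick described above: compare what the PLC reports against an independent measurement of rotor frequency, and alarm on disagreement or on any measured value outside the 807 Hz to 1,210 Hz band. The sample readings, the independent sensor channel and the 5 Hz tolerance are assumptions.

```python
"""Out-of-band monitoring check: PLC-reported rotor frequency versus an
independent measurement. All readings here are constructed sample data."""
from dataclasses import dataclass

# Operating band and nominal speed cited in the text (Hz).
NOMINAL_HZ = 1064.0
BAND_LOW_HZ, BAND_HIGH_HZ = 807.0, 1210.0
# Maximum disagreement tolerated between the two channels (assumed value).
REPORT_TOLERANCE_HZ = 5.0


@dataclass(frozen=True)
class Reading:
    t_min: float        # minutes since the start of the monitoring window
    reported_hz: float  # value the PLC sends to the control computer
    measured_hz: float  # value from an independent sensor (assumed to exist)


@dataclass(frozen=True)
class Alert:
    t_min: float
    kind: str
    detail: str


def check_reading(r: Reading) -> list[Alert]:
    """Return alerts for one sample: channel mismatch and/or out-of-band speed."""
    alerts = []
    if abs(r.reported_hz - r.measured_hz) > REPORT_TOLERANCE_HZ:
        alerts.append(Alert(r.t_min, "channel_mismatch",
                            f"PLC reports {r.reported_hz:.0f} Hz, sensor measures {r.measured_hz:.0f} Hz"))
    if not BAND_LOW_HZ <= r.measured_hz <= BAND_HIGH_HZ:
        alerts.append(Alert(r.t_min, "out_of_band",
                            f"measured {r.measured_hz:.0f} Hz outside {BAND_LOW_HZ:.0f}-{BAND_HIGH_HZ:.0f} Hz"))
    return alerts


def analyze(readings) -> list[Alert]:
    """Run the check over a sequence of readings, preserving time order."""
    out: list[Alert] = []
    for r in readings:
        out.extend(check_reading(r))
    return out


# Constructed telemetry mimicking the cycle in the text: the PLC keeps
# reporting a steady 1,064 Hz while the rotors are actually driven to
# 1,410 Hz, then dropped to 2 Hz for about fifty minutes.
SAMPLE = [
    Reading(0, 1064, 1064),
    Reading(10, 1064, 1066),   # small sensor noise, within tolerance
    Reading(20, 1064, 1410),   # overspeed, masked by the replayed report
    Reading(30, 1064, 1410),
    Reading(40, 1064, 1064),
    Reading(50, 1064, 2),      # near-stall, also masked
    Reading(100, 1064, 2),
    Reading(110, 1064, 1064),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(f"t={a.t_min:>5.0f} min  {a.kind:<16} {a.detail}")
```

The point of the check is that it never trusts the PLC’s own report: a compromised controller can only lie on one of the two channels.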
Stuxnet destroyed as much as twenty percent of the Iranian uranium enrichment capacity. There are two really fascinating lessons that can be learned from the Stuxnet story. The first is that cyber attacks can and will have effects in the kinetic and/or physical realm. Power grids, water purification facilities and other utilities are prime targets for such attacks. The second is that within the current design and implementation paradigms by which software is created and deployed, if a bad actor with the resources of a nation-state wants to ruin your cyber-day, your day is pretty much going to be ruined.
But that assumes that we maintain the current paradigm. And there’s nothing except self-imposed limits on imagination and creativity that says we have to do that. There is, I promise, cyber-hope.
Have you ever used a cyber-crime to intensify your plot?
Bio: Adam Firestone brings more than 25 years of experience with weapon systems including small arms, artillery, armor, area denial systems and precision guided munitions to Romance University. Additionally, Adam is an accomplished small arms instructor, editor, literary consultant and co-author of a recently published work on the production of rifles in the United States for Allied forces during the First World War.
Adam has been providing general and technical editing services to authors and publishing houses specializing in firearms books since the early 2000s. Additionally, Adam provides literary consulting services to fiction authors including action scene choreography, technical vetting and technical editing. In this line of experience, Adam has had the fortune to work with well known authors including Shannon McKenna and Elizabeth Jennings.
Check out Adam’s blog here: http://adamfirestoneconsultant.blogspot.com/ 