I must confess that I hadn’t heard about Stuxnet until my close friend, colleague, ICT security expert and blogger Paolo Passeri, while discussing my recent visit to Decimomannu airbase for Vega 2010, an exercise attended by Israeli Air Force aircraft (for the report, wait until Nov. 26), explained to me the complexity of this virus and its potentially catastrophic effects.
Stuxnet is a worm whose aim is to target industrial control systems, implementing a sabotage strategy that speeds up and slows down physical machinery at a plant. It was first discovered in June 2010 in Iran and has since infected more than 100,000 computers around the world. Initially believed to be a “normal virus”, Stuxnet contains code designed to attack SCADA (Supervisory Control and Data Acquisition) systems that manage pipelines, nuclear plants and various utility and manufacturing equipment. According to researchers at Symantec, Stuxnet was most probably aimed at sabotaging Iran’s nuclear facilities at Bushehr or Natanz.
Below you can read an excerpt from a detailed article published by Wired.com (full article available at http://www.wired.com/threatlevel/2010/11/stuxnet-clues/). For the Italian readers, I suggest a look at the post on Paolo Passeri’s blog titled “Come ti impoverisco l’uranio con un virus”.
According to Symantec, Stuxnet targets specific frequency-converter drives — power supplies used to control the speed of a device, such as a motor. The malware intercepts commands sent to the drives from the Siemens SCADA software, and replaces them with malicious commands to control the speed of a device, varying it wildly, but intermittently.
The malware, however, doesn’t sabotage just any frequency converter. It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.
Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds — between 807 Hz and 1210 Hz. Such high speeds are used only for select applications. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”
“There’s only a limited number of circumstances where you would want something to spin that quickly – such as in uranium enrichment,” said O Murchu. “I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device,” he added.
The malware appears to have begun infecting systems in January 2009. In July of that year, the secret-spilling site WikiLeaks posted an announcement saying that an anonymous source had disclosed that a “serious” nuclear incident had recently occurred at Natanz. Information published by the Federation of American Scientists in the United States indicates that something may indeed have occurred to Iran’s nuclear program. Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 around the time the nuclear incident WikiLeaks mentioned would have occurred.
Researchers who have spent months reverse-engineering the Stuxnet code say its level of sophistication suggests that a well-resourced nation-state is behind the attack. It was initially speculated that Stuxnet could cause a real-world explosion at a plant, but Symantec’s latest report makes it appear that the code was designed for subtle sabotage. Additionally, the worm’s pinpoint targeting indicates the malware writers had a specific facility or facilities in mind for their attack, and have extensive knowledge of the system they were targeting.
The worm was publicly exposed after VirusBlokAda, an obscure Belarusian security company, found it on computers belonging to a customer in Iran — the country where the majority of the infections occurred.
German researcher Ralph Langner was the first to suggest that the Bushehr nuclear power plant in Iran was the Stuxnet target. Frank Rieger, chief technology officer at Berlin security firm GSMK, believes it’s more likely that the target in Iran was a nuclear facility in Natanz. The Bushehr reactor is designed to develop non-weapons-grade atomic energy, while the Natanz facility, a centrifuge plant, is designed to enrich uranium and presents a greater risk for producing nuclear weapons.
The new information released by Symantec last week supports this speculation.
As Symantec points out in its paper, frequency-converter drives are used to control the speed of another device – for example, a motor at a manufacturing facility or power plant. Increase the frequency, and the motor increases in speed. In the case of Stuxnet, the malware is searching for a process module made by Profibus and Profinet International that is communicating with at least 33 frequency-converter drives made by either the Iranian firm or the Finnish firm.
Stuxnet is very specific about what it does once it finds its target facility. If the number of drives from the Iranian firm exceeds the number from the Finnish firm, Stuxnet unleashes one sequence of events. If the Finnish drives outnumber the Iranian ones, a different sequence is initiated.
Once Stuxnet determines it has infected the targeted system or systems, it begins intercepting commands to the frequency drives, altering their operation.
“Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz,” writes Symantec’s Eric Chien on the company’s blog. “Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.”
“That’s another indicator that the amount of applications where this would be applicable are very limited,” O Murchu says. “You would need a process running continuously for more than a month for this code to be able to get the desired effect. Using nuclear enrichment as an example, the centrifuges need to spin at a precise speed for long periods of time in order to extract the pure uranium. If those centrifuges stop to spin at that high speed, then it can disrupt the process of isolating the heavier isotopes in those centrifuges … and the final grade of uranium you would get out would be a lower quality.”
O Murchu said that there is a long wait time between different stages of malicious processes initiated by the code — in some cases more than three weeks — indicating that the attackers were interested in sticking around undetected on the target system, rather than blowing something up in a manner that would attract notice.
“It wanted to lie there and wait and continuously change how a process worked over a long period of time to change the end results,” O Murchu said.
Stuxnet was designed to hide itself from detection so that even if administrators at a targeted facility noticed that something in the facility’s process had changed, they wouldn’t be able to see Stuxnet on their system intercepting and altering commands. Or at least they wouldn’t have seen this, if information about Stuxnet hadn’t been released last July.
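To make the excerpt’s two technical points concrete, here is an added Python illustration; it is not code from the Wired article, from Symantec’s analysis or from Stuxnet itself. The first function models the targeting gate as the excerpt describes it (at least 33 drives from Fararo Paya or Vacon, running in the 807–1210 Hz band, with the vendor majority selecting the attack sequence); the second is the kind of check a defender would run on drive setpoints captured from an independent tap on the fieldbus, flagging values outside the plant’s operating band and the 1410 → 2 → 1064 Hz sequence quoted from Symantec. The drive tags, timestamps and inventories are constructed for the example, and how Stuxnet breaks a tie between the two vendor counts is not stated above, so a tie is treated here as “no match”.

```python
"""Added example (not from Wired, Symantec or Stuxnet): a model of the targeting
gate described in the excerpt and an out-of-band setpoint monitor. All data constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Vendor names and thresholds exactly as reported in the excerpt above.
FARARO_PAYA = "Fararo Paya"
VACON = "Vacon"
TARGET_VENDORS = {FARARO_PAYA, VACON}
MIN_TARGET_DRIVES = 33
OPERATING_BAND_HZ = (807.0, 1210.0)
SABOTAGE_SEQUENCE_HZ = (1410.0, 2.0, 1064.0)


@dataclass(frozen=True)
class Drive:
    vendor: str
    output_hz: float


@dataclass(frozen=True)
class Setpoint:
    t: float        # seconds since capture start (constructed)
    drive_id: str   # hypothetical drive tag
    hz: float


def stuxnet_would_fire(drives: Iterable[Drive]) -> Optional[str]:
    """Reproduce the gate from the excerpt: at least 33 drives from the two vendors
    running in the 807-1210 Hz band; the vendor majority picks the sequence.
    A tie is not described in the excerpt and is treated as no match (assumption)."""
    matching = [d for d in drives
                if d.vendor in TARGET_VENDORS
                and OPERATING_BAND_HZ[0] <= d.output_hz <= OPERATING_BAND_HZ[1]]
    if len(matching) < MIN_TARGET_DRIVES:
        return None
    iranian = sum(1 for d in matching if d.vendor == FARARO_PAYA)
    finnish = len(matching) - iranian
    if iranian > finnish:
        return "sequence A"   # Iranian drives outnumber Finnish ones
    if finnish > iranian:
        return "sequence B"   # Finnish drives outnumber Iranian ones
    return None


def find_anomalies(setpoints, band=OPERATING_BAND_HZ):
    """Defender's view: flag any setpoint outside the expected band and any drive
    that receives the 1410 -> 2 -> 1064 Hz sequence in time order.
    Returns (out_of_band_setpoints, [(drive_id, t_of_first_step), ...])."""
    out_of_band = [s for s in setpoints if not band[0] <= s.hz <= band[1]]
    by_drive = {}
    for s in setpoints:
        by_drive.setdefault(s.drive_id, []).append(s)
    pattern_hits = []
    n = len(SABOTAGE_SEQUENCE_HZ)
    for drive_id, seq in by_drive.items():
        seq.sort(key=lambda s: s.t)
        hz = [s.hz for s in seq]
        for i in range(len(hz) - n + 1):
            if tuple(hz[i:i + n]) == SABOTAGE_SEQUENCE_HZ:
                pattern_hits.append((drive_id, seq[i].t))
    return out_of_band, pattern_hits


def sample_inventory(n_fararo: int, n_vacon: int, hz: float = 1064.0):
    """Constructed plant inventory: every drive reports the same output frequency."""
    return [Drive(FARARO_PAYA, hz)] * n_fararo + [Drive(VACON, hz)] * n_vacon


def sample_capture():
    """Constructed capture: VFD-07 runs normally, then receives the sabotage
    sequence (the real malware spaced the steps weeks apart, not seconds)."""
    return [
        Setpoint(0.0, "VFD-07", 1064.0), Setpoint(600.0, "VFD-07", 1064.0),
        Setpoint(1200.0, "VFD-07", 1410.0), Setpoint(1215.0, "VFD-07", 2.0),
        Setpoint(1265.0, "VFD-07", 1064.0),
        Setpoint(0.0, "VFD-08", 1064.0), Setpoint(600.0, "VFD-08", 1064.0),
        Setpoint(1200.0, "VFD-08", 1064.0),
    ]


if __name__ == "__main__":
    print(stuxnet_would_fire(sample_inventory(20, 14)))   # sequence A
    oob, hits = find_anomalies(sample_capture())
    print(len(oob), "out-of-band setpoints;", hits)      # 2 out-of-band setpoints; [('VFD-07', 1200.0)]
```

Two practical points follow from the excerpt: the monitor has to read setpoints from a tap that is independent of the infected engineering station, since the excerpt explains that administrators could not see the altered commands from their own systems; and because the real attack waited weeks between stages, the capture being inspected must span weeks, not minutes, or the sequence will never appear in one window.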
The conclusion is that Stuxnet is so sophisticated that only a handful of developers could be capable of producing this kind of weapon, suggesting that the resources required to develop such malware could only have been provided by a highly specialized, cyber warfare-capable organization such as the US Cyber Command or the Mossad (that’s why Paolo Passeri began talking about Stuxnet when I mentioned the Israeli Air Force F-15Ds and F-16Ds deployed to Decimomannu…).