#78: Stuxnet: computer virus that you can admire
Stuxnet was probably one of the most sophisticated pieces of software ever built. I can easily imagine a Hollywood movie about it. A computer program that could change the course of history. Ironically, Stuxnet was a computer virus. A virus that infected 200 thousand machines. But activated and damaged only on a fraction of that.
First things first. Stuxnet started spreading around 2007 and was discovered 3 years later. 3 years. That alone is suspicious. How did it manage to infect hundreds of thousands of computers without being noticed? Oh, and by the way, 60% of the computers were in Iran. More on that later. Anyway, Stuxnet was planting itself on Windows machines via a device driver. A driver that was digitally signed and looked legitimate. The private keys to sign the malware were stolen. But that’s just the beginning.
In order to infect the operating system, Stuxnet was using four different zero-days. Four! A zero-day is a vulnerability that wasn’t yet discovered by affected vendor. Zero-days are quite expensive on the black market. Once discovered, they are quickly patched and almost worthless. Using four of them in a single virus is an overkill. Unless you are desperate and really rich.
OK, so Stuxnet infected your machine. Most likely via USB stick. Then it does nothing. Unless it reaches an industrial SCADA software by Siemens. Industrial what? Well, it’s a piece of software used to monitor and control power plants, sewege facilities, factories, etc.
However, Stuxnet is more selective. It activates only when SCADA system is connected to a specialized type of motor. And only if it’s configured to make around 1000 revolutions per second. Supersonic. And only if this motor runs in Iran…
What is going on here? This is not your typical ransomware, for sure… Long story short, Stuxnet was only waking up when infecting uraniun enrichment facilities. Large gas centrifuges separating uraiun isotopes. You know, for building nuclear bombs. Something that Iran was not suppose to do under international sanctions. But it gets better.
Stuxnet could shutdown or cause centrifuges to explode. But that would’ve been too obvious. Instead, Stuxnet was changing the frequency of random centrifuges ever so slightly. It was causing the hardware to degrade faster. But nothing too suspicious.
Moreover, and this is my favourite part, it was effectively hiding itself. Some centrifuges running with different frequency would trigger alarms. Of course, assuming someone would notice. But what about intercepting the sensors and sending seemingly correct data? You get it? The feedback from hardware was tampered. It’s a man-in-the-middle attack. Operators never noticed anything unusual. Of course, until centrifuge failed to operate or produced too little enriched uraniun.
As you can probably guess, Stuxnet wasn’t built by some home-grown hacker in the basement. After a few years it became obvious that it must have been a state actor. Most likely United States and Israel worked together to build this malware. It’s an example of international sabbotage done purely using software.
That’s it, thanks for listening, bye!
More materials
- EP 29: Stuxnet on Darknet Diaries
- Stuxnet on Wikipedia
- Gas centrifuge on Wikipedia
- The Virus That Saved The World From Nuclear Iran? STUXNET
- Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon