Fig. 1: Example of a Siemens Programmable Logic Controller (PLC) unit. Source: Wikimedia Commons. |
In the Fall of 2010, a computer worm dubbed "Stuxnet" became headline news, primarily because of its suspected purpose of infecting and inhibiting Iranian nuclear facilities. [1] Numerous theories about the origin and target of Stuxnet flooded the media, including bizarre suggestions that one of the malware's files was named MYRTUS in reference to a biblical story describing how Jews thwarted Persian plans to destroy them, thereby implicating Israel as the mastermind behind the cyber attack. [2]
In addition to the sensational story of a mysterious Western nation waging cyber warfare against nuclear powers in the Middle-East, the Stuxnet software itself gained notoriety for its sheer complexity. The major computer security company Symantec has spent months breaking down "one of the most complex threats" it has ever analyzed. [3] Security experts continue to try to understand more aspects of Stuxnet, although it is unlikely that a complete understanding of its intended function is possible without precise knowledge of the intended target environment.
The most comprehensive, publicly available report analyzing the Stuxnet malware is published by Symantec, and is the basis for this outline. [3] The vast majority of information available online regarding Stuxnet software is found in this Symantec report. It meticulously attempts to understand the computer worm's mode of propagation and its intended infection purpose, but is largely removed from any overtly speculative or political claims regarding the original creator or specific Iranian targets.
The first variant of Stuxnet was released as early as June 2009, although the most prolific version was initially spread in March 2010. The last new infection occurred one month later. Symantec was able to track this detailed history of the worm through records stored along with Stuxnet itself, showing that over 12,000 recorded infections were all traceable back to 10 independent initial infection events. All 10 initial infections occurred within the computer networks of 5 different organizations, where it is assumed that Stuxnet was manually and intentionally seeded by the creators. It is noted that all 5 organizations that were originally seeded have offices in Iran. Symantec also collected data by monitoring traffic to Stuxnet command servers, allowing further analysis of the propagation history. Of 100,000 recorded communications, over 60% originated in Iran, again strongly suggesting that the virus was originally seeded there.
A number of advanced features allowed for this rapid propagation of the worm. Stuxnet is able to copy itself to and from removable drives, such as common USB sticks, thereby giving the ability to jump between two non-networked computers. Once inside a given computer network, Stuxnet is also able to copy itself to other computers within the network.
In addition to propagation capabilities, many other advanced features are found:
Using its many features, Stuxnet ultimately targets Programmable Logic Controllers (PLCs) by way of infecting Windows computers and "Step 7" processes being run on those computers. PLCs are dedicated computing units used for automated control of industrial equipment (see Figure 1). Operators typically download command routines to PLCs by connecting a computer equipped with the appropriate software. Stuxnet targets specific Siemens brand PLCs, which are controlled by the Step 7 software.
Once it finds the correct model PLC, Stuxnet further looks for specific models of variable frequency drive modules, one manufactured in Finland and one in Iran. These driver modules are used to set motor speeds for industrial equipment. Upon finding the correct module, Stuxnet implements its own control routines, which check that normal drive operations are between 807 Hz and 1210 Hz. Stuxnet then forces the motor drive to cycle between states of 1410 Hz, 2 Hz, and 1064 Hz, each state for times on order of one month.
The most commonly reported theories in headline news have implicated Israel or the United States as the mastermind behind Stuxnet, and named the primary target to be the Natanz nuclear facilities in Iran. The Natanz facility houses gas centrifuges that are designed to enrich natural Uranium. Some recent reports confidently speak of Israel and U.S. involvement, and Stuxnet's devastation to enrichment centrifuges at Natanz. [4] It does seem clear that during the Stuxnet timeframe, a higher than average number of centrifuges at Natanz were removed and replaced, and Iran has acknowledged finding malware in their computers. [5] However, the actual effect of this on the facility's production is questionable, with one report showing increased enrichment during 2010. [6]
The most reliable and telling indicator of Stuxnet's target is from the worm's code itself: the frequency values that it looks for and consequently forces affected motors to drive at. Motor frequencies on order of 1000 Hz fall into the range that is monitored by the U.S. Nuclear Regulatory Commission (600 Hz to 2000 Hz) as potentially useful for gas centrifuge construction. [7] The long term (on order of one month) state changes to the motor frequencies caused by Stuxnet would be appropriate to disrupting the long term isotope separation operation of gas centrifuges. Only industrial processes with similarly long time scales and unusually high motor speeds could have been a target.
Regarding the creators of Stuxnet, the worm was clearly not an amateur job, nor did it have indiscriminate destructive intent. The intricacy of the software, namely the novelty of many of its approaches to infection, suggests a well-organized and experienced team of programmers. The extreme specificity of Stuxnet to specific industrial components shows that the creators had very good knowledge of the target, and may have required samples of the target components for testing. While one strange aspect of such a seemingly specific target intent is the huge amount of outspread and collateral infection, Stuxnet refrained from any malicious operations on non-target computers other than to keep spreading. In addition to programmers, it is possible that field operatives were used first to steal the two security certificates, and second to repeatedly and reliably seed the worm at the target organizations' computer networks. All these factors point to a well-organized, well-funded operation with access to detailed information on its target. It is fair to assume that the project was backed by either a nation or a very wealthy organization. The hints that the worm also intended to inhibit gas centrifuges adds the condition of anti-proliferation intent to the creators profile. However, any naming of specific nations as the creator of Stuxnet is largely political speculation. It may be difficult to ever know the true author given the information currently available.
As far as the intended target of Stuxnet, there are some very strong clues that gas centrifuges in Iran were an objective. The motor frequencies that Stuxnet dealt with and the time scales of its modification to those frequencies fits well with a sabotage of centrifuge isotope separation. The detailed information provided by Stuxnet itself regarding its propagation history clearly identifies Iran as the original seed location, therefore also naming Iran as the target's location. The extension of these two factors to the suggestion that the Natanz facility was the intended target is a speculative jump, but not a huge one. The assertion that Natanz is at least a very similar facility to the originally intended target is better supported than any specific naming of the Stuxnet creator.
© James Grayson. The author grants permission to copy, distribute and display this work in unaltered form, with attribution to the author, for noncommercial purposes only. All other rights, including commercial rights, are reserved to the author.
[1] M. J. Gross, "A Declaration of Cyber-War," Vanity Fair, April 2011.
[2] J. Markoff and D. E. Sanger, "In a Computer Worm, a Possible Biblical Clue," New York Times, 29 Sep 10.
[3] N. Falliere, L. O. Murchu and E. Chien, "W32.Stuxnet Dossier, Version 1.4, Symantec Security Response, February 2011.
[4] W. J. Broad, J. Markoff and D. E Sanger, "Israeli Test on Worm Called Crucial in Iran Nuclear Delay," New York Times, 15 Jan 11.
[5] D. Albright, P. Brannan and C. Walrond, "Stuxnet Malware and Natanz: Update of ISIS December 22, 2010 Report," Institute for Science and International Security, 15 Feb 2011.
[6] I. Barzashka, "Using Enrichment Capacity to Estimate Iran's Breakout Potential," Federation of the American Scientists Issue Brief, 21 Jan 11.
[7] Illustrative List of Gas Centrifuge Enrichment Plant Components, Appendix B to Part 110, NRC Regulations Title 10, Code of Federal Regulations, U.S. Nuclear Regulatory Commission (2009).