Stuxnet: A deep dive into one of the most advanced malware in the history
- The malware is believed to have been created by US and Israeli intelligence agencies.
- Stuxnet is designed to alter Programmable Logic Controllers (PLCs) used in the types of industrial control systems (ICS).
The Stuxnet malware has made a powerful comeback after a hiatus of almost eight years, with a new variant, impacting Iranian networks. The malware first made headlines for its devastating attack on the Iranian uranium enrichment centrifuges.
The sophisticated worm was first identified by the infosec community in 2010, although it was in the development stages since at least 2005. The malware is believed to have been created by US and Israeli intelligence agencies.
Stuxnet is designed to alter Programmable Logic Controllers (PLCs) used in the types of industrial control systems (ICS). The PLCs are commonly used in facilities such as power plants, water treatment facilities, gas pipelines etc. The worm mainly relies on multiple previously known zero-day exploits to infect computers.
The malware was found mainly targeting the ICS in Iran, Indonesia and India during 2007. Stuxnet’s effect was felt most strongly in Iran as early as 2007, where over 60% of infections were located. Many experts believe that Stuxnet destroyed 1000 centrifuges in the Iranian nuclear facility at Natanz.
When it infects a computer, Stuxnet checks whether the computer is connected to specific models of PLCs manufactured by Siemens. The malware looks out for Siemen’s STEP 7 software that is used to control PLCs.
Once it locates the machine with STEP 7, Stuxnet begins to inject false information to the PLC, thereby intercepting the actual data generated. Based on the false information injected, PLC reports a false operation states back to STEP 7 in order to show that the machines are operating normally.
The worm is designed to spread through air-gapped networks and it is typically distributed to the targeted environment via an infected USB flash drive or any other external device.
Using Stuxnet, attackers can automate the logic controllers of the most critical processes of an industrial facility. This can be modifying the temperature, pressure, the flow of water, chemicals and gas. The worm includes stolen digital certificates in order to appear legitimate and avoid detection by traditional intrusion detection systems (IDS).
A new variant of the infamous worm, dubbed as Stuxnet 2.0 was found targeting Iranian networks. The new variant is reportedly more advanced and sophisticated. It is still unclear as which industries and companies were hit the malware or which threat actor group was involved in the attack.
Several other malware having capabilities similar to Stuxnet, have been detected in the wild. Duqu and Flame are the two other worms, although their purposes are quite different than Stuxnet.
While the widespread of Stuxnet is limited currently, it is believed that the worm can play a major part in future attack on the infrastructures in the US and other countries. As a part of its reporting on Stuxnet, ESET said it, "was a breakthrough event that should have served as a wake up call for all those involved in security of industrial systems", TechRepublic reported