Stuxnet and Beyond: The Age of Cyberwarfare

Kim Zetter

“Netwars are not real wars, traditionally defined. But netwar might be developed into an instrument for trying, early on, to prevent a real war from arising.”

“As an innovation in warfare, we anticipate that cyberwar may be to the 21st century what blitzkrieg was to the 20th century.”

- 1993 RAND article

Air Force - 1st Cyber Division, August 21, 1995

• Low cost of entry to conduct campaigns

• Flexible base of deployment - the attacker didn't have to be within range of the target

• Diverse and ever-expanding set of targets

1997

• Build roadmap of technologies on shelves

• Anticipate future technologies

• Develop attack capabilities

• Stockpile/catalogue hacking tools - viruses, worms, logic bombs, backdoors

Natanz

Located about 200 miles south of Tehran

Centrifuge Halls in Process of Being Buried - Sept. 2002

Buried Halls Invisible from Air

Timeline

Aug 2002: Natanz exposed; Iran claims its secret enrichment program is harmless and that nuclear energy is its basic right

2003-2004: Western attempts to halt the program result in a suspension agreement

Sept. 2005: Iran announces withdrawal from the suspension agreement

Feb 2006: Iran begins enriching uranium in pilot plant; Israel seeks U.S. backing for an airstrike

Feb 2006: 50 centrifuges at pilot plant explode

Feb 2007: First centrifuges installed in underground hall; by June, 1,400 installed and enriching gas

April 2008: 3,000 centrifuges installed; Israel fears Iran will master enrichment and by 2010 will have enough LEU to produce a bomb

Nov. 2009: ~8,700 centrifuges installed

Dec. 2009 - Jan. 2010: IAEA notices 1,000-2,000 centrifuges replaced

Photo: IAEA

June 2010 - VirusBlokAda office (Belarus)

Sergey Ulasen - VirusBlokAda

Liam O’Murchu - Symantec

Eric Chien - Symantec

Nico Falliere - Symantec (Paris)

Two Parts - Missile and Payload

Missile - Guidance and Delivery System

7 Ways to Spread

Four Zero-Day Exploits (actually five)

- .LNK shortcut exploit (CVE-2010-2568; spreads via USB sticks)

- Print spooler (CVE-2010-2729; computers with a shared printer)

- Task scheduler (CVE-2010-3338; privilege escalation)

- Windows keyboard layout (CVE-2010-2743; privilege escalation)

Network shares

Step 7 project files

Hardcoded Siemens WinCC database password

Plus: stolen digital certificates (Realtek, then JMicron) used to sign its drivers

Peer-to-peer mechanism for updating already-infected machines

Payload - Explosives

Stuxnet seeks: Siemens Step 7/WinCC control software

Siemens S7-315 and S7-417 PLCs (PLC - Programmable Logic Controller)

Warhead - Two Payloads

Stuxnet 0.5 (discovered late 2012): one payload

• S7-417 PLC (fully enabled)

Stuxnet 1.0 (found June 2010, publicly reported July 2010): two payloads

• S7-315 PLC

• S7-417 PLC (mysteriously disabled)

Stuxnet 0.5 - launched 2007-2008; targets the S7-417 PLC controlling valves

Stuxnet 0.5

• 30 days recording normal activity

• Closes exit valves - gas goes in, but not out

• Waits 2 hrs or until pressure increases 5x

• Feeds false data to operators; disables safety system

• Rinse/repeat

• When pressure increases to 5x the normal level, the gas condenses/solidifies

• Solid gas catches in the spinning rotors, causing imbalance - rotor strikes centrifuge wall

• Wobbles, teeters off balance

• Whirling/unmoored centrifuge at high speed = destruction

• Wasted gas

Consequences

First centrifuges installed Feb 2007 - Iran plans to install 3,000 by May

By August only 1,900 installed; takes until Nov to install the rest

124 kg of enriched uranium expected; got only 75 kg

Evidence of Effects

Jan 2009 - Bush briefs Obama; Obama re-authorizes and accelerates attack

June 2009 - Stuxnet 1.0 launched

March/April 2010 - at least two more rounds of Stuxnet 1.0 launched

2009 - 2010

Stuxnet 1.0: Targets S7-315 Controlling Frequency Converters

Stuxnet 1.0 - Launched 2009-2010

• 13 days recording normal operations

• Increases frequency to 1,410 Hz for 15 min. (close to max rotor speed)

• Reduces frequency to 1,064 Hz (normal operating speed)

• After 26 days, reduces frequency to 2 Hz for 50 minutes

• Returns to 1,064 Hz

• Feeds operators false data; disables safety system

• After 26 days - rinse/repeat
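The attack cycle above, modeled as an added example written for this page (not code from the talk, and not Stuxnet's own code). It treats the sabotage sequence as a state machine driving a simulated frequency converter while the operator screen is fed a replay of the recorded pre-attack values, and then shows the check a plant could have run: compare what the HMI reports against a measurement that does not pass through the PLC. The converter, the HMI and the independent sensor are hypothetical simplifications; the timings and frequencies are the ones given in the talk.

```python
"""Stuxnet 1.0 sabotage cycle as a state machine, plus a divergence check.

Added example for this page; not code from the talk and not Stuxnet's code.
The frequency converter, the HMI and the independent sensor are hypothetical
simplifications. Timings and frequencies are those given in the talk.
"""

MIN = 1
HOUR = 60 * MIN
DAY = 24 * HOUR
NOMINAL_HZ = 1064.0          # normal operating frequency from the talk
RECORD_MINUTES = 13 * DAY    # pre-attack recording window

# One cycle of the attack, as (duration in minutes, frequency to impose).
# None means "leave the drive at nominal". The cycle repeats indefinitely.
ATTACK_CYCLE = [
    (15 * MIN, 1410.0),  # overspeed, close to the rotors' maximum
    (26 * DAY, None),    # wait so the process looks normal again
    (50 * MIN, 2.0),     # near-stop; rotors slow down through resonance
    (26 * DAY, None),
]
CYCLE_MINUTES = sum(duration for duration, _ in ATTACK_CYCLE)


def drive_frequency(t_min):
    """Frequency the sabotaged PLC commands at minute t (t=0 is infection)."""
    if t_min < RECORD_MINUTES:
        return NOMINAL_HZ
    pos = (t_min - RECORD_MINUTES) % CYCLE_MINUTES
    for duration, hz in ATTACK_CYCLE:
        if pos < duration:
            return NOMINAL_HZ if hz is None else hz
        pos -= duration
    raise AssertionError("unreachable: pos always falls inside the cycle")


def hmi_frequency(t_min):
    """What the operator screen shows.

    During the recording window the HMI sees live values; afterwards it is
    fed a replay of the recorded window, so it never shows the sabotage.
    """
    if t_min < RECORD_MINUTES:
        return drive_frequency(t_min)
    return drive_frequency(t_min % RECORD_MINUTES)


def detect_divergence(samples, tolerance_hz=5.0):
    """Return the minutes at which the HMI disagrees with an independent reading.

    samples: iterable of (t_min, independent_hz), e.g. from a power meter or
    vibration sensor wired outside the PLC's reporting path (hypothetical).
    """
    return [t for t, hz in samples if abs(hmi_frequency(t) - hz) > tolerance_hz]


def sabotage_minutes(t_start, t_end):
    """Minutes in [t_start, t_end) where the drive is actually off nominal."""
    return [t for t in range(t_start, t_end) if drive_frequency(t) != NOMINAL_HZ]


if __name__ == "__main__":
    # A 75-minute window around the first overspeed event: the HMI keeps
    # showing 1,064 Hz while the independent reading shows 1,410 Hz.
    start = RECORD_MINUTES - 15
    independent = [(t, drive_frequency(t)) for t in range(start, start + 75)]
    print("divergent minutes:", detect_divergence(independent))
```

The point of `detect_divergence` is that the replayed operator view is only convincing when every measurement an operator sees goes through the compromised PLC; a second sensor path with its own data historian turns the false data itself into the alarm.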

June 2009 - 12 cascades in Module A26 enriching gas; 6 under vacuum but not enriching

Aug. 2009 - 10 cascades enriching; 8 now under vacuum not enriching

Nov. 2009 - 6 cascades enriching; 12 under vacuum not enriching

Dec. 2009 - Jan. 2010 - IAEA inspectors notice workers replacing centrifuges at unusual rate

Estimated 1,000 - 2,000 centrifuges replaced

Effects Evident

Timeline

2003 - 2005: Attempts to halt Iran's nuclear program; suspension agreement

2004: Centrifuges seized from Libya

2005: Domain for Stuxnet 0.5 C&C server registered

Feb 2006: Iran withdraws from suspension agreement; begins enriching uranium in pilot plant

2006: Bush advisors propose digital weapon

2006 - 2007: Centrifuges tested at Oak Ridge; code written

Feb 2007: First centrifuges installed in underground hall; by June, 1,400 centrifuges installed and enriching gas

Nov. 2007: Stuxnet 0.5 in the wild; targets valves

April 2008: 3,000 centrifuges installed; US/Israel fear Iran will master enrichment by year end and by 2010 will have enough LEU to produce a bomb

July 2008: Fanny worm compiled (uses the .LNK exploit)

June 2009: Stuxnet 1.0 unleashed without the .LNK exploit (this version spreads via autorun.inf; the .LNK exploit appears in the March 2010 version); targets frequency converters

Sept. 2009: Obama announces discovery of a second secret uranium enrichment plant at Fordow

March - April 2010: Stuxnet 1.01 unleashed, now carrying the .LNK exploit; targets frequency converters

June 2010: Stuxnet discovered

Iranians Didn't Know Cause

How Did Stuxnet Get Caught?

Stuxnet 1.0 - Three Waves of Attack: June 2009; March and April 2010

Five Patient Zeroes

Domain A: Foolad Technic

Domain B: Behpajooh

Domain C: Neda Industrial Group

Domain D: CGJ (Control Gostar Jahed?)

Domain E: Kala Electric (Kalaye)

March 2010 attack spread to 100k+ machines around the world
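Reconstructing that chain back to the initial victims, as an added example written for this page (not code from the talk). Symantec's analysis found that each Stuxnet sample carries a history of the hosts it passed through (computer name, domain, timestamp), which is what let them merge thousands of collected samples into infection graphs whose roots are the patient zeroes and whose earliest timestamps cluster into the three waves. The input below is constructed sample data in a hypothetical `name|domain|time` text format, not the real on-disk layout; the host names are made up and the domain labels merely echo the companies named above.

```python
"""Merging per-sample host histories into an infection graph.

Added example for this page, not code from the talk. The record format below
('name|domain|ISO-time' hops separated by ';', oldest first) is hypothetical;
the real in-binary layout is not reproduced. All hosts and times are
CONSTRUCTED sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: each string is the history carried by one recovered sample.
SAMPLE_HISTORIES = [
    "ENG-01|FOOLAD|2009-06-23T08:10; HMI-2|FOOLAD|2009-06-25T11:02; LAP-7|FOOLAD|2009-07-01T09:30",
    "ENG-01|FOOLAD|2009-06-23T08:10; HMI-2|FOOLAD|2009-06-25T11:02",
    "PC-44|BEHPAJOOH|2010-03-02T14:00; PC-45|BEHPAJOOH|2010-03-02T15:10; VEND|NEDA|2010-03-09T10:00",
    "PC-44|BEHPAJOOH|2010-03-02T14:00; PC-45|BEHPAJOOH|2010-03-02T15:10",
]


def parse_history(line):
    """One sample's history -> list of (name, domain, datetime), oldest first."""
    hops = []
    for rec in line.split(";"):
        name, domain, ts = (field.strip() for field in rec.split("|"))
        hops.append((name, domain, datetime.fromisoformat(ts)))
    return hops


def build_graph(lines):
    """Merge all histories into parent -> {children} edges plus first-seen times.

    Overlapping histories (a sample copied from another) collapse onto the
    same edges, which is what makes the roots stand out once enough samples
    are collected.
    """
    edges = defaultdict(set)
    first_seen = {}
    for line in lines:
        hops = parse_history(line)
        for i, (name, domain, ts) in enumerate(hops):
            host = f"{domain}\\{name}"
            first_seen[host] = min(ts, first_seen.get(host, ts))
            if i > 0:
                parent = f"{hops[i - 1][1]}\\{hops[i - 1][0]}"
                edges[parent].add(host)
    return edges, first_seen


def patient_zeroes(edges, first_seen):
    """Hosts that appear in some history but never as anyone's child."""
    children = {child for kids in edges.values() for child in kids}
    return sorted(host for host in first_seen if host not in children)


def infection_waves(first_seen, gap_days=30):
    """Cluster earliest-seen times into waves separated by more than gap_days.

    Returns [(wave start date, number of hosts first seen in that wave), ...].
    """
    times = sorted(first_seen.values())
    waves = [[times[0]]]
    for t in times[1:]:
        if (t - waves[-1][-1]).days > gap_days:
            waves.append([t])
        else:
            waves[-1].append(t)
    return [(wave[0].date().isoformat(), len(wave)) for wave in waves]


if __name__ == "__main__":
    graph, seen = build_graph(SAMPLE_HISTORIES)
    print("patient zeroes:", patient_zeroes(graph, seen))
    print("waves:", infection_waves(seen))
```

With only four constructed samples the graph is tiny, but the method is the same one that scales to thousands of real samples: roots are the hosts nobody else reports having infected, and a cross-domain hop (here the BEHPAJOOH machine reaching a NEDA host) is the kind of edge that shows how a contractor's laptop carries a worm from one company into another.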

Did Stuxnet Succeed?

Enriched uranium output didn't decline substantially

Mistakes

• Got caught

• In 500 KB of code just one bug - print spooler error

• Compatibility issue causing BSoD

• Zero-days

• Failure to kill code

Pros of Digital Weapons

• Save lives/prevent war?

• If done right - no collateral damage

• Plausible deniability

Cons

• Difficult to control

• Easily duplicated for blowback

• Lowers bar for entry - a teenager can build a digital weapon

• Legitimized their use for resolving political disputes

• Opens door for similar attacks

• U.S. lost moral high ground

Could an attacker in Russia, China or North Korea make something in the U.S. blow up simply by sending malicious commands via computer?

“Somebody crossed the Rubicon” - Gen. Michael Hayden


Twitter: @KimZetter