What the news says it was ??
– Iranian centrifuge destroyer
- Its one goal was to destroy the Iranian nuclear program
– Developed by the United States and Israel
– ‘Mission: Impossible’-like virus
– It will kill your unborn children
- Assuming they are born in a hospital that uses PLCs (Programmable Logic Controllers)
What it really was ??
– Malware that spread across networks to infect systems running the Siemens WinCC
and PCS 7 SCADA software
– Took advantage of the fact that PLCs are usually unsecured
– Once inside, it could reprogram the PLCs it found
- Giving it the ability to alter how the machinery those PLCs control actually runs
– Self-replicates through removable drives by exploiting a vulnerability that allows
automatic execution: Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution
– Spreads within a LAN through a vulnerability in the Windows Print Spooler: Microsoft
Windows Print Spooler Service Remote Code Execution Vulnerability
– Spreads through SMB by exploiting the Microsoft Windows Server Service RPC
Handling Remote Code Execution Vulnerability
– Copies and executes itself on remote computers through network shares.
– Copies and executes itself on remote computers running a WinCC database
– Copies itself into Step 7 projects in such a way that it automatically executes
when the Step 7 project is loaded.
– Updates itself through a peer-to-peer mechanism within a LAN.
– Exploits a total of four unpatched (zero-day) Microsoft vulnerabilities: two of the
self-replication vulnerabilities mentioned above (the Server Service RPC flaw had already
been patched) and two escalation-of-privilege vulnerabilities
– Contacts a command and control server that allows the attacker to
download and execute code, including updated versions of the malware.
– Contains a Windows rootkit that hides its binaries.
– Attempts to bypass security products.
– Fingerprints a specific industrial control system configuration and modifies code on
the Siemens PLCs to sabotage the system.
– Hides modified code on PLCs, essentially a rootkit for PLCs
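Added example for the removable-drive vector listed above (this is editor-written triage code, not from the original slides or from any published Stuxnet analysis): it parses a .lnk file's ShellLinkHeader and LinkTargetIDList per the MS-SHLLINK layout and flags shortcuts whose item list both references the Control Panel folder CLSID and carries a UTF-16 path ending in .dll, the combination that makes Explorer load a library just to render an icon. The two sample shortcuts, their simplified ItemID layouts, the item type bytes and the paths (E:\payload.dll, C:\Users\Public\notes.txt) are constructed for the demo. A genuine link to a Control Panel applet can also trip the check, so a hit means "pull the file for analysis", not "infected".

```python
import struct
import uuid

# Constants from the MS-SHLLINK specification and the Windows shell namespace.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")          # ShellLink CLSID
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")  # Control Panel folder
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")    # "My Computer" root
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x00000001   # LinkFlags bit 0


def parse_header(data: bytes) -> int:
    """Validate the 76-byte ShellLinkHeader and return its LinkFlags."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    size = struct.unpack_from("<I", data, 0)[0]
    if size != HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    return struct.unpack_from("<I", data, 20)[0]


def parse_id_list(data: bytes, offset: int) -> list:
    """Split the LinkTargetIDList at `offset` into raw ItemID payloads.

    IDListSize covers the items plus the 2-byte TerminalID; each ItemIDSize
    counts its own 2-byte size field.
    """
    total = struct.unpack_from("<H", data, offset)[0]
    pos, end, items = offset + 2, offset + 2 + total, []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:                      # TerminalID reached
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def utf16_strings(blob: bytes, min_len: int = 4) -> list:
    """Extract printable-ASCII UTF-16LE runs, trying both byte alignments."""
    found = []
    for start in (0, 1):
        run = []
        for i in range(start, len(blob) - 1, 2):
            lo, hi = blob[i], blob[i + 1]
            if hi == 0 and 0x20 <= lo < 0x7F:
                run.append(chr(lo))
                continue
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def analyze_lnk(data: bytes) -> dict:
    """Heuristic findings for one .lnk file: Control Panel reference + DLL paths."""
    flags = parse_header(data)
    result = {"control_panel_ref": False, "dll_paths": []}
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return result                           # no target list, nothing to load
    for item in parse_id_list(data, HEADER_SIZE):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            result["control_panel_ref"] = True
        for s in utf16_strings(item):
            if s.lower().endswith(".dll"):
                result["dll_paths"].append(s)
    return result


def is_suspicious(data: bytes) -> bool:
    r = analyze_lnk(data)
    return r["control_panel_ref"] and bool(r["dll_paths"])


# --- Constructed samples: simplified ItemID layouts, not real Windows output ---
def make_item(type_byte: int, payload: bytes) -> bytes:
    body = bytes([type_byte]) + payload
    return struct.pack("<H", len(body) + 2) + body


def make_lnk(items: list) -> bytes:
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LNK_CLSID.bytes_le
    struct.pack_into("<I", header, 20, HAS_LINK_TARGET_ID_LIST)
    id_list = b"".join(items) + b"\x00\x00"     # items followed by TerminalID
    return bytes(header) + struct.pack("<H", len(id_list)) + id_list


ROOT_ITEM = make_item(0x1F, b"\x50" + MY_COMPUTER_CLSID.bytes_le)
BENIGN_LNK = make_lnk([ROOT_ITEM,
                       make_item(0x32, "C:\\Users\\Public\\notes.txt".encode("utf-16-le"))])
SUSPECT_LNK = make_lnk([
    ROOT_ITEM,
    make_item(0x1F, b"\x50" + CONTROL_PANEL_CLSID.bytes_le),   # hypothetical Control Panel item
    make_item(0x70, "E:\\payload.dll".encode("utf-16-le")),      # hypothetical DLL on the USB stick
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(name, analyze_lnk(blob), "SUSPICIOUS" if is_suspicious(blob) else "ok")
```

To use it on a mounted removable drive, read each *.lnk under the mount point into `analyze_lnk`; the string scan is alignment-agnostic because real ItemIDs embed their Unicode strings at odd offsets after type and flag bytes.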
Targeted Attack !!
The goal was not to blow up the centrifuges outright!
It induces problems slowly, so that all targeted sites are affected
before the problems surface.
It holds the aggressive DEADFOOT condition only for short periods, and
then resumes undisturbed operation for periods of many days.
Results of the Stuxnet attack
In late 2009 or early 2010, Stuxnet destroyed
about 1,000 IR-1 centrifuges out of about 9,000
deployed at the Natanz Fuel Enrichment Plant (FEP)
It rattled the Iranians, who were unlikely to know
what caused the breakage
It delayed the expected expansion of the plant
It consumed a limited supply of centrifuges to
replace those destroyed.