Stuxnet: The Father Of Cyberkinetic Weapons

As we approach the 10th anniversary of when Stuxnet was likely deployed, it is worthwhile to examine the effect it still has on our world. As the world’s first-ever cyber-weapon, it opened Pandora’s box. 
 
It was the first true cyberkinetic weapon, and it changed military history and is changing world history, as well. Its impact on the future cannot be overstated.
 
Stuxnet’s beginnings
Stuxnet is believed to have been conceived jointly by the US and Israel in 2005 or 2006 to cripple Iran’s nuclear weapon development without Iran even realizing that it had been attacked. An early version appears to have been deployed in 2007, but it didn’t reach its target. Perhaps that version’s goal was merely to gather intelligence.
 
Its sophisticated platform was readily adaptable to espionage purposes and several related pieces of malware were primarily designed for that purpose.
 
The intelligence that its developers eventually obtained about Iranian operations enabled them to get Stuxnet inside Iran’s air-gapped (not connected to the internet) Natanz facility in 2009. They did this by infecting five Iranian companies that installed equipment in Natanz. When technicians at these companies connected their laptops to Natanz equipment, they unwittingly caused Stuxnet to download and spread throughout the facility. Through this indirect connection, Stuxnet’s developers were able to upload and command the malware through 2010, even though they did not have a direct connection with it.
 
How it worked
Stuxnet is considered the largest and most expensive malware development effort in history, a project too big for anyone but a nation-state to produce. It was also far too precisely targeted to damage anything other than equipment used only in Iranian uranium enrichment facilities. Stuxnet contained valid security certificates, stolen from legitimate software companies, and multiple zero-day exploits to infect the technicians’ PCs. This combination enabled Stuxnet to easily compromise the PCs once the infected thumb drives were plugged into USB ports.
 
These three approaches, however, underscore the extraordinary resources Stuxnet’s developers had. Valid security certificates are well protected. Zero-day exploits (vulnerabilities that are unknown to the software manufacturer whose software is exploited) are very difficult to find. A single zero-day exploit is rare to find in malware. Dedicating multiple ones to a single piece of malware was unheard of at the time. 
 
Finally, by having the attack depend on getting a physical thumb drive into the possession of technicians protected by tight security requires extraordinary skill.
 
Once on the Natanz network, Stuxnet looked for Siemens PLCs that possessed two specific blocks of code used to control Iranian uranium enrichment centrifuges. Stuxnet also used rootkit functions that made it hard to discover or remove.
The attack damaged centrifuge rotors through two different routines.
 
The first involved dramatically, but briefly, speeding centrifuges above their maximum safe speed, then briefly slowing them dramatically below their minimum safe speed. The malware would then wait weeks before repeating the cycle, to reduce the chances of detection.
 
The second, more complex routine involved over-pressurizing centrifuges to increase rotor stress over time. Thus, Stuxnet exerted years of wear on the centrifuges in mere months, causing them to fail faster than the Iranians could replace them. Experts believe that Stuxnet disabled one-fifth of Natanz centrifuges in a year.
 
A chilling discovery
When Stuxnet was discovered in the wild, security experts were baffled with this complex malware that contained both IT and Industrial Control System (ICS) components. Experts in each discipline had little experience in the other. Working together, they unraveled Stuxnet’s purpose: It was the world’s first true cyber-weapon, designed to cause physical damage through infected computer systems.
 
Natanz ultimately was identified as the target, because of an unexpectedly high replacement rate of centrifuges that international inspectors had noticed there. It fulfilled cybersecurity experts’ warnings of the threat of such cyberattacks as IT and industrial control systems converged.
 
Stuxnet successfully targeted each of the three layers of a cyber-physical system. 
 
1) It used the cyber layer to distribute the malware and identify its targets. 
2) It used the control system layer (in this case, PLCs) to control physical processes. 
3) Finally, it affected the physical layer, causing physical damage. 
 
Stuxnet thus was 1) a cyberattack 2) that created kinetic impacts 3) that resulted in physical destruction. Moreover, it demonstrated how it is possible to:
 
• Infect an air-gapped system
• Target precise cyber-physical systems for infection
• Introduce subtle, almost undetectable flaws into physical processes that could be just as damaging, if not more, than crashing a system, while much harder to detect.
 
Consider the implications of such a subtle attack. Defects built into cars or airplanes could cause the finished product to malfunction only after they are being used. In the same way, weaknesses could be built into power grids, making them prone to failure when the original attacker triggers a condition under which the grid was designed to fail. 
 
What about food or water processing? What if toxic additions were made in which the danger is not in a single dose, but cumulatively, over time? All such scenarios could inflict devastating damage without the target even realizing it was under attack.
 
A continuing threat
Stuxnet itself is gone. Experts believe it stopped functioning in 2012. But what it did continues to affect us.
Despite developer efforts to keep Stuxnet confined to the Natanz facility, it reached the wild and was discovered there. The innovative techniques that cost millions of dollars and thousands of hours of time to create now are available to other malware developers to adapt to new cyber-weapons.
 
By revealing the vulnerability of cyber-physical systems, Stuxnet made them an inviting target. Although lack of knowledge of each other’s fields that kept antivirus experts and CPS security experts from unravelling Stuxnet independently is not as extreme as it was then, defending against cyber-kinetic attacks still requires skill in both.
 
When Stuxnet’s developers launched this cyber-kinetic attack on their enemies, it legitimized cyber-weapons. Just as use of nuclear weapons on Japan in World War II spurred a nuclear arms race, today’s nations are believed to be pursuing a similar cyber-weapons race.
 
North Korea’s alleged connection to the 2017 WannaCry ransomware attacks is a prime example. While those attacks affected information systems more than cyber-physical ones, physical hospital equipment was compromised in some locations, forcing delays or cancellations of medical procedures. In addition, five Iranian nationals have been charged with cyberattacks against US targets, including failed cyber-kinetic attacks against the Bowman Avenue Dam in Rye Brook, New York.
 
Takeaways 
While Stuxnet is gone, it forever changed our world. It showed how to inflict damage by targeting cyber-physical systems. It made advanced techniques for breaching secure systems available to cybercriminals and terrorists, and opened the doors to the threat of cyberwarfare.
 
The world now knows what can be accomplished through cyberkinetic attacks. Developing Stuxnet required deep pockets and the talents of some of the world’s best minds. Dare we put anything less toward securing the cyber-physical systems that Stuxnet exposed?
 
CSO Online
 
You Might Also Read:
 
Stuxnet, Secrecy & The New Era of Cyber War:
 
Son Of Stuxnet: Irongate Malware:
 
Cyberwar: The Smart Person's Guide:
 
 
« Army Chief Urges UK To Increase Cyber Defence & Attack Capabilities
What Is Fog Computing? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NATO Cooperative Cyber Defence Centre (CCDCOE)

NATO Cooperative Cyber Defence Centre (CCDCOE)

NATO CCDCOE's mission is to enhance the capability, cooperation and information sharing among NATO, NATO nations and partners in cyber defence.

Cynet

Cynet

Cynet simplifies security by providing a rapidly deployed, comprehensive platform for detection, prevention and automated response to advanced threats with near-zero false positives.

Logicalis

Logicalis

Logicalis are a leading provider of global IT solutions and managed services.

Decision Group

Decision Group

Decision Group are a Total Solution Supplier offering Network Forensics and Lawful Interception tools.

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU-ARCC acts as ITU’s cybersecurity hub in the Arab Region localizing and coordinating cybersecurity initiatives.

National Cybersecurity Society (NCSS)

National Cybersecurity Society (NCSS)

The National Cybersecurity Society is a non-profit organization focused on providing cybersecurity education, awareness and advocacy to small businesses.

Red Piranha

Red Piranha

Red Piranha's Crystal Eye Unified Threat Management Platform is designed for Managed Service Providers and corporations that need extreme security that is both easy to use and affordable.

Defscope

Defscope

Defscope is an Azerbaijani company entirely focused on cybersecurity offering training, security consulting, and other professional services.

TRU Staffing Partners

TRU Staffing Partners

TRU Staffing Partners is an award-winning contract staffing and executive search firm for cybersecurity, eDiscovery and privacy companies and professionals.

Veratad Technologies

Veratad Technologies

Veratad Technologies, LLC is a world class provider of online/real-time Identity Verification, Age Verification, Fraud Prevention and Compliance Solutions.

Persistent Systems

Persistent Systems

Persistent Systems are a trusted Digital Engineering and Enterprise Modernization partner, combining deep technical expertise and industry experience to help our clients.

Cyber Law Consulting

Cyber Law Consulting

Cyber Law Consulting is a Dynamic full service legal firm which offers complete services for Cyber Law, cyberlaw, Internet Law, Data Protection Act, Cyber Security, IPR, Drafting.

DC Two

DC Two

DC Two are a locally operated and supported Australian data centre, offering a suite of vertically integrated services covering every part of the data centre and cloud technology stack.

TrustMe

TrustMe

TrustMe’s integrated platform for business trust and resilience keeps organizations safe, secure, and trustworthy.

TIM Enterprise

TIM Enterprise

TIM Enterprise offers innovative, sustainable and secure 360-degree digital solutions to companies and public administrations.

Mother Technologies

Mother Technologies

From Datacentre to Desktop, Mother Technologies has been delivering IT Support, Telecoms, Cybersecurity and Connectivity services to businesses across Scotland and beyond since 2002.