While Stuxnet is gone, the world now knows what can be accomplished through cyber-kinetic attacks.
As we approach the 10th anniversary of when Stuxnet was (likely) deployed, it is worthwhile to examine the effect it still has on our world. As the world’s first-ever cyberweapon, it opened Pandora’s box. It was the first true cyber-kinetic weapon – and it changed military history and is changing world history, as well. Its impact on the future cannot be overstated.
Stuxnet is believed to have been conceived jointly by the U.S. and Israel in 2005 or 2006 to cripple Iran’s nuclear weapon development without Iran even realizing that it had been attacked. An early version appears to have been deployed in 2007, but it didn’t reach its target. Perhaps that version’s goal was merely to gather intelligence. Its sophisticated platform was readily adaptable to espionage purposes and several related pieces of malware were primarily designed for that purpose.
The intelligence that its developers eventually obtained about Iranian operations enabled them to get Stuxnet inside Iran’s air-gapped (not connected to the internet) Natanz facility in 2009. They did this by infecting five Iranian companies that installed equipment in Natanz. When technicians at these companies connected their laptops to Natanz equipment, they unwittingly caused Stuxnet to download and spread throughout the facility. Through this indirect connection, Stuxnet’s developers were able to upload and command the malware through 2010, even though they did not have a direct connection with it.
How it worked
Stuxnet is considered the largest and most expensive malware development effort in history, a project too big for anyone but a nation-state to produce. It was also far too precisely targeted to damage anything other than equipment used only in Iranian uranium enrichment facilities.
Stuxnet contained valid security certificates, stolen from legitimate software companies, and multiple zero-day exploits to infect the technicians’ PCs. This combination enabled Stuxnet to easily compromise the PCs once the infected thumb drives were plugged into USB ports.
These three approaches, however, underscore the extraordinary resources Stuxnet’s developers had. Valid security certificates are well protected. Zero-day exploits (vulnerabilities that are unknown to the software manufacturer whose software is exploited) are very difficult to find. A single zero-day exploit is rare to find in malware. Dedicating multiple ones to a single piece of malware was unheard of at the time. Finally, by having the attack depend on getting a physical thumb drive into the possession of technicians protected by tight security requires extraordinary skill.
Once on the Natanz network, Stuxnet looked for Siemens PLCs that possessed two specific blocks of code used to control Iranian uranium enrichment centrifuges. Stuxnet also used rootkit functions that made it hard to discover or remove.
The attack damaged centrifuge rotors through two different routines. The first involved dramatically, but briefly, speeding centrifuges above their maximum safe speed, then briefly slowing them dramatically below their minimum safe speed. The malware would then wait weeks before repeating the cycle, to reduce the chances of detection. The second, more complex routine involved over-pressurizing centrifuges to increase rotor stress over time.
Thus, Stuxnet exerted years of wear on the centrifuges in mere months, causing them to fail faster than the Iranians could replace them. Experts believe that Stuxnet disabled one-fifth of Natanz centrifuges in a year.