Posted by Taylor Armerding on January 17, 2019
Whatever happened to Stuxnet? Since it destroyed hundreds of centrifuges at a nuclear enrichment facility in Iran in 2010, the worm’s been quiet—but not idle.
Compared to many of its malware colleagues, the Stuxnet worm has had a lot more than the proverbial 15 minutes of fame.
With good reason. It was precedent-setting. At the time, it was one of the most sophisticated pieces of malware ever created. Kaspersky Lab estimated that it took a team of 10 coders two to three years to create it.
It also crossed a line. Instead of being used “merely” to hack computers and steal the data on them, it was used to cause physical destruction.
By the time it first became public in 2010, Stuxnet had enabled the destruction of nearly a thousand, or about a fifth, of the centrifuges at Iran’s Natanz nuclear enrichment facility, setting back that nation’s nuclear program by 18 months or more. Obviously, that became international news that lasted not just months but years.
After tiptoeing around the attribution issue for a while, most reports settled on saying it was “widely accepted” that Stuxnet was a cyber weapon created by Israeli and U.S. intelligence agencies. There have been books written about it, numerous seminars conducted about it, and, of course, accusations and threats among the nation-states involved.
Stuxnet was also significant because the attackers got the worm into the Natanz computers even though the systems were “air-gapped”—not connected to the internet. They gained access by using USB thumb drives to plant the malware on the systems of third-party companies that had a connection to the Iranian nuclear program.
Stuxnet was highly targeted, designed to scan only for Siemens STEP 7 software on computers controlling a PLC (programmable logic controller). If either was missing, Stuxnet would go dormant inside the computer. But if both were present, it would modify the code and send malicious commands to the PLC while returning feedback that made it look like everything was normal.
Those commands caused the centrifuges to spin out of control and destroy themselves before anyone monitoring the system knew something was wrong.
Reportedly, Stuxnet was never intended to spread beyond Natanz. However, the malware did end up on internet-connected computers and began to spread in the wild, thanks to an extremely sophisticated and aggressive design.
After the Natanz attack, Stuxnet faded from regular headlines within a couple of years, but it returned briefly in 2016, when a Microsoft Security Intelligence Report identified it among exploit-related malware families detected in the second half of 2015.
It faded again until this past November, when Reuters, followed by numerous other outlets, reported a claim by Iran’s civil defense chief that the nation’s government had detected and stopped an Israeli effort to infect computer systems with what he described as a new version of Stuxnet.
Gholamreza Jalali, chief of the National Passive Defense Organization (NPDO), told Iran’s IRNA news service, “Recently, we discovered a new generation of Stuxnet which consisted of several parts … and was trying to enter our systems.”
Mohammad-Javad Azari Jahromi, Iran’s telecommunications minister, accused Israel of being behind the attack, saying the malware was intended to “harm Iran’s communication infrastructures.” But he said the country’s “vigilant technical teams” had blocked the attack, and that Israel had “returned empty-handed.”
The Times of Israel reported at the time that Iranian officials had admitted they were facing an attack from “a more violent, more advanced and more sophisticated [Stuxnet] virus than before, that has hit infrastructure and strategic networks.”
What is the status of Stuxnet now? While it has been in the wild for years, that doesn’t mean just anybody can use it to do the same kind of damage.
Symantec’s Liam O’Murchu, director of the Security Technology and Response group, told CSO magazine in 2017 that it was the most complex code the team had reviewed and was “in a completely different league from anything we’d ever seen before.”
He also said not to believe websites that claimed to have the Stuxnet code available to download, since the source code for the worm hadn’t been released or leaked and can’t be extracted from the binaries that are available in the wild.
While the code for one driver—a very small part of the overall package—had been reconstructed via reverse engineering, that’s not the same as having the original code.
Still, O’Murchu said that researchers could understand a lot about the code by examining the binary in action and reverse engineering it. For example, “it was pretty obvious from the first time we analyzed this app that it was looking for some Siemens equipment,” he said.
And after three to six months of reverse engineering, “we were able to determine, I would say, 99 percent of everything that happens in the code.”
But the November announcement from Iran confirms what’s happening to Stuxnet. It’s evolving, like most malware families do. It’s not so much that it’s back. It’s that it never went away—and it will almost certainly be in the headlines again.