stuxnet cyberweapon

A computer worm that sabotaged Iran's uranium enrichment program, discovered in June 2010 by security researchers (its earliest known samples date from 2009). Unlike ordinary malware, Stuxnet was a sophisticated weapon designed for a single target: Iran's nuclear program.

Stuxnet didn't steal secrets or flood websites with traffic. Instead, it infiltrated the industrial control systems (ICS) running Iran's uranium enrichment facilities. These facilities use centrifuges that spin uranium gas at very high speeds, a step that is essential to producing nuclear fuel. Through a chain of exploits, Stuxnet manipulated those centrifuges.

why?

The motivations behind the US and Israel's desire to take down Iran's nuclear program are complex.

The US and Israel have long been at odds with Iran's government, which they view as a sponsor of terrorism and a threat in the Middle East. A nuclear program was seen as further increasing Iran's regional influence.

The US and Israel are also concerned about Iran's support for Hezbollah and Hamas, militant groups they view as threats to their security. A nuclear program could increase the influence and power of these groups.

The US and Israel feared Iran's nuclear program could lead to the development of nuclear weapons. A nuclear-armed Iran was seen as a significant threat to regional stability.



how does stuxnet work?

(image from Stuxnet - CyberHoot Cyber Library)

Stuxnet is believed to have entered Iranian systems through several routes, most likely infected USB drives plugged into control-system computers.

Once inside, Stuxnet moved laterally across the network, infecting other vulnerable Windows machines like a digital disease. It also used rootkit techniques to hide its presence and avoid detection: its kernel-mode driver filtered file-system requests so that the worm's own files (including the ones it dropped on USB drives) were hidden from the standard tools used to browse directories or identify file types.

Ordinary Iranian computers were only a stepping stone. Stuxnet was looking for Siemens Step 7 software and the programmable logic controllers (PLCs) it programs: the industrial control system (ICS) "brains" that automate critical tasks such as controlling centrifuge speeds. If no suitable PLC was found, the worm stayed dormant on that machine. When it found one, it injected its own code into the controller and hooked the library that Step 7 uses to talk to PLCs, so engineers could not see the injected code, while the injected code fed back recorded "normal" readings. Nothing looked out of the ordinary until it was too late.

Because the Natanz facility was air-gapped (not connected to the internet), Stuxnet was designed to be carried in on USB drives. A crucial component is the rootkit, which hides malicious activity on a system. To install it, Stuxnet used digitally signed device drivers. Drivers are software components that let the operating system talk to hardware, and a digital signature acts like a seal of authenticity, telling the system (and anti-virus software) that the driver comes from a trusted source and letting it load without warnings.

Stuxnet's drivers were signed with private keys stolen from two Taiwanese hardware manufacturers, Realtek and JMicron. Strictly speaking the signatures were not forged: they were genuine signatures produced with legitimate keys, so the malicious drivers validated exactly as those vendors' real drivers did. Signature checking alone cannot catch a stolen key; only revoking the compromised certificates does, which is what happened once the theft became known.

Once the system accepted the signed drivers, Stuxnet could install its kernel-mode rootkit, giving it privileged access to the core of the system and a foothold from which to reach the Siemens software that programs the PLCs. Stuxnet also exploited four zero-day bugs, which is a lot for a single piece of malware. All four were Windows vulnerabilities: the LNK shortcut-parsing flaw (CVE-2010-2568), which ran the worm as soon as an infected USB drive was viewed in Explorer, a Print Spooler flaw used to spread across the network, and two local privilege-escalation flaws. On the Siemens side it abused a hard-coded database password in the WinCC software, a design weakness rather than a zero-day. Its target was not a typical computer: it had to get through several layers (Windows workstations, then the Step 7 engineering software, then the PLC itself) to reach the controllers.

Typically, attackers keep zero-day exploits secret so they can reuse them in future operations. Stuxnet's creators disregarded that convention, sacrificing future potential for immediate success in this one operation.
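The stolen-key problem above is worth seeing in code. The following is an added example (not Stuxnet's code, not from the original post) with a toy RSA signature and a hypothetical vendor, "Example Device Co", and hypothetical driver file names. It shows why a driver loader that only checks "trusted publisher + valid signature" accepts malware signed with a stolen key, and why the only lever left is revoking the certificate's thumbprint, which also takes the vendor's legitimate drivers down with it.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA with tiny fixed primes. Illustrative only: it demonstrates the trust
# model, it is NOT a secure signature scheme.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # the publisher's PRIVATE exponent


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(priv_d: int, data: bytes) -> int:
    return pow(digest(data), priv_d, N)


def verify(pub_e: int, data: bytes, sig: int) -> bool:
    return pow(sig, pub_e, N) == digest(data)


@dataclass(frozen=True)
class Certificate:
    subject: str
    pub_e: int
    thumbprint: str   # stands in for the X.509 certificate fingerprint


def make_cert(subject: str, pub_e: int) -> Certificate:
    tp = hashlib.sha256(f"{subject}|{pub_e}".encode()).hexdigest()[:16]
    return Certificate(subject, pub_e, tp)


@dataclass(frozen=True)
class SignedDriver:
    name: str
    image: bytes
    signature: int
    cert: Certificate


def load_driver(drv: SignedDriver, trusted_subjects: set, revoked: set) -> tuple:
    """Driver-loader policy: trusted publisher, not revoked, valid signature.
    Returns (accepted, reason)."""
    if drv.cert.subject not in trusted_subjects:
        return False, "untrusted publisher"
    if drv.cert.thumbprint in revoked:
        return False, "certificate revoked"
    if not verify(drv.cert.pub_e, drv.image, drv.signature):
        return False, "bad signature"
    return True, "loaded"


# Constructed scenario: hypothetical vendor and file names, not Stuxnet's.
PUBLISHER = "Example Device Co"
PUBLISHER_CERT = make_cert(PUBLISHER, E)
TRUSTED = {PUBLISHER}

LEGIT_IMAGE = b"legitimate usb controller driver v1.2"
LEGIT = SignedDriver("usbctl.sys", LEGIT_IMAGE, sign(D, LEGIT_IMAGE), PUBLISHER_CERT)

# The attacker has exfiltrated D (the private key); the crypto is not broken.
STOLEN_D = D
ROOTKIT_IMAGE = b"kernel-mode rootkit hiding files and hooking the PLC toolchain"
MALICIOUS = SignedDriver("rootkit.sys", ROOTKIT_IMAGE,
                         sign(STOLEN_D, ROOTKIT_IMAGE), PUBLISHER_CERT)


if __name__ == "__main__":
    print("legit, no revocation  :", load_driver(LEGIT, TRUSTED, set()))
    print("rootkit, no revocation:", load_driver(MALICIOUS, TRUSTED, set()))   # loads!
    revoked = {PUBLISHER_CERT.thumbprint}
    print("rootkit, revoked      :", load_driver(MALICIOUS, TRUSTED, revoked))
    print("legit, revoked        :", load_driver(LEGIT, TRUSTED, revoked))     # collateral
```

The loader has no way to tell the two signed images apart: the signature over `rootkit.sys` is mathematically as valid as the one over `usbctl.sys`. What closes the hole is the revocation set, fed from the vendor's and CA's revocation data, plus the operational fact that revoking one thumbprint rejects everything ever signed under it.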

Nuclear facilities

If you're unsure how enrichment works: a centrifuge is a cylindrical machine that spins at very high speed. Uranium hexafluoride (UF6), a gaseous form of uranium, is fed into it.

As the centrifuge spins, the heavier molecules (those containing U-238) are forced slightly outward by centrifugal force, the apparent outward push produced by rotation. The lighter molecules containing U-235 are less affected and concentrate slightly more towards the centre.

The slightly enriched gas from one centrifuge is fed into the next for further enrichment. Repeating this through a series of linked centrifuges, called a cascade, steadily raises the concentration of U-235. Reactor fuel needs only a few percent U-235; a weapon needs it highly enriched, around 90%.

So by controlling the speed of the centrifuges, the enrichment process itself can be controlled. This is what Stuxnet manipulated: it periodically drove the rotors far above their normal speed and then almost to a stop (Symantec's analysis of the PLC payload reports setpoints of 1,410 Hz and 2 Hz against a normal of about 1,064 Hz), stressing the rotors to the point of failure and spoiling the enrichment run.

Centrifuge speed won't directly affect the weapon. A weapon's design relies on the fissile properties of the enriched uranium, not the speed at which it was enriched; once you have the material, the speed of the centrifuge that produced it is irrelevant to the weapon's function. Sabotaging the speed attacks the production of that material, not the weapon itself.
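To make the two behaviours concrete (the hooked PLC that ignores the operator and replays recorded "normal" readings, and the over-speed/near-stop setpoints), here is an added toy model in Python. It is not Stuxnet's code and not from the original post. The 1,064/1,410/2 Hz figures come from Symantec's public analysis of the PLC payload; the drive dynamics, phase length, recorded trace and the 5% alert threshold are assumptions made for this example. It also shows the check a defender wants: compare what the HMI reports against a sensor channel that does not pass through the PLC or the Step 7 software.

```python
from dataclasses import dataclass

# Public figures: normal rotor frequency about 1064 Hz, attack setpoints
# 1410 Hz (over-speed) then 2 Hz (near stop). Everything else below
# (dynamics, phase length, recorded trace, tolerance) is assumed.
NOMINAL_HZ = 1064.0
ATTACK_SCHEDULE = [1410.0, 2.0]   # each phase held for PHASE_TICKS, then back to nominal
PHASE_TICKS = 8
TOLERANCE = 0.05                  # 5% divergence between channels raises an alert


@dataclass
class Drive:
    """Frequency converter plus rotor; first-order approach to the setpoint."""
    setpoint_hz: float = NOMINAL_HZ
    actual_hz: float = NOMINAL_HZ

    def step(self) -> float:
        self.actual_hz += 0.5 * (self.setpoint_hz - self.actual_hz)
        return self.actual_hz


def simulate(hooked: bool, ticks: int = 30) -> list:
    """Return one (tick, hmi_reported_hz, independent_hz, actual_hz) per tick.

    hooked=False: the PLC passes the operator setpoint through and reports live values.
    hooked=True : the PLC-side code ignores the operator, drives ATTACK_SCHEDULE,
                  and replays a pre-recorded normal trace to the HMI.
    The independent channel models a tachometer logged outside the PLC/Step 7 path.
    """
    drive = Drive()
    recorded_normal = [NOMINAL_HZ + d for d in (-0.4, 0.1, 0.3, -0.2, 0.0)]  # constructed trace
    telemetry = []
    for t in range(ticks):
        if hooked:
            phase = t // PHASE_TICKS
            drive.setpoint_hz = ATTACK_SCHEDULE[phase] if phase < len(ATTACK_SCHEDULE) else NOMINAL_HZ
        else:
            drive.setpoint_hz = NOMINAL_HZ            # operator setpoint
        actual = drive.step()
        reported = recorded_normal[t % len(recorded_normal)] if hooked else actual
        independent = actual                           # assumed: out-of-band sensor is accurate
        telemetry.append((t, reported, independent, actual))
    return telemetry


def first_alert(telemetry: list, consecutive: int = 3):
    """Tick at which HMI-reported and independent readings have diverged by more
    than TOLERANCE for `consecutive` ticks in a row, or None if they never do."""
    run = 0
    for t, reported, independent, _ in telemetry:
        run = run + 1 if abs(reported - independent) > TOLERANCE * NOMINAL_HZ else 0
        if run >= consecutive:
            return t
    return None


def rotor_stress(telemetry: list) -> tuple:
    """(max, min) actual rotor frequency seen during the run."""
    actual = [a for *_, a in telemetry]
    return max(actual), min(actual)


if __name__ == "__main__":
    for label, hooked in (("honest PLC", False), ("hooked PLC", True)):
        tel = simulate(hooked)
        print(f"{label}: alert at tick {first_alert(tel)}, rotor max/min {rotor_stress(tel)}")
```

In the hooked run the HMI trace never leaves the 1,064 Hz band while the rotor actually swings past 1,400 Hz and down below 10 Hz; the only thing that notices is the channel the PLC does not control. That is the design point: a monitoring path that shares the compromised controller's view is blind to this class of attack.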

why target the nuclear facility directly?

It could have been sent as a message to Iran about the consequences of pursuing a nuclear weapons program.

A crippled nuclear program could have strengthened the US and Israel's hand in negotiations with Iran. This could have pressured Iran to accept limitations on its enrichment activities or abandon the program altogether.

discovery and aftermath

The first sign came from international inspectors. The International Atomic Energy Agency (IAEA) routinely visits Iran's Natanz facility to ensure peaceful use of nuclear materials. During a visit, inspectors noticed an alarming trend: a surge in damaged centrifuges.

Normally, wear and tear takes around 800 centrifuges out of commission per year at a facility like Natanz. But in 2010, the IAEA found nearly 2,000 malfunctioning machines – a massive, unexplained jump. One analyst estimated it set the program back two years.

Stuxnet was eventually discovered because it escaped the facility. An office in Iran was experiencing reboots and blue screens, even after fresh OS installs. The security contact at the office reached out to Sergey Ulasen, who worked for the anti-virus vendor VirusBlokAda in Belarus. After isolating the malware, he found it was spreading through a previously unknown Windows flaw; deeper analysis by other vendors later uncovered the remaining zero-days and the PLC payload.

These bugs have since been patched and the stolen certificates revoked, so a current operating system is not vulnerable to Stuxnet itself. Patches ship through the normal software update process, which is one reason keeping systems updated matters.

Stuxnet was the first piece of malicious code to be widely recognised as a weapon, built to cause physical damage as part of a political conflict, and it brought us forward into a world where cyber warfare matters more and more.
