Jump to content

Stuxnet

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 85.64.157.194 (talk) at 20:26, 6 October 2010. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Stuxnet is a Windows-specific computer worm first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies on and reprograms industrial systems.[1] It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes.[2] Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes.[3]

It is the first-ever computer worm to include a PLC rootkit.[4] It is also the first known worm to target critical industrial infrastructure.[5] Furthermore, the worm's probable target has been said to have been high value infrastructures in Iran using Siemens control systems.[6][7] According to news reports the infestation by this worm might have damaged Iran's nuclear facilities in Natanz[8][9] and eventually delayed the start up of Iran's Bushehr Nuclear Power Plant.[10]Siemens has stated however that the worm has not in fact caused any damage.[11]

European digital security company Kaspersky Labs released a statement that described Stuxnet as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world." Kevin Hogan, Senior Director of Security Response at Symantec, noted that 60 percent of the infected computers worldwide were in Iran, suggesting its industrial plants were the target.[12] Kaspersky Labs concluded that the attacks could only have been conducted "with nation-state support", making Iran the first target of real cyber warfare.[13][14][15]

History

It was first reported by the security company VirusBlokAda in mid-June 2010, and roots of it have been traced back to June 2009.[3] The worm contains a component with a build time stamp from 3 February 2010.[16]

Affected countries

A study of the spread of Stuxnet by Symantec showed that the main affected countries as of August 6, 2010 were:[17]

Country Infected Computers
China 6,000,000 (unconfirmed) [18](October 1)
Iran 62,867
Indonesia 13,336
India 6,552
United States 2,913
Australia 2,436
Britain 1,038
Malaysia 1,013
Pakistan 993
Germany 5 [19](September)

Operation

Stuxnet attacks Windows systems using four zero-day attacks (including the CPLINK vulnerability and a vulnerability used by the Conficker worm) and targets systems using Siemens' WinCC/PCS 7 SCADA software. It is initially spread using infected USB flash drives and then uses other exploits to infect other WinCC computers in the network. Once inside the system it uses the default passwords to command the software.[3] Siemens, however, advises against changing the default passwords because it "could impact plant operations."[20]

The complexity of the software is very unusual for malware. The attack requires knowledge of industrial processes and an interest in attacking industrial infrastructure.[1][3] The number of used zero-day Windows exploits is also unusual, as zero-day Windows exploits are valued, and hackers do not normally waste the use of four different ones in the same worm.[6] Stuxnet is unusually large at half a megabyte in size,[21] and written in different programming languages (including C and C++) which is also irregular for malware.[1][3] It is digitally signed with two authentic certificates which were stolen[21] from two certification authorities (JMicron and Realtek) which helped it remain undetected for a relatively long period of time.[22] It also has the capability to upgrade via peer to peer, allowing it to be updated after the initial command and control server was disabled.[21][23] These capabilities would have required a team of people to program, as well as check that the malware would not crash the PLCs. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years.[21]

A Siemens spokesperson said that the worm was found on 15 systems with five of the infected systems being process manufacturing plants in Germany. Siemens claims that no active infections have been found and there were no reports of damages caused by the worm.[19] It is suspected that the Stuxnet took India’s INSAT-4B Satellite out of action, making it effectively dead. [24]

Removal

Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and advises installing the Microsoft patch for vulnerabilities and disallowing the use of third-party USB sticks.[25]

The worm's ability to reprogram external programmable logic controllers (PLCs) may complicate the removal procedure. Symantec's Liam O'Murchu warns that fixing Windows systems may not completely solve the infection; a thorough audit of PLCs is recommended. In addition, it has been speculated that incorrect removal of the worm could cause a significant amount of damage.[26]

Speculations about the target and origin

Alan Bentley of security firm Lumension has said that Stuxnet is "the most refined piece of malware ever discovered ... mischief or financial reward wasn’t its purpose, it was aimed right at the heart of a critical infrastructure". Symantec estimates that the group developing Stuxnet would have been well-funded, consisting of five to ten people, and would have taken six months to prepare.[27]

The Guardian, the BBC and The New York Times all reported that experts studying Stuxnet considered that the complexity of the code indicates that only a nation state would have the capabilities to produce it.[6][27][28] Israel, perhaps through Unit 8200,[29] has been speculated to be the country behind Stuxnet in many of the media reports[27][30][31] and by experts such as Richard Falkenrath, former Senior Director for Policy and Plans within the Office of Homeland Security.[32] This is also due to several clues in the code such as a concealed reference to the word “MYRTUS”, believed to refer to the Myrtle tree, or Hadassah in Hebrew. This was apparently the birth name of the former Jewish queen of Persia, Queen Esther. In the Book of Esther, Jewish forces, after unraveling a Persian attack plan, stage a preemptive and successful assault against their adversaries. [33] [34] Also, the number 19790509 that appears once in the code and might refer to 1979, May 9th, the day Habib Elghanian, a Persian Jew, was executed in Tehran.[35][36][37] According to the New York Times a former member of the United States intelligence community said that the attack had been the work of Unit 8200.[38]

There has also been speculation on the involvement of NATO, the United States and other Western nations.[39]

Symantec claims that the majority of infected systems were in Iran (about 60%),[40], (a claim which is not supported by actual data, which shows China to be the most infected country), which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in Iran[6] including either the Bushehr Nuclear Power Plant or the Natanz nuclear facility.[21] Ralph Langner, a German cyber-security researcher, called the malware "a one-shot weapon" and said that the intended target was probably hit,[41] although he admitted this was speculation.[21]

There are reports that Iran's uranium enrichment facility at the Natanz facility was the target of Stuxnet and the site sustained damage because of it causing a sudden 15% reduction in its production capabilities. There was also a previous report by wikileaks disclosing a "serious nuclear accident" at the said site in 2009.[42][31][43][9][44][45] According to statistics published by the Federation of American Scientists (FAS) the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 beginning around the time the nuclear incident WikiLeaks mentioned would have occurred.[46]

The name is derived from some keywords discovered in the software.[47] Since the whole Stuxnet code has not yet been decrypted, its intent remains unknown. Among its peculiar capabilities is a fingerprinting technology which allows it to precisely identify the systems it infects. It appears to be looking for a particular system to destroy at a specific time and place. Once it has infected a system it performs a check every 5 seconds to determine if its parameters for launching an attack are met. The exact way through which Stuxnet destroys its target is still a mystery but it is thought[by whom?] that it may be programmed to cause a catastrophic physical failure by, for example, overriding turbine RPM limits, shutting down lubrication or cooling systems, or sabotaging the high-speed spinning process of centrifuge arrays at Iran's Natanz nuclear facility.[41][48] Since the complex code of Stuxnet looks for a very particular type of system and controller, it has been theorized that the target is of a high importance for the attacker.[49]

Iranian reaction

The Associated Press reported that the semi-official Iranian Students News Agency released a statement on 24 September 2010 stating that experts from the Atomic Energy Organization of Iran met in the previous week to discuss how Stuxnet could be removed from their systems.[2] Western intelligence agencies have been attempting to sabotage the Iranian nuclear program for some time, according to analysts.[50][51]

The head of the Bushehr Nuclear Power Plant told Reuters that only the personal computers of staff at the plant had been infected by Stuxnet and the state-run newspaper Iran Daily quoted Reza Taghipour, Iran's telecommunications minister, as saying that it had not caused "serious damage to government systems".[28] Director of Information Technology Council at the Iranian Ministry of Industries and Mines, Mahmud Liaii has said that: "An electronic war has been launched against Iran... This computer worm is designed to transfer data about production lines from our industrial plants to locations outside Iran."[52]

It is believed that infection had originated from Russian laptops belonging to Russian contractors at the site of Bushehr power plant and spreading from there with the aim of targeting the power plant control systems.[53][54][55] It has also been reported that the United States, under one of its most secret programs, initiated by the Bush administration and accelerated by the Obama administration, has sought to destroy Iran's nuclear program by novel methods such as undermining Iranian computer systems.[56] In response to the infection, Iran has assembled a team to combat it. With more than 30,000 IP addresses affected in Iran, an official has said that the infection is fast spreading in Iran and the problem has been compounded by the ability of Stuxnet to mutate. Iran has set up its own systems to clean up infections and has advised against using the Siemens SCADA antivirus since it is suspected that the antivirus is actually embedded with codes which update Stuxnet instead of eradicating it.[57][58][59][60]

According to Hamid Alipour, deputy head of Iran's government Information Technology Company, "The attack is still ongoing and new versions of this virus are spreading." He reports that his company had begun the cleanup process at Iran's "sensitive centres and organisations."[58] "We had anticipated that we could root out the virus within one to two months, but the virus is not stable, and since we started the cleanup process three new versions of it have been spreading," he told the Islamic Republic News Agency.[60]

See also

References

  1. ^ a b c Robert McMillan (16 September 2010). "Siemens: Stuxnet worm hit industrial systems". Computerworld. Retrieved 16 September 2010.
  2. ^ a b "Iran's Nuclear Agency Trying to Stop Computer Worm". Tehran: Associated Press. 25 September 2010. Archived from the original on 25 September 2010. Retrieved 25 September 2010.
  3. ^ a b c d e Gregg Keizer (16 September 2010). "Is Stuxnet the 'best' malware ever?". Infoworld. Retrieved 16 September 2010.
  4. ^ "Last-minute paper: An indepth look into Stuxnet". Virus Bulletin.
  5. ^ "Stuxnet worm hits Iran nuclear plant staff computers". BBC News.
  6. ^ a b c d Fildes, Jonathan (23 September 2010). "Stuxnet worm 'targeted high-value Iranian assets'". BBC News. Retrieved 23 September 2010.
  7. ^ "Stuxnet virus: worm 'could be aimed at high-profile Iranian targets'". The Daily Telegraph. 23 September 2010. Retrieved 28 September 2010.
  8. ^ Ethan Bronner & William J. Broad (29 September 2010). "In a Computer Worm, a Possible Biblical Clue". NYTimes. Retrieved 2 October 2010.
  9. ^ a b "Iran Confirms Stuxnet Damage to Nuclear Facilities". Tikun Olam. 25 September 2010. Retrieved 28 September 2010.
  10. ^ "Software smart bomb fired at Iranian nuclear plant: Experts". Economictimes.indiatimes.com. 24 September 2010. Retrieved 28 September 2010.
  11. ^ ComputerWorld (14 September 2010). "Siemens: Stuxnet worm hit industrial systems". Computerworld. Retrieved 3 October 2010.
  12. ^ http://www.reuters.com/article/idUSLDE68N1OI20100924
  13. ^ http://news.scotsman.com/world/Iran-39first-victim-of-cyberwar39.6550278.jp
  14. ^ http://www.pakalertpress.com/2010/09/26/iran-first-victim-of-cyberwar/
  15. ^ http://www.mymacaddress.com/iran-first-victim-of-cyberwar/
  16. ^ Aleksandr Matrosov, Eugene Rodionov, David Harley, and Juraj Malcho. "Stuxnet under the microscope" (PDF). Retrieved 24 September 2010.{{cite web}}: CS1 maint: multiple names: authors list (link)
  17. ^ "Factbox: What is Stuxnet?". Retrieved 30 September 2010.
  18. ^ John Leyden (1 October 2010). "Stuxnet worm slithers into China, heralds alien invasion". TheRegister. Retrieved 2 October 2010.
  19. ^ a b crve (17 September 2010). "Stuxnet also found at industrial plants in Germany". The H. Retrieved 18 September 2010.
  20. ^ Tom Espiner (20 July 2010). "Siemens warns Stuxnet targets of password risk". cnet. Retrieved 17 September 2010.
  21. ^ a b c d e f Kim Zetter (23 September 2010). "Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target". Wired. Retrieved 24 September 2010.
  22. ^ "Kaspersky Lab provides its insights on Stuxnet worm". Kaspersky Lab. 24 September 2010. Retrieved 27 September 2010.
  23. ^ Liam O Murchu (17 September 2010). "Stuxnet P2P component". Symantec. Retrieved 24 September 2010.
  24. ^ [1]
  25. ^ "SIMATIC WinCC / SIMATIC PCS 7: Information concerning Malware / Virus / Trojan". Siemens. Retrieved 24 September 2010.
  26. ^ "Siemens: Stuxnet Worm Hit Industrial Systems". IDG News.
  27. ^ a b c "Stuxnet worm is the 'work of a national government agency'". The Guardian. 24 September 2010. Retrieved 27 September 2010.
  28. ^ a b Markoff, John (26 September 2010). "A Silent Attack, but Not a Subtle One". New York Times. Retrieved 27 September 2010.
  29. ^ Stuxnet worm heralds new era of global cyberwar, guardian.co.uk, 30 September 2010
  30. ^ Hounshell, Blake (27 September 2010). "6 mysteries about Stuxnet". Foreign Policy. Retrieved 28 September 2010.
  31. ^ a b "The Stuxnet worm: A cyber-missile aimed at Iran?". The Economist. 24 September 2010. Retrieved 28 September 2010.
  32. ^ Falkenrath Says Stuxnet Virus May Have Origin in Israel: Video. Bloomberg Television 2010-09-24 [2]
  33. ^ IRAN/CRITICAL NATIONAL INFRASTRUCTURE: CYBER SECURITY EXPERTS SEE THE HAND OF ISRAEL’S SIGNALS INTELLIGENCE SERVICE IN THE “STUXNET” VIRUS WHICH HAS INFECTED IRANIAN NUCLEAR FACILITIES, 01 SEPTEMBER 2010. [3].
  34. ^ Riddle, Warren (2010-10-1). "Mysterious 'Myrtus' Biblical Reference Spotted in Stuxnet Code". SWITCHED. Retrieved 2010-10-06. {{cite web}}: Check date values in: |date= (help)
  35. ^ "W32.Stuxnet Dossier" (PDF). Symantec Corporation.
  36. ^ "Symantec Puts 'Stuxnet' Malware Under the Knife". PC Magazine.
  37. ^ "New Clues Point to Israel as Author of Blockbuster Worm, Or Not". Wired.
  38. ^ Kevon O'Brien, A Silent Attack, but Not a Subtle One, New York Times online vom 30. September 2010, see also [4]
  39. ^ "Stuxnet Worm a U.S. Cyber-Attack on Iran Nukes?". CBS News.
  40. ^ Robert McMillan (23 July 2010). "Iran was prime target of SCADA worm". Computerworld. Retrieved 17 September 2010.
  41. ^ a b Clayton, Mark (21 September 2010). "Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?". Christian Science Monitor. Retrieved 23 September 2010.
  42. ^ "Serious nuclear accident may lay behind Iranian nuke chief%27s mystery resignation". wikileaks.
  43. ^ Clayton, Mark (25 February 2009). "Stuxnet worm mystery: What's the cyber weapon after?". Yahoo News. Retrieved 28 September 2010.
  44. ^ "6 mysteries about Stuxnet". Blog.foreignpolicy.com. Retrieved 28 September 2010.
  45. ^ Paul Woodward (22 February 1999). "Iran confirms Stuxnet found at Bushehr nuclear power plant". Warincontext.org. Retrieved 28 September 2010.
  46. ^ "German Cyber-Security Expert: Stuxnet's Target, Natanz Reactor". www.richardsilverstein.com. 23 September 2010. Retrieved 2 October 2010.
  47. ^ The Stuxnet Outbreak; A worm in the Centrifuge, The Economist 2 October 2010
  48. ^ Mills, Elinor. "Expert: Stuxnet was built to sabotage Iran nuclear plant". News.cnet.com. Retrieved 28 September 2010.
  49. ^ "Was Stuxnet Built to Attack Iran's Nuclear Program?". Pcworld.com. 21 September 2010. Retrieved 28 September 2010.
  50. ^ "Signs of sabotage in Tehran's nuclear programme". Gulf News. 14 July 2010.
  51. ^ Reuters (7 July 2009). "Wary of naked force, Israel eyes cyberwar on Iran". Retrieved 27 September 2010. {{cite news}}: |author= has generic name (help)
  52. ^ "Under cyber-attack, says Iran". The Hindu.
  53. ^ Peter Beaumont (26 September 2010). "Iran nuclear experts race to stop spread of Stuxnet computer worm". The Guardian. Retrieved 28 September 2010.
  54. ^ "Stuxnet worm hits Iran nuclear plant staff computers". BBC News. 26 September 2010. Retrieved 28 September 2010.
  55. ^ "Computer worm infects Iran's nuclear station". The Daily Telegraph. Retrieved 28 September 2010.
  56. ^ Daivd Sanger (25 September 2010). "Iran Fights Malware Attacking Computers". New York Times. Retrieved 28 September 2010.
  57. ^ "شبکه خبر :: راه های مقابله با ویروس"استاکس نت"" (in Iranian). Irinn.ir. Retrieved 28 September 2010.{{cite web}}: CS1 maint: unrecognized language (link)
  58. ^ a b "Stuxnet worm rampaging through Iran: IT official". AFP. Archived from the original on 28 September 2010.
  59. ^ "IRAN: Speculation on Israeli involvement in malware computer attack". Los Angeles Times. 27 September 2010. Retrieved 28 September 2010.
  60. ^ a b "Iran struggling to contain 'foreign-made' 'Stuxnet' computer virus". Washington Post. 27 September 2010. Retrieved 28 September 2010.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Stuxnet&oldid=389166453"