Stuxnet, first discovered in 2010, was a malicious computer worm that caused substantial damage to Iran’s nuclear program. The worm targeted supervisory control and data acquisition (SCADA) systems. It is widely believed to be a cyberweapon built jointly by American and Israeli intelligence. This historic cyber threat, unlike any seen before, has since become a subject of intense research and discussion in cybersecurity communities.
Threat Actor Profile
Although there has never been an official claim or proof, it is widely believed in the intelligence and cybersecurity communities that Stuxnet was a state-sponsored cyber weapon, jointly developed by the United States and Israel. This conclusion is drawn from the complexity and specificity of the worm, the nature of its targets, and subsequent leaks and reports.
Before the discovery of Stuxnet, there were few, if any, known instances of cyber weapons that caused physical damage. However, following Stuxnet, researchers have discovered other sophisticated malware, including Flame and Duqu, that bear similarities to Stuxnet and are believed to be from the same or related sources.
Stuxnet: A Step by Step Breakdown
- Introduction and Infection Vector: Stuxnet was designed to propagate via removable drives, specifically USB drives. The worm used a zero-day vulnerability (MS10-046, CVE-2010-2568) in the way Windows parsed shortcut (.lnk) files, so the malware executed as soon as the drive was opened on a computer.
- Propagation: After infecting the first machine, Stuxnet used multiple methods to spread across the network. This included two more zero-day exploits: MS10-061 (CVE-2010-2729), a print spooler service impersonation vulnerability, and MS10-092 (CVE-2010-3338), a Task Scheduler vulnerability.
- Identifying the Target: After propagating across the network, Stuxnet checked for the presence of Siemens Step7 software, which is used for programming industrial control systems. The worm was specifically looking for frequency converter drives from two manufacturers: Vacon based in Finland and Fararo Paya based in Iran.
- Payload Delivery: If the conditions were met, the payload was activated. Stuxnet replaced the code in the PLCs controlling the speed of the centrifuges, causing them to spin too fast and ultimately fail.
- Sabotage: Simultaneously, Stuxnet reported to the operators that all systems were functioning normally, thereby preventing early detection of the sabotage.
Associated MITRE ATT&CK TTPs
Stuxnet utilized many tactics, techniques, and procedures (TTPs) that align with the MITRE ATT&CK framework, including but not limited to:
- T1065: Uncommonly Used Port – Stuxnet used this technique to communicate over ports that network devices normally don’t use.
- T1015: Accessibility Features – Stuxnet took advantage of accessibility features in Windows to maintain persistence.
- T1053: Scheduled Task – The malware used the Windows Task Scheduler to execute malicious scripts, aiding in its propagation.
- T1105: Remote File Copy – Stuxnet utilized this technique to copy itself across networked drives.
- T1010: Application Window Discovery – Stuxnet was observed identifying active software windows, potentially as a method of avoiding detection.
- T1036: Masquerading – Stuxnet disguised itself as legitimate software or processes to evade security solutions.
- T1146: Clear Command History – To erase traces of its activity, Stuxnet cleared command history on compromised devices.
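As an added example (not from the original page, and not MITRE or vendor tooling), the Python script below turns three of the techniques listed above into detection logic and runs it over log lines. The log lines are constructed for the demonstration and the key=value layout is a stand-in for whatever a SIEM actually emits; the event IDs are the Windows ones for scheduled-task creation (Security 4698), service installation (System 7045) and detailed file-share access (Security 5145), plus the Sysmon driver-load event (ID 6). The driver file names checked by the masquerading rule are the ones from the IOC list further down the page; the host names, task names and paths are invented.

```python
import ntpath
import re
from collections import namedtuple

# Constructed sample events (not real captures) in a simplified key=value form.
SAMPLE_LOGS = [
    'ts=2010-06-17T09:12:01 host=ws01 event=4698 user=CORP\\alice task="\\Microsoft\\Windows\\updater" action="C:\\Windows\\Temp\\svc.exe"',
    'ts=2010-06-17T09:12:05 host=ws01 event=7045 service="MRxCls" path="C:\\Windows\\system32\\drivers\\mrxcls.sys"',
    'ts=2010-06-17T09:12:06 host=ws01 event=6 image="C:\\Windows\\system32\\drivers\\mrxnet.sys" signed=true',
    'ts=2010-06-17T09:13:40 host=ws01 event=5145 share="\\\\ws02\\ADMIN$" relative_target="svc.exe" access=WriteData',
    'ts=2010-06-17T10:00:00 host=ws02 event=4698 user=SYSTEM task="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" action="%windir%\\system32\\defrag.exe"',
]

# File names taken from this page's IOC list.
STUXNET_FILE_NAMES = {"s7otbxdx.dll", "mrxcls.sys", "mrxnet.sys"}
# Path fragments that indicate a user-writable location (a crude but useful heuristic).
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\", "\\downloads\\")

Finding = namedtuple("Finding", "technique host reason")

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value log line into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def rule_scheduled_task(ev):
    """T1053: a scheduled task (4698) whose action lives in a user-writable directory."""
    if ev.get("event") == "4698":
        action = ev.get("action", "").lower()
        if any(hint in action for hint in USER_WRITABLE_HINTS):
            return "task %r runs %s" % (ev.get("task"), ev.get("action"))
    return None


def rule_known_driver(ev):
    """T1036: a service install (7045) or driver load (Sysmon 6) of a file name from the IOC list."""
    if ev.get("event") in ("7045", "6"):
        path = ev.get("path") or ev.get("image") or ""
        name = ntpath.basename(path).lower()
        if name in STUXNET_FILE_NAMES:
            return "driver %s matches a Stuxnet file name" % name
    return None


def rule_remote_copy(ev):
    """T1105: an executable written to an administrative share (5145 with WriteData)."""
    if ev.get("event") == "5145" and "WriteData" in ev.get("access", ""):
        target = ev.get("relative_target", "").lower()
        if target.endswith((".exe", ".dll", ".sys")) and ev.get("share", "").endswith("$"):
            return "wrote %s to %s" % (ev.get("relative_target"), ev.get("share"))
    return None


RULES = [
    ("T1053", rule_scheduled_task),
    ("T1036", rule_known_driver),
    ("T1105", rule_remote_copy),
]


def evaluate(lines):
    """Run every rule over every line; return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for technique, rule in RULES:
            reason = rule(ev)
            if reason:
                findings.append(Finding(technique, ev.get("host", "?"), reason))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOGS):
        print("%s on %s: %s" % (f.technique, f.host, f.reason))
```

On the constructed input the script reports four findings: the task whose action sits under Windows\Temp, the two driver events for names on the IOC list, and the executable written to ADMIN$ on another host; the Defrag task is ignored because its action path is a system location. The rules are deliberately narrow, which is the point to take from the exercise: a real ruleset would also want the task author, the signer of the loaded driver and the source host of the share write, since Stuxnet's drivers carried valid-looking signatures and the copy across shares is what the T1105 entry above refers to.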
Some of the known Indicators of Compromise (IOCs) for Stuxnet include:
- File Names: s7otbxdx.dll, mrxcls.sys, mrxnet.sys
- Hashes (MD5): 6f6d42da668c79670f0ecf1e7014b24d, 947874e078a6f92e46e2a56b3ee7fa5a, 7b63ee7886f45513b16dc9c48bb7d9e8
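To make the indicators above directly usable, here is an added Python example (not from the page or from any vendor tool) that sweeps a directory tree and reports every file whose name or MD5 digest appears in the IOC list. The demo tree it builds contains constructed placeholder files, not Stuxnet components, so on that tree only the name rule fires; the hash rule is exercised by passing in the digest of one of the placeholders.

```python
import hashlib
import os
import tempfile

# Indicators exactly as listed on this page.
IOC_FILE_NAMES = {"s7otbxdx.dll", "mrxcls.sys", "mrxnet.sys"}
IOC_MD5 = {
    "6f6d42da668c79670f0ecf1e7014b24d",
    "947874e078a6f92e46e2a56b3ee7fa5a",
    "7b63ee7886f45513b16dc9c48bb7d9e8",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large binaries never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, names=IOC_FILE_NAMES, hashes=IOC_MD5):
    """Walk `root` and return [(path, [reasons...])] for every file that matches
    an indicator by case-insensitive name or by MD5 digest."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            reasons = []
            if fname.lower() in names:
                reasons.append("name:" + fname.lower())
            try:
                file_hash = md5_of_file(path)
            except OSError:
                continue  # locked or unreadable; a production sweep would log this
            if file_hash in hashes:
                reasons.append("md5:" + file_hash)
            if reasons:
                hits.append((path, reasons))
    return hits


def build_demo_tree():
    """Create a throwaway tree of constructed placeholder files (not Stuxnet components):
    one reusing an IOC name with different letter case, one benign file."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    drivers = os.path.join(root, "drivers")
    os.makedirs(drivers)
    with open(os.path.join(drivers, "MRxCls.sys"), "wb") as fh:
        fh.write(b"constructed placeholder, not the real driver\n")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign placeholder\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, reasons in sweep(demo_root):
        print(path, "->", ", ".join(reasons))
```

Two caveats a practitioner should keep in mind when using this. An MD5 indicator matches only the exact sample it was taken from, so a recompiled or patched variant passes the hash rule while the name rule still catches it, and vice versa once the file is renamed; both kinds of indicator are cheap for an attacker to change. And a user-mode directory walk runs under whatever the operating system reports, so on a host suspected of carrying a kernel driver component the sweep is more trustworthy when run against an offline disk image or from clean boot media.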
Stuxnet marked a turning point in cybersecurity history, demonstrating that cyber weapons can cause physical damage and have geopolitical implications. The worm set a precedent for future cyber warfare, leading to an increased emphasis on securing industrial control systems.
The document titled “Stuxnet Under the Microscope” is a comprehensive study of the Stuxnet malware, a sophisticated piece of malicious software that targeted industrial systems, particularly Programmable Logic Controllers (PLCs) used in industrial environments. The document was produced by the NATO Cooperative Cyber Defence Centre of Excellence.
The document begins with an introduction to Stuxnet, comparing its significance to major breakthroughs in other fields such as aviation and biology. It explains that Stuxnet is unique because of its complexity, flexibility, potential, combination of features, multi-role performance, and specific targeting, and describes it as a new breed of superworm.
The document then delves into the technical aspects of Stuxnet, including its operating mode, replication, data exfiltration, stealth capabilities, encryption and obfuscation, and other considerations. It also provides a comparative analysis with other malware and discusses the technical development of Stuxnet, including the manpower involved and the mistakes made during its creation.
The document also explores the goals achieved by Stuxnet, its origins, and the geopolitical considerations surrounding its use. It discusses the potential for future developments in cyber warfare, drawing on the lessons learned from the Stuxnet case.
NATO Cooperative Cyber Defence Centre of Excellence. (2012). Stuxnet Under the Microscope. https://ccdcoe.org/uploads/2018/10/Falco2012_StuxnetFactsReport.pdf