GCN LAB IMPRESSIONS
Stuxnet: Can an act of digital terrorism be justified?
- By Greg Crowe
- Jul 11, 2011
At the beginning of last year, Iran’s uranium enrichment facility near Natanz started replacing centrifuges 20 times more frequently than the expected rate. The inspectors with the International Atomic Energy Agency didn’t have any idea why at the time, and weren’t even allowed to ask, according to their report.
What they didn’t know was that the facility was under attack from one of the most pernicious pieces of malware ever to come down the pike. Like most computer viruses, Stuxnet tried to infect as many machines as it could; it did so by taking advantage of a vulnerability in the way Windows Explorer, a fundamental component of Microsoft Windows, handles LNK (shortcut) files. But there were marked differences between Stuxnet and most other malware.
Stuxnet used zero-day exploits, which is rare among this type of software. A zero-day vulnerability is one that the manufacturer has yet to discover, so when a hacker distributes an exploit for it, that happens before the first day on which the manufacturer could take any protective measures. Literally one piece of malware in a million uses such an exploit. Stuxnet used four of them.
And Stuxnet was written to specifically target the exact version of a Siemens programmable logic controller (PLC) that was being used primarily in facilities such as the one in Natanz. If it did not detect the PLC on the computer, Stuxnet would pass itself on and then render itself inert.
Over half of the reported Stuxnet infections were on computers in Iran. Further, it would monitor the rotational frequency of any motors controlled by the computer, and only tampered with their speeds if they were within a certain range that would include nuclear centrifuges.
So, we have a highly sophisticated piece of malware that used an unprecedented number of zero-day exploits to get where it wanted to go, and only damaged certain pieces of hardware once it got there. It seems as if the creators of Stuxnet were using the vast resources available to them solely to slow down the alleged Iranian nuclear weapons program.
Siemens stated that the worm has not caused any damage to its customers, but that the Iranian nuclear program, which uses embargoed Siemens equipment procured clandestinely, was severely damaged.
What Stuxnet did was to spin the centrifuges a lot faster than normal, then rapidly slow them down, then return them to a normal spin, all so quickly that the equipment was placed under serious stress and became unbalanced. This process was repeated in rapid succession until the equipment broke, which happened a lot, to judge from how many centrifuges are being replaced.
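The behaviour just described, a drive driven far above its normal speed, then dropped, then returned to normal, is exactly the kind of pattern an operator can watch for in drive telemetry independently of the controller itself. The following is an added example, not code from the article or from any vendor: a small monitor that flags readings outside a nominal frequency band and abrupt rate-of-change jumps between consecutive samples. The band, the step limit and the telemetry samples are constructed for illustration and are not figures reported for Natanz.

```python
"""Out-of-band and rate-of-change checks over constructed drive-frequency telemetry."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    t: float       # sample time, seconds
    kind: str      # "out_of_band" or "abrupt_change"
    value: float   # observed frequency, Hz


# Hypothetical nominal operating band and maximum tolerated change per second.
# These are assumptions for the example, not values from the article.
NOMINAL_HZ = (950.0, 1100.0)
MAX_STEP_HZ_PER_S = 50.0


def check_telemetry(samples, band=NOMINAL_HZ, max_step=MAX_STEP_HZ_PER_S):
    """samples: iterable of (t_seconds, hz) in time order.

    Returns a list of Alert objects. A single sample can raise both kinds of
    alert: one for leaving the band and one for how fast it got there.
    """
    alerts = []
    prev = None
    for t, hz in samples:
        if not (band[0] <= hz <= band[1]):
            alerts.append(Alert(t, "out_of_band", hz))
        if prev is not None:
            prev_t, prev_hz = prev
            dt = t - prev_t
            # Only compare against the previous sample if time actually advanced.
            if dt > 0 and abs(hz - prev_hz) / dt > max_step:
                alerts.append(Alert(t, "abrupt_change", hz))
        prev = (t, hz)
    return alerts


def summarize(alerts):
    """Count alerts by kind; a burst of abrupt changes is the signature to escalate on."""
    counts = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


# Constructed telemetry: steady running, a sudden overspeed, a sudden drop,
# then a return to nominal that looks normal if you only check the band.
SAMPLE_TELEMETRY = [
    (0.0, 1010.0), (1.0, 1012.0), (2.0, 1009.0),
    (3.0, 1400.0),   # jumps 391 Hz in one second and leaves the band
    (4.0, 1405.0),   # still out of band, but no longer changing quickly
    (5.0, 2.0),      # drops almost to a stop
    (6.0, 1011.0),   # back in band, but the jump itself is abnormal
    (7.0, 1010.0),
]

if __name__ == "__main__":
    for alert in check_telemetry(SAMPLE_TELEMETRY):
        print(alert)
    print(summarize(check_telemetry(SAMPLE_TELEMETRY)))
```

The point of the second check is the last line of the sample: a reading that is back inside the nominal band passes a simple range test, but the speed at which it got there is still a signal. Monitoring that sits outside the PLC, fed by an independent sensor rather than by the controller's own reported values, is what makes this useful against a compromised controller.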
Iran is still trying to figure out how to get the rootkit out of its network. It’s safe to say that their nuclear program has been seriously affected.
The accusations are flying now that Iran has figured out what happened. They of course think the United States had something to do with it, and a report by Kaspersky Lab states that it’s unlikely that such a sophisticated attack could have been created and delivered without state support. Common sense would tell you that this is not a high school hack.
There is even the possibility that Siemens itself was involved, since the targeting was so precise against the company’s equipment.
But nobody knows for sure. France and Israel have been named by some as possible suspects. In fact, Iran is even unsure how Stuxnet got into its network. Some suggested it was carried in on key drives belonging to Russian contractors. Another possibility is that the worm replicated into the network from an unsecured educational server.
But let’s say, for the sake of argument, the United States was behind the attack. Stopping the Iranian nuclear weapons program is a goal worth achieving, but at what cost? Is using malware to gain access to a victim’s computer always wrong, no matter what the objective or outcome? Even if you consider the relatively few computers in other countries (that were running other kinds of motors for other purposes) acceptable losses, is this a weapon that we should stoop to deploy?
As the prospects of cyber conflicts grow, these are questions worth considering.