The Stuxnet Outbreak
TABLE OF CONTENTS
01 Stuxnet? Is it a sci-fi movie?
  • What are we talking about?
  • What is a computer worm?
02 The incredible journey of a “not so” little worm
  • From Windows vulnerabilities to Iranian targets
  • Was the attack successful?
03 What did we learn from this attack?
  • Who were the super villains?
  • What can we do against cyber-attacks?
Stuxnet? Is it a sci-fi movie?
What are we talking about?
• Stuxnet is a malicious computer worm
• It targets supervisory control and data acquisition (SCADA) systems, and more specifically programmable logic controllers (PLCs)
• Responsible for causing substantial damage to the nuclear program of Iran, as it ruined almost one-fifth of Iran's nuclear centrifuges
• Cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games
Stuxnet? Is it a sci-fi movie?
What is a computer worm?
• Standalone malware computer program that replicates itself in order to spread to other computers
• Often uses a computer network to spread itself, relying on security failures on the target computer to access it
• Uses this machine as a host to scan and infect other computers, to spread as widely as possible
• Uses recursive methods to copy itself without a host program and distribute itself, infecting more and more computers in a short time
The incredible journey of a “not so” little worm
From Windows vulnerabilities to Iranian targets
• Stuxnet does little harm to computers and networks that do not meet its targeting requirements; it’s a marksman's job
  → Very unusual precision
• Makes itself inert if the targeted software is not found on infected computers, and contains safeguards to prevent spreading too fast
  → Very unusual behavior
• Contains code for a man-in-the-middle attack that fakes industrial process control sensor signals, so an infected system does not shut down due to detected abnormal behavior
  → Very unusual complexity
The incredible journey of a “not so” little worm
From Windows vulnerabilities to Iranian targets
Stuxnet consists of a layered attack against three different systems:
  → The Windows operating system
  → Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows (SCADA systems = software)
  → One or more Siemens S7 PLCs (programmable logic controller = hardware)
The incredible journey of a “not so” little worm
From Windows vulnerabilities to Iranian targets
The Windows infection
• Unprecedented four zero-day attacks (plus 2 known vulnerabilities)
  → Very unusual, as zero-days are highly valued ($60k – $2.5M)
• Use of infected removable drives such as USB flash drives, which contain Windows shortcut files to initiate executable code
  → To penetrate private networks
• Has both user mode and kernel mode rootkit ability under Windows, and its device drivers have been digitally signed with the private keys of two stolen public key certificates
  → Drivers successfully installed without users being notified
• Two websites in Denmark and Malaysia were configured as C2 servers for the malware, allowing it to be updated and to upload information
  → To perform industrial espionage
The incredible journey of a “not so” little worm
From Windows vulnerabilities to Iranian targets
The Step 7 software infection
• Stuxnet infects project files belonging to Siemens' WinCC/PCS 7 SCADA control software (Step 7), and subverts a key communication library of WinCC (s7otbxdx.dll)
• Intercepts communications between the WinCC software and the Siemens PLC devices when the two are connected via a data cable
• Installs itself on PLC devices unnoticed and masks its presence from WinCC if the control software attempts to read an infected block of memory from the PLC system
  → Zero-day exploit in the WinCC/SCADA database software in the form of a hard-coded database password (plain text password in source code)
The incredible journey of a “not so” little worm
From Windows vulnerabilities to Iranian targets
The Siemens S7 PLC infection
• Stuxnet attacks PLC systems with variable-frequency drives from two specific vendors: Vacon (Finland) and Fararo (Iran)
• Monitors the frequency of the attached motors, and only attacks systems that spin between 807 Hz and 1,210 Hz (typical frequency of gas centrifuges)
• Installs malware into a memory block (DB890) of the PLC and periodically modifies the frequency to 1,410 Hz, then to 2 Hz, then to 1,064 Hz, changing the motors' rotational speed
• Installs a rootkit that hides the malware on the system and masks the changes in rotational speed from monitoring systems
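The two slides above describe the core of the sabotage: the drive frequency is pushed outside the 807–1,210 Hz operating band while the PLC's own reports are faked so the monitoring system sees nothing. The detection below is an added example, not code from the presentation or from any Siemens tool: it cross-checks the frequency the PLC reports against an independent out-of-band measurement (assumed to come from a sensor logged outside the PLC), and raises an alert when either the independent value leaves the band or the two sources disagree. The telemetry is constructed for illustration.

```python
"""Added example: detect Stuxnet-style drive manipulation from telemetry.
Assumes two readings per sample: the value the PLC/WinCC reports and an
independent measurement taken outside the PLC (assumed sensor path).
Band and attack frequencies are the ones quoted in the slides."""
from typing import List, Tuple

NORMAL_BAND = (807.0, 1210.0)   # Hz, gas-centrifuge operating band from the slides
MAX_DIVERGENCE_HZ = 5.0          # assumed tolerance between the two sensor paths

Sample = Tuple[int, float, float]  # (t_seconds, reported_hz, independent_hz)


def check_sample(reported: float, independent: float) -> List[str]:
    """Return alert reasons for one sample (empty list = nothing suspicious)."""
    alerts = []
    lo, hi = NORMAL_BAND
    if not lo <= independent <= hi:
        alerts.append(f"independent reading {independent:.0f} Hz outside {lo:.0f}-{hi:.0f} Hz")
    # A masked excursion shows up as the PLC "reporting" a steady value
    # while the independent path sees something else.
    if abs(reported - independent) > MAX_DIVERGENCE_HZ:
        alerts.append(f"reported {reported:.0f} Hz disagrees with independent {independent:.0f} Hz")
    return alerts


def scan(samples: List[Sample]) -> List[Tuple[int, str]]:
    """Run check_sample over a time series; returns (timestamp, reason) pairs."""
    return [(t, reason) for t, rep, ind in samples for reason in check_sample(rep, ind)]


# Constructed telemetry: the PLC keeps reporting a steady 1,064 Hz (the masked
# value) while the independent sensor sees the 1,410 Hz -> 2 Hz -> 1,064 Hz cycle.
CONSTRUCTED_SAMPLES: List[Sample] = [
    (0,   1064.0, 1064.0),
    (60,  1064.0, 1065.0),   # within tolerance, in band: no alert
    (120, 1064.0, 1410.0),   # over-speed: out of band and diverges from reported
    (180, 1064.0, 2.0),      # near-stop: out of band and diverges
    (240, 1064.0, 1064.0),   # back to the masked value: nothing to report
]

if __name__ == "__main__":
    for t, reason in scan(CONSTRUCTED_SAMPLES):
        print(f"t={t}s ALERT: {reason}")
```

The point of the second check is that the band test alone is defeated by the rootkit; only a measurement the PLC cannot rewrite exposes the divergence.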
The incredible journey of a “not so” little worm
Was the attack successful?
Natanz nuclear facilities
• First identified in mid-June 2010 by security company VirusBlokAda; first press blog about the worm in July 2010 by journalist Brian Krebs
• In September 2010, experts and specialists were convinced that Stuxnet was meant to sabotage the uranium enrichment facility at Natanz
• In November 2010 it was announced that uranium enrichment at Natanz had ceased several times because of a series of major technical problems
• In December 2010, a major report said that Stuxnet may have destroyed up to 1,000 centrifuges (10 percent) between November 2009 and late January 2010
  → It may be harder to destroy centrifuges by use of cyber attacks than believed
The incredible journey of a “not so” little worm
Was the attack successful?
Iranian reaction
• Iranian officials declared in September 2010 that Western intelligence agencies had been attempting to sabotage the Iranian nuclear program for some time
• "An electronic war has been launched against Iran... This computer worm is designed to transfer data about production lines from our industrial plants to locations outside Iran."
• Iranian engineers were successful in neutralizing and purging Stuxnet from their country's nuclear machinery by December 2010
  → Given the growth in Iranian enrichment ability in 2010, the country may have intentionally put out misinformation to cause Stuxnet's creators to believe that the worm was more successful than it was
What did we learn from this attack?
Who were the super villains?
• Experts believe that Stuxnet required the largest and costliest development effort in malware history
• Team of highly capable programmers, in-depth knowledge of industrial processes, and an interest in attacking industrial infrastructure
• The complexity of the code indicates that only a nation-state would have the abilities to produce it
• Ralph Langner, who identified Stuxnet-infected PLCs, said in 2011: "The Mossad is involved, but the leading force is not Israel. The leading force behind Stuxnet is the cyber superpower – there is only one; and that's the United States."
What did we learn from this attack?
Who were the super villains?
• Israel has not publicly commented on the Stuxnet attack, but in 2010 confirmed that cyberwarfare was now among the pillars of its defense doctrine
• When questioned whether Israel was behind the virus in the fall of 2010, some Israeli officials broke into "wide smiles", fueling speculation
• Gabi Ashkenazi, retiring Israel Defense Forces (IDF) Chief of Staff, showed videos including references to Stuxnet at his retirement party to celebrate his operational successes
What did we learn from this attack?
Who were the super villains?
• The United States, under one of its most secret programs, initiated by the Bush administration and accelerated by the Obama administration, has sought to destroy Iran's nuclear program by novel methods such as undermining Iranian computer systems
• A diplomatic cable obtained by WikiLeaks showed how the United States was advised to target Iran's nuclear abilities through covert sabotage
• John Bumgarner, a former intelligence officer and member of the United States Cyber Consequences Unit (US-CCU), published an article, prior to Stuxnet being discovered, arguing that cyber attacks are permissible against nation states which are operating uranium enrichment programs that violate international treaties
• Bumgarner pointed out that the centrifuges used to process fuel for nuclear weapons are a key target for cyber operations and that they can be made to destroy themselves by manipulating their rotational speeds
What did we learn from this attack?
What can we do against cyber-attacks?
Industrial Control System (ICS) Cybersecurity (SCADA security)
• International standards for cybersecurity in industrial automation (IEC 62443, NERC, NIST), along with best practice guidelines published by major organizations
  → Definition of standard processes, techniques and requirements
  → Providing direction and guidance for control system end-users
• Prevention requires a multi-layered approach, often termed defense in depth
  → Personnel (policies and procedures, awareness and training)
  → Infrastructure (access control measures, physical security measures)
  → Network management (network segmentation, system hardening, patch management)
  → Network monitoring (system monitoring, anti-virus and intrusion prevention system)
• Starting with a cyber security audit for companies
  → Risk analysis and a control system security assessment
What did we learn from this attack?
What can we do against cyber-attacks?
The French national digital security strategy
• Led by ANSSI, this strategy is designed to support the digital transition of French society, a transition that carries risks for the State, economic stakeholders and citizens
  → Cybercrime, espionage, propaganda, sabotage and excessive exploitation of personal data
• Collective and coordinated response based on five strategic priorities:
  → Fundamental interests (State information systems and critical infrastructures, operators essential to the economy and society)
  → Citizen rights (digital trust, privacy, personal data)
  → Education (awareness raising, initial training, continuing education)
  → Economy (environment of digital technology businesses, industrial policy, export and internationalization)
  → Sovereignty (Europe, digital strategic autonomy, cyberspace stability)
It’s time to conclude
The Stuxnet Outbreak
• Malicious computer worm that targets SCADA systems and caused substantial damage to the nuclear program of Iran
• It may have been the most sophisticated piece of malware ever written, and surely required the largest and costliest development effort in malware history
• It was a truly offensive cyber weapon, and a significant escalation in the capability to conduct complex operations in a cyber warfare environment
• Probably built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games
Thank you for your attention
Do you have any questions?