The Complete Guide to StuxNet! History and Work of StuxNet
What Is StuxNet?
The Stuxnet virus is a worm that is capable of slowing down and stopping the operation of the centrifuges in Iran’s nuclear program. It was detected in September 2010 by a group of researchers from the University of Pennsylvania and Lawrence Livermore National Laboratory.
The worm was hidden inside a large number of small files, which were spread across the internet and eventually infected multiple computers. Once it infected a computer, it started running on it as a background process so that it could hide from detection by antivirus software.
History of StuxNet
Stuxnet, a sophisticated computer worm that can destroy industrial systems, is believed to have been jointly developed by the US and Israel. It is the first publicly known cyberweapon that can be classified as a weapon of mass destruction.
The worm was first discovered in June 2010, when it infected Iranian nuclear facilities and destroyed about a fifth of Iran’s nuclear centrifuges, setting back its nuclear program. The worm was designed to target only a specific Siemens industrial programmable logic controller (PLC), which is a specialized computer used to control and monitor industrial equipment such as gas centrifuges. While the worm was designed to target Siemens PLCs, it infected only the Windows operating system and files with .scr, .pif, .sct, and .dll extensions.
The Stuxnet worm contains two modules: one to collect intelligence and the other to attack the core of the nuclear facility. It was so advanced that it could even change the frequency of the centrifuges used in the nuclear facility. The worm went on to wreak havoc in several nuclear facilities across the world. All of this was done without the knowledge of the people working in the facility.
Is Stuxnet a virus?
Many people call the malware the “Stuxnet virus”, even though it is not a computer virus but a computer worm. Although both viruses and worms are types of malware that can corrupt files, a computer worm can be far more sophisticated. For starters, unlike a virus, a worm doesn’t require human interaction to activate. Instead, it self-propagates, sometimes prolifically, after it enters a system. Besides deleting data, a computer worm can overload networks, consume bandwidth, open a backdoor, diminish hard drive space, and drop other dangerous malware like rootkits, spyware, and ransomware. The term “worm” is usually used for malicious software that spreads within a network without human interaction because it can spread without the help of anyone who would be aware of its presence.
How does StuxNet work?
The Stuxnet worm was a cyber attack that spread across the globe in 2010. It infected and damaged computers in Iran, Russia, and other countries. The attack was launched by the United States National Security Agency (NSA).
The Stuxnet worm is a piece of malware that infects a computer and then quickly spreads to other computers by exploiting vulnerabilities, such as those in Microsoft Windows operating systems. It has been used to shut down industrial control systems at factories and power plants around the world.
StuxNet is believed to be the first state-sponsored cyberwarfare weapon. StuxNet is a “worm” that targets the software that runs industrial computers, including those used to control power grids, oil pipelines, water processing plants and other critical infrastructure. Stuxnet was designed to gain access to a computer network and reprogram the system’s controllers. These controllers then instruct valves, turbines, generators and other industrial control components to perform their functions in an abnormal manner. This abnormal behavior can result in physical damage to the industrial equipment. Stuxnet was first reported in June 2010 by VirusBlokAda, a security firm in Belarus. The worm was later identified as a highly sophisticated cyber weapon allegedly built to target a specific type of industrial control system used to manage industrial processes.
How to prevent Stuxnet:
It’s unlikely Stuxnet could have been entirely averted given the skill and motivation of the parties responsible. Still, there are some lessons to be learned from the Stuxnet scenario. ICS/OT defenders today can glean prescriptive insights on what didn’t work, including:
- Traditional anti-virus would not have found this type of malware.
- Updated host OS may have helped with some of the exploits, but again, unlikely given the attackers’ skill level.
- Application whitelisting and host integrity checking probably would have detected the replaced STEP7 DLLs and altered project files.
- Strict removable media policies and enforcement (potentially even hot glue) could have prevented an initial infection or, at least, made it much harder.
- Sufficient host hardening to include disabling unnecessary services like the Windows printer spooling service would have made lateral movement more difficult.
- Sufficient network segmentation might have stopped the attackers from pivoting across the environment while better monitoring might have alerted defenders to anomalous traffic.
- Diligent application of security policy could have isolated and contained the malware as it beaconed across network zones and layers where it did not belong.
- Most importantly, better-trained resources and appropriate out-of-band (OOB) monitoring for anomalies within the centrifuge halls could have contained the damage early on in the attack.
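The host integrity checking named in the list above, as an added example (not code from the original article or from any vendor): it records a SHA-256 baseline of a software directory and reports drift. It goes one step beyond the text by also flagging baseline content that reappears under a new name, which is what a swapped-out library leaves behind when the original is kept alongside its substitute. The directory layout and file names are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list]:
    """Classify drift; 'relocated' means baseline content now sits under a new name."""
    by_hash = {digest: path for path, digest in baseline.items()}
    report = {"modified": [], "added": [], "removed": [], "relocated": []}
    for path, digest in current.items():
        if path in baseline:
            if baseline[path] != digest:
                report["modified"].append(path)
        elif digest in by_hash:
            report["relocated"].append((by_hash[digest], path))
        else:
            report["added"].append(path)
    report["removed"] = [p for p in baseline if p not in current]
    return report


def demo() -> dict[str, list]:
    """Run the check on a constructed tree; names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("bin", "proj"):
            (root / sub).mkdir()
        (root / "bin" / "vendor_comm.dll").write_bytes(b"original library")
        (root / "proj" / "plant.prj").write_bytes(b"control logic v1")
        baseline = snapshot(root)  # taken while the host is known-good
        # Simulated tampering: original renamed, substitute dropped in its place,
        # and the project file altered.
        (root / "bin" / "vendor_comm.dll").rename(root / "bin" / "vendor_comm_old.dll")
        (root / "bin" / "vendor_comm.dll").write_bytes(b"substitute library")
        (root / "proj" / "plant.prj").write_bytes(b"control logic v1 + extra block")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

A baseline is only trustworthy if it is stored and compared from a system the monitored host cannot write to; a check that runs on the monitored host can itself be subverted.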