Definition

Stuxnet

Contributor(s): Robert Richardson

The Stuxnet worm is a rootkit exploit that targets supervisory control and data acquisition (SCADA) systems. SCADA systems are used widely for industrial control systems, such as power, water and sewage plants, as well as in telecommunications and oil and gas refining. 

Discovery of Stuxnet

The first public awareness of Stuxnet dates to 2010, when Sergey Ulasen, then head of antivirus kernel development at VirusBlokAda Ltd., an antivirus company based in Belarus, discovered and described the malware (Ulasen went to work for Kaspersky Lab in 2011). Initially, the malware's purpose wasn't fully understood, but it was clear its design was complex, and it probably could not have been written without a team of expert programmers working over a period of several months. Stuxnet consists of three separate code elements; in fact, the first of these had already been noticed and remarked on. VirusBlokAda had found two malware samples in the wild that used a previously unknown flaw that enabled a fully patched Windows 7 computer to be compromised.

There was more to this attack than VirusBlokAda had initially seen, however.

Stuxnet contains code that can identify software used in the process of creating and deploying instructions for programmable logic controllers (PLCs) made by German manufacturer Siemens AG. Though malware that attacked PLCs had been seen before, this was the first instance of a rootkit that ran on a PLC.

Purpose of Stuxnet

Logic controllers automate the most critical parts of an industrial facility's processes, such as temperature, pressure, and the flow of water, chemicals and gases. In the case of Stuxnet, malicious control of Siemens' PLCs was used to make high-speed centrifuges shake violently enough to cause physical damage.

Researchers who have closely examined the components and techniques used in Stuxnet believe work on developing the attack probably began around 2006. The primary attack on the Iran Natanz facility did not take place until the middle of 2009.

Stuxnet used a multistep attack sequence, beginning by exploiting Windows Autorun LNK files and spreading through removable storage devices, such as USB flash drives. It used four previously unknown Microsoft zero-day flaws to gain access to laptops and other machines, with the goal of gaining access to the network. In response, Microsoft issued two patches, and experts in SCADA security created a list of formal recommendations for facilities that use SCADA systems. 

Like the Zeus banking Trojan, Stuxnet code included stolen digital certificates, so the malware appeared legitimate and could avoid detection by traditional intrusion detection systems (IDS). After Stuxnet surfaced, researchers quickly began to reverse-engineer the malware. It is generally believed that Stuxnet was not designed for espionage, but rather to cause failures in the centrifuge infrastructure used for enriching uranium to weapons-grade at Iran's Natanz facility. Subsequent reports have estimated that about one-fifth of the centrifuges used at Natanz were brought offline by the malware.

Countries affected by Stuxnet

Because the target of the Stuxnet attack was Iran's nuclear facility at Natanz, it's not surprising the highest number of infected computers was found in Iran, according to statistics from an initial Symantec report. This degree of geographical targeting is unusual in malware design, however.

Country            Share of infected computers
Iran               58.85%
Indonesia          18.22%
India               8.31%
Azerbaijan          2.57%
United States       1.56%
Pakistan            1.28%
Other countries     9.2%

Stuxnet and the Equation Group

In 2015, Kaspersky Lab reported that a hacker organization dubbed Equation Group had deployed two of the same zero-day attacks used in Stuxnet and had done so prior to the likely date of Stuxnet's release. This led Kaspersky to conclude that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together."

Media coverage and movies based on Stuxnet

Reports in the New York Times published in July 2012 confirmed suspicions that the malware was jointly developed by the U.S. and Israel as part of a project code-named Olympic Games. Agents planted the Stuxnet malware initially in four engineering firms associated with Natanz, counting on careless use of USB thumb drives to transport the attack within the top-secret facility.

More comprehensive subsequent coverage includes the book Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, by David Sanger, the reporter who covered U.S. involvement in Stuxnet development in the New York Times; Kim Zetter's 2014 book, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon; and the 2016 documentary by director Alex Gibney, Zero Days.

A scene from ZERO DAYS, a Magnolia Pictures release.
This was last updated in December 2017
