Stuxnet – stranger than fiction

The world of computer hacking throws up some great stories. This article picks up on some interesting aspects of Stuxnet, the name given to a particular piece of malicious software (shortened to “malware”) first revealed publicly in 2010. It’s something of an old story now but I’ve chosen to write about it for three reasons. First, it made people sit up and take notice of what a digital weapon could achieve. Second, enough time has passed for conjecture and rumour to be replaced with statements supported by evidence. Even if that evidence is circumstantial – hell, even if it leads to the wrong conclusion (perhaps by deliberate false trails) – it still makes for a great story, which is the third reason.

Bullseye

While Stuxnet eventually crept out to the world at large, a significant majority of the infections were in Iran. This was due to the way that Stuxnet spread – it wasn’t looking to jump around wildly. It had a specific target in mind: the uranium enrichment facility at Natanz, Iran. The malware was written with the set-up at Natanz in mind. To do this required inside information, doubtless gained through earlier intelligence gathering, whether human or cyber, or both. Having said that, the work on Stuxnet that revealed Natanz as the probable target used official photos of President Ahmadinejad’s visit to Natanz in 2008 as well as video aired on Iranian television, so it’s surprising what you can find out there in the open!

Picture of Ahmadinejad visit – from Langner [*]

Stuxnet modified the program running on the specialist computers used to control the centrifuges at Natanz. Centrifuges are used to enrich natural uranium to a grade that makes it more useful for – well, that’s the thing: enriched uranium can power reactors. Or nuclear weapons, the idea of which clearly made the authors of Stuxnet a bit twitchy. What Stuxnet did was to briefly spin up and slow down the centrifuges outside of their normal operating range, causing damage in a way that was difficult to trace. Stuxnet also used some clever techniques to hide itself from the ordinary view of the Natanz engineers so they could not see it running.

Good ol’ fashioned spying?

One tactic that was key to the success of Stuxnet was the way it could install itself without raising any suspicion. To do the sorts of tricks that allowed it to remain hidden, Stuxnet had to embed itself deep within Microsoft Windows. To do this silently required some of the Stuxnet code to be digitally signed by a trusted source. Just as we sign a document in writing to assert that it’s really us who wrote it, in this context a digital signature is an assertion that some bit of code originates from a particular vendor. Stuxnet had been digitally signed by a genuine manufacturing company, Realtek Semiconductor Corp.

This alone was interesting. But when word got out that this signature wasn’t genuine and shouldn’t be trusted, a new variant of Stuxnet was released that was signed by a different company, JMicron Technology Corp. This too wasn’t genuine. The thing about this kind of forged digital signature is that it looks absolutely real – it’s only because the signatories said that they didn’t sign the code that anyone knows any different. A digital signature uses – what is supposed to be – a secret key. In two cases, then, the keys had got loose somehow. So what happened? It’s not public knowledge, but what’s interesting is that both companies have their headquarters in the same science park in Taiwan:

Approximate locations, Hsinchu Science Park, Taiwan; based on maps from Hsinchu and Google (the route in blue is about 750m)
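The point above, that a signature made with a leaked key looks absolutely real and is only caught once the signatory disowns the key, as an added example rather than code from the original post: a toy Go verifier that uses Ed25519 instead of Windows Authenticode/X.509, where `SigningKey`, `VerifyDriver` and the revocation map are assumed names, not anything from the Stuxnet analyses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// SigningKey stands in for a vendor's code-signing key pair (toy model, not Authenticode/X.509).
type SigningKey struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewSigningKey() SigningKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return SigningKey{Pub: pub, Priv: priv}
}

// Sign signs a driver image; anyone holding Priv, legitimately or not, can do this.
func (k SigningKey) Sign(code []byte) []byte { return ed25519.Sign(k.Priv, code) }
// Fingerprint names a public key the way a revocation list would.
func Fingerprint(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// VerifyDriver returns "trusted", "revoked" or "bad-signature". A signature made with a
// leaked key passes the cryptographic check; only the vendor disowning the key rejects it.
func VerifyDriver(code, sig []byte, pub ed25519.PublicKey, revoked map[string]bool) string {
	if !ed25519.Verify(pub, code, sig) {
		return "bad-signature"
	}
	if revoked[Fingerprint(pub)] {
		return "revoked"
	}
	return "trusted"
}

func main() {
	vendor := NewSigningKey()
	revoked := map[string]bool{}
	genuine := []byte("constructed: genuine vendor driver image")
	rogue := []byte("constructed: driver signed with the leaked vendor key")
	fmt.Println(VerifyDriver(genuine, vendor.Sign(genuine), vendor.Pub, revoked)) // trusted
	fmt.Println(VerifyDriver(rogue, vendor.Sign(rogue), vendor.Pub, revoked))     // trusted too
	revoked[Fingerprint(vendor.Pub)] = true // the vendor disowns the key
	fmt.Println(VerifyDriver(rogue, vendor.Sign(rogue), vendor.Pub, revoked))     // revoked
}
```

The middle line is the whole story: nothing in the bytes of the rogue image distinguishes it from the genuine one, so a verifier that skips the revocation check has no way to tell.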

How did Stuxnet get in?

To get to the machines of interest – that is, the ones that could be used to control the centrifuges – was no mean feat. For a start, they weren’t directly connected to the internet. Stuxnet used a number of tricks to move around computers, including exploiting software bugs that vendors such as Microsoft weren’t even aware of (so-called “zero-days”). One of the ways it spread was through USB sticks. Stuxnet would copy itself on to a USB stick and then try to infect any subsequent computer into which that USB stick was inserted. And so on, and so on. The infection of the Natanz facility could have been an accident or a deliberate act. It’s thought that a contractor was the likely route in.

Version 2 – or was it 1?

In 2013 another variant of Stuxnet was found, which appeared to pre-date the version found first, in that it was discovered to be active back in 2007. It too attacked the computers that controlled centrifuges but it sabotaged them in a different way. Comparing the two variants, it appeared that a decision had been made to sacrifice stealth for a better chance of success. Stuxnet could have been programmed to cause immediate catastrophic damage but, taking the long-term view, it was designed to be a chronic irritant, which not only made Natanz less efficient but wasted the resources of its engineers trying to understand why. Arguably it also achieved something else: it showed that its creators had a digital arsenal. As Langner, the author of the first paper in the references below, points out: “unlike military hardware, one cannot display USB sticks at a military parade”.

It took several years for Stuxnet to be torn apart, and some of the jigsaw is still incomplete. Little did the people who first looked at it know that they had a thriller on their hands.

References
* http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
https://www.thawte.com/code-signing/whitepaper/best-practices-for-code-signing-certificates.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf
http://spectrum.ieee.org/podcast/computing/embedded-systems/stuxnet-leaks-or-lies