Stuxnet (cyberwar against Iran)

I don’t know whether many people got the story about Stuxnet right.
It’s an interesting one.
Last summer a worm was discovered on a number of computers that are normally kept separate from the Internet and other public networks.
Siemens was the first to report a worm affecting its SCADA software systems.
SCADA stands for Supervisory Control And Data Acquisition; SCADA systems monitor and control industrial processes.
Normally they are run by specialized operators who use dedicated computers that are not connected to any network. This leads to unsafe systems, because they are not updated frequently and are left to their own devices, following the logic “if it is not broken, don’t fix it”.
Unfortunately these computers were compromised and this led to successful attacks against the SCADA systems.
But how could these computers be compromised if they were not connected to any network?
Stuxnet spread through infected USB memory devices.
It uses two known Windows vulnerabilities, escalates privileges with two 0-day exploits, targets only Siemens WinCC systems and uses a Windows rootkit to hide itself.
Then it fingerprints Siemens PLC systems and modifies their code, tries to hide itself through further modifications of the PLC code, tries to bypass antivirus and other security software and, last but not least, uses two SSL certificates signed by Verisign.
The worm also has an HTTP call-back channel that could allow other kinds of commands to be executed on the infected machines.
Well, this is not an everyday, normal worm!
Even more so when you consider that writing such code requires full knowledge of these SCADA PLCs and of the industrial infrastructure used and controlled by these SCADA systems.
The author may have had access to, and used, an exact replica of the main targets.
The main targets of Stuxnet are systems in Iran (60%), Indonesia (18%), India (8%) and Azerbaijan (3%).
Many hypotheses have been put forward. The predominant one is that Israel is behind this worm and that this is just one piece of the much-hyped cyberwar between countries.
But what did this worm actually do inside the SCADA systems?
Stuxnet operates inside the SCADA PLCs by modifying the operating frequency of the motors used in the uranium enrichment process. It changes the output frequencies, and thus the speed of the motors, for short intervals over periods of months. This sabotaged the normal operation of the industrial control process and could have set back Iran’s nuclear program by two years.
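A defensive illustration of the behaviour described above (short frequency changes that the modified PLC code tries to hide), added here and not part of the original post: it compares what the control system reports with an independent measurement and groups out-of-band readings into excursion windows. The nominal frequency, tolerance, field names, the existence of an independent sensor and all sample readings are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: int              # seconds since the start of the log
    reported_hz: float  # value shown by the control system
    measured_hz: float  # value from an independent sensor (assumed to exist)

def find_excursions(samples, nominal_hz, tolerance_hz, max_gap_s=60):
    """Group consecutive out-of-band measurements into excursion windows.

    A window is 'masked' when every reported value in it stayed inside the
    band while the independent measurement did not.
    """
    excursions, current = [], None
    for s in sorted(samples, key=lambda x: x.t):
        dev = s.measured_hz - nominal_hz
        if abs(dev) <= tolerance_hz:
            current = None          # back in band: close the window
            continue
        reported_ok = abs(s.reported_hz - nominal_hz) <= tolerance_hz
        if current and s.t - current["end"] <= max_gap_s:
            current["end"] = s.t
            if abs(dev) > abs(current["peak_dev_hz"]):
                current["peak_dev_hz"] = dev
            current["masked"] = current["masked"] and reported_ok
        else:
            current = {"start": s.t, "end": s.t,
                       "peak_dev_hz": dev, "masked": reported_ok}
            excursions.append(current)
    return excursions

# Constructed readings: nominal 1000 Hz, one sample every 30 s.
SAMPLES = [
    Sample(0, 1000.0, 1000.2),
    Sample(30, 1000.0, 999.9),
    Sample(60, 1000.0, 1180.0),    # drive speeds up, display still says 1000
    Sample(90, 1000.0, 1350.0),
    Sample(120, 1000.0, 1175.0),
    Sample(150, 1000.0, 1000.1),
    Sample(86400, 940.0, 940.0),   # a day later: deviation that IS reported
    Sample(86430, 1000.0, 1000.0),
]

if __name__ == "__main__":
    for e in find_excursions(SAMPLES, nominal_hz=1000.0, tolerance_hz=5.0):
        print(e)
```

Masked windows are the ones worth escalating: a deviation the control system reports honestly is a process fault, while one it reports as normal means the reporting path itself cannot be trusted.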
Cyberwar is here to stay.
When will we see new targets such as traffic lights or air traffic control systems, altered hospital patient records or total blackouts?


This entry was posted on Monday, January 24th, 2011 at 9:01 PM and is filed under internet, security.
