Malware targets frequency converter drives from two specific vendors
by John Leyden / November 15th 2010

Security researchers have found an important missing piece in the Stuxnet jigsaw that provides evidence that the malware was targeted at the types of control systems more commonly found in nuclear plants and other specialised operations than in mainstream factory controls.

It was already known that the highly sophisticated Stuxnet worm targets industrial plant control (SCADA) systems from Siemens, spreading using either unpatched Windows vulnerabilities or from infected USB sticks. The malware only uses infected PCs as a conduit onto connected industrial control systems. The malware is capable of reprogramming or even sabotaging targeted systems while hiding its presence using rootkit-style functionality. New research, published late last week, has established that Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. In addition, Stuxnet is only interested in frequency converter drives that operate at very high speeds, between 807 Hz and 1210 Hz.

The malware is designed to change the output frequencies of drives, and therefore the speed of associated motors, for short intervals over periods of months. This would effectively sabotage the operation of infected devices while creating intermittent problems that are that much harder to diagnose. Low-harmonic frequency converter drives that operate at over 600 Hz are regulated for export in the US by the Nuclear Regulatory Commission as they can be used for uranium enrichment. They may have other applications but would certainly not be needed to run a conveyor belt at a factory, for example.

Symantec – which has an informative write-up piece here – describes the new research as a “critical piece of the puzzle”. Eric Chien, a senior researcher at Symantec, writes. “With this discovery, we now understand the purpose of all of Stuxnet’s code”. Although we know what Stuxnet does, we still can’t be sure who created it or its exact purpose, although we can make an educated guess. Stuxnet infections first surfaced in Malaysia in June, but the appearance of the malware in Iran has long been the major point of interest in the story. Plant officials at the controversial Bushehr nuclear plant in Iran admitted the malware had infected its network in September. This had nothing to do with a recently announced two-month delay in bringing the reactor online, government ministers subsequently claimed.

One theory is that Russian contractors at the site of Bushehr power plant introduced the malware, either accidentally or (more likely) deliberately. Stuxnet used four Windows zero-day vulnerabilities to spread and must have been developed by a team with expertise in and access to industrial control systems over several weeks, at a minimum. Altogether an expensive and tricky project with no obvious financial return, factors suggest the malware was developed with either the direct involvement of support of intelligence agencies or nation-states and designed for sabotage.

The appearance of the malware has provoked talk of cyberwar in some quarters and certainly done a great deal to raise the profile of potential attacks on power grid and utility systems in the minds of politicians. This is regardless of the potential likelihood of such an attack actually being successful, which remains unclear even after the arrival of Stuxnet.

Stuxnet malware is ‘weapon’ out to destroy … Iran’s Bushehr nuclear plant?
by Mark Clayton / September 21, 2010

Cyber security experts say they have identified the world’s first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant. The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something. At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran’s Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.

The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.

Unlike most malware, Stuxnet is not intended to help someone make money or steal proprietary data. Industrial control systems experts now have concluded, after nearly four months spent reverse engineering Stuxnet, that the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide. Internet link not required. “Until a few days ago, people did not believe a directed attack like this was possible,” Ralph Langner, a German cyber-security researcher, told the Monitor in an interview. He was slated to present his findings at a conference of industrial control system security experts Tuesday in Rockville, Md. “What Stuxnet represents is a future in which people with the funds will be able to buy an attack like this on the black market. This is now a valid concern.”

A gradual dawning of Stuxnet’s purpose
It is a realization that has emerged only gradually. Stuxnet surfaced in June and, by July, was identified as a hypersophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away.

But what was the motive of the people who created it? Was Stuxnet intended to steal industrial secrets – pressure, temperature, valve, or other settings –and communicate that proprietary data over the Internet to cyber thieves? By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous.

But it gets worse. Since reverse engineering chunks of Stuxnet’s massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown. “Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world,” says Langner, who last week became the first to publicly detail Stuxnet’s destructive purpose and its authors’ malicious intent. “This is not about espionage, as some have said. This is a 100 percent sabotage attack.”

A guided cyber missile
On his website, Langner lays out the Stuxnet code he has dissected. He shows step by step how Stuxnet operates as a guided cyber missile. Three top US industrial control system security experts, each of whom has also independently reverse-engineered portions of Stuxnet, confirmed his findings to the Monitor. “His technical analysis is good,” says a senior US researcher who has analyzed Stuxnet, who asked for anonymity because he is not allowed to speak to the press. “We’re also tearing [Stuxnet] apart and are seeing some of the same things.”

Other experts who have not themselves reverse-engineered Stuxnet but are familiar with the findings of those who have concur with Langner’s analysis. “What we’re seeing with Stuxnet is the first view of something new that doesn’t need outside guidance by a human – but can still take control of your infrastructure,” says Michael Assante, former chief of industrial control systems cyber security research at the US Department of Energy’s Idaho National Laboratory. “This is the first direct example of weaponized software, highly customized and designed to find a particular target.” “I’d agree with the classification of this as a weapon,” Jonathan Pollet, CEO of Red Tiger Security and an industrial control system security expert, says in an e-mail.

One researcher’s findings
Langner’s research, outlined on his website Monday, reveals a key step in the Stuxnet attack that other researchers agree illustrates its destructive purpose. That step, which Langner calls “fingerprinting,” qualifies Stuxnet as a targeted weapon, he says. Langner zeroes in on Stuxnet’s ability to “fingerprint” the computer system it infiltrates to determine whether it is the precise machine the attack-ware is looking to destroy. If not, it leaves the industrial computer alone. It is this digital fingerprinting of the control systems that shows Stuxnet to be not spyware, but rather attackware meant to destroy, Langner says.

Stuxnet’s ability to autonomously and without human assistance discriminate among industrial computer systems is telling. It means, says Langner, that it is looking for one specific place and time to attack one specific factory or power plant in the entire world. “Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open,” Langner says in an interview. “The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process.”

So far, Stuxnet has infected at least 45,000 computers worldwide, Microsoft reported last month. Only a few are industrial control systems. Siemens this month reported 14 affected control systems, mostly in processing plants and none in critical infrastructure. Some victims in North America have experienced some serious computer problems, Eric Byres, an expert in Canada, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.

Langner’s analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows. “After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon,” Langner writes in his analysis. “Something big.”

For those worried about a future cyber attack that takes control of critical computerized infrastructure – in a nuclear power plant, for instance – Stuxnet is a big, loud warning shot across the bow, especially for the utility industry and government overseers of the US power grid. “The implications of Stuxnet are very large, a lot larger than some thought at first,” says Mr. Assante, who until recently was security chief for the North American Electric Reliability Corp. “Stuxnet is a directed attack. It’s the type of threat we’ve been worried about for a long time. It means we have to move more quickly with our defenses – much more quickly.”

Has Stuxnet already hit its target?
It might be too late for Stuxnet’s target, Langner says. He suggests it has already been hit – and destroyed or heavily damaged. But Stuxnet reveals no overt clues within its code to what it is after. A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.

Could Stuxnet’s target be Iran’s Bushehr nuclear power plant, a facility much of the world condemns as a nuclear weapons threat? Langner is quick to note that his views on Stuxnet’s target is speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr’s expected startup in late August has been delayed, he notes, for unknown reasons. (One Iranian official blamed the delay on hot weather.)

But if Stuxnet is so targeted, why did it spread to all those countries? Stuxnet might have been spread by the USB memory sticks used by a Russian contractor while building the Bushehr nuclear plant, Langner offers. The same contractor has jobs in several countries where the attackware has been uncovered. “This will all eventually come out and Stuxnet’s target will be known,” Langner says. “If Bushehr wasn’t the target and it starts up in a few months, well, I was wrong. But somewhere out there, Stuxnet has found its target. We can be fairly certain of that.”


Computer security experts are often surprised at which stories get picked up by the mainstream media. Sometimes it makes no sense. Why this particular data breach, vulnerability, or worm and not others? Sometimes it’s obvious. In the case of Stuxnet, there’s a great story.

As the story goes, the Stuxnet worm was designed and released by a government–the U.S. and Israel are the most common suspects–specifically to attack the Bushehr nuclear power plant in Iran. How could anyone not report that? It combines computer attacks, nuclear power, spy agencies and a country that’s a pariah to much of the world. The only problem with the story is that it’s almost entirely speculation.

Here’s what we do know: Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four “zero-day exploits”: vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)

Stuxnet doesn’t actually do anything on those infected Windows computers, because they’re not the real target. What Stuxnet looks for is a particular model of Programmable Logic Controller (PLC) made by Siemens (the press often refers to these as SCADA systems, which is technically incorrect). These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines–and, yes, in nuclear power plants. These PLCs are often controlled by computers, and Stuxnet looks for Siemens SIMATIC WinCC/Step 7 controller software.

If it doesn’t find one, it does nothing. If it does, it infects it using yet another unknown and unpatched vulnerability, this one in the controller software. Then it reads and changes particular bits of data in the controlled PLCs. It’s impossible to predict the effects of this without knowing what the PLC is doing and how it is programmed, and that programming can be unique based on the application. But the changes are very specific, leading many to believe that Stuxnet is targeting a specific PLC, or a specific group of PLCs, performing a specific function in a specific location–and that Stuxnet’s authors knew exactly what they were targeting.

It’s already infected more than 50,000 Windows computers, and Siemens has reported 14 infected control systems, many in Germany. (These numbers were certainly out of date as soon as I typed them.) We don’t know of any physical damage Stuxnet has caused, although there are rumors that it was responsible for the failure of India’s INSAT-4B satellite in July. We believe that it did infect the Bushehr plant.

All the anti-virus programs detect and remove Stuxnet from Windows systems.

Stuxnet was first discovered in late June, although there’s speculation that it was released a year earlier. As worms go, it’s very complex and got more complex over time. In addition to the multiple vulnerabilities that it exploits, it installs its own driver into Windows. These have to be signed, of course, but Stuxnet used a stolen legitimate certificate. Interestingly, the stolen certificate was revoked on July 16, and a Stuxnet variant with a different stolen certificate was discovered on July 17.

Over time the attackers swapped out modules that didn’t work and replaced them with new ones–perhaps as Stuxnet made its way to its intended target. Those certificates first appeared in January. USB propagation, in March.

Stuxnet has two ways to update itself. It checks back to two control servers, one in Malaysia and the other in Denmark, but also uses a peer-to-peer update system: When two Stuxnet infections encounter each other, they compare versions and make sure they both have the most recent one. It also has a kill date of June 24, 2012. On that date, the worm will stop spreading and delete itself.

We don’t know who wrote Stuxnet. We don’t know why. We don’t know what the target is, or if Stuxnet reached it. But you can see why there is so much speculation that it was created by a government.

Stuxnet doesn’t act like a criminal worm. It doesn’t spread indiscriminately. It doesn’t steal credit card information or account login credentials. It doesn’t herd infected computers into a botnet. It uses multiple zero-day vulnerabilities. A criminal group would be smarter to create different worm variants and use one in each. Stuxnet performs sabotage. It doesn’t threaten sabotage, like a criminal organization intent on extortion might.

Stuxnet was expensive to create. Estimates are that it took 8 to 10 people six months to write. There’s also the lab setup–surely any organization that goes to all this trouble would test the thing before releasing it–and the intelligence gathering to know exactly how to target it. Additionally, zero-day exploits are valuable. They’re hard to find, and they can only be used once. Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done.

None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory “highly speculative,” and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates–India, Indonesia, and Pakistan–are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

Once a theory takes hold, though, it’s easy to find more evidence. The word “myrtus” appears in the worm: an artifact that the compiler left, possibly by accident. That’s the myrtle plant. Of course, that doesn’t mean that druids wrote Stuxnet. According to the story, it refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. “Hadassah” means “myrtle” in Hebrew.

Stuxnet also sets a registry value of “19790509” to alert new copies of Stuxnet that the computer has already been infected. It’s rather obviously a date, but instead of looking at the gazillion things–large and small–that happened on that the date, the story insists it refers to the date Persian Jew Habib Elghanain was executed in Tehran for spying for Israel.

Sure, these markers could point to Israel as the author. On the other hand, Stuxnet’s authors were uncommonly thorough about not leaving clues in their code; the markers could have been deliberately planted by someone who wanted to frame Israel. Or they could have been deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel. Once you start walking down this road, it’s impossible to know when to stop.

Another number found in Stuxnet is 0xDEADF007. Perhaps that means “Dead Fool” or “Dead Foot,” a term that refers to an airplane engine failure. Perhaps this means Stuxnet is trying to cause the targeted system to fail. Or perhaps not. Still, a targeted worm designed to cause a specific sabotage seems to be the most likely explanation.

If that’s the case, why is Stuxnet so sloppily targeted? Why doesn’t Stuxnet erase itself when it realizes it’s not in the targeted network? When it infects a network via USB stick, it’s supposed to only spread to three additional computers and to erase itself after 21 days–but it doesn’t do that. A mistake in programming, or a feature in the code not enabled? Maybe we’re not supposed to reverse engineer the target. By allowing Stuxnet to spread globally, its authors committed collateral damage worldwide. From a foreign policy perspective, that seems dumb. But maybe Stuxnet’s authors didn’t care.

My guess is that Stuxnet’s authors, and its target, will forever remain a mystery.

This essay originally appeared on

My alternate explanations for Stuxnet were cut from the essay. Here they are:

  • A research project that got out of control. Researchers have accidentally released worms before. But given the press, and the fact that any researcher working on something like this would be talking to friends, colleagues, and his advisor, I would expect someone to have outed him by now, especially if it was done by a team.
  • A criminal worm designed to demonstrate a capability. Sure, that’s possible. Stuxnet could be a prelude to extortion. But I think a cheaper demonstration would be just as effective. Then again, maybe not.
  • A message. It’s hard to speculate any further, because we don’t know who the message is for, or its context. Presumably the intended recipient would know. Maybe it’s a “look what we can do” message. Or an “if you don’t listen to us, we’ll do worse next time” message. Again, it’s a very expensive message, but maybe one of the pieces of the message is “we have so many resources that we can burn four or five man-years of effort and four zero-day vulnerabilities just for the fun of it.” If that message were for me, I’d be impressed.
  • A worm released by the U.S. military to scare the government into giving it more budget and power over cybersecurity. Nah, that sort of conspiracy is much more common in fiction than in real life.

Note that some of these alternate explanations overlap.

EDITED TO ADD (10/7): Symantec published a very detailed analysis. It seems like one of the zero-day vulnerabilities wasn’t a zero-day after all. Good CNet articleMore speculation, without any evidence. Decent debunking. Alternate theory, that the target was the uranium centrifuges in Natanz, Iran.

Targeting the iranian enrichment centrifuges in Natanz? / 22.9.2010

I did a writeup of the stuxnet story so far for the large german newspaper Frankfurter Allgemeine Zeitung (FAZ), out in print today (now also online here ). Unfortunatelly the page-one teaser image chosen by the frontpage editor is outright silly, and the picture chosen by the FAZ for the main piece is the reactor in Bushehr, as the facility in Natanz is optically less attractive. But, hey, the story is what counts. I want to comment on some of the more detailed aspects here, that were not fit for the more general audience of the FAZ, and also outline my reasoning, why I think stuxnet might have been targeted at the uranium centrifuges in Natanz, instead of Bushehr as guessed by others.

stuxnet is a so far not seen publicly class of nation-state weapons-grade attack software. It is using four different zero-day exploits, two stolen certificates to get proper insertion into the operating system and a really clever multi-stage propagation mechanism, starting with infected USB-sticks, ending with code insertion into Siemens S7 SPS industrial control systems. One of the Zero-Days is a USB-stick exploit named LNK that works seamlessly to infect the computer the stick is put into, regardless of the Windows operating system version – from the fossile Windows 2000 to the most modern and supposedly secure Windows 7.

The stuxnet software is exceptionally well written, it makes very very sure that nothing crashes, no outward signs of the infection can be seen and, above all, it makes pretty sure that its final payload, which manipulates parameters and code in the SPS computer is only executed if it is very certain to be on the right system. In other words: it is extremly targeted and constructed and build to be as side-effect free as humanly possible. Words used by reverse engineers working on the the thing are “After 10 years of reverse-engineering malware daily, I have never ever seen anything that comes even close to this”, and from another “This is what nation states build, if their only other option would be to go to war”.

Industrial control systems, also called SCADA, are very specific for each factory. They consist of many little nodes, measuring temperature, pressure, flow of fluids or gas, they control valves, motors, whatever is needed to keep the often dangerous industrial processes within their safety and effectiveness limits. So both the hardware module configuration and the software are custom made for each factory. For stuxnet they look like an fingerprint. Only if the right configuration is identified, it does more then just spreading itself. This tells us one crucial thing: the attacker knew very precisely the target configuration. He must have had insider support or otherwise access to the software and configuration of the targeted facility.

I will not dive very much into who may be the author of stuxnet. It is clear that it has been a team effort, that a very well trained and financed team with lots of experience was needed, and that the ressources needed to be alocated to buy or find the vulnerabilities and develop them into the kind of exceptional zero-days used in the exploit. This is a game for nation state-sized entities, only two handful of governments and maybe as many very large corporate entities could manage and sustain such an effort to the achievment level needed to build stuxnet. As to whom of the capable candidates if could be: this is a trip into the Wilderness of Mirrors. False hints are most likely placed all over the place, so it does not make much sense to put much time into this exercise for me.

Regarding the target, things are more interesting. There is currently a lot of speculation that the Iranian reactor at Bushehr may have been the target. I seriouly doubt that, as the reactor will for political reasons only go on-line when Russia wants it to go on-line, which they drag on for many years now, to the frustration of Iran. The political calculations behind this game are complex and involve many things like the situation in Iraq, the US withdrawal plans and Russias unwillingness to let the US actually have free military and political bandwith to cause them trouble in their near abroad.

But there is another theory that fits the available date much better: stuxnet may have been targeted at the centrifuges at the uranium enrichment plant in Natanz. The chain of published indications supporting the theory starts with stuxnet itself. According to people working on the stuxnet-analysis, it was meant to stop spreading in January 2009. Given the multi-stage nature of stuxnet, the attacker must have assumed that it has reached its target by then, ready to strike.

On July 17, 2009 WikiLeaks posted a cryptic notice:

Two weeks ago, a source associated with Iran’s nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iran’s nuclear enrichment program. WikiLeaks had reason to believe the source was credible however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.

A cross-check with the official Iran Students News Agency archives confirmed the resignation of the head of Iran’s Atomic Energy Organization.

According to official IAEA data, the number of actually operating centrifuges in Natanz shrank around the time of the accident Wikileaks wrote about was reduced substantially .

On 07. July 2009 the israeli news-site posted a lengthy piece on possibly cyberwar against the Iran nuclear programm. Intriguingly, even contaminated USB-Sticks were mentioned. In retrospect, the piece sounds like an indirect announcement of a covert victory to allies and enemies.

That there are serious anti-proliferation efforts by all available means undertaken by western intelligence is not in doubt. .

There is further indication in the way stuxnet is actually working on the SPS-level. The current state of analysis seems to support the assumption, that the attack was meant to work synchronized and spread over many identical nodes. In a nuclear power plant, there are not many identical SPS-nodes, as there is a wide variety of subsystems of different kind. Compared to this, an enrichment centrifuge plant consists of thousands of identical units, arranged in serial patterns called cascades. Each of them is by necessity the same, as enrichment centrifuges are massively scaled by numbers. stuxnet would have infected each and every one, then triggering subtle of massive failures, depending on the choice of the attacker. To get an impression how the Natanz facility looks from the inside, Iranian President Ahamadinendjad has visited the place in April 2008.

So in summary, my guess is that stuxnet has been targeted at Natanz and that it achieved sucess in reducing the operational enrichment capability sucessfully. We will probably never be able to find out what really happened for sure, unless Iran comes forward with a post-mortem. Stuxnet will go down in history as the first example of a news class of malware, that has been engineered to weapons-grade performance with nearly no side-effects and pinpoint accuracy in delivering its sabotage payload.

Centrifuges acquired by Libya via the AQ Khan network

Dragons, Tigers, Pearls, and Yellowcake: 4 Stuxnet Targeting Scenarios
by Jeffrey Carr / Nov. 22 2010

In all of the thousands of words that have been printed about Stuxnet, and the many interviews given, there’s been almost no discussion of alternative targeting scenarios for the Stuxnet worm. In fact, apart from my own work in this area, there’s been essentially two options discussed: 1 – the target was Natanz and/or Bushehr, or 2 – there’s no way to tell who the target was. That fact has greatly diminished the value of the discussion because by limiting it to one scenario, you cannot adequately engage in risk management – anticipating and defending against the threats yet to come – which is supposed to be your job if you’re in any type of security business.

To that end I’ve written a white paper ”Dragons, Tigers, Pearls, and Yellowcake: 4 Stuxnet Targeting Scenarios“, in which I describe four possible Stuxnet scenarios by examining the relationships that connect the “victim” states – a kind of cyber victomology. The title comes, in part, from the traditional animal symbolism of China and India – the dragon and the tiger.

The four scenarios are:
Rare-Earth Metals Producing States
Uranium-Producing States
Corporate Sabotage To Discredit Siemens AG
Protecting The Malacca Straits (the String of Pearls)

Due to the space and content limitations of this blog, I’m not able to reproduce the entire white paper here so what follows is a condensed version of the second scenario – an attack against uranium-producing states.

Attack Scenario #2: Uranium Producing States (Asia)

The list of states in Asia who are engaged in mining Uranium as well Uranium enrichment and fuel fabrication closely aligns with the list of states reporting Stuxnet infections.

Iran’s Natanz nuclear reactor has been mentioned in the press as a potential target however according to the IAEA, 2008 was the year that the Fuel Enrichment Plant at Natanz suffered a significant drop in performance. The cause for that drop is not known but there is a lot of speculation ranging from incompetence to sabotage. Whatever the reason, it happened before the earliest Stuxnet sample was discovered (June, 2009).

Stuxnet has frequently been classified as a state or state-sponsored attack however starting in 2009 there’s been a marked increase of anti-nuclear power protests in Germany, Russia, Finland, and France by activist organizations like Ecodefense, ECOperestroika, Greenpeace, the Green League, and Ydinverkosto, a movement in northern Finland which opposes uranium mining and nuclear power. Finland is of particular interest since one of the two frequency convertor drives that Stuxnet issues commands to is made by a Finnish company, Vacon PLC. Some of the above-mentioned groups self-identify as anarchists and are on various law enforcement watchlists for engaging in acts of ecoterorism

Whether members of these groups have the requisite technical skill or the funds to create Stuxnet or similar malware is a matter for the respective state agencies to investigate.

Opportunity: Greenpeace is well-funded and has frequently conducted actions against nuclear facilities of the type that Stuxnet may be targeting. It is not known whether any members of Ydinverkosto are employed by Vacon or have contacts there.

Motive: Nuclear power plants, uranium mines, and Fuel Enrichment facilities are popular targets for environmental activists as well as eco-terrorists. The use of a virus like Stuxnet provides these groups with the ability to disrupt operations at targeted facilities with little to no risk to their members.

Means: Whether any of these groups have the resources or skill sets to develop, test, and launch this level of malware is unknown to the author at this time however Greenpeace France has been the victim of a cyber attack allegedly sponsored by French energy company EDF (see Attack Scenario #3 in the full report).

Assessment: More information is needed about the financial assets and technical capabilities of these environmental action groups before an accurate assessment can be made however these actors may pose a credible threat to this sector in the next few years.

Brits declare war on Stuxnet. Americans say: Use it on North Korea / November 25, 2010

The Stuxnet virus which has crippled Iran’s nuclear program has suddenly become the object of a British MI6 Secret Service campaign to convince the British and American public that it is the enemy of the West and sold on the black market to terrorists, DEBKAfile’s intelligence sources report. Thursday morning, Nov. 25, Sky TV news led with a story claiming Stuxnet could attack any physical target dependent on computers. An unnamed Information Technology expert was quoted as saying enigmatically: “We have hard evidence that the virus is in the hands of bad guys – we can’t say any more than that but these people are highly motivated and highly skilled with a lot of money behind them.”

No one in the broadcast identified the “bad guys,” disclosed where they operated or when they sold the virus to terrorists. Neither were their targets specified, even by a row of computer and cyber-terrorism experts who appeared later on British television, all emphasizing how dangerous the virus was.

Our intelligence sources note that none of the British reporters and experts found it necessary to mention that wherever Stuxnet was discovered outside Iran, such as India, China and Indonesia, it was dormant. Computer experts in those countries recommended leaving it in place as it was harmless for computer programs and did not interfere with their operations. The fact is that the only place Stuxnet is alive and harmful is Iran – a fact ignored in the British reports.

Indeed, for the first time in the six months since Stuxnet partially disabled Iran’s nuclear reactor at Bushehr, Iran has found its first Western sympathizer, one who is willing to help defeat the malignant virus.

DEBKAfile’s sources note that the British campaign against Stuxnet was launched two days after Yukiya Amano, Director of the International Atomic Energy Agency, the IAEA, reported that Iran had briefly shut down its uranium enrichment plant in Natanz, apparently because of a Stuxnet assault on thousands of centrifuges. According to our Iranian sources, the plant had to be closed for six days, from November 16-22.

Our sources also reported that the virus raided Iranian military computer systems, forcing the cancellation of parts of its large-scale air defense drill in the second week of November. Some of the systems used in the exercise started emitting wildly inaccurate data.

The Hate Stuxnet campaign London launched Thursday carried three messages to Tehran:
1. We were not complicit in the malworm’s invasion of your systems.
2. We share your view that Stuxnet is very dangerous and must be fought and are prepared to cooperate in a joint program to destroy it.
3. Britain will not line up behind the United States’ position in the nuclear talks to be resumed on Dec. 5 between Iran and the Six Powers (the five Permanent UN Security Council members + Germany). It will take a different position.
In the United States, meanwhile, DEBKAfile’s Washington sources report that Stuxnet’s reappearance against Iran’s nuclear program is hailed. A number of American IT experts and journals specializing in cyber war have maintained of late that if the malworm is so successful against Iran, why not use it to disable North Korea’s nuclear program, especially the 2,000 centrifuges revealed on Nov. 20 to be operating at a new enrichment facility?

The popular American publication WIRED carried a headline on Monday, November 22, asking, “Could Stuxnet Mess With North Korea’s New Uranium Plant?” The article noted that some of the equipment North Korea was using for uranium enrichment was identical to Iranian apparatus and therefore perfect targets for the use of Stuxnet by American cyber experts.

Could Stuxnet Mess With North Korea’s New Uranium Plant?
Kim Zetter and Spencer Ackerman / November 22, 2010

The Stuxnet worm may have a new target. While security analysts try to figure out whether the now-infamous malware was built to sabotage Iran’s nuclear program, North Korea has unveiled a new uranium enrichment plant that appears to share components with Iran’s facilities. Could Pyongyang’s centrifuges be vulnerable to Stuxnet?

While U.S. officials are trying to figure out how to respond to North Korea’s unveiling of a new uranium enrichment plant, there are clues that a piece of malware believed to have hit Iran’s nuclear efforts could also target the centrifuges Pyongyang’s preparing to spin.

Some of the equipment used by the North Koreans to control their centrifuges — necessary for turning uranium into nuclear-bomb-ready fuel — appear to have come from the same firms that outfitted the Iranian nuclear program, according to David Albright, the president of the Institute for Science and International Security and a long-time watcher of both nuclear programs. “The computer-control equipment North Korea got was the same Iran got,” Albright told Danger Room.

Nearly two months before the Yongbyon revelation, Albright published a study covering the little that’s publicly known about the North’s longstanding and seemingly stalled efforts at enriching its own uranium. (.pdf) Citing unnamed European intelligence officials, Albright wrote that the North Korean control system “is dual use, also used by the petrochemical industry, but was the same as those acquired by Iran to run its centrifuges.”

Albright doesn’t know for sure that the North Koreans’ control system is exactly like the one the Iranians use. Siegfried Hecker, the U.S. nuclear scientist invited by Pyongyang to view the Yongbyon facility,wasn’t allowed to check out the control room thoroughly, and his report about what he saw merely says that the control room is “ultra-modern,” decked out with flat-screen computer panels.

Nor is Albright to specify which company manufactured the control system — something that determines whether Stuxnet would have any potency. “But that’s really what the Stuxnet virus is taking over,” Albright says, “the control equipment, giving directions to the frequency converters.”

That suggests the vulnerabilities to Stuxnet suspected within Iran’s centrifuge-command systems might be contained within North Korea’s new uranium facility. Even if they’re not identical computer systems, Stuxnet demonstrated that the type of command systems employed in centrifuge-based enrichment is vulnerable to malware attack.

That’s not to say that Stuxnet is making its way inside the North Korean facility: Someone would have to infiltrate the Hermit Kingdom’s most sensitive sites and introduce the worm into the command systems, a hard bargain to say the least. In other words, don’t go thinking the United States or an ally could magically infect North Korea with Stuxnet. But if more information emerges about the North’s command systems, that might provide fodder for a copycat worm — provided someone could introduce it into Yongbyon.

Stuxnet was discovered last June by a Belorussian security firm, which found it on the computers of one of its unnamed clients in Iran. The sophisticated code is the first known malware designed to effectively target industrial control systems, also known as Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems control various parts — such as automated assembly lines, pressure valves — at a wide variety of facilities, such as manufacturing plants, utilities and nuclear-enrichment plants.

Stuxnet targeted only a specific system made by Siemens — Simatic WinCC SCADA system — and only a specific configuration of the system. According to the latest findings uncovered by security firm Symantec, Stuxnet first looks for Simatic systems that are controlling two particular types of frequency converter drives made by Fararo Paya in Teheran, Iran, or by Vacon, which is based in Finland.

Frequency converter drives are power supplies that control things such as the speed of a motor. Stuxnet only initiates its malicious activity, however, if there are at least 33 of these converter drives in place at the facility and if they are operating at a high speed between 807 Hz and 1210 Hz.

Such high speeds are used only for select applications, such as might be found at nuclear facilities. Speculation on Stuxnet’s likely target has focused on Iran’s nuclear facilities at Bushehr or Natanz. Symantec has been careful not to say definitively that Stuxnet was targeting a nuclear facility, but has noted that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”

But according to a Department of Homeland Security official who spoke on background, frequency converter drives operate at this and similar high speeds in many facilities, not just nuclear plants.

“[They] are used anywhere you try to control a very precise process,” he says. They’re used extensively in the petro-chemical industry and in balancing machines that are used to build fan blades for jet engines. They’re also used for mining and metal manufacturing and in environments that require precise heating, cooling and ventilation. And they’re used in food processing for big mixers, conveyors and high-speed bottling lines.

As for the export limitation on high-speed drives that run above 600 Hz, the DHS official said this isn’t the only restriction on frequency converters. He notes that the Finnish manufacturer whose drives are targeted by Stuxnet requires buyers to have a special license to operate at frequencies exceeding 320 Hz — not out of concern that they would be used in a nuclear enrichment facility, but out of concern that they’re used properly.

“Because a lot of times you use them in very complex processes to develop exotic materials,” he says. “If you’re blending chemicals to create rocket fuel, you want to have this type of equipment be controlled so you need to have a license to purchase them, like you need a license to purchase bulk volumes of nitroglycerin.”

Albright was quick to add that the fact that “we don’t know much at all” about North Korea’s uranium enrichment means that “we can’t make judgments” about how vulnerable Pyongyang is to Stuxnet. It’s also possible that different command systems exist in facilities the United States doesn’t know about. “This could be a Potemkin centrifuge plant,” he says. “It’s so weird to put it at Yongbyon,” the center of North Korea’s plutonium production. “They obviously want to show it off,” Albright continues, perhaps “to distract us from their real centrifuge program.”

Stuxnet: Fact vs. Theory
by Elinor Mills / October 5, 2010

The Stuxnet worm has taken the computer security world by storm, inspiring talk of a top secret, government-sponsored cyberwar, and of a software program laden with obscure biblical references that call to mind not computer code, but “The Da Vinci Code.” Stuxnet, which first made headlines in July, (CNET FAQ here) is believed to be the first known malware that targets the controls at industrial facilities such as power plants. At the time of its discovery, the assumption was that espionage lay behind the effort, but subsequent analysis by Symantec uncovered the ability of the malware to control plant operations outright, as CNET first reported back in mid-August.

What’s the real story on Stuxnet?
A German security researcher specializing in industrial-control systems suggested in mid-September that Stuxnet may have been created to sabotage a nuclear power plant in Iran. The hype and speculation have only grown from there. Here’s a breakdown of fact versus theory regarding this intriguing worm.

Theory: The malware was distributed by Israel or the United States in an attempt to interfere with Iran’s nuclear program.
Fact: There’s no hard evidence as to who is behind the malware or even what country or operation was the intended target, though it’s clear most of the infections have been in Iran (about 60 percent, followed by Indonesia at about 18 percent and India at close to 10 percent, according to Symantec). Rather than establishing the target for Stuxnet, that statistic could merely indicate that Iran was less diligent about using security software to protect its systems, said Eric Chien, technical director of Symantec Security Response.

German researcher Ralph Langner speculates that the Bushehr nuclear plant in Iran could be a target because it is believed to run the Siemens software Stuxnet was written to target. Others suspect the target was actually the uranium centrifuges in Natanz, a theory that seems more plausible to Gary McGraw, chief technology officer of Cigital. “Everyone seems to agree that Iran is the target, and data regarding the geography of the infection lends credence to that notion,” he writes.

In July 2009, Wikileaks posted a notice (formerly here, but unavailable at publication time) that said:

Two weeks ago, a source associated with Iran’s nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iran’s nuclear enrichment program. WikiLeaks had reason to believe the source was credible, however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.

On his blog, Frank Rieger, chief technology officer at security firm GSMK in Berlin, confirmed the resignation through official sources. He also noted that the number of operating centrifuges in Natanz shrank significantly around the time the accident mentioned by Wikileaks purportedly happened, based on data from Iran’s Atom Energy Agency.

An Iranian intelligence official said this weekend that authorities had detained several “spies” connected to cyberattacks against its nuclear program. Iranian officials have said that 30,000 computers were affected in the country as part of “electronic warfare against Iran,” according to The New York Times. Iran’s Mehr news agency quoted a top official in the Ministry of Communications and Information Technology as saying that the effect of “this spy worm in government systems is not serious” and had been “more or less” halted, the Times report said. The project manager at the Bushehr nuclear plant said workers there were trying to remove the malware from several affected computers, though it “has not caused any damage to major systems of the plant,” according to an Associated Press report. Officials at Iran’s Atomic Energy Organization said the Bushehr plant opening was delayed because of a “small leak” that had nothing to do with Stuxnet. Meanwhile, Iran’s Intelligence Minister, commenting on the situation over the weekend, said a number of “nuclear spies” had been arrested, though he declined to provide further details, according to the Tehran Times.

Specialists have hypothesized that it would take the resources of a nation state to create the software. It uses two forged digital signatures to sneak software onto computers and exploits five different Windows vulnerabilities, four of which are zero-day (two have been patched by Microsoft). Stuxnet also hides code in a rootkit on the infected system and exploits knowledge of a database server password hardcoded into the Siemens software. And it propagates in a number of ways, including through the four Windows holes, peer-to-peer communications, network shares, and USB drives. Stuxnet involves inside knowledge of Siemens WinCC/Step 7 software as it fingerprints a specific industrial control system, uploads an encrypted program, and modifies the code on the Siemens programmable logic controllers (PLCs) that control the automation of industrial processes like pressure valves, water pumps, turbines, and nuclear centrifuges, according to various researchers.

Symantec has reverse engineered the Stuxnet code and uncovered some references that could bolster the argument that Israel was behind the malware, all presented in this report (PDF). But it’s just as likely that the references are red herrings designed to divert attention away from the actual source. Stuxnet, for instance, will not infect a computer if “19790509” is in a registry key. Symantec noted that that could stand for the May 9, 1979 date of a famous execution of a prominent Iranian Jew in Tehran. But it’s also the day a Northwestern University graduate student was injured by a bomb made by the Unabomber. The numbers could also represent a birthday, some other event, or be completely random. There are also references to two file directory names in the code that Symantec said could be Jewish biblical references: “guavas” and “myrtus.” “Myrtus” is the Latin word for “Myrtle,” which was another name for Esther, the Jewish queen who saved her people from death in Persia. But “myrtus” could also stand for “my remote terminal units,” referring to a chip-controlled device that interfaces real-world objects to a distributed control system such as those used in critical infrastructure. “Symantec cautions readers on drawing any attribution conclusions,” the Symantec report says. “Attackers would have the natural desire to implicate another party.”

Theory: Stuxnet is designed to sabotage a plant, or blow something up.
Fact:Through its analysis of the code, Symantec has figured out the intricacies of files and instructions that Stuxnet injects into the programmable logic controller commands, but Symantec doesn’t have the context involving what the software is intended to do, because the outcome depends on the operation and equipment infected. “We know that it says to set this address to this value, but we don’t know what that translates to in the real world,” Chien said. To map what the code does in different environments, Symantec is looking to work with experts who have experience in multiple critical infrastructure industries.

Symantec’s report found the use of “0xDEADF007” to indicate when a process has reached its final state. The report suggests that it may refer to Dead Fool or Dead Foot, which refers to engine failure in an airplane. Even with those hints, it’s unclear whether the suggested intention would be to blow a system up or merely halt its operation.

In a demonstration at the Virus Bulletin Conference in Vancouver late last week, Symantec researcher Liam O’Murchu showed the potential real world effects of Stuxnet. He used an S7-300 PLC device connected to an air pump to program the pump to run for three seconds. He then showed how a Stuxnet-infected PLC could change the operation so the pump ran for 140 seconds instead, which burst an attached balloon in a dramatic climax, according to Threat Post.

Theory: The malware has already done its damage.
Fact: That actually could be the case and whomever was targeted has simply not disclosed it publicly, experts said. But, again, there’s no evidence of this. The software has definitely been around long enough for lots of things to have happened. Microsoft learned of the Stuxnet vulnerability in early July, but its research indicates that the worm was under development at least a year prior to that, said Jerry Bryant, group manager for Microsoft Response Communications. “However, according to an article that appeared last week in Hacking IT Security Magazine, the Windows Print Spooler vulnerability (MS10-061) was first made public in early 2009,” he said. “This vulnerability was independently rediscovered during the investigation of the Stuxnet malware by Kaspersky Labs and reported to Microsoft in late July of 2010.” “They’ve been doing this for almost a year,” Chien said. “It’s possible they hit their target again and again.”

Theory: The code will stop spreading on June 24, 2012.
Fact: There is a “kill date” encoded into the malware, and it is designed to stop spreading on June 24, 2012. However, infected computers will still be able to communicate via peer-to-peer connections, and machines that are configured with the wrong date and time will continue to spread the malware after that date, according to Chien.

Theory: Stuxnet caused or contributed to the Gulf of Mexico oil spill at Deepwater Horizon.
Fact: Unlikely, though Deepwater Horizon did have some Siemens PLC systems on it, according to F-Secure.

Theory: Stuxnet infects only critical infrastructure systems.
Fact: Stuxnet has infected hundreds of thousands of computers, mostly home or office PCs not connected to industrial control systems, and only about 14 such systems, a Siemens representative told IDG News Service.

And more theories and predictions abound. F-Secure’s blog discusses some theoretical possibilities for Stuxnet. “It could adjust motors, conveyor belts, pumps. It could stop a factory. With [the] right modifications, it could cause things to explode,” in theory, the blog post says. Siemens, the F-Secure post continues, announced last year that the code that Stuxnet infects “can now also control alarm systems, access controls, and doors. In theory, this could be used to gain access to top secret locations. Think Tom Cruise and ‘Mission Impossible.'”

Symantec’s Murchu outlines a possible attack scenario on CNET sister site ZDNet. And Rodney Joffe, senior technologist at Neustar, calls Stuxnet a “precision guided cybermunition” and predicts that criminals will try to use Stuxnet to infect ATMs run by PLCs to steal money from the machines. “If you ever needed real world evidence that malware could spread that ultimately could have life or death ramifications in ways people just don’t accept, this is your example,” said Joffe.

Leave a Reply