Thursday, December 16, 2010

Stuxnet

Executive Summary:
1. Stuxnet is the most advanced instance of computer malware that is publicly known.
2. Stuxnet was designed to attack the Iranian nuclear program.
3. Stuxnet was developed by a nation state as opposed to an individual hacker, and the most likely nation state is Israel.
4. Stuxnet has likely had success in damaging the Iranian nuclear program, but the full extent of the damage is not yet known.

Introduction:
I have wanted to write about stuxnet for some time. It is hard to find any single article that fully describes the situation, since people who write on geopolitics usually are not experts on computer viruses, and experts on computer viruses are not usually experts on nuclear weapons programs. I am a computer professional conversant with geopolitics, but I don't know much about nuclear weapons programs. In this article, I will try to distinguish between what I know, what can be surmised, and what can only be guessed.

Timeline of Events:
1. On May 9, 1979, Habib Elghanian, a Jewish Iranian businessman, was executed by the new Islamic leadership in Iran for spying for Israel. The execution shocked the Iranian Jewish community and led to large scale Jewish emigration from Iran. The date may be significant, since stuxnet uses the code 19790509 on a Windows registry key to indicate its presence on a computer.
2. Stuxnet development probably began in 2007.
3. One instance of stuxnet executable code has a date of January 2009. Microsoft estimates that this may have been when it was first deployed, though other experts from Symantec estimate that the first deployment was in June 2009.
4. In May 2009, Iran has 4756 operating centrifuges enriching uranium at their Natanz nuclear facility. In August, the number of operating centrifuges drops to 4592, then drops further to 3936 in November. These drops take place despite Iran installing an increased number of centrifuges during this time period. Clearly, there was some systemic problem with the centrifuges.
5. In July 2009, wikileaks announces that there has been a serious nuclear incident at Natanz.
6. On June 16, 2010, stuxnet is detected by VirusBlokAda, a virus detection company. On the same day, two web sites in Malaysia and Denmark, www.mypremierfootball.com and www.todaysfutbol.com, shut down. The web sites were acting as mother ships to monitor the progress of stuxnet and to provide periodic updates to it.
7. On July 16 and July 22, 2010, Verisign Corporation revokes two public encryption keys that were stolen and used by stuxnet.
8. On August 22, 2010, well behind schedule, the Bushehr nuclear reactor is commissioned, though it does not go online.
9. On September 26, 2010, Iran's State News Agency announces that its Bushehr nuclear reactor had been infected by stuxnet, though they deny any damage was done. The Bushehr reactor is not yet online as of the date of this writing (December 20, 2010).
10. On November 16, 2010, Iran shut down all its centrifuges at the Natanz nuclear facility, according to the International Atomic Energy Agency. They were restarted several days later.
11. On November 30, 2010, Iranian President Mahmoud Ahmadenejad says that stuxnet had been detected and controlled in Iran.
12. On December 9, 2010, Eric Byres of Tofino Industrial Security says that his site is getting a tremendous number of inquiries from Iran, and indicates his belief that stuxnet is still not under control in Iran.
13. On December 14, 2010, Microsoft releases a fix for the last of the four zero-day security vulnerabilities exploited by stuxnet.
14. Stuxnet is designed to shut itself down automatically on June 24, 2012.

Part 1 - Overview of the Stuxnet Software:
A full understanding of the stuxnet software itself was not possible until November 2010, because stuxnet, as detected, consisted of a large (600 kb) portion of binary executable code. It is painstaking to reverse engineer executable code into source code - a process roughly akin to putting toothpaste back into a tube. For purposes of this discussion, I have chosen to distinguish between the carrier portion of stuxnet and the payload, or weapon, of stuxnet. Both are unprecedented in their scope and complexity.

The carrier portion of stuxnet exploits security vulnerabilities in the Microsoft Windows operating system to spread on Windows computers. In a typical scenario, stuxnet would reside on an infected USB device like a flash drive. When the flash drive is plugged into a computer with the Windows operating system, Stuxnet uses a previously unknown vulnerability to load itself onto the computer without the user's knowledge. It then uses two additional previously unknown vulnerabilities to give itself administrative privileges, allowing it to do anything on the computer that it wants. It installs a Windows "rootkit" to hide itself from the user - if you looked for a stuxnet file you wouldn't see it. It then uses a fourth previously unknown vulnerability to copy itself to all other computers connected to the same network printer, if the computer is part of a network.

Before we go further, we should point out that the use of four previously unknown vulnerabilities is unprecedented. Unknown vulnerabilities, also called "zero day" vulnerabilities, are like nuggets of gold to a hacker, since each one can be used for a different virus. No previous computer virus uses four.

Back to stuxnet - if the computer is connected to the internet, stuxnet signals two mother ship web sites in Malaysia and Denmark and reports the computer name, the Windows version, the network group name (if the computer is part of a network), the IP addresses of all computers on the network, and whether industrial control systems software is installed or not. The mother ships can send updates to stuxnet, thereby allowing updated versions to replace older versions. Stuxnet also uses a peer to peer update capability. If two versions of stuxnet meet, they compare and copy such that the most recent version is stored in both places. Four different versions of stuxnet have been found.
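Because the mother ship traffic went to two fixed hostnames, an outbound connection to either of them from inside a network is itself a usable indicator. The following is an added example, not code from the original post or from any of the researchers it cites: it scans web-proxy log lines for requests to the two hosts named above and groups the hits by internal client. The log format and every log line are constructed for this example.

```python
# Added example (not from the original post): find internal hosts that contacted
# the two Stuxnet "mother ship" web sites named in the post, using proxy logs.
# The log format ("timestamp client_ip method url status") and the sample lines
# are constructed for this example.
import re
from collections import defaultdict

# The two command-and-control hostnames named in the post.
MOTHER_SHIP_HOSTS = {"www.mypremierfootball.com", "www.todaysfutbol.com"}

# Constructed sample proxy log; two clients reach the mother ships, one does not.
SAMPLE_PROXY_LOG = """\
2010-06-15T08:01:12Z 10.20.1.15 GET http://www.example.com/index.html 200
2010-06-15T08:02:40Z 10.20.1.15 GET http://www.mypremierfootball.com/ 200
2010-06-15T08:03:05Z 10.20.1.22 GET http://intranet.local/portal 200
2010-06-15T08:04:51Z 10.20.1.15 GET http://www.todaysfutbol.com/ 200
2010-06-15T09:10:00Z 10.20.1.31 GET http://WWW.TODAYSFUTBOL.COM/ 200
2010-06-15T09:11:30Z 10.20.1.22 GET http://www.microsoft.com/ 200
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)


def host_of(url):
    """Extract the lower-cased hostname from a URL; empty string if it has none."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def find_beacons(log_text, watch_hosts=MOTHER_SHIP_HOSTS):
    """Return {client_ip: [(timestamp, host), ...]} for every request to a watched host.

    Malformed lines are skipped so one bad record cannot abort the whole scan.
    """
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        host = host_of(m["url"])
        if host in watch_hosts:
            hits[m["src"]].append((m["ts"], host))
    return dict(hits)


def summarize(hits):
    """Sorted (client_ip, number_of_beacons) pairs for reporting."""
    return sorted((ip, len(events)) for ip, events in hits.items())


if __name__ == "__main__":
    for ip, count in summarize(find_beacons(SAMPLE_PROXY_LOG)):
        print(f"{ip}: {count} connection(s) to Stuxnet mother ship hosts")
```

Hostnames are compared case-insensitively, since a URL written in capitals still resolves to the same host. After June 2010 the two sites were shut down, so the same scan run over historical logs would show which machines had been reporting in before that date.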

Stuxnet also installs two drivers in the Windows operating system. One of the drivers masks the malware while the second drops encrypted blobs of code into memory. Because drivers can be dangerous, the Windows operating system requires that drivers be digitally signed with encryption keys that Windows can recognize. Stuxnet makes use of two stolen encryption keys to do this. One was stolen from JMicron and the other from RealTek, both of which are in the same office park in Taiwan. Encryption keys cannot be stolen by hacking; this requires the breaking and entering type of theft from a high security facility.

Notable is the fact that unlike almost all viruses, stuxnet was designed to carefully limit the way it is spread. Each flash drive has a counter such that it only allows three infections per stick. Stuxnet only attempts to spread across an internal network for 21 days, and most importantly, it does not spread itself across the internet at all. The result is that stuxnet spread outside its target environment very slowly, and was able to exist for more than a year without being detected. Stuxnet is designed to shut down on June 24, 2012. The authors apparently believed that by that date it would be detected and its target disinfected.

Stuxnet was designed to deploy its payload very precisely. If stuxnet did not find itself on a Windows computer connected to a Siemens S7-315-2DP or Siemens S7-417-2DP computer running industrial control software, stuxnet does nothing (except spread as described above). Therefore, almost everyone in the world infected by stuxnet never knew and never experienced any harm. Siemens is a major German engineering company that makes computers for, among other things, controlling industrial equipment. However, stuxnet further narrowed its target to Siemens computers that came from one of two vendors, a vendor in Vacon, Finland, or Fararo Paya, Iran. Finally, the Siemens computer must be running a frequency controller operating at a speed between 807-1210 Hz (something spinning at 60,000 revolutions per minute, which is unusually fast). Only if all of these conditions are met does stuxnet attack.

Stuxnet is the first known instance of computer malware to attack industrial control systems. Stuxnet subverts a software library allowing communication between a Windows PC and a Siemens computer connected to it. The stuxnet payload, or attack module, runs on the Siemens computer. It consists of 15,000 lines of code written in STL (Statement List) code, which is similar to an assembly programming language. The attack module has two "warheads", using two different logic paths, one designed to attack the S7-315 and the second to attack the S7-417.

For the S7-315, the attack is done in the following manner. For a frequency controller operating between 807 and 1210 Hz, stuxnet counts events passively for a time period that is a minimum of 12 days. Then, in a process that takes between 15 and 50 minutes, it changes the speed to 1410 Hz, then to 2 Hz, then to 1064 Hz, then repeats the process between 23 and 32 times (exact details vary depending on which vendor sold the S7-315). This could have the effect of damaging or destroying whatever equipment is rotating - though not right away. After the 15 minute takeover sequence, stuxnet goes back to a passive counting mode for at least 26 days. The built-in delay could throw the troubleshooters of the system off track - hardware that fails after a long time would usually imply a subtle manufacturing defect.

The S7-417 attack takes about seven minutes. It changes the rotation frequency in a manner similar to the S7-315 attack, but it is more complex. The S7-417 attack code assumes that the frequency of rotation will be closely and constantly monitored by a human operator, so before beginning the attack it records data from the computer, then plays it back to the operator during the attack.

Stuxnet was also designed to hide itself on the Siemens computer, and if it is cleansed off the Windows computer, the Siemens computer can reinfect the Windows computer to which it is connected.

Symantec Corporation has monitored computers that try to connect to the stuxnet mother ship web sites, and at the time of this writing, about 100,000 internet-connected computers have been infected, 58% of them in Iran. Siemens reports that 14 factories unrelated to the Iranian nuclear program have been infected, though none have reported any damage. This would seem to indicate that the stuxnet authors were effective in minimizing any collateral damage from the attack. Note that the Iranian nuclear facilities are probably air-gapped, that is, not connected to the internet. Stuxnet would probably only reach those facilities via a USB drive.

For further information on the stuxnet software itself, I recommend reading the w32.stuxnet dossier written by the Symantec engineers who reverse engineered the software, or the blog by Cybersecurity expert Ralph Langner at www.langner.com.

Implications of the Stuxnet Software:
1. Stuxnet was designed to attack two high value industrial targets and to leave all other infected computers unharmed.
2. The stuxnet creators had detailed technical information on their target. For the Iranian nuclear weapons program, this would require spies or some sort of industrial espionage.
3. The stuxnet creators had the aid of agents who could commit brick and mortar type theft, to steal the two encryption keys.
4. The size of the stuxnet effort, 15,000 lines of code just for the payload, would require around 6-10 programmers working for at least a year. A support team of quality assurance, testing, management, etc. would also likely be required. I would estimate it took about 3 million dollars to develop stuxnet, not including the espionage aspects of the program. Microsoft estimated the task at 10,000 man-days, which is a bit higher. If the program was developed by the Israeli Army, as I will surmise later, it may have been less, as soldier salaries do not match those of software professionals. In any event, I believe everyone would agree with Ralph Langner that the total cost of the software did not exceed $10 million.
5. To assist in testing the software, a lab would need to be set up with Siemens and Windows computers and some kind of test hardware.
6. The creators of the program intended to closely monitor its spread, and to supply updates to the program as they saw fit.
7. The creators of the program knew stuxnet would eventually be detected, and took steps (instantly closing the mother ship web sites) to erase their trail.
8. The stuxnet creators had assistance from some party in deploying the virus initially in Iran. The reader can imagine multiple ways this could have been done using USB drives.

Part 2 - The Iranian Nuclear Program:
Stuxnet was apparently designed to target two aspects of the Iranian nuclear weapons program: (1) The uranium enrichment processing at the Natanz nuclear facility, and (2) The Bushehr nuclear power plant. The Natanz nuclear facility is a hardened underground site of 100,000 square meters. It contains multiple buildings and 9000 centrifuges, at last report. Much of the site is deep underground so as to make it difficult to attack by conventional methods. The Bushehr nuclear power plant can be used to produce electricity for the Iranian electrical grid. However, nuclear power plants also produce plutonium as a by-product, and plutonium can be used to make a nuclear weapon.

To describe the nature of the stuxnet attack, we first need to describe certain aspects of a nuclear weapons program.

Uranium ore when it is mined consists primarily of two isotopes, uranium-238 and uranium-235. The concentrations are very uneven, at 99% uranium-238 and 0.7% uranium-235. To be useful for producing electricity, uranium-235 must be 3-5% of the total. To make a weapon, the uranium-235 must make up 80% of the total. To reach these totals, the uranium must be enriched. This is one of the most difficult steps in a nuclear weapons program. A common means of enriching uranium and the means used by Iran is the centrifuge method.

In the centrifuge method, uranium is first dissolved in hydrofluoric acid to produce uranium hexafluoride gas. The gas is injected into a centrifuge that spins at extremely high rates. The slight difference in mass between the isotopes causes the heavier uranium-238 to tend to collect at the sides of the centrifuge and uranium-235 to collect in the middle. The gas in the center is extracted and will be slightly enriched, with an increased percentage of uranium-235. The process is repeated until the desired levels are reached, using a cascade set of connected centrifuges. The fully enriched gas will be added to calcium, which reacts with the fluoride to produce a salt and uranium back in mineral form. The reader may correctly perceive that this is a complex process. Gas diffuses, so if a centrifuge stops spinning, it will all quickly remix and become "unenriched." The process is painstakingly slow. 1500 centrifuges running for months can produce 20 kg of uranium-235, which is enough for one nuclear weapon. The centrifuges are about seven feet in height and a little over a foot in diameter. They must be light, strong and well-balanced, with high speed bearings, usually magnetic, to reduce friction. They must cycle at around 1000 Hz, or 1000 times per second. Iran has reported creating initial batches of 20% uranium-235 with their centrifuges at Natanz.

Enter stuxnet. Stuxnet could have been designed to command the centrifuges to cycle at any speed whatsoever, say 100,000 Hz, which would have immediately broken the centrifuge, but instead the attack is more subtle. It increases the speed to 1410 Hz, above the rate at which the centrifuge was designed to operate, but not so fast as to immediately destroy it. I surmise that this might cause the centrifuge to fail more quickly than its expected design life. Stuxnet then slows the centrifuge to 2 Hz, a snail's pace. The uranium hexafluoride gas, being a gas, would have little friction with the slow moving centrifuge and would quickly diffuse so that the uranium became unenriched - a month's worth of work on the centrifuge wasted. The end result at Natanz would be that the uranium enrichment process was not working and the centrifuges were breaking down. If I worked at the facility, I would have soon suspected sabotage, but I would have suspected first that someone was corrupting the centrifuge hardware. I don't know what the Iranians thought. The Iranians never did discover the problem - stuxnet, when it was detected, was detected by a computer virus detection company in Belarus.
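The S7-315 attack sequence described in Part 1 and again here (807-1210 Hz normal band; excursions to 1410 Hz, then 2 Hz, then back to 1064 Hz) is visible to anyone logging the frequency-converter setpoints independently of the PLC and the operator screens, which are exactly the layers stuxnet controlled. The following is an added example, not code from the original post or from Symantec or Langner: it checks a setpoint trace against the operating band stated in the post and flags the overspeed-then-stall signature. The trace itself is constructed for this example; the band and the attack values are the ones given in the text.

```python
# Added example (not from the original post): independent plausibility check on
# frequency-converter setpoints, using the operating band and attack values the
# post describes. The trace below is constructed for this example.

NORMAL_BAND_HZ = (807.0, 1210.0)  # normal operating range named in the post

# Constructed trace of (elapsed_seconds, setpoint_hz) as an out-of-band logger
# wired directly to the converter might record it.
SAMPLE_TRACE = [
    (0, 1064.0), (60, 1064.0), (120, 1064.5), (180, 1064.0),
    (240, 1410.0), (300, 1410.0),   # pushed above the design band
    (360, 2.0), (420, 2.0),         # dropped to a near standstill
    (480, 1064.0), (540, 1064.0),   # returned to the usual value
]


def out_of_band(trace, band=NORMAL_BAND_HZ):
    """Return every (t, hz) sample whose setpoint lies outside the normal band."""
    lo, hi = band
    return [(t, hz) for t, hz in trace if not lo <= hz <= hi]


def find_overspeed_then_stall(trace, band=NORMAL_BAND_HZ, max_gap_s=3600):
    """Flag the signature the post describes: a setpoint above the band followed,
    within max_gap_s seconds, by one below it. Returns (t_high, t_low) pairs
    using the last over-speed sample before each stall."""
    lo, hi = band
    events = []
    last_high_t = None
    for t, hz in trace:
        if hz > hi:
            last_high_t = t
        elif hz < lo and last_high_t is not None and t - last_high_t <= max_gap_s:
            events.append((last_high_t, t))
            last_high_t = None  # one alarm per over/under pair
    return events


def alerts(trace, band=NORMAL_BAND_HZ):
    """Human-readable alarm lines for both checks."""
    lo, hi = band
    lines = [f"{t:>6}s  setpoint {hz:8.1f} Hz outside {lo:.0f}-{hi:.0f} Hz"
             for t, hz in out_of_band(trace, band)]
    for t_hi, t_lo in find_overspeed_then_stall(trace, band):
        lines.append(f"overspeed at {t_hi}s followed by stall at {t_lo}s: "
                     f"matches the over/under sequence")
    return lines


if __name__ == "__main__":
    for line in alerts(SAMPLE_TRACE):
        print(line)
```

The check is deliberately simple: it trusts no value computed on the PLC, because a compromised controller can report whatever it likes, and it alarms on the shape of the manipulation (high, then very low) rather than on any one value, so it would still fire on the vendor-specific variants the post mentions as long as the excursions leave the band.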

The Bushehr nuclear power plant, like all power plants, uses a large turbine to generate electricity. The main turbine in the Bushehr plant is 150 feet in length. It is controlled by a Siemens S7-417-2DP controller (although this ought to be secret, it has been verified by internet search of Russian Cyrillic documents). The turbine is a model K-1000-60/3000-3. Stuxnet will take over the turbine controller for 7 minutes. In order to fool the operators, before taking over, stuxnet records data from the controller and plays that data back to the user while the turbine is being manipulated. Noteworthy is that if stuxnet did attack Bushehr, by attacking the turbine, it attacked a part of the plant that is not intrinsically nuclear.
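The record-and-replay trick described for the S7-417 attack, both in Part 1 and here, leaves a statistical fingerprint: live process readings carry sensor noise and almost never repeat exactly, so a window of displayed values that is identical to an earlier window is suspicious. The following is an added example, not code from the original post or from the researchers it cites, and the heuristic is an illustration of the idea rather than a documented detection for this malware: it looks for an exact repeat of an earlier, non-overlapping window in a stream of operator-display readings. The readings are constructed for this example.

```python
# Added example (not from the original post): heuristic detector for replayed
# telemetry, the trick the post describes for the S7-417 attack. An exact repeat
# of an earlier window of noisy readings, or a display frozen on one value, is
# treated as suspicious. The readings below are constructed for this example.
from collections import deque

WINDOW = 6  # consecutive readings compared; tuned per sensor in practice

# Constructed operator-display readings (e.g. turbine speed in rpm, one per second).
# The first ten are "live"; the last six replay readings 2..7 exactly.
LIVE = [2999.1, 3000.3, 2999.8, 3000.6, 2999.4, 3000.1, 3000.9, 2999.7, 3000.2, 2999.6]
REPLAYED = LIVE[2:8]
SAMPLE_READINGS = LIVE + REPLAYED


def find_replayed_windows(readings, window=WINDOW):
    """Return (first_seen_index, repeat_index) for every window of `window`
    consecutive readings that exactly repeats an earlier, non-overlapping window."""
    seen = {}          # tuple of readings -> index where that window first started
    repeats = []
    buf = deque(maxlen=window)
    for i, value in enumerate(readings):
        buf.append(value)
        if len(buf) < window:
            continue
        start = i - window + 1
        key = tuple(buf)
        if key in seen and start - seen[key] >= window:
            repeats.append((seen[key], start))
        else:
            seen.setdefault(key, start)  # remember first occurrence only
    return repeats


def is_replay_suspected(readings, window=WINDOW):
    """True if any window of readings repeats an earlier non-overlapping window."""
    return bool(find_replayed_windows(readings, window))


if __name__ == "__main__":
    for first, again in find_replayed_windows(SAMPLE_READINGS):
        print(f"readings {again}..{again + WINDOW - 1} repeat readings "
              f"{first}..{first + WINDOW - 1} exactly: possible replay")
```

A display that is simply frozen on one value is caught by the same rule, since a constant stream repeats itself trivially. The window length is the tuning knob: too short and ordinary quantised sensors will repeat by chance, too long and a short replay goes unnoticed. In practice this check would run on a monitoring host separate from the controller whose output it is judging.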

Part 3 - Identifying the Creator of Stuxnet
Stuxnet was too large, complex and costly a project for an individual hacker or even a small team of amateurs - stuxnet was the product of a nation-state entity that wished to disrupt the Iranian nuclear weapons program. But which nation?

There is no reason to overthink this. Israel is the only country that has ever acted forcefully to prevent nuclear proliferation, and they have done it twice. On June 7, 1981, the Israeli Air Force bombed the Iraqi nuclear reactor at Osirak. On September 6, 2007, The Israeli Air Force bombed a Syrian nuclear reactor. Israeli officials have repeatedly indicated that the prospect of Iran possessing nuclear weapons was unacceptable. However, a conventional attack against Iran's nuclear weapons would be much more dangerous and difficult to accomplish than the attacks on Iraq and Syria. It is most likely that Israel did choose to take action against Iran, just in a way that was not as dangerous and not likely to start a war. The stuxnet registry key code 19790509 certainly points to Israel. Although a different nation could have planted that code, it seems more likely that the Israelis chose to leave a very subtle calling card.

There are other nations that may have been motivated to stop Iran - the U.S., a number of Arab states, and perhaps a few European states. However, most Arab states would have had difficulty pulling it off. The U.S. could have done it, but an effort such as stuxnet would have required approval at the Presidential level, and the U.S. would be filled with reservations about such a hostile action.

Israel, on the other hand, would have no reservations. If they held a cabinet vote on this in Israel, the cabinet would have voted unanimously for massive sabotage of the Iranian nuclear program. Furthermore, if I am wrong and this was not an Israeli operation, I'm sure the Israeli government is now asking "Why didn't WE do this?"

Within the Israeli army there is a large unit of several thousand soldiers called the Signal Intelligence Corps, or Unit 8200. The identity of the Brigadier General in command is secret. Unit 8200 specializes in electronics, computers, and the like. There are unconfirmed reports that Unit 8200 deactivated the Syrian Air Defense radar during the 2007 Israeli attack on the Syrian nuclear facility. I suspect that this unit within the Israeli Army developed stuxnet. Unit 8200 may have been assisted by Mossad, the Israeli spy agency, to obtain design schematics from the Iranian nuclear program, and to plant the virus in Iran.

Part 4 - The Effects of Stuxnet
How successful was stuxnet in harming the Iranian nuclear program? The drop in the number of operational centrifuges at Natanz in 2009, the 2009 wikileaks report of a serious nuclear incident there, and the complete shutdown of all centrifuges in November 2010 would seem to indicate that stuxnet hit that target. The Bushehr reactor remains off-line long after it was scheduled to be online. However, delays on major industrial projects are not unusual, and I can't venture an educated guess on what has happened to Bushehr.

In conclusion, stuxnet appears to be a first of its kind computer software weapon. It is possible that the damage done, particularly at Natanz, was more than could have been achieved with a typical bomb and missile attack. Ralph Langner, one of the cybersecurity experts who has reverse engineered the stuxnet code, believes stuxnet was "like the arrival of an F35 into a World War 1 battlefield", and may have set back the Iranian nuclear program by two years.

One more thing - the next version of Stuxnet is likely underway.
