How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History
By Kim Zetter, Wired
07.11.11
Satellite image of the Natanz nuclear enrichment plant in Iran taken in 2002 when it was still under construction. The image shows two cascade halls, in the upper right corner, as they were being built deep underground. The hall on the left, Hall A, is the only one currently operational and is the building where centrifuges believed to have been damaged by Stuxnet in 2009 were installed. (Photo: DigitalGlobe and Institute for Science and International Security)
It was January 2010, and investigators
with the International Atomic Energy Agency had just completed an
inspection at the uranium enrichment plant outside Natanz in central
Iran, when they realized that something was off within the cascade rooms
where thousands of centrifuges were enriching uranium.
Natanz technicians in white lab coats, gloves and blue booties were
scurrying in and out of the “clean” cascade rooms, hauling out unwieldy
centrifuges one by one, each sheathed in shiny silver cylindrical
casings.
Any time workers at the plant decommissioned damaged or otherwise
unusable centrifuges, they were required to line them up for IAEA
inspection to verify that no radioactive material was being smuggled out
in the devices before they were removed. The technicians had been doing
so now for more than a month.
“We were not immune to the fact that there was a bigger
geopolitical picture going on. We were definitely thinking … do I really
want my name to be put on this?” – Eric Chien
Normally Iran replaced up to 10 percent of its centrifuges a year,
due to material defects and other issues. With about 8,700 centrifuges
installed at Natanz at the time, it would have been normal to
decommission about 800 over the course of the year.
But when the IAEA later reviewed footage from surveillance cameras
installed outside the cascade rooms to monitor Iran’s enrichment
program, they were stunned as they counted the numbers. The workers had
been replacing the units at an incredible rate — later estimates would
indicate between 1,000 and 2,000 centrifuges were swapped out over a few
months.
The question was, why?
Iran wasn’t required to disclose the reason for replacing the
centrifuges and, officially, the inspectors had no right to ask. Their
mandate was to monitor what happened to nuclear material at the plant,
not keep track of equipment failures. But it was clear that something
had damaged the centrifuges.
What the inspectors didn’t know was that the answer they were seeking
was hidden all around them, buried in the disk space and memory of
Natanz’s computers. Months earlier, in June 2009, someone had silently
unleashed a sophisticated and destructive digital worm that had been
slithering its way through computers in Iran with just one aim — to
sabotage the country’s uranium enrichment program and prevent President
Mahmoud Ahmadinejad from building a nuclear weapon.
But it would be nearly a year before the inspectors would learn of
this. The answer would come only after dozens of computer security
researchers around the world would spend months deconstructing what
would come to be known as the most complex malware ever written — a
piece of software that would ultimately make history as the world’s
first real cyberweapon.
Iranian President Mahmoud Ahmadinejad observes computer monitors at the Natanz uranium enrichment plant in central Iran, where Stuxnet was believed to have infected PCs and damaged centrifuges. (Photo: Office of the Presidency of the Islamic Republic of Iran)
On June 17, 2010, Sergey Ulasen was in his
office in Belarus sifting through e-mail when a report caught his eye. A
computer belonging to a customer in Iran was caught in a reboot loop —
shutting down and restarting repeatedly despite efforts by operators to
take control of it. It appeared the machine was infected with a virus.
Ulasen heads an antivirus division of a small computer security firm
in Minsk called VirusBlokAda. Once a specialized offshoot of computer
science, computer security has grown into a multibillion-dollar industry
over the last decade keeping pace with an explosion in sophisticated
hack attacks and evolving viruses, Trojan horses and spyware programs.
The best security specialists, like Bruce Schneier, Dan Kaminsky and
Charlie Miller are considered rock stars among their peers, and top
companies like Symantec, McAfee and Kaspersky have become household
names, protecting everything from grandmothers’ laptops to sensitive
military networks.
VirusBlokAda, however, was neither a rock star nor a household name. It was
an obscure company that few even in the security industry had heard of.
But that would shortly change.
“If I turn up dead and I committed suicide on Monday, I just want to tell you guys, I’m not suicidal.” – Liam O Murchu
Ulasen’s research team got hold of the virus infecting their client’s
computer and realized it was using a “zero-day” exploit to spread.
Zero-days are the hacking world’s most potent weapons: They exploit
vulnerabilities in software that are yet unknown to the software maker
or antivirus vendors. They’re also exceedingly rare; it takes
considerable skill and persistence to find such vulnerabilities and
exploit them. Out of more than 12 million pieces of malware that
antivirus researchers discover each year, fewer than a dozen use a
zero-day exploit.
In this case, the exploit allowed the virus to cleverly spread from
one computer to another via infected USB sticks. The vulnerability was
in the LNK file of Windows Explorer, a fundamental component of
Microsoft Windows. When an infected USB stick was inserted into a
computer, as Explorer automatically scanned the contents of the stick,
the exploit code awakened and surreptitiously dropped a large, partially
encrypted file onto the computer, like a military transport plane
dropping camouflaged soldiers into target territory.
It was an ingenious exploit that seemed obvious in retrospect, since
it attacked such a ubiquitous function. It was also one, researchers
would soon learn to their surprise, that had been used before.
VirusBlokAda contacted Microsoft to report the vulnerability, and on
July 12, as the software giant was preparing a patch, VirusBlokAda went
public with the discovery in a post to a security forum. Three days
later, security blogger Brian Krebs picked up the story, and antivirus
companies around the world scrambled to grab samples of the malware —
dubbed Stuxnet by Microsoft from a combination of file names (.stub and
MrxNet.sys) found in the code.
As the computer security industry rumbled into action, decrypting and deconstructing Stuxnet, more assessments filtered out.
It turned out the code had been launched into the wild as early as a
year before, in June 2009, and its mysterious creator had updated and
refined it over time, releasing three different versions. Notably, one
of the virus’s driver files used a valid signed certificate stolen from
RealTek Semiconductor, a hardware maker in Taiwan, in order to fool
systems into thinking the malware was a trusted program from RealTek.
Internet authorities quickly revoked the certificate. But another
Stuxnet driver was found using a second certificate, this one stolen
from JMicron Technology, a circuit maker in Taiwan that was —
coincidentally or not — headquartered in the same business park as
RealTek. Had the attackers physically broken into the companies to steal
the certificates? Or had they remotely hacked them to swipe the
company’s digital certificate-signing keys? No one knew.
“We rarely see such professional operations,” wrote ESET, a security
firm that found one of the certificates, on its blog. “This shows [the
attackers] have significant resources.”
In other ways, though, Stuxnet seemed routine and unambitious in its
aims. Experts determined that the virus was designed to target Simatic
WinCC Step7 software, an industrial control system made by the German
conglomerate Siemens that was used to program controllers that drive
motors, valves and switches in everything from food factories and
automobile assembly lines to gas pipelines and water treatment plants.
Although this was new in itself — control systems aren’t a
traditional hacker target, because there’s no obvious financial gain in
hacking them — what Stuxnet did to the Simatic systems wasn’t new. It
appeared to be simply stealing configuration and design data from the
systems, presumably to allow a competitor to duplicate a factory’s
production layout. Stuxnet looked like just another case of industrial
espionage.
Antivirus companies added signatures for various versions of the
malware to their detection engines, and then for the most part moved on
to other things.
The story of Stuxnet might have ended there. But a few researchers weren’t quite ready to let it go.