Stuxnet Worm

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: Stuxnet Worm

Post by Pigeon » Fri Mar 15, 2013 6:42 pm

Stuxnet 0.5: Disrupting Uranium Processing at Natanz

When Symantec first disclosed details about how Stuxnet affected the programmable logic controllers (PLCs) used for uranium enrichment in Natanz, Iran, we documented two attack strategies. We also noted that the one targeting 417 PLC devices was disabled. We have now obtained an earlier version of Stuxnet that contains the fully operational 417 PLC device attack code.

After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges. The attack essentially closes the valves causing disruption to the flow and possibly destruction of the centrifuges and related systems. In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally. It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.

Figure 1. Summary of the Stuxnet 0.5 attack strategy


Given Stuxnet 0.5 is an earlier version of Stuxnet, the 417 attack strategy was the original strategy, and likely abandoned in favor of modifying the centrifuge speeds instead—a technique used in Stuxnet 1.x versions.

Stuxnet 1.x contained missing pieces of code, which are present in Stuxnet 0.5. These pieces of code perform the necessary fingerprinting of the target system before deploying the 417 attack strategy and build a critical PLC data block (DB8061). Therefore, we can now fully describe the intended 417 attack strategy.

Fingerprinting target system configuration

This version of Stuxnet extensively fingerprints the target system to determine whether it is in the right location before it will activate the payload. To make this determination, Stuxnet checks if the infected system is running Step 7 software and parses the symbol table of the target system. The symbol table holds identification labels for each physical device in the target system. For example, each valve, pump, and sensor will have a unique identifier. The symbol labels loosely follow the ANSI/ISA-5.1 Instrumentation Symbols and Identification standard, which is used in piping and instrumentation diagrams (P&ID).

Figure 2. An example of a P&ID diagram from a uranium enrichment facility in Iran (Source: PressTV)


The following table summarizes what devices and labels Stuxnet looks for within the symbol table.

Table 1. Device types and labels targeted by Stuxnet


The labels for each of these devices follow the following specific format:

For example, for a valve in module A21, in cascade eight, associated with centrifuge 160, the label would be PV-A21-8-160.

The logic used to parse these strings yields additional interesting clues. For example, the cascade module must be between A21 and A28; this matches the known configuration of cascade modules at Natanz, Iran. Stuxnet expects a maximum of 18 cascades per module, 164 centrifuges grouped into 15 stages per cascade, which again matches the published configuration at Natanz, Iran.

Furthermore, the number of centrifuges is expected to be distributed within stages, as shown in the following table.

Table 2. Configuration of process stages and centrifuges


Within each stage, centrifuges can be further grouped into sub-clusters of four.

During fingerprinting, Stuxnet keeps a counter for each device that matches the expected configuration. Once the counter surpasses a particular threshold, Stuxnet considers the system that is being fingerprinted to match the target system configuration and will inject the attack PLC code. Stuxnet also determines which six cascades out of the possible 18 are the highest value targets and saves this information along with device addresses and configuration information into data block DB8061.
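The label grammar and the range checks described in the post above (modules A21 to A28, at most 18 cascades per module, 164 centrifuges per cascade, sub-clusters of four, a per-device match counter) can be expressed as a small symbol-table audit script. This is an added example, not Symantec's code and not Stuxnet's own parser; it is written from a defender's angle, so an engineer can run it over their own Step 7 symbol export and see how many tags would satisfy this kind of fingerprint. The device-type prefix list from Table 1, the stage layout from Table 2 and the counter threshold are not reproduced in the post, so the script accepts any two- or three-letter prefix and takes the threshold as a caller-supplied parameter (both assumptions):

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Configuration limits as quoted in the post: cascade modules A21..A28,
# up to 18 cascades per module, 164 centrifuges per cascade, and
# centrifuges grouped into sub-clusters of four.
MODULE_MIN, MODULE_MAX = 21, 28
CASCADES_PER_MODULE = 18
CENTRIFUGES_PER_CASCADE = 164
SUBCLUSTER_SIZE = 4

# Label shape taken from the PV-A21-8-160 example:
#   <device type>-A<module>-<cascade>-<centrifuge>
# The device-type prefixes of Table 1 are not on the page, so any 2-3
# uppercase letters are accepted here (assumption) and handed back to the caller.
LABEL_RE = re.compile(
    r"^(?P<dtype>[A-Z]{2,3})-A(?P<module>\d{2})-(?P<cascade>\d{1,2})-(?P<centrifuge>\d{1,3})$"
)


@dataclass(frozen=True)
class DeviceLabel:
    device_type: str
    module: int
    cascade: int
    centrifuge: int

    @property
    def subcluster(self) -> int:
        """1-based index of the four-centrifuge sub-cluster within the cascade."""
        return (self.centrifuge - 1) // SUBCLUSTER_SIZE + 1


def parse_label(label: str) -> Optional[DeviceLabel]:
    """Return a DeviceLabel if the tag fits the format and the ranges above,
    otherwise None (the tag would not count towards the fingerprint)."""
    m = LABEL_RE.match(label.strip())
    if m is None:
        return None
    module = int(m["module"])
    cascade = int(m["cascade"])
    centrifuge = int(m["centrifuge"])
    if not (MODULE_MIN <= module <= MODULE_MAX):
        return None
    if not (1 <= cascade <= CASCADES_PER_MODULE):
        return None
    if not (1 <= centrifuge <= CENTRIFUGES_PER_CASCADE):
        return None
    return DeviceLabel(m["dtype"], module, cascade, centrifuge)


def audit_symbol_table(labels: List[str], threshold: int) -> Dict[str, object]:
    """Count tags that satisfy the fingerprint, mirroring the per-device counter
    the post describes. `threshold` is an assumption: the real value is not
    given in the post, so the caller chooses it."""
    matched: List[DeviceLabel] = []
    rejected: List[str] = []
    for raw in labels:
        parsed = parse_label(raw)
        if parsed is None:
            rejected.append(raw)
        else:
            matched.append(parsed)
    # How many matching devices each (module, cascade) pair contributes;
    # a defender can use this to see which cascades a fingerprint would "see".
    per_cascade = Counter((d.module, d.cascade) for d in matched)
    return {
        "matched": len(matched),
        "rejected": rejected,
        "per_cascade": dict(per_cascade),
        "exceeds_threshold": len(matched) > threshold,
    }


# Constructed sample symbol-table export (made up for this example, not real plant data).
SAMPLE_LABELS = [
    "PV-A21-8-160",   # the example tag from the post
    "PV-A21-8-161",
    "PV-A22-1-4",
    "PV-A28-18-164",  # upper bound on every field
    "PV-A29-1-1",     # module outside A21..A28
    "PV-A21-19-1",    # cascade > 18
    "PV-A21-8-165",   # centrifuge > 164
    "PV-A21-8-0",     # centrifuge 0 does not exist
    "MOTOR_STATUS",   # ordinary Step 7 symbol with no ISA-style tag
]

if __name__ == "__main__":
    print(audit_symbol_table(SAMPLE_LABELS, threshold=3))
```

On the constructed sample, four tags pass every check and five are rejected, so with the assumed threshold of 3 the export would be treated as a match. Swapping in a real symbol export shows whether a site's tag naming convention is close enough to the ISA-5.1 style to be worth reviewing.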


Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: Stuxnet Worm

Post by Pigeon » Fri Mar 15, 2013 6:44 pm

Stuxnet 0.5: Disrupting Uranium Processing at Natanz

Attack process

Similar to version 1.x of Stuxnet, the 417 PLC device attack code consists of a state machine with eight possible states. The states conduct an attack by closing valves within six of the possible 18 cascades.

Figure 3. 417 PLC device attack code state flow diagram


State 0 – Wait: Perform system identification and wait for the enrichment process to reach steady-state before attacking (approximately 30 days).
State 1 – Record: Take peripheral snapshots and build fake input blocks for replaying later.
State 2 – Attack centrifuge valves: Begin replaying fake input signals. Close valves on most centrifuges with the exception of the initial feed stage valves.
State 3 – Secondary pressure reading: Open valves in the final stage of a single cascade to obtain a low pressure reading.
State 4 – Wait for pressure change: Wait for desired pressure change or time limit. This can take up to two hours.
State 5 – Attack auxiliary valves: Open all auxiliary valves except valves believed to be near the first feed stage (stage 10). Waits for three minutes in this state.
State 6 – Wait for attack completion: Waits for six minutes whilst preventing any state changes.
State 7 – Finish: Reset and return to state zero.

By closing almost all valves except the initial feed stage valves, UF6 will continue to flow into the system. This act alone may cause damage to the centrifuges themselves. However, the attack expects the pressure to reach five times the normal operating pressure. At this pressure, significant damage to the uranium enrichment system could occur and the UF6 gas could even revert to a solid.

Whether the attack succeeded in this manner or not remains unclear. Even if the attack did succeed, the attackers decided to switch to a different strategy, of attacking the speed of the centrifuges themselves instead, in Stuxnet 1.x versions.

Symantec would like to thank the Institute for Science and International Security (ISIS) for their continued assistance in understanding centrifugal uranium enrichment systems.


Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: Stuxnet Worm

Post by Pigeon » Fri Mar 15, 2013 6:51 pm

Report: Stuxnet cyberweapon older than believed (Update)

Feb 27, Technology/Internet

The sophisticated cyberweapon which targeted an Iranian nuclear plant is older than previously believed, an anti-virus company said Tuesday, peeling back another layer of mystery on a series of attacks attributed by many to U.S. and Israeli intelligence.

The Stuxnet worm, aimed at the centrifuges in Iran's Natanz plant, transformed the cybersecurity field because it was the first known computer attack specifically designed to cause physical damage. The precise origins of the worm remain unclear, but until now the earliest samples of Stuxnet had been dated to 2009, and The New York Times—in the fullest account of the attack published so far—traced the origins of the top-secret program back to 2006.

In a new report issued late Tuesday, Symantec Corp. pushed that timeline further back, saying it had found a primitive version of Stuxnet circulating online in 2007 and that elements of the program had been in place as far back as 2005.

Independent security experts who examined the report said it showed that the worm's creators were well ahead of their time.

"To me, it's amazing," said Mikko Hypponen, whose Finland-based F-Secure has studied Stuxnet. "We had no idea the U.S.-Israel cyberoperations were so advanced already almost a decade ago."

Hypponen is one of a host of experts who've concluded that Stuxnet was an attempt to sabotage the uranium enrichment centrifuges at Iran's Natanz nuclear plant, a key element in the Islamic republic's disputed atomic energy program. Because the United States and Israel are two of Iran's biggest foes, the shadow of suspicion immediately settled on their tech-savvy intelligence services.

That theory got a boost when the Times reported that President George W. Bush had ordered the deployment of Stuxnet against Iran, laying out in unprecedented detail how the worm had been crafted so as to surreptitiously send Natanz's centrifuge machines spinning out of control.

U.S. and Israeli officials have long declined to comment publicly on Stuxnet or their alleged involvement in creating and deploying the computer worm.

Symantec's report suggests that an intermediate version of the worm—Stuxnet 0.5—was completed in November 2007. That worm lacked some of the sophistication of its descendant, Symantec said, and was designed to interfere with the centrifuges by opening and closing the valves which control the flow of uranium gas, causing a potentially damaging buildup in pressure.

That approach was dropped in later improved versions of the Stuxnet code.

Symantec said the servers used to control the primitive worm were set up in November 2005, suggesting that Stuxnet's trailblazing authors were plotting their attack at a time when many parts of the Internet now taken for granted were not yet in place. Twitter did not exist, Facebook was still largely limited to U.S. college campuses, and YouTube was in its infancy.

Alan Woodward, a professor of computer science at the University of Surrey, said that had troubling implications.

"Clearly these were very forward-thinking, clever people that were doing this," he said. "There's no reason to think that they're less forward-thinking now. What are they up to?"

phys.org

Information at Wiki

Another article at wired

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: Stuxnet Worm

Post by Pigeon » Tue Oct 25, 2022 1:20 pm

