This report intends to document the theory of a worm attack and show a real world example of what happened with the Stuxnet worm in 2010 at the Natanz Nuclear facility in Iran. In approaching this assignment I chose this attack as it marked a clear turning point in the history of cyber security and in military history where cyber activities spilled over into the real physical world (Langner 2013). I discovered that no matter how advanced technology gets there is still a human element that was involved to carry out the attack and that not all vulnerabilities that are exploited are bugs in the software, some are documented safety features of industrial control systems, and with perhaps not enough thought gone into how these features could be exploited in a cyber attack. (Langner 2013)
My research into this type of attack took the form of investigating both academic and non academic literature on this topic. I started off investigating types of worm attacks and picked the Stuxnet worm due to the impact it had at the time. This report will start with an overview of what a worm attack is, and then how this was applied in the real world. It will then document the outcomes of the attack and the wide ranging impact it had on nation states improving the protection of critical infrastructure (Baezner and Robin 2018).
2. Breakdown Of A Worm Attack
A worm is a self-propagating piece of malicious software that actively seeks out machines to infect, and each infected machine serves as an automated launching pad for more attacks. A worm attack is made up of several steps, they are:
2.1 Propagation Phase
A worm propagates in several different ways, the first method of spreading a worm malware is via email or social media messaging. Worms are also spread via file sharing using USB drives to attack air gapped networks. For targets connected to a network a worm can log onto a remote system as a user and then copy itself from one system to the other.
Figure 1 – The Propagation Phase
2.1 Scanning for Targets
Once the worm has been installed its first function will be to scan for targets (or fingerprinting) on the network it can connect to looking for vulnerabilities it is designed to exploit. A worm can select its targets depending on its purpose, some worms select their targets at random and others select their targets using a hit list, where each infected machine is provided with a portion of the list to scan. The worm can also make use of information contained on an infected victim machine to find more hosts to scan.
Figure 2 – A Hit List Target Selection Phase
2.3 Payload Delivery
In the last stage of a worm attack the payload is delivered to the target system, this allows the malicious actor behind the campaign increases their level of access on the target system. From there they can cause significant damage including data theft, and potentially gain access and control of multiple systems. (Cisco 2021).
Fig 3 – The Payload Delivery Phase
3. A Real World Example (Stuxnet)
3.1 When and where did it happen
In June 2010 an antivirus company VirusBlockAda based in Belarus started investigating reports coming out of Iran that a computer at the Natanz Nuclear facility was continually rebooting itself (Zetter cited in Baezner and Robin 2018). Its name went through several iterations initially called ‘Rootkit Temphider’ by VirusBlockAda until Symantec called it ‘Stuxnet’ which is an abbreviation of some keywords in the software. (Stuxnet 2021)
3.2 Threats and Vulnerabilities Landscape
The first thing to understand is the speed at which threats can occur in the cyber landscape and new systems often mean new vulnerabilities that appear. Zero day exploits are defined by Porche et al (2011) as any malware that exists but has not been detected and thus has no signature. If your network defence relies on signatures to detect an attack, there is a greater chance of going undetected in new systems. These zero day vulnerabilities were exploited by the creators of Stuxnet to ultimately infect the computers that were controlling the centrifuges. Secondly, at the control system level Stuxnet took advantage several flaws in design which are very hard to patch as they are part of the design. As Langner (2013) notes the worst vulnerabilities are not bugs, they are features.
3.3 Technical Overview of Stuxnet
The nuclear facility at Natanz is an air-gapped, closed computer network, meaning that it does not have a connection the internet. So the creators of the Stuxnet worm required a person to deliver the worm via a USB drive. (De Falco cited in Baezner and Robin 2018) This method of propagation is known as file sharing, and shows that a human element was still required to carry out this attack.
3.3.2 Target Selection
The Stuxnet worm is very specific in the targets it attacks, this would be referred to as a hit list target selection. The worm is designed solely to attack Siemans SCADA (Supervisory Control and Data Acquisition) systems PLC’s (Programmable Logic Controllers) that manage the safety and control systems of the nuclear centrifuges. (Matrosov et al 2010)
3.3.3 The Stolen Certificates
When you install software on your computer there is an inherent trust relationship happening. The software will be certified by a trusted third party to say it is legitimate, and you as the installer trust that the certifying authority have taken reasonable steps to prove the developer of the software is in fact who they say they are. In the Stuxnet attack the worm used valid, but stolen driver certificates from RealTek and JMicron to download its rootkit. (Baezner and Robin 2018)
3.3.4 Zero Day Threats
When the worm was discovered it surprised computer experts due to its sophistication and the use of four zero-day exploits, which was unusual for a computer worm and suggests that significant resources were invested in its development. (Zetter cited in Baezner and Robin 2018). This means even Microsoft and Siemans were unaware of the vulnerabilities which could be used to hack their systems.
3.3.5 Payload Delivery
Once the payload had been delivered it used two different attack routines, both attacks aim at damaging the centrifuge rotors, but use different tactics. The first attack attempts to over-pressurise the centrifuges, the second attack tries to overspeed the centrifuge rotors. (Langner 2013)
3.4 Stuxnet Outcome
The actual outcome of the damage that the Stuxnet worm caused is still unclear as there is very little information available, some reports say that around 1000 centrifuges were destroyed and that caused a delay in Iran’s nuclear weapon program. (Mueller and Yadegari 2012)
3.5.1 Social and Political Impacts
At a domestic political level the attack discredited the Iranian government as they were unable to protect their nuclear facilities against the attack, and at the same time did not retaliate as the perpetrators were not known. This inaction made the Iranian government look weak. (Baezner and Robin 2018)
3.5.2 Economic Impacts
The cyber attack had a direct economic impact on Iran, the Iranians not only had to replace the damaged centrifuges, they also had to introduce new security and cyber security measures for nuclear facilities to protect against further attacks. This would have taken a very significant financial investment. (Baezner and Robin 2018)
3.5.3 Cyber Security Policy Impacts
The Stuxnet worm attack had a wide ranging cyber security policy impact in relation to nation states improving cyber security. In response the US government called for bills to provide more cyber security awareness and training and a standardised notification process of breaches that happen in the private sector, and a new cyber security coordinator position in the executive branch of the US government. (Porche et al, 2011) It also promoted a closer co-operation between governments and companies who manage critical infrastructure and made nation states draw up plans on how it should respond to cyber attacks. (Baezner and Robin 2018)
3.6 Security Aims
The Stuxnet attack breached several cyber security aims such as availability and integrity, the attack affected the availability of control systems that managed the centrifuges and slowed down the Iranian nuclear effort in general. The attack also affected the integrity of the control systems that ran the critical infrastructure attached to the centrifuges and the use of stolen digital certificates had a strong impact on the integrity of the whole digital key system.
3.7 Vendor Reaction
Microsoft patched the zero day exploits and Siemens offered patches and a removal tool to customers to remove Stuxnet. Verisign the certifying authority revoked the certificates and introduced stricter rules for driver certificates to prevent a recurrence of malware using stolen certificates. (Baezner and Robin 2018)
The discovery of the Stuxnet worm was a watershed moment in cyber security where nation states realised that such a weapon could exist that could attack nuclear centres that are part of an air gapped network. This event had wide ranging effects from having an economic impact on the Iranians and made the Iranian government look weak by not being able to protect its critical infrastructure. It also led to an overall uplift in cyber security standards and procedures by nation states and the private companies that manage their critical infrastructure.