3. 3
And these are Natanz’s Centrifuges
The 1-hour Guide to Stuxnet
4. 4
And this is how they’re controlled
Programmable
Logic Controller
. . . . . .
. . . . . .
Communications
Processors (Routers)
Frequency
Converters
Centrifuges
Windows
PC
The 1-hour Guide to Stuxnet
Communications
Processors route
commands from the PLC
to groups of mechanical
devices.
Frequency Converters are
responsible for converting
AC frequencies to either
higher-or lower frequencies
to operate motors.
Centrifuges enrich Uranium
so it can be used to power
nuclear plants or weapons.
The PLC is a specialized
piece of hardware that
orchestrates control of
multiple connected
mechanical devices.
Industrial control systems are
typically controlled by a
standard PC running
industrial control software
like STEP7 from Siemens.
5. 5
And this is how they’re isolated
Programmable
Logic Controller
. . . . . .
. . . . . .
Communications
Processors (Routers)
Frequency
Converters
Centrifuges
Windows
PC
Research Network
The 1-hour Guide to Stuxnet
6. 6
And this is (probably)
an Israeli Mossad Programmer
Who wants
to introduce
onto this
computer
right here
The 1-hour Guide to Stuxnet
7. 7
So how exactly
does this:
Get onto an
“air-gapped”
network to
disrupt these:
It’s got to spread on its own…
All while evading detection.
Until it discovers the proper computers…
Where it can disrupt the centrifuges…
The 1-hour Guide to Stuxnet
8. It’s got to spread on its own…
Stuxnet uses seven distinct mechanisms to spread to new computers.
Six of these attacks targeted flaws (back doors) that were
unknown to the security industry and software vendors!
It copies itself to
open file-shares.
It attacks a hole
in Windows’ print
spooler.
It attacks a hole
in Windows RPC.
It password-cracks
SIEMENS DB software.
It infects SIEMENS
PLC data files.
Peers update other
peers directly.
Stuxnet uses thumb
drives to bridge the gap!
Usually we’re surprised
when we see a threat
targeting one flaw...
But if the centrifuges are
air-gapped from the ‘net,
how can Stuxnet jump to
the enrichment network?
USB drives!
The 1-hour Guide to Stuxnet 8
9. Spreading – A Sidebar
The 1-hour Guide to Stuxnet 9
Task #1:
Job: Delete temp files
Run as: Root user
Run at: 10pm
Windows Tasks
Task #2:
Job: Clean registry
Run as: Jim (non-root)
Run at: 6pm
Task #3:
Job: Print receipts
Run as: Ted (non-root)
Run at: 2am
Windows has a built-in task scheduler system.
Each user can add new tasks to be run at a certain
time and with a certain permission level.
(Regular users can’t add “root” level jobs)
To prevent tampering, windows computes
a CRC32 hash for each task record and stores this in
a protected area of the computer.
Task1 hash: 9B7CC653
Task2 hash: 11090343
Task3 hash: 40910276
(the tasks themselves
are stored as globally
readable/writable XML files)
10. The 1-hour Guide to Stuxnet 10
When it arrives on a machine, Stuxnet starts
running with non-administrator privileges.
But to do its mischief, Stuxnet needs to
run with “root” privileges.
Task #1:
Job: Delete temp files
Run as: Root user
Run at: 10pm
Windows Tasks
Task #2:
Job: Clean registry
Run as: Jim (non-root)
Run at: 6pm
Task #3:
Job: Print receipts
Run as: Ted (non-root)
Run at: 2am
So first, Stuxnet creates a new task,
using the permissions of the current user.
Task #4:
Job: Run stuxnet.dll
Run as: Ted (non-root)
Run at: 2pm
Task1 hash: 9B7CC653
Task2 hash: 11090343
Task3 hash: 40910276
And of course, once Windows verifies that the job is
legitimate (the user hasn’t tried to create a root-
level job), it calculates the job’s hash and adds it to
the security store.
Task4 hash: DE9DBA76
Spreading – A Sidebar
11. The 1-hour Guide to Stuxnet 11
Task #1:
Job: Delete temp files
Run as: Root user
Run at: 10pm
Windows Tasks
Task #2:
Job: Clean registry
Run as: Jim (non-root)
Run at: 6pm
Task #3:
Job: Print receipts
Run as: Ted (non-root)
Run at: 2am
Task1 hash: 9B7CC653
Task2 hash: 11090343
Task3 hash: 40910276
Task4 hash: DE9DBA76
Task #4:
Job: Run stuxnet.dll
Run as: Ted (non-root)
Run at: 2pm
Next Stuxnet modifies the XML job file it just
added, changing its permission to “root”!
(Remember, the XML files are writable)
Ted (non-root)
Root user
But wait! The updated job
file hash no longer matches
the protected hash stored by
Windows!
If Windows were to process
the updated job file, it would
detect this and reject it!
New hash: 66C35150
Ah, but Stuxnet is more clever than that.
Stuxnet knows how to forge a CRC - it computes a set
of values which, if appended to the file, will result in
its CRC matching the original! And then it appends
these bytes to the file!
XQ
New hash: DE9DBA76
And Windows will happily run the updated job,
giving Stuxnet root-level privileges!
Spreading – A Sidebar
12. Until it discovers the proper computers…
Stuxnet is extremely picky and only activates
its payload when it’s found an exact match.
The targeted computer must be running
STEP7 software from Siemens.
The targeted computer must be directly connected to
an S7-315 Programmable Logic Controller from Siemens.
The PLC must further be connected to at least six
CP-342-5 Network Modules from Siemens.
Each Network Module must be connected to ~31
Fararo Paya or Vacon NX frequency converters.
…
It’s got to spread on its own…
The 1-hour Guide to Stuxnet 12
13. Until it discovers the proper computers…
Stuxnet is extremely picky and only activates
its payload when it’s found an exact match.
…
Now if you do the math….
Stuxnet verifies that the discovered
Programmable Logic Controller…
Is controlling at least
155 total frequency converters…
And recently we learned that Iran’s
Uranium enrichment “cascade” just happens
to use exactly 160 centrifuges.
What a coincidence!
The creators of
Stuxnet must have
guessed all of these
details.
The 1-hour Guide to Stuxnet 13
14. Now Stuxnet gets down to business…
Stuxnet starts by downloading
malicious logic onto the PLC hardware.
What you (probably) didn’t
realize is that the PLC uses a
totally different microchip &
computer language than
Windows PCs.
Stuxnet is the first known
threat to target an industrial
control microchip!
The 1-hour Guide to Stuxnet
Until it discovers the proper computers…
14
15. Next, Stuxnet measures the operating speed of
the frequency converters during their normal
operation for 13 days!
And makes sure the motors are running between 807Hz and 1210Hz.
(This is coincidentally
the frequency range
required to run
centrifuges.)
Now Stuxnet gets down to business…
(After all, whoever wrote
Stuxnet wouldn’t want it
to take out a roller
coaster or something.)
The 1-hour Guide to Stuxnet 15
16. Once it’s sure, the malicious PLC logic begins its mischief!
Then sleeps for 27 days.
Then slows the spin rate
to 2Hz for 50 mins.
Then sleeps for 27 days.
Stuxnet repeats this
process over and over.
0Hz 1500Hz
Stuxnet raises the spin rate
to 1410Hz for 15 mins.
Now Stuxnet gets down to business…
The 1-hour Guide to Stuxnet 16
17. Why push the motors up to 1410Hz?
0Hz 1500Hz
Well, ~1380Hz is a resonance frequency.
It is believed that operation at this frequency for even a
few seconds will result in disintegration of the enrichment tubes!
Why reduce the motors to 2Hz?
At such a low rotation rate, the vertical enrichment tubes
will begin wobbling like a top (also causing damage).
Now Stuxnet gets down to business…
17
The 1-hour Guide to Stuxnet
18. What about Iranian failsafe systems?
The 1-hour Guide to Stuxnet 18
(Surely by now you’re thinking that alarm
bells should have been blaring at the
enrichment plant, right?)
Now Stuxnet gets down to business…
Maybe Stuxnet pulled a mission impossible?!?
19.
20. And in fact, that’s exactly what Stuxnet did!
Well, in fact, these
facilities typically do
have fail-safe controls.
They trigger a shutdown
if the frequency goes out
of the acceptable range.
But worry not…
Stuxnet takes care of
this too.
Stuxnet records telemetry
readings while the
centrifuges are operating
normally.
0Hz 1500Hz
And when it launches its
attack, it sends this
recorded data to fool the
fail-safe systems!
And Stuxnet disables
the emergency kill switch
on the PLC as well…
Just in case someone tries
to be a hero.
Now Stuxnet gets down to business…
The 1-hour Guide to Stuxnet 20
21. All while evading detection…
Stuxnet uses five distinct mechanisms to conceal itself.
#5
Stuxnet hides its own files on infected thumb drives using 2 “rootkits.”
The 1-hour Guide to Stuxnet
Now Stuxnet gets down to business…
21
22. Stuxnet uses five distinct mechanisms to conceal itself.
#4
Stuxnet inhibits different behaviors in the presence of different
security products to avoid detection.
Launch Attack A
Launch Attack B
Launch Attack C
Launch Attack D
Launch Attack A
Launch Attack B
Launch Attack C
Launch Attack D
Launch Attack A
Launch Attack B
Launch Attack C
Launch Attack D
All while evading detection.
The 1-hour Guide to Stuxnet 22
23. Stuxnet uses five distinct mechanisms to conceal itself.
#3
Stuxnet completely deletes itself from USB keys after it has
spread to exactly three new machines.
All while evading detection.
The 1-hour Guide to Stuxnet 23
24. Stuxnet uses five distinct mechanisms to conceal itself.
#2
Stuxnet’s authors “digitally signed” it with stolen digital certificates
to make it look like it was created by well-known companies.
Realtek
The two certificates
were stolen from
RealTek and Jmicron…
All while evading detection.
…as it turns out, both
companies are located
less than 1km apart in
the same Taiwanese
business park.
The 1-hour Guide to Stuxnet 24
25. Stuxnet uses five distinct mechanisms to conceal itself.
#1
Stuxnet conceals its malicious “code” changes to the PLC
from operational personnel (It hides its injected logic)!
Instructions to the Centrifuges
During normal operation:
Spin at 1410hz
In case of emergency:
IGNORE OPERATOR COMMANDS
PLC
(To centrifuges)
All while evading detection.
The 1-hour Guide to Stuxnet 25
27. Did It Succeed?
Well, based on some clever
Symantec engineering, we’ve
got some interesting data.
Fact: As Stuxnet spreads between
computers, it keeps an internal log
of every computer it’s visited.
Fact: Stuxnet contacts two
command-and-control servers
every time it runs to report its
status and check for commands.
www.mypremierfutbol.com
www.todaysfutbol.com
Working with registrars,
Symantec took control of these
domains, forwarding all traffic
to our Symantec data centers.
The 1-hour Guide to Stuxnet 27
28. Stuxnet Bookkeeping
The 1-hour Guide to Stuxnet 28
151.21.32.19 151.21.32.21
27.42.97.152
93.154.11.42 93.154.12.78
151.21.32.19
151.21.32.21
151.21.32.19
151.21.32.21
151.21.32.19
151.21.32.21
27.42.97.152
93.154.11.42
93.154.12.78
151.21.32.19
151.21.32.19
151.21.32.21
151.21.32.19
151.21.32.21
93.154.11.42
Stuxnet embeds its “visited list” inside its own body as it
spreads, enabling detailed forensics!
30. Here’s What We Found
The 1-hour Guide to Stuxnet
(These graphs show how the discovered samples spread)
30
31. 31
Here’s What We Found
Data at time of discovery (July, 2010)
The 1-hour Guide to Stuxnet
32. Here’s What We Found
67.60
8.10 4.98 2.18 2.18 1.56 1.25
12.15
0.00
10.00
20.00
30.00
40.00
50.00
60.00
70.00
80.00
IRAN
SOUTH
KOREA
USA
GREAT
BRITAIN
INDONESIA
TAIWAN
INDIA
OTHERS
Distribution of InfectedSystemswith SiemensSoftware
Data at time of discovery (July, 2010)
The 1-hour Guide to Stuxnet 32
33. Did It Succeed?
Indications are that it did!
The Institute for Science and International Security writes:
“It is increasingly accepted that, in late 2009 or early 2010,
Stuxnet destroyed about 1,000 IR-1 centrifuges out of about
9,000 deployed at the site.”
Symantec telemetry indicates that rather than directly
trying to infiltrate Natanz…
These companies (likely) then unknowingly ferried the infection
into Natanz’s research and enrichment networks.
The attackers infected five industrial companies with
potential subcontracting relationships with the plant.
33
The 1-hour Guide to Stuxnet
34. Whodunit?
The 1-hour Guide to Stuxnet 34
19790509
According to Wikipedia, On May 9th, 1979 “Habib
Elghanian was executed by a firing squad in Tehran
sending shock waves through the closely knit Iranian
Jewish community. He was the first Jew and one of the
first civilians to be executed by the new Islamic
government. This prompted the mass exodus of the
once 100,000 member strong Jewish community of
Iran which continues to this day.”
June 22, 2009 4:31:47pm GMT
June 22, 2009 6:31:47pm Local
GMT + 2
35. To Conclude
Stuxnet proves cyber-warfare against
physical infrastructure is feasible.
Unfortunately, the same techniques can be used to
attack other physical and virtual systems.
Stuxnet has signaled a fundamental
shift in the malware space.
The 1-hour Guide to Stuxnet 35
One WinCC (MS SQL) system per N Step7 systems. It holds telemetry data that comes back from the PLCs. Could jump from that machine to developer’s machine via network shares.
Print servers may have been connected between the airgap?
And it auto-spreads over thumb drives!
Stuxnet uses thumb drives to bridge the gap!
Threat reads the PLC from the windows box to determine how many routers are connected to the PLC. The number of routers/network modules must be six (CP-342-5) – (found by querying the PLC), and the frequency converters must be of the two types from Iran or wherever.
In Iran, there are 160 centrifuges in a cascade, we know this, and so with 31 motors per network module, this would cover up to 6*31 possible frequency converters. 5 router would be too little.
ProfibusIDs like a UPC code for each frequency converter; this PID is stored in the PLC’s configuration data.
PLC model itself 315-2 must be correct.
Has to monitor for 13 days of operation between 800hz and 1200hz
Washing machine analogy – off-balance due to load, danger of domino effect
Threat reads the PLC from the windows box to determine how many routers are connected to the PLC. The number of routers/network modules must be six (CP-342-5) – (found by querying the PLC), and the frequency converters must be of the two types from Iran or wherever.
In Iran, there are 160 centrifuges in a cascade, we know this, and so with 31 motors per network module, this would cover up to 6*31 possible frequency converters. 5 router would be too little.
Sets the frequency converters to 1410Hz for 15 minutes (ramp up time may be > 16 minutes and thus, reach only ~1381Hz)
Waits 27 days (must be operating between 807Hz and 1210Hz)
Sets the frequency converters to 2Hz for 50 minutes (ramp down time ~33 minutes)
Waits 27 days (must be operating between 807Hz and 1210Hz)
Repeat at 2 (1410Hz for 15 minutes)
Sets the frequency converters to 1410Hz for 15 minutes (ramp up time may be > 16 minutes and thus, reach only ~1381Hz)
Waits 27 days (must be operating between 807Hz and 1210Hz)
Sets the frequency converters to 2Hz for 50 minutes (ramp down time ~33 minutes)
Waits 27 days (must be operating between 807Hz and 1210Hz)
Repeat at 2 (1410Hz for 15 minutes)
What about fail-safe systems? Well, Stuxnet hid itself from these. The threat actively recorded normal operation of the centrifuges and played this back while it was accelerating these centrifuges to dangerous speeds – just like the picture on the wall here hides the fact that the person is falling down the stairs.
<click>
So, none of the fail-safe systems noticed that anything was wrong, just like this security guard doesn’t notice anything unusual on his screen.
So, if Stuxnet can do all of this, imagine what a targeted attack launched by a state-sponsored competitor could do to Qualcomm...
Stuxnet also uses another trick hide itself on removable drives. It adds a second Open menu option to the right-click menu. One of these Open commands is the legitimate one and one is the command added by Stuxnet. If a user chooses to open the drive via this menu, Stuxnet will execute first. Stuxnet then opens the drive to hide that anything suspicious has occurred.