When, in June 2010, a small group of engineers from a Belarusian antivirus company discovered the existence of the computer worm called Stuxnet, they were astounded by the sophistication of this software. To begin to understand the sophistication of this worm, let us start with its size. It is only 500 kilobytes (500 KB) in size, yet it performs astonishingly complex functions, as we will see later. To put this into context, the average size of a single digital photograph is 2000 KB; Stuxnet, which is a quarter of the size of a digital photo, has managed to bring chaos to 14 industrial sites!
Stuxnet works in three phases. First, it targets Microsoft Windows computers and networks, repeatedly replicating itself. Then it searches for industrial software developed by Siemens called Step 7, which is used to program the industrial control systems that operate equipment such as the centrifuges used in uranium enrichment. Third, it interferes with the equipment controllers and takes over their control function without the machines' human operators realising what is going on. It is believed that, through this process, Stuxnet succeeded in destroying some centrifuges by causing the fast-spinning centrifuges to tear themselves apart. Iran has neither confirmed nor denied that centrifuges were damaged by Stuxnet.
In each stage of the operation summarised above, Stuxnet shows remarkable capabilities, starting with the first stage: finding its way onto the first Windows computer, probably via a USB stick. How does it evade detection by the antivirus software on that computer? Stuxnet does so by presenting a Windows digital certificate claiming that it comes from a reputable company, and so it evades detection by antivirus systems.
Once safely active on the first computer, the worm checks whether the computer is part of an industrial control system made by Siemens; Iran uses such systems to run the high-speed centrifuges that enrich uranium. If the system is not a target, the worm does nothing. If it is, the worm accesses the Internet and downloads the latest version of itself. The worm is now ready to take control of the target system, exploiting security vulnerabilities not yet identified by the developers of these systems. Initially the worm monitors the operations of the target system and sends information to its handlers. Then it uses the information gathered and the commands received from its handlers to take control of the centrifuges, making them spin faster and faster until they destroy themselves. The beauty of it is that, whilst all this is going on, the worm feeds false information to the centrifuges' human operators, so that they believe everything is all right until it is too late.
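The false feedback described above is defeated only by a measurement the control software cannot rewrite: if the speed shown to the operator can be compared with a reading from an independent sensor path, a sustained disagreement between the two is the signal that something is being hidden. The following Python script is an added illustration of that cross-check; it is not code from the article or from any real plant. The sample readings, the 2% tolerance, the three-sample run length and the existence of an independent sensor are all constructed assumptions.

```python
"""Cross-check the speed a supervisory display reports for a centrifuge
against an independent sensor reading, and flag the windows in which the
two disagree for several consecutive samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int               # seconds since the start of the window (constructed)
    reported_rpm: float  # speed the control software shows the operator
    measured_rpm: float  # speed from an assumed independent sensor path


# Constructed telemetry: the reported value stays flat at a plausible nominal
# speed while the independent measurement ramps upward, the pattern the
# article describes (false information to the operator while the drive is
# pushed faster). The values are illustrative, not real centrifuge data.
SAMPLES = [
    Sample(0, 1000.0, 1001.0),
    Sample(1, 1000.0, 998.0),
    Sample(2, 1000.0, 1003.0),
    Sample(3, 1000.0, 1040.0),   # divergence begins
    Sample(4, 1000.0, 1090.0),
    Sample(5, 1000.0, 1150.0),
    Sample(6, 1000.0, 1220.0),
    Sample(7, 1000.0, 1300.0),
    Sample(8, 1000.0, 1002.0),   # readings agree again
    Sample(9, 1000.0, 999.0),
]


def relative_divergence(s: Sample) -> float:
    """Fraction by which the independent reading differs from the reported one."""
    return abs(s.measured_rpm - s.reported_rpm) / max(abs(s.reported_rpm), 1.0)


def _summarise(run):
    peak = max(relative_divergence(s) for s in run)
    return (run[0].t, run[-1].t, round(peak, 3))


def find_divergence_runs(samples, tolerance=0.02, min_run=3):
    """Return (start_t, end_t, peak_divergence) for every run of at least
    `min_run` consecutive samples whose divergence exceeds `tolerance`.
    Requiring a run rather than a single sample keeps ordinary sensor noise
    from raising alerts while still catching a sustained discrepancy."""
    runs = []
    current = []
    for s in samples:
        if relative_divergence(s) > tolerance:
            current.append(s)
            continue
        if len(current) >= min_run:
            runs.append(_summarise(current))
        current = []
    if len(current) >= min_run:          # run that reaches the end of the data
        runs.append(_summarise(current))
    return runs


if __name__ == "__main__":
    for start, end, peak in find_divergence_runs(SAMPLES):
        print(f"ALERT t={start}..{end}: reported and measured speed "
              f"disagree (peak divergence {peak:.1%})")
```

On the constructed data the script reports one alert covering seconds 3 to 7 with a peak divergence of 30%. The design point is that the comparison is only worth anything if the second reading really is independent: a sensor wired through the same controller the worm has compromised would simply be lied to in the same way.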
How was it that a Belarusian company came to discover the existence of Stuxnet? The company was approached by an unidentified client to determine why its industrial machines were restarting over and over again. The investigation led to a piece of ‘malware’ (malicious software) that carried a digital certificate. This caused alarm in the antivirus detection community, which hitherto had not scrutinised software bearing a legitimate certificate. Further investigation revealed that this particular malware was designed to attack Siemens control software.
As the antivirus community investigated Stuxnet further and cast a wider net, it became clear that Stuxnet was not a one-off but was likely to be one of a family of malware including Duqu, Flame and Gauss. Duqu is a worm discovered by Budapest University in September 2011, in the wake of Stuxnet’s notoriety. Like Stuxnet, it targets Iran’s nuclear programme, aiming to steal information held on computers and communicate it to its handlers. Flame can be described as an electronic spy which records everything going on at a computer (including Skype calls, screenshots, keystrokes, network traffic, etc.) and communicates the information to its handlers. It was discovered in May 2012 by Kaspersky, a Russian antivirus company, together with Budapest University and Iran’s Computer Emergency Response Team. It has been described as one of the most sophisticated pieces of malware ever discovered. It had infected computers in the Middle East, mostly in Iran, with some in Saudi Arabia, Lebanon, Egypt and even Israel. Once it was identified, its authors sent out a ‘kill’ command that deactivated and erased the Flame worm. Finally Gauss, found in July 2012, also appears to have had surveillance and information gathering as its main purpose, this time targeting bank accounts in Lebanon, which would provide extremely useful information to a nation-state for obvious reasons.
In Part 3 of this article we will examine the consequences and the future of the 21st Century cyberwar.
© M. Ozdamar (2013)