
How Symantec Hacked Stuxnet

The story behind Stuxnet, the worm that targeted Iran's nuclear programme, has been told more than once (including on Habr) since last spring, when Symantec's research team published this document, a dossier on that unprecedentedly complex creation of somebody's hands. But seeing is believing. I had the chance to attend a special briefing at Symantec's headquarters in Mountain View, California, where Patrick Gardner, the director of their security group, showed how it all happened. It was great.

Stuxnet was a very complex program, about 10,000 lines of code that took man-years to write. Symantec found the first versions of the worm about a year before the real attack, which took place in June a year ago, and had no idea what it was until events began to unfold at the nuclear facility. They dissected the code with a team of three people working full-time for several months.

The software is highly specific: it targeted a particular Siemens programmable logic controller (PLC) driving a cascade of some 9,000 centrifuges used to enrich uranium. The worm destroyed about 1,000 of them outright, causing serious damage and setting Iran's entire nuclear programme back by a year or even more.
The facility's network had a so-called air gap between the computers used to work with the Siemens controllers and the ordinary machines on the business side that are connected to the Internet. The computers attached to the Siemens equipment therefore had no route to the outside network, which is standard and good practice for a network of this sensitivity. How, then, were they infected with a worm? Through the human factor.

The worm's authors knew of five potential subcontractors of the facility and counted on an employee of at least one of them walking into the closed area with a working laptop and using a USB flash drive to carry software updates to the computers that program the controllers. From there the worm exploited a zero-day (that is, previously unknown) vulnerability in the way Windows Explorer renders the icon of a shortcut file: no click was needed, and merely viewing the folder containing the file was enough to infect the machine.

Once inside, Stuxnet got to work. Ironically, its first task was to sit quietly for two weeks and simply record the traffic to the controller and the controller's responses to commands, doing nothing at all to damage the controllers or the plant's operations. Only after this data had been collected did it begin to infect the controllers. Moreover, because the worm inserted itself between the engineering software and the controller, standard inspection procedures could not reveal what the Stuxnet authors had added to the control program: the code read back from an infected controller looked identical to the original. This is very ingenious programming.

At the Symantec briefing they showed us a real Siemens controller to explain firsthand what actually happened. It was a small box, about the size of a loaf of bread, with an air compressor attached to it, the kind you carry in the trunk of your car to inflate a flat tire. First we were shown "normal" operation, in which the compressor ran for three seconds to inflate a balloon (no, we were not shown any nuclear material; that would be too much). Then Stuxnet was launched, which changed the controller's program so that the compressor ran without stopping, and the balloon burst.


The authors of Stuxnet (nobody can say exactly who they are, but picture an experienced development team, most likely funded by a state) had access to the specific plans of the Iranian facility where the controllers were installed. The plans were either stolen or otherwise handed to the worm's authors, so that the code could be programmed with the location of each compressor, motor and other piece of equipment in the plant and with how they are connected to one another. The worm was built for this one architectural layout; Stuxnet could not have harmed another facility using the same Siemens equipment.

"Definitely, there was some kind of data exfiltration, not to mention the programming skills needed for this kind of work," says Gardner. As for skills, the Stuxnet authors were more than up to the task. The worm contained 15 modules and 5 self-hiding mechanisms, including two rootkits: one for the Windows PC and one for the Siemens controller, whose programs are written with Siemens's Step7 engineering software. The authors also stole (or bought) two code-signing certificates belonging to companies physically located in the same business park in Taiwan: Realtek and JMicron. Why two? The first was discovered and revoked before the worm had finished its work. Six vulnerabilities in all were built into the worm, four of them zero-days at the time. To put that in perspective, Symantec saw a total of 14 zero-day vulnerabilities in the whole of 2010.

Once the worm set to work, it changed the spin frequency of the centrifuges so as to inflict serious damage. While it did so, the traffic Stuxnet had recorded during the first two weeks was replayed to the plant operators, so they had no suspicion that "something was not right" until the machines literally flew apart. Finally, the most elegant part of the whole procedure: the worm disabled the so-called kill switches, the emergency stops, so it was not even possible to physically take the controllers out of operation.
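The record-and-replay deception described above and the compressor demo from the briefing, as an added toy simulation written for this page (it is not Symantec's demo code and nothing in it comes from Siemens). The process model, the three-second run time, the pressure constants and the trip threshold are assumptions chosen to make the mechanism visible, and the "two weeks" of reconnaissance is compressed to a few cycles. It also adds the check a practitioner would want: comparing the operator screen against an independent gauge, which is what exposes a replay that the controller read-back cannot.

```python
"""Toy model of a PLC-driven compressor and a Stuxnet-style record/replay deception.
Added example for this page, not Symantec's or Siemens's code; every constant is assumed."""
from dataclasses import dataclass, field
from typing import Callable, List

DT = 0.1                # assumed control-loop period (s)
RUN_SECONDS = 3.0       # assumed: benign program inflates for 3 s per cycle
INFLATE_RATE = 0.2      # assumed pressure rise (bar/s) while the compressor runs
BURST_PRESSURE = 2.5    # assumed pressure at which the balloon bursts
TRIP_PRESSURE = 2.0     # assumed emergency-stop ("kill switch") threshold

ORIGINAL_SOURCE = "OB1: run compressor 3 s, stop at 2.0 bar"   # hypothetical block text
MALICIOUS_SOURCE = "OB1: run compressor forever, trip ignored"  # hypothetical block text


@dataclass
class Balloon:
    pressure: float = 1.0
    burst: bool = False

    def step(self, compressor_on: bool) -> None:
        if self.burst:
            return
        if compressor_on:
            self.pressure += INFLATE_RATE * DT
        if self.pressure >= BURST_PRESSURE:
            self.burst = True


def original_logic(elapsed: float, pressure: float) -> bool:
    """Benign control block: compressor on for RUN_SECONDS, never past the trip."""
    return elapsed < RUN_SECONDS and pressure < TRIP_PRESSURE


def malicious_logic(elapsed: float, pressure: float) -> bool:
    """Injected block: compressor always on, process limits ignored."""
    return True


@dataclass
class PLC:
    logic: Callable[[float, float], bool] = original_logic
    source: str = ORIGINAL_SOURCE
    trip_enabled: bool = True
    tripped: bool = False
    compromised: bool = False
    recorded: List[float] = field(default_factory=list)  # samples captured during recon
    replay_index: int = 0

    def scan(self, elapsed: float, balloon: Balloon) -> None:
        """One scan cycle: evaluate the logic, apply the trip, drive the plant."""
        on = self.logic(elapsed, balloon.pressure)
        if self.trip_enabled and balloon.pressure >= TRIP_PRESSURE:
            self.tripped = True
        balloon.step(on and not self.tripped)
        if not self.compromised:          # reconnaissance: learn what "normal" looks like
            self.recorded.append(balloon.pressure)

    def infect(self) -> None:
        """Swap in the malicious block and defeat the kill switch."""
        self.compromised = True
        self.logic = malicious_logic
        self.source = MALICIOUS_SOURCE
        self.trip_enabled = False

    def read_pressure_for_hmi(self, balloon: Balloon) -> float:
        """Value shown on the operator screen; after compromise, replayed history."""
        if not self.compromised:
            return balloon.pressure
        value = self.recorded[self.replay_index % len(self.recorded)]
        self.replay_index += 1
        return value

    def read_program(self) -> str:
        """What an engineer sees when reading the block back: the rootkit intercepts
        the read and hands back the original code, so the infection is invisible."""
        return ORIGINAL_SOURCE if self.compromised else self.source


def out_of_band_check(hmi: List[float], gauge: List[float], tolerance: float = 0.1) -> bool:
    """True if an independent gauge disagrees with the HMI beyond tolerance."""
    return any(abs(h - g) > tolerance for h, g in zip(hmi, gauge))


def simulate(attack: bool, recon_cycles: int = 5, attack_seconds: float = 10.0) -> dict:
    plc = PLC()
    steps_per_cycle = round((RUN_SECONDS + 1.0) / DT)
    for _ in range(recon_cycles):            # normal cycles while the worm only listens
        balloon = Balloon()
        for step in range(steps_per_cycle):
            plc.scan(step * DT, balloon)
    if attack:
        plc.infect()
    balloon = Balloon()
    hmi, gauge = [], []
    for step in range(round(attack_seconds / DT)):
        plc.scan(step * DT, balloon)
        hmi.append(plc.read_pressure_for_hmi(balloon))
        gauge.append(balloon.pressure)       # what a physical gauge on the line would show
        if balloon.burst:
            break
    return {
        "burst": balloon.burst,
        "tripped": plc.tripped,
        "readback": plc.read_program(),
        "max_hmi": max(hmi),
        "max_gauge": max(gauge),
        "divergence_detected": out_of_band_check(hmi, gauge),
    }


if __name__ == "__main__":
    for attack in (False, True):
        print("attack" if attack else "normal", simulate(attack))
```

In the attacked run the balloon bursts, the trip never fires, and both the operator screen and the program read-back look exactly like the benign run; only the comparison against a measurement that does not pass through the compromised controller reveals the divergence. That is the design lesson: integrity of a control system cannot be verified solely through the channel the attacker controls.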

The thought that ran through my mind throughout the presentation was something like: "What comes next?" The team that developed Stuxnet will definitely not stop at this (fortunately, single) attempt. Their next creation may be far more merciless.

Source: https://habr.com/ru/post/123030/

