
The 42 Minute Guide to Stuxnet

Carey Nachenberg, VP, Symantec Fellow

Symantec Corporation


This is Natanz, Iran


And these are Natanz's centrifuges


And this is how they're controlled

Industrial control systems are typically controlled by a standard PC running industrial control software like STEP 7 from Siemens.

[Diagram: Windows PC -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges]

The PLC is a specialized piece of hardware that orchestrates groups of mechanical devices.
Communications Processors route control commands from the PLC to multiple connected mechanical devices.
Frequency Converters are responsible for converting AC frequencies to either higher or lower frequencies to operate motors.
Centrifuges enrich Uranium so it can be used to power nuclear plants or weapons.


And this is how they're isolated

[Diagram: the same chain, Windows PC -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges, sitting on an isolated Research Network]


And this is (probably) an Israeli Mossad programmer, who wants to introduce Stuxnet onto this computer right here.



So how exactly does this [Stuxnet] get onto an air gapped network to disrupt these [the centrifuges]?

It's got to spread on its own.
Until it discovers the proper computers.
Where it can disrupt the centrifuges.
All while evading detection.

It's got to spread on its own

Stuxnet uses seven distinct mechanisms to spread to new computers. Six of these attacks targeted flaws (backdoors) that were unknown to the security industry and software vendors!

1. It attacks a hole in Windows RPC.
2. Peers update other peers directly.
3. Stuxnet uses a hole in the Windows print spooler.
4. It password cracks SIEMENS DB software.
5. It copies itself to open file shares.
6. It infects SIEMENS PLC data files.
7. It infects thumb drives to bridge the gap!

But if the centrifuges are air gapped from the net, how can Stuxnet jump to the enrichment network? USB drives!

Usually we're surprised when we see a threat targeting one flaw...

Until it discovers the proper computers

Stuxnet is extremely picky and only activates its payload when it's found an exact match.
The targeted computer must be running STEP 7 software from Siemens.
The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.
The PLC must further be connected to at least six CP-342-5 Network Modules from Siemens.
Each Network Module must be connected to ~31 Fararo Paya or Vacon NX frequency converters.

Until it discovers the proper computers

Stuxnet is extremely picky and only activates its payload when it's found an exact match.
Stuxnet verifies that the discovered Programmable Logic Controller is controlling at least 155 total frequency converters.
And recently we learned that Iran's Uranium enrichment cascade just happens to use exactly 160 centrifuges.
What a coincidence!
Now if you do the math... the creators of Stuxnet must have guessed all of these details.
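The activation conditions above can be turned around into an asset-inventory check: a plant owner can ask whether one of their own PLC installations would have satisfied Stuxnet's exact-match profile. This is an added example, not code from the talk or from Stuxnet; the thresholds and product names come from the slides, while the inventory data model and the sample cascade are constructed here.

```python
# Added example: check a plant's own inventory against the targeting profile
# described in the talk (STEP 7 host, S7-315 PLC, >= 6 CP-342-5 modules,
# >= 155 Fararo Paya / Vacon NX converters). Data model is a constructed assumption.
from dataclasses import dataclass, field

TARGET_PLC = "S7-315"
TARGET_MODULE = "CP-342-5"
TARGET_CONVERTER_VENDORS = {"Fararo Paya", "Vacon NX"}
MIN_MODULES = 6
MIN_CONVERTERS = 155


@dataclass
class NetworkModule:
    model: str
    converters: list  # vendor name of each frequency converter attached to this module


@dataclass
class Plc:
    model: str
    step7_host_attached: bool  # directly connected to a PC running STEP 7?
    modules: list = field(default_factory=list)


def matches_stuxnet_profile(plc):
    """Return (matches, reasons). Every condition must hold: it is an exact match."""
    reasons = []
    if not plc.step7_host_attached:
        reasons.append("no STEP 7 host directly connected")
    if plc.model != TARGET_PLC:
        reasons.append(f"PLC model {plc.model!r} is not {TARGET_PLC}")
    modules = [m for m in plc.modules if m.model == TARGET_MODULE]
    if len(modules) < MIN_MODULES:
        reasons.append(f"{len(modules)} {TARGET_MODULE} modules, need {MIN_MODULES}")
    # Only converters hanging off matching modules count, as the slides describe.
    converters = [v for m in modules for v in m.converters if v in TARGET_CONVERTER_VENDORS]
    if len(converters) < MIN_CONVERTERS:
        reasons.append(f"{len(converters)} matching converters, need {MIN_CONVERTERS}")
    return (not reasons, reasons)


def sample_cascade(vendor="Vacon NX", modules=6, per_module=31):
    """Constructed sample inventory: by default 6 modules x 31 converters = 186."""
    mods = [NetworkModule(TARGET_MODULE, [vendor] * per_module) for _ in range(modules)]
    return Plc(TARGET_PLC, True, mods)
```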

Now Stuxnet gets down to business

Stuxnet starts by downloading malicious logic onto the PLC hardware.



What you (probably) didn't realize is that the PLC uses a totally different microchip & computer language than Windows PCs. Stuxnet is the first known threat to target an industrial control microchip!

Now Stuxnet gets down to business

Next, Stuxnet measures the operating speed of the frequency converters during their normal operation for 13 days!
And makes sure the motors are running between 807Hz and 1210Hz.
(This is coincidentally the frequency range required to run centrifuges.)
(After all, whoever wrote Stuxnet wouldn't want it to take out a roller coaster or something.)



Now Stuxnet gets down to business

Once it's sure, the malicious PLC logic begins its mischief!
Stuxnet raises the spin rate to 1410Hz for 15 mins.
Then sleeps for 27 days.
Then slows the spin rate to 2Hz for 50 mins.
Then sleeps for 27 days.
Stuxnet repeats this process over and over.

[Chart: spin rate over time, axis 0Hz to 1500Hz]

Now Stuxnet gets down to business

Why push the motors up to 1410Hz? Well, ~1380Hz is a resonance frequency. It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes! Spewing aluminum shrapnel in all directions.
Why reduce the motors to 2Hz? At such a low rotation rate, the vertical enrichment tubes will begin wobbling like a top (also causing damage).

[Chart: spin rate over time, axis 0Hz to 1500Hz]

Now Stuxnet gets down to business

What about built-in failsafe systems?
Well, in fact, these facilities typically do have failsafe controls. They trigger a shutdown if the frequency goes out of the acceptable range.
But worry not, Stuxnet takes care of this too.
Stuxnet records telemetry readings while the centrifuges are operating normally. And when it launches its attack, it sends this recorded data to fool the failsafe systems!
And Stuxnet disables the emergency kill switch on the PLC as well. Just in case someone tries to be a hero.

[Chart: spin rate over time, axis 0Hz to 1500Hz]
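The replay trick above works because the failsafe trusts the only frequency reading it has, the one reported through the compromised PLC. An added example (not from the talk) of the cross-check a defender would want: compare each PLC-reported value with a measurement the PLC cannot influence. The log format, the independent meter and the 50 Hz tolerance are assumptions; the 807-1210 Hz band and the 1410 Hz / 2 Hz attack values come from the slides, and the log lines are a constructed sample.

```python
# Added example: a naive failsafe that trusts PLC-reported telemetry never trips
# during the replay, while a cross-check against an independent meter does.
# Log format and the meter source are assumptions; sample log is constructed.
import re

NORMAL_BAND = (807.0, 1210.0)  # operating band the talk gives for the centrifuges
MAX_DIVERGENCE_HZ = 50.0       # assumed tolerance between PLC report and meter

LINE_RE = re.compile(
    r"^(?P<t>\d+)\s+converter=(?P<id>\w+)\s+plc_hz=(?P<plc>[\d.]+)\s+meter_hz=(?P<meter>[\d.]+)$"
)


def parse(line):
    """Parse one telemetry line into (seconds, converter id, plc_hz, meter_hz)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised telemetry line: {line!r}")
    return int(m["t"]), m["id"], float(m["plc"]), float(m["meter"])


def failsafe_trips(reported_hz):
    """The naive failsafe: shut down only if the *reported* value leaves the band."""
    lo, hi = NORMAL_BAND
    return not (lo <= reported_hz <= hi)


def cross_check(log_lines):
    """Alert wherever the independent meter disagrees with what the PLC reports."""
    alerts = []
    for t, cid, plc_hz, meter_hz in map(parse, log_lines):
        if abs(plc_hz - meter_hz) > MAX_DIVERGENCE_HZ:
            alerts.append({"t": t, "converter": cid, "plc_hz": plc_hz,
                           "meter_hz": meter_hz,
                           "naive_failsafe_tripped": failsafe_trips(plc_hz)})
    return alerts


# Constructed sample: normal operation, then replayed "normal" PLC values while
# the meter sees the 1410 Hz overspeed, then the 2 Hz slowdown.
SAMPLE_LOG = """\
0   converter=c01 plc_hz=1064.0 meter_hz=1064.2
60  converter=c01 plc_hz=1064.1 meter_hz=1063.9
120 converter=c01 plc_hz=1064.0 meter_hz=1410.0
180 converter=c01 plc_hz=1064.2 meter_hz=1409.8
240 converter=c01 plc_hz=1064.0 meter_hz=2.0
""".splitlines()
```

Every alert carries naive_failsafe_tripped=False, which is exactly the gap the replay exploits; the divergence check closes it without needing to trust the PLC at all.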

All while evading detection.
Stuxnet uses five distinct mechanisms to conceal itself.

#5
Stuxnet hides its own files on infected thumb drives using a rootkit.


All while evading detection.
Stuxnet uses five distinct mechanisms to conceal itself.

#4
Stuxnet inhibits different behaviors in the presence of different security products to avoid detection.

[Diagram: Launch Attack A / Launch Attack B / Launch Attack C / Launch Attack D]

All while evading detection.
Stuxnet uses five distinct mechanisms to conceal itself.

#3
Stuxnet completely deletes itself from USB keys after it has spread to exactly three new machines.


All while evading detection.
Stuxnet uses five distinct mechanisms to conceal itself.

#2
Stuxnet's authors digitally signed it with stolen digital certificates to make it look like it was created by well-known companies. The two certificates were stolen from Realtek and JMicron.
As it turns out, both companies are located less than 1km apart in the same Taiwanese business park.


All while evading detection.
Stuxnet uses five distinct mechanisms to conceal itself.

#1
Stuxnet conceals its malicious code changes to the PLC from operational personnel (it hides its injected logic)!

[Diagram: Instructions to the Centrifuges, as held in the PLC: "During normal operation: Spin at 1410hz. In case of emergency: IGNORE OPERATOR COMMANDS" (To centrifuges)]

Did It Succeed?

Well, based on some clever Symantec engineering, we've got some interesting data.
Fact: As Stuxnet spreads between computers, it keeps an internal log of every computer it's visited.
Fact: Stuxnet contacts two command and control servers every time it runs to report its status and check for commands.

www.todaysfutbol.com
www.mypremierfutbol.com

Working with ISPs, Symantec took control of these domains, forwarding all traffic to our Symantec data centers. Enabling Symantec to track every Internet connected copy of Stuxnet.



Did It Succeed?

Indications are that it did!
Symantec telemetry indicates that rather than directly trying to infiltrate Natanz, the attackers infected five industrial companies with potential subcontracting relationships with the plant. These companies (likely) then unknowingly ferried the infection into Natanz's research and enrichment networks.
The Institute for Science and International Security writes: "It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site."

Here's What We Found
(These graphs show how the discovered samples spread)


Here's What We Found

[Graph: spread of the discovered samples]
Data at time of discovery (July 2010)



Here's What We Found

Distribution of Infected Systems with Siemens Software (percent of infected systems)

Iran            67.60
South Korea      8.10
USA              4.98
Great Britain    2.18
Indonesia        2.18
Taiwan           1.56
India            1.25
Others          12.15

Data at time of discovery (July 2010)



To Conclude

Stuxnet has signaled a fundamental shift in the malware space.
Stuxnet proves cyberwarfare against physical infrastructure is feasible.
Unfortunately, the same techniques can be used to attack other physical and virtual systems.


Thank you!

Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
