The 42 Minute Guide to Stuxnet

This is Natanz, Iran.

And these are Natanz's centrifuges.
And this is how they're controlled

Industrial control systems are typically controlled by a standard Windows PC running industrial control software like STEP 7 from Siemens.

Diagram: Windows PC -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges.

The PLC is a specialized piece of hardware that orchestrates multiple connected groups of mechanical devices.
Communications Processors route control commands from the PLC to the mechanical devices.
Frequency Converters are responsible for converting AC frequencies to higher or lower frequencies to operate motors.
Centrifuges enrich uranium so it can be used to power nuclear plants or weapons.
And this is how they're isolated

Diagram: the enrichment control chain (Windows PC, Programmable Logic Controller, Communications Processors (Routers), Frequency Converters, Centrifuges) is air-gapped from the Research Network.
It's got to spread on its own.
Until it discovers the proper computers.
Where it can disrupt the centrifuges.
All while evading detection.
It's got to spread on its own

Stuxnet uses seven distinct mechanisms to spread to new computers. Six of these attacks targeted flaws (backdoors) that were unknown to the security industry and software vendors!

The seven mechanisms:
It attacks a hole in Windows RPC.
Peers update other peers directly.
Stuxnet uses a hole in the Windows print spooler.
It password cracks SIEMENS DB software.
It copies itself to open file shares.
It infects SIEMENS PLC data files.
It uses thumb drives to bridge the gap!

But if the centrifuges are air-gapped from the net, how can Stuxnet jump to the enrichment network? USB drives!

Usually we're surprised when we see a threat targeting one flaw...
Until it discovers the proper computers

Stuxnet is extremely picky and only activates its payload when it's found an exact match.

Stuxnet verifies that the discovered Programmable Logic Controller is controlling at least 155 total frequency converters. And recently we learned that Iran's uranium enrichment cascade just happens to use exactly 160 centrifuges.

What a coincidence! Now if you do the math, the creators of Stuxnet must have guessed all of these details.
Now Stuxnet gets down to business

And makes sure the motors are running between 807Hz and 1210Hz. (This is coincidentally the frequency range required to run centrifuges.)

Once it's sure, the malicious PLC logic begins its mischief!

Stuxnet raises the spin rate to 1410Hz for 15 mins. Then sleeps for 27 days. Then slows the spin rate to 2Hz for 50 mins. Then sleeps for 27 days. Stuxnet repeats this process over and over.
(Chart: spin rate over time, from 0Hz to 1500Hz.)

Why push the motors up to 1410Hz? Well, ~1380Hz is a resonance frequency. It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes, spewing aluminum shrapnel in all directions.

Why reduce the motors to 2Hz? At such a low rotation rate, the vertical enrichment tubes will begin wobbling like a top (also causing damage).
What about built-in failsafe systems?

Well, in fact, these facilities typically do have failsafe controls. They trigger a shutdown if the frequency goes out of the acceptable range. But worry not, Stuxnet takes care of this too.

Stuxnet records telemetry readings while the centrifuges are operating normally. And when it launches its attack, it sends this recorded data to fool the failsafe systems! And Stuxnet disables the emergency kill switch on the PLC as well, just in case someone tries to be a hero.
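The frequency excursion and the telemetry replay described above, seen from the defender's side: a monitor that cross-checks what the PLC reports against a second measurement the PLC never touches, and that flags verbatim repeats of earlier readings. This is an added example, not code from the deck or from Stuxnet; the independent sensor, the attacker model and every telemetry value are constructed for illustration.

```python
# Added example (not from the deck or from Stuxnet itself): a defender-side
# cross-check for the telemetry replay. Sensor values and thresholds are constructed.
from collections import deque
import random

NORMAL_HZ = (807.0, 1210.0)   # acceptable operating band named on the slides
ATTACK_HZ = 1410.0            # spin rate the payload commands for 15 minutes

def simulate_stream(n, attack_at, seed=1):
    """Constructed samples of (reported_hz, independent_hz).
    Before attack_at the cascade runs normally and the controller records
    the readings; afterwards the real speed jumps to ATTACK_HZ while the
    reported value is a replay of that recording."""
    rng = random.Random(seed)
    recorded, stream = [], []
    for t in range(n):
        if t < attack_at:
            true_hz = 1064.0 + rng.uniform(-2.0, 2.0)
            recorded.append(true_hz)
            reported = true_hz
        else:
            true_hz = ATTACK_HZ
            reported = recorded[(t - attack_at) % len(recorded)]
        # assumed independent sensor (e.g. motor power draw), not routed via the PLC
        stream.append((reported, true_hz + rng.uniform(-1.0, 1.0)))
    return stream

def detect(stream, window=8, tol_hz=25.0):
    """Return (index, reason) alarms from three independent checks:
    'mismatch'    reported and independent readings differ by > tol_hz
    'out_of_band' the independent reading leaves NORMAL_HZ
    'replay'      the last `window` reported values exactly repeat an
                  earlier window, which genuinely noisy sensors never do"""
    alarms, seen, buf = [], set(), deque(maxlen=window)
    for i, (reported, independent) in enumerate(stream):
        if abs(reported - independent) > tol_hz:
            alarms.append((i, "mismatch"))
        if not NORMAL_HZ[0] <= independent <= NORMAL_HZ[1]:
            alarms.append((i, "out_of_band"))
        buf.append(round(reported, 3))
        if len(buf) == window:
            key = tuple(buf)
            if key in seen:
                alarms.append((i, "replay"))
            seen.add(key)
    return alarms

if __name__ == "__main__":
    for idx, why in detect(simulate_stream(40, attack_at=20)):
        print(f"sample {idx:2d}: {why}")
```

The 'mismatch' and 'out_of_band' checks fire on the first attack sample; the 'replay' check needs one full window of replayed values, so it fires a few samples later but would also catch a replay whose speed happened to stay in band.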
All while evading detection.

Stuxnet uses five distinct mechanisms to conceal itself.

#5 Stuxnet hides its own files on infected thumb drives using a rootkit.
#4 Stuxnet inhibits different behaviors in the presence of different security products to avoid detection.
#3 Stuxnet completely deletes itself from USB keys after it has spread to exactly three new machines.
#2 Stuxnet's authors digitally signed it with stolen digital certificates to make it look like it was created by well-known companies. The two certificates were stolen from Realtek and JMicron.
#1 Stuxnet conceals its malicious code changes to the PLC from operational personnel (it hides its injected logic)!

Diagram: the PLC's instructions to the centrifuges, with Stuxnet's injected logic hidden from the operators.
Stuxnet's command-and-control domains: www.todaysfutbol.com and www.mypremierfutbol.com
Did It Succeed?

Indications are that it did! Symantec telemetry indicates that rather than directly trying to infiltrate Natanz, the attackers infected five industrial companies with potential subcontracting relationships with the plant. These companies (likely) then unknowingly ferried the infection into Natanz's research and enrichment networks.

The Institute for Science and International Security writes: "It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site."
Here's What We Found

(These graphs show how the discovered samples spread.)

Chart: Distribution of Infected Systems with Siemens Software, by country (percent), with bars for Iran, Taiwan, Great Britain, South Korea, Indonesia, others, USA and India. Iran accounts for 67.60%; the next-largest bar is labelled 8.10%.
To Conclude

Stuxnet has signaled a fundamental shift in the malware space. Unfortunately, the same techniques can be used to attack other physical and virtual systems.
Thank you!