"It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with Symantec's security response team.

"I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. By comparison, other notable attacks, like the one dubbed "Aurora" that hacked Google's network, and those of dozens of other major companies, were child's play.

To summarize some of the reasons that it has engendered such praise:
- It used four distinct 0-day vulnerabilities
- It used other, already-patched vulnerabilities as well to propagate (including the Windows RPC flaw)
- It spread across networks via network shares and WebDAV, and could jump air gaps using USB devices
- It has been stealthily operating since at least June 2009
- Its Windows rootkit drivers were signed with not one, but two stolen code-signing certificates
- It contained the first observed PLC (programmable logic controller) rootkit, hiding its changes to the Siemens controller logic
- The code was "exceptionally well written" software: it handled errors gracefully, did not crash, and supported remote updating
- It contained a unique targeting capability ensuring it only hit a particular SCADA network
- It was capable of traditional client/server C2 (command and control) but also utilized a peer-to-peer update functionality in case the C2 server was down/unavailable
- The majority of the published analysis on Stuxnet was done by Ralph Langner (a German Siemens expert) and Symantec. An analysis of the Stuxnet structure and of the installation process are available and helpful for those interested.
- The best and most comprehensive discussion of Stuxnet to date can be found in the Symantec Stuxnet Dossier available here.
- The code is designed to stop spreading on June 24, 2012. This is different than typical worms, which are designed to infect as many machines as possible, and implies a limited scope and specific objective(s).
Recently, multiple different parties conducting analysis (or reviewing the public analysis) have concluded that the attack was likely against an Iranian nuclear facility, either the Bushehr nuclear power plant or the Uranium enrichment facilities in Natanz and likely originated in Israel. I'll attempt to summarize the arguments below:
- Almost 60% of the infections are in Iran, according to Symantec (which took over the C2 server)
- The SCADA/PLC payload does not activate unless a particular network/PLC fingerprint is found. None of the infected organizations have reported that this fingerprint matched on their systems (of course, a real target might hide or cover it up). Given the investment, it appears likely that one particular high-value network was targeted.
- Guesswork from multiple parties wondering what high value systems might be targeted in Iran quickly jumped to nuclear facilities. Arguments for Bushehr (here, here, and a screenshot of their HMI showing their Siemens WinCC license here) and Natanz are available and have been picked up across technical web sites, the blogosphere and increasingly even the mainstream media. Of course, depending on how unique the target fingerprinting is (and the fact there are confirmed to be at least four variants) it's possible the answer is both of them.
- Israel was connected due to its obvious interest in delaying/destroying/disrupting the Iranian nuclear program, its cyberwarfare capabilities (also articles here and here) and cyber security expertise, and a clue in the code. Specifically, the word "myrtus" (meaning "myrtle") is the root directory in a project path left in the code. That was picked up by Kaspersky, but they didn't grasp the meaning. However, the guys at DigitalBond noticed that the Hebrew word for myrtle, Hadassah, was the original name of the Biblical character Esther, who saved the Jewish people from extinction at the hands of a hostile (Persian) nation. The NYT picked up on this recently as well. It could always be a false lead, but a rather sophisticated one if so. Update: At VB2010 Liam O Murchu presented a more detailed analysis which included the "already infected" registry key that Stuxnet uses to prevent multiple infections. The marker was 19790509. Wikipedia points out that that was the date (May 9, 1979) on which Habib (Habibollah) Elghanian, an Iranian Jewish businessman, was executed by the new Islamic Iranian regime for "corruption", "contacts with Israel and Zionism", "friendship with the enemies of God", "warring with God and his emissaries", and "economic imperialism". He was the first Jew and one of the first civilians executed by the new government.
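Because Stuxnet checks that marker value and exits if it is already present, the marker doubles as a host indicator of compromise. The script below is an added example (not code from the original post or from any of the researchers it cites) that hunts for the 19790509 DWORD in a registry export produced with `reg export`. The key path and value name (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation, value "NTVDM TRACE") are taken from Symantec's Stuxnet Dossier rather than from this post and should be treated as an assumption to verify against the dossier; the .reg text embedded in it is constructed sample data.

```python
"""Hunt for the Stuxnet "already infected" registry marker in a .reg export."""
import re

# Stuxnet writes this DWORD (1979-05-09 written as decimal digits) and exits
# early when it finds it, so its presence is a usable host IOC.
STUXNET_MARKER = 19790509
# Location per Symantec's Stuxnet Dossier (assumption relative to this post).
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation"
MARKER_VALUE = "NTVDM TRACE"

# Constructed sample of what `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion out.reg`
# produces, already decoded from UTF-16LE. 0x012dfaad == 19790509.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation]
"NTVDM TRACE"=dword:012dfaad

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Updater\\updater.exe"
"Enabled"=dword:00000001
'''

_KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
_DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_dwords(text):
    """Yield (key, value_name, int_value) for every DWORD in a .reg export.

    Keys are '[path]' lines; '[-path]' means "delete this key", so values
    listed under it are skipped. Value names are quoted with \\ and \" escapes.
    """
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current_key = None if key.group(1) else key.group(2)
            continue
        if current_key is None:
            continue
        dword = _DWORD_RE.match(line)
        if dword:
            name = dword.group(1).replace('\\"', '"').replace('\\\\', '\\')
            yield current_key, name, int(dword.group(2), 16)


def find_stuxnet_marker(text):
    """Return [(key, value_name, confidence)] for DWORDs equal to the marker.

    'high' = the exact key/value Stuxnet uses; 'low' = the same number stored
    somewhere else (worth a look, but could be a coincidence).
    """
    hits = []
    for key, name, value in parse_reg_dwords(text):
        if value != STUXNET_MARKER:
            continue
        exact = (key.lower() == MARKER_KEY.lower()
                 and name.lower() == MARKER_VALUE.lower())
        hits.append((key, name, "high" if exact else "low"))
    return hits


def scan_reg_file(path):
    """Scan a .reg file written by reg.exe (UTF-16LE with BOM)."""
    with open(path, encoding="utf-16") as fh:
        return find_stuxnet_marker(fh.read())


if __name__ == "__main__":
    for key, name, confidence in find_stuxnet_marker(SAMPLE_REG):
        print(f"[{confidence}] {key}\\{name} = {STUXNET_MARKER}")
```

On a live Windows host the same check is a one-liner, `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation" /v "NTVDM TRACE"`, but the offline parser is what you want when triaging exported hives from many machines, and scanning every DWORD rather than one fixed path catches variants that move the marker.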
One final note: Stuxnet is probably NOT the first acknowledged/published nation-on-nation cyber attack. Rumors have circulated for quite a while about the US supplying a "trojan horse" to the Russians, resulting in a Siberian pipeline explosion, and it sounds like that has now moved into the acknowledged realm.
December 7th, 2010 Update: At this point the rest of the post has been essentially validated by public research and acknowledgments. It is no longer speculation that Stuxnet was designed to sabotage particular high-frequency drive controllers, including one made in Iran, deployed in Iran for its nuclear program, and that it had at least moderate success. It also appears clear that well-organized parties remain motivated to attack the Iranian nuclear program via more traditional means. I'll probably update this one last time in 3-4 months with any of the more interesting fallout implications. The specific new evidence/events:
- Symantec, with some help from a Dutch company, completed the analysis of the PLC payload and published the results on November 12th. It found that the payload targets very specific high-frequency drive controllers (frequency converter drives) manufactured in Finland and Iran. These devices have limited applications, centrifuges being one of them, which is why they are export controlled. The Finnish company denies exporting them. The payload is, as was assumed, designed to make the targeted drives unreliable and cause them to malfunction in a way that degrades or destroys the drive and the manufacturing process it runs.
- Iran's president Mahmoud Ahmadinejad confirmed on November 29th that its centrifuges were indeed hit and negatively impacted by Stuxnet. The IAEA confirmed that enrichment activities were shut down (at least temporarily).
- On that same day, November 29th, the top Iranian expert on Stuxnet (and one of Iran's most senior nuclear researchers) was assassinated. A second researcher was attacked that day as well, but the attack did not kill him or his wife and only caused injuries. Iran has set up a special security service to try to mitigate such physical attacks in the future.