Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

by Kim Zetter

Zero-day exploits, however, aren’t ordinary exploits but are the hacking world’s most prized possession because they attack holes that are still unknown to the software maker and to the antivirus vendors—which means there are no antivirus signatures yet to detect the exploits and no patches available to fix the holes they attack.

Although more than 12 million viruses and other malicious files are captured each year, only about a dozen or so zero-days are found among them.

Rootkits come in several varieties, but the most difficult to detect are kernel-level rootkits, which burrow deep into the core of a machine to set up shop at the same privileged level where antivirus scanners work. If you think of a computer’s structure like the concentric circles of an archer’s target, the kernel is the bull’s eye, the part of the operating system that makes everything work. Most hackers write rootkits that operate at a machine’s outer layers—the user level, where applications run—because this is easier to do. But virus scanners can detect these—so a truly skilled hacker places his rootkit at the kernel level of the machine, where it can subvert the scanner. There, it serves as a kind of wingman for malicious files, running interference against scanners so the malware can do its dirty work unhindered and undetected.

Kupreev determined that the rootkit was designed to hide four malicious .LNK files—the four other suspicious files they’d found on the system in Iran. The malware appeared to be using an exploit composed of these malicious files to spread itself via infected USB flash drives, and the rootkit prevented the .LNK files from being seen on the flash drive.

Windows .LNK files are responsible for rendering the icons for the contents of a USB flash drive or other portable media device when it’s plugged into a PC. Insert a USB flash drive into a PC, and Windows Explorer or a similar tool automatically scans it for .LNK files to display the icon for a music file, Word document, or program stored on the flash drive.8 But in this case, the attackers embedded an exploit in a specially crafted .LNK file so that as soon as Windows Explorer scanned the file, it triggered the exploit to spring into action to surreptitiously deposit the USB’s malicious cargo onto the machine,

That was because, Ulasen realized with alarm, they were signed with what appeared to be a legitimate digital certificate from a company called RealTek Semiconductor.10

In this case, the attackers had used a valid certificate from RealTek—a trusted hardware maker in Taiwan—to fool computers into thinking the drivers were legitimate RealTek drivers.

The attackers appeared to be searching for computers that had one of two Siemens proprietary software programs installed—either Siemens SIMATIC Step 7 software or its SIMATIC WinCC program. Both programs are part of an industrial control system (ICS) designed to work with Siemens programmable logic controllers (PLCs)—small computers, generally the size of a toaster, that are used in factories around the world to control things like the robot arms and conveyor belts on assembly lines.

The infection numbers were way out of sync with previous patterns of worldwide outbreaks, in which Iran never placed high, if at all, in the infection stats. Even in outbreaks that began in the Middle East or Central Asia, Iran never tracked high on the charts. It seemed clear that they were looking at a targeted attack focused on the Islamic Republic.

And why was it spreading farther in India and Indonesia than in the United States and Europe? What did the three nations have in common that made the infections concentrate there?

A disturbing geopolitical picture was beginning to emerge. The sophisticated nature of the malicious code, plus the stolen certificates and Iran’s place at the center of the outbreak made it appear that Stuxnet might be the product of a covert government spy mission—albeit one that had clearly run amok.

He continued for several more hours, and when he had all the pieces of the puzzle he needed—it was exactly what he’d suspected. Stuxnet was indeed intercepting commands passing from the Siemens .DLL to the PLCs and replacing them with its own.

PLCs, connected to monitoring stations via a facility’s production network, were in a constant state of chatter with the machines, sending frequent status reports and updates to give operators a real-time view of whatever equipment and operations the PLC controlled. The Siemens .DLL was central to both the Step 7 and WinCC programs, serving as middleman to create commands for the PLCs or receive status reports from them. That’s where Stuxnet’s rogue .DLL came in. It did everything the real .DLL was designed to do, and more.

Stuxnet was kidnapping the Siemens .DLL and putting the doppelgänger in its place to hijack the system. It did this by changing the name of the Siemens .DLL from s7otbxdx.DLL to s7otbxsx.DLL and installing the rogue .DLL with the original’s name in its place, essentially stealing its identity. Then when the system called up the Siemens .DLL to perform any action, the malicious .DLL answered instead.

The second part of the attack was even more ingenious. Before Stuxnet’s malicious commands went into action, the malware sat patiently on the PLC for about two weeks, sometimes longer, recording legitimate operations as the controller sent status reports back to monitoring stations. Then when Stuxnet’s malicious commands leapt into action, the malware replayed the recorded data back to operators to blind them to anything amiss on the machines—like a Hollywood heist film where the thieves insert a looped video clip into surveillance camera feeds.

While Stuxnet sabotaged the PLC, it also disabled automated digital alarms to prevent safety systems from kicking in and halting whatever process the PLC was controlling if it sensed the equipment was entering a danger zone. Stuxnet did this by altering blocks of code known as OB35 that were part of the PLC’s safety system.

But with Stuxnet modifying the data the safety system relied on, the system was blind to dangerous conditions and never had a chance to act.2

If programmers noticed something amiss with a turbine or other equipment controlled by the PLC and tried to view the command blocks on the PLC to see if it had been misprogrammed, Stuxnet intervened and prevented them from seeing the rogue code. It did this by intercepting any requests to read the code blocks on the PLC and serving up sanitized versions of them instead, minus the malicious commands.

A programmer could reprogram the PLC a hundred times, and Stuxnet would swap out the clean code for its modified commands every time.

The fact that it was injecting commands into the PLC and trying to hide that it was doing so while at the same time disabling alarms was evidence that it was designed not for espionage but for sabotage.

The attackers weren’t trying to sabotage the PLC by shutting it down—the PLC remained fully functional throughout the attack—they were trying to physically destroy whatever process or device was on the other end of the PLC.

Stuxnet wasn’t just attacking two specific models of Siemens PLCs, it was attacking a specific facility where the PLCs were used. Stuxnet was a military-grade precision weapon aimed at a single target.

But the configuration Stuxnet was looking for was so precise that it was likely to be found in only a single facility in Iran or, if more than one, then facilities configured exactly the same, to control an identical process. Any system that didn’t have this exact configuration would remain unharmed;

More important, if centrifuges were destroyed and uranium gas was wasted in the process, it would deplete Iran’s already dwindling supply of precious materials for the nuclear program. Experts estimated that Iran had only enough materials to build 12,000 to 15,000 centrifuges; if an attack could force Iran to waste a few thousand of the devices, it would cut sharply into that supply.

It could also achieve them covertly in a way a physical bomb could never do, by silently damaging a system over weeks and months without being detected.

Even if the Iranians discovered the malware, a digital attack done properly left no fingerprints to be traced back to its source. This plausible deniability was key, since the United States was trying to prevent a war, not start one.

But a digital attack could slip past air-defense systems and electrified fences to burrow effortlessly into infrastructure deep underground that was otherwise unreachable by air and other means.

The CIA would let the Soviets continue to obtain the technology they wanted—but with the spy agency slipping modified designs and blueprints into the mix to misdirect their scientific efforts toward money-wasting ventures.

Under the scheme, “contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disrupted the output of chemical plants and a tractor factory,” Weiss wrote.

According to Reed, one of the items on the Line X shopping list was software for controlling the pumps, valves, and turbines on the Trans-Siberian Pipeline, which was being built to carry natural gas from the Urengoi gas fields in Siberia to countries in Europe. When the CIA learned the Soviets were trying to obtain the software from a company in Canada, the agency, in cooperation with the firm, embedded a logic bomb in the code. The code was designed to reset pump speeds and valve settings on the pipeline to “produce pressures far beyond those acceptable to the pipeline joints and welds,” Reed wrote.20 The software “ran the pipeline beautifully—for a while,” he noted. But then at some predetermined

One such operation occurred after the CIA infiltrated A. Q. Khan’s nuclear supply network around 2000 and began inserting doctored parts into components headed to Iran and Libya—where Khan had also begun peddling his illicit nuclear services. A weapons expert at Los Alamos National Laboratory worked with the CIA to alter a series of vacuum pumps so that they would malfunction at random intervals. As with the operation against the Soviets, the plan was to sabotage the parts so subtly that they would work fine for a little while before breaking down in such a way that it would be difficult to spot a pattern or pinpoint the problem.

The Khan network evidently purchased the devices from two businessmen in Turkey and secretly shipped them to Iran and Libya.23 But in early 2006, when Iran attempted to enrich its first batch of uranium in a small cascade at the pilot plant at Natanz, things went terribly wrong. The cascade ran fine for about ten days, but then the sabotage kicked in and all of the centrifuges had to be replaced. No one said anything about it at the time. But a year later, during a televised interview, the head of Iran’s Atomic Energy Organization described what had occurred. Technicians had installed 50 centrifuges in the cascade, he explained, but one night “all 50 had exploded.” The UPS controlling the electricity “had not acted properly,” he said, and created a surge. “Later we found out that the UPS we had imported through Turkey had been manipulated.” He also said that after the incident occurred they began checking all imported instruments before using them.24

The daring and sophisticated scheme, which combined both covert and clandestine activities, was reportedly conceived by US Strategic Command—the Defense Department division that operates and oversees the country’s nuclear weapons—with Gen. James Cartwright as one of its architects.27

Later versions reportedly combined code from the NSA with code from the Israeli Defense Force’s Unit 8200—Israel’s version of the NSA.

The Air Force was the first to take steps in this direction in 1993, when it transformed its Electronic Warfare Center into the Air Force Information Warfare Center and established, two years later, the 609 Information Warfare Squadron—the military’s first cybercombat unit.

To track Hassan Ghul, an associate of Osama bin Laden who was killed in a drone strike in 2012, the NSA deployed “an arsenal of cyber-espionage tools” to seize control of laptops, siphon audio files, and track radio transmissions—all to determine where Ghul might “bed down” at night, according to Snowden documents obtained by the Washington Post.30

In 2011, the NSA mounted 231 offensive cyber operations against other countries, according to the documents, three-fourths of which focused on “top-priority” targets like Iran, Russia, China, and North Korea.

In 2008, the NSA had 22,252 implants installed on systems around the world. By 2011, the number had ballooned to 68,975, and in 2013, the agency expected to have 85,000 implants installed, with plans to expand this to millions.

All of these operations, however—from Kosovo to Syria to Libya, and the ones exposed in the Snowden documents—have focused on stealing or distorting data or using cyber methods to help deliver physical bombs to a target. None involved a digital attack as replacement for a conventional bomb. This is what made Stuxnet so fundamentally different and new.

One of the things the Symantec researchers discovered was that right before Stuxnet unleashed its destructive payload on a 315 PLC, it searched the PLC for three “magic values”—combinations of numbers and letters embedded in the data blocks of the PLC itself. When Stuxnet encountered a 315 PLC, it rifled through these blocks in search of the magic values 2C CB 00 01, 7050h, and 9500h—and knew it had reached its target when it found all three.

One of the first things that struck him about the attack was that it unfolded in six stages that repeated over weeks and months. Once the attack was done, it recycled itself and began again. This meant that rather than launching a single blow that caused catastrophic failure, as the researchers originally believed Stuxnet was designed to do, the attackers were going for subtle sabotage that extended over time.

The first part of the attack, a reconnaissance stage, lasted about thirteen days, during which Stuxnet sat silently on the PLC recording normal operations in order to loop that data back to operators when the sabotage began.

Once enough data was recorded, a two-hour countdown commenced. Then when the count reached zero, the sabotage began. It lasted just fifteen minutes, however, and once it was done, normal operations on the PLC and the devices it controlled resumed. Then, after a five-hour interval passed, the entire sequence began again, with Stuxnet this time waiting about twenty-six days to strike, and recording twice the amount of data it recorded the first time. And when the sabotage kicked in this time, it lasted fifty minutes instead of fifteen. As before, once the sabotage was done, operations returned to normal for another twenty-six days, and the whole cycle repeated again. Each time the sabotage occurred thereafter, it alternated between fifteen minutes and fifty minutes in length, though the reconnaissance stage remained twenty-six days.

Frequency converters are power supplies that control the electric current fed to motors and rotors to modulate their speed. Increase the frequency of the drive and the speed of the motor increases. The 9500h ID was for a frequency converter made by a company named Vacon in Finland; the 7050h ID was an unspecified model of converter made by a company named Fararo Paya in Iran. O’Murchu suspected the Fararo Paya converters were an Iranian knock-off of the Finnish one.4 If this was the case, there was likely no other facility outside of Iran that used the converters from Fararo Paya.

Before Stuxnet began its assault on the S7-315 PLC, it made sure the system was using frequency converters made by Vacon and Fararo Paya, and that the converters were operating at a frequency somewhere between 807 Hz and 1,210 Hz. Stuxnet was looking for a plant that had up to 186 of the converters installed, all of them operating above 800 Hz. Frequency converters were used in a number of varied applications, but converters that operated at 600 Hz or higher had limited use—so limited, in fact, that when Chien did a search online he discovered they were regulated for export in the United States by the Nuclear Regulatory Commission. There could be no doubt about it now. Stuxnet was targeting a nuclear facility. Langner had gone out on a limb asserting that Stuxnet was targeting Iran’s nuclear program, but now they had evidence in the code to back it up.

Once Stuxnet found a Step 7 machine, it unpacked its Step 7 .DLL doppelgänger and kidnapped the Siemens .DLL to take its place. Then it waited patiently for a programmer to launch the Step 7 program to read or create code blocks for an S7-315 PLC. Stuxnet then injected its malicious code into the blocks and waited until the programmer connected his laptop to a PLC or copied the commands to a USB flash drive to transfer them to a PLC. It could take days or weeks for the malicious commands to land on a PLC, but once they did, the attack unfolded without resistance. After the initial reconnaissance stage recording data for thirteen days, Stuxnet first increased the frequency of the converters to 1,410 Hz for fifteen minutes, then reduced it to 1,064 Hz, presumably the normal operating frequency, for about twenty-six days. Once Stuxnet recorded all of the data it needed to record during these three weeks, it dropped the frequency drastically to 2 Hz for fifty minutes, before restoring it to 1,064 Hz again. After another twenty-six days, the attack began again. Each time the sabotage commenced, the man-in-the-middle attack fed false frequency readings back to the operators and safety system to keep them blind to what was happening.

Duqu was essentially a remote-access Trojan, or RAT, which operated as a simple back door to give the attackers a persistent foothold on infected machines. Once the back door was installed, however, Duqu contacted a command-and-control server, from which the attackers could download additional modules to give their attack code more functionality, such as the keystroke logger/infostealer the Hungarians had found on one of their systems.

As for Duqu’s intent, it was pretty clear it wasn’t a saboteur like Stuxnet, but an espionage tool. Whereas Stuxnet was a black ops mission bent on destruction, Duqu appeared to be the forward scout, sent out to collect intelligence for future assaults. Symantec suspected it was the precursor to another Stuxnet-like attack. Duqu’s life-span was limited, however; a kill date in the code forced it to self-destruct after thirty-six days, deleting all traces of itself from an infected machine.

Perhaps, the Kaspersky researchers posited, Duqu was really a precursor to Stuxnet, not a successor to it, as Symantec assumed.

Kaspersky and Symantec had always suspected that prior to Stuxnet’s assault on the centrifuges in Iran, the attackers had used an espionage tool to collect intelligence about the configuration of the Siemens PLCs. The information could have come from a mole, but now it seemed more likely that a digital spy like Duqu had been used.