And again about Stuxnet

    Description

    On July 9, 2010, specialists of the Belarusian antivirus company VirusBlokAda discovered malicious software (malware) in Iran that was named Stuxnet. Antivirus companies have no unanimous opinion on exactly when Stuxnet first appeared; according to some reports, it had been spreading since January 2009. Its distinctive features:
    • Stuxnet consists of several modules written in different development environments and programming languages;
    • to bypass anti-virus protection mechanisms, some modules (drivers) carried digital signatures made with certificates belonging to Realtek and JMicron (presumably stolen);
    • several propagation methods: via USB flash drives and over the network. The 2009 version used the common autorun.inf launch technique (which, as a rule, is disabled for security reasons); the 2010 version replaced it with a more effective one that exploited the MS10-046 shortcut-processing vulnerability (a zero-day at the time). For propagation over the network it used MS08-067 (previously exploited in 2009 by the Kido malware, which led to mass infections) and MS10-061 (a zero-day at the time);
    • to ensure it could operate, it escalated privileges to system administrator level using two local vulnerabilities (zero-days at the time), MS10-073 (Windows 2000 and XP) and MS10-092 (Windows Vista, including the x64 version), so that the malware runs normally even when launched from a limited account;
    • Stuxnet organizes its own peer-to-peer (P2P) network to synchronize and update its copies;
    • it has functionality for sending information collected on the infected computer to remote control servers;
    • an unusual "payload": disrupting the normal operation of the Siemens SIMATIC automation system, which is widely used in industrial process control systems.

    Impact on the Siemens SIMATIC system

    Ralph Langner, an information security specialist from Germany, published an analysis of Stuxnet's actions against SIMATIC on his own website in September 2010.

    SIMATIC WinCC (Windows Control Center) is human-machine interface (HMI) software and part of the SIMATIC family of automation systems. It runs on the Microsoft Windows NT family of operating systems and uses Microsoft SQL Server 2000 as its database (starting with version 6.0). WinCC works together with STEP 7.

    SIMATIC STEP 7 is software for developing automation systems based on SIMATIC S7-300 / S7-400 / M7 / C7 programmable logic controllers (PLCs) and WinAC.

    If Stuxnet determines that it is running on an engineering station, it replaces the part of STEP 7 responsible for loading code into the PLC. When the engineer connects to the controller and Stuxnet recognizes the expected hardware configuration, it modifies the code being transmitted to the PLC. The researchers found that the attackers were interested in the 6ES7-417 and 6ES7-315-2 controllers and in Profibus-DP industrial networks. When the modified program blocks are read back from the PLC, the modified STEP 7 shows them in their original form (a rootkit component that hides the fact of modification).

    Stuxnet identifies the target system by checking data block DB 890; in the WinCC environment this check is repeated every five seconds.

    If the condition is met, Stuxnet modifies block OB 35 as it is transferred from Simatic Manager to the PLC. OB 35 is invoked in the PLC by a timer every 100 ms; in it, the Stuxnet interceptor checks the return code of function FC 1874. If FC 1874 returns DEADF007, the original contents of OB 35 are not executed.
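    The rootkit behaviour described above (the modified STEP 7 shows altered blocks in their original form) defeats any integrity check that reads the PLC program back through the same engineering station. The following Python model is added here as an illustration; it is not part of the original article nor of any Siemens, Symantec or ESET tooling. It uses the block names from the text with constructed byte contents and an invented stand-in prologue, and shows why a baseline-hash audit must read the controller over an independent channel.

```python
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 of a block image; the baseline is taken from the clean project."""
    return hashlib.sha256(data).hexdigest()


class EngineeringStation:
    """Download/upload path through STEP 7 to a PLC modelled as a plain dict.
    When `infected`, it behaves as described above: OB 35 is altered on its
    way to the PLC, and a later read-back of that block returns the original
    bytes (the rootkit component)."""

    def __init__(self, plc, infected=False):
        self.plc = plc            # dict: block name -> block image
        self.infected = infected
        self._shadow = {}         # clean images kept for the faked read-back

    def download(self, name, data):
        if self.infected and name == "OB 35":
            self._shadow[name] = data
            # Constructed stand-in for the injected prologue; the real one
            # skips the original body when FC 1874 returns DEADF007.
            data = b"CALL FC 1874; IF RET == DEADF007 THEN BE;\n" + data
        self.plc[name] = data

    def upload(self, name):
        if self.infected and name in self._shadow:
            return self._shadow[name]   # hide the modification from the engineer
        return self.plc[name]


def audit(baseline, read_block):
    """Names of blocks whose digest (obtained via `read_block`) differs from
    the baseline. Meaningful only if `read_block` bypasses the suspect station."""
    return sorted(n for n, d in baseline.items() if digest(read_block(n)) != d)


# Constructed block images, not real STEP 7 code.
PROJECT = {"OB 35": b"original 100 ms timer logic",
           "FC 1874": b"legitimate function body",
           "DB 890": b"\x00\x01\x02\x03"}
BASELINE = {name: digest(data) for name, data in PROJECT.items()}


def demo(infected=True):
    """Returns (blocks flagged via the station, blocks flagged via direct read)."""
    plc = {}
    station = EngineeringStation(plc, infected)
    for name, data in PROJECT.items():
        station.download(name, data)
    return audit(BASELINE, station.upload), audit(BASELINE, plc.__getitem__)
```

    With the infected station, `demo()` returns `([], ['OB 35'])`: the read-back through STEP 7 looks clean while a direct read of the controller exposes the changed block.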

    The PLC code of Stuxnet can:
    • listen on the Profibus-DP network (over which the PLCs communicate) and generate its own packets, whose data can be updated from the engineering station;
    • read the PLC inputs and control its outputs, to which sensors and actuators are connected respectively; targeted action requires knowing exactly which sensors and actuators are connected to which inputs and outputs;
    • synchronize its copies among infected PLCs over the Profibus-DP network (PLCs cannot infect each other: a limitation of Siemens controllers is that their executable code cannot be overwritten on the fly, only data).

    Stuxnet also tries to connect to the WinCC database using the default password.

    Siemens confirms that the virus targets a specific process configuration. In total, the company reported 15 cases of infection at production sites, mainly in Germany. In none of them did Stuxnet infect the PLC, because the parameters did not match; the operation of the equipment was unaffected, and in all cases Stuxnet was neutralized.

    Conclusions

    These facts allow us to draw the following conclusions:
    • Stuxnet is a carefully designed malware engine that was developed by a team of specialists in various fields;
    • no evidence of distribution over the Internet was found, only via USB flash drives and the local network; these signs are typical of deployment into a closed system that has no direct connection to public networks;
    • the functionality for disrupting the normal operation of the Siemens WinCC process control system (a computer sabotage tool) implies that the Stuxnet developers had, for testing, a hardware and software setup identical to the one the attack was planned against. In addition, they were aimed at a specific target (using data from recruited personnel inside the organization);
    • development on such a scale requires significant funding: paying a team of programmers, organizing the theft of digital certificates, purchasing or developing 4 zero-day vulnerabilities, and obtaining access to a deployed Siemens WinCC system.

    All these indirect signs may indicate that law enforcement agencies or special services of some state were involved in developing Stuxnet. The main function of the malware, spreading and operating autonomously in a closed system and then sabotaging the process control system, is not characteristic of "traditional" cybercriminals, who usually pursue "monetization" (the ultimate goal being money) and, as a rule, use malware written by lone programmers. It is for these reasons that Stuxnet is called a cyber weapon.

    Hypotheses

    Experts suggest that Stuxnet could have been designed for use against the nuclear power plant in Bushehr, Iran, with Israel and the United States as the possible developers. This hypothesis is based on the following facts:
    • Iran is one of the regions most affected by Stuxnet; judging by the infection dynamics, around May-June 2010 Iran led in the number of infections;
    • the Bushehr Nuclear Power Plant (NPP) is one of the most important military targets in Iran;
    • construction of the plant began back in the 1970s, with Siemens involved. In 1979 Siemens stopped working in the country (because of the revolution). Later Siemens returned to Iran, which became one of its largest markets. In January 2010 Siemens again announced the termination of cooperation with Iran; however, that summer it was caught supplying components to Bushehr. Whether Siemens process control software is used at the plant is officially unknown, but one screenshot posted on the Internet, allegedly taken inside the plant, shows the Siemens WinCC control system;
    • the Russian company Atomstroyexport, which also has projects in India, participated in building the plant, and the traditional neglect of information security by Russian companies could explain the spread of Stuxnet to India;
    • Israel is one of the countries most interested in disrupting the operation of the Bushehr plant: Iran is suspected of planning to produce there, under the guise of nuclear fuel, material for its own nuclear weapons, which would most likely be used against Israel;
    • Israel is one of the countries with highly qualified information technology specialists, capable of using them both for attacks and for espionage.

    Another hypothesis about the target of the attack is the uranium enrichment facility in Natanz (Iran). It is indirectly supported by the following facts:
    • the Natanz uranium enrichment plant, a heavily fortified facility hidden deep underground, according to experts poses a much greater risk in terms of nuclear weapons production than the Bushehr plant;
    • in July 2009 a source connected with Iran's nuclear program confidentially reported a serious nuclear accident that had occurred shortly before at Natanz. Later, according to Iranian media and the BBC, Gholam Reza Aghazadeh, head of the Atomic Energy Organization of Iran (AEOI), resigned. At the same time, according to official data the AEOI provided to supervisory bodies, the number of operating centrifuges at Natanz fell significantly (by several thousand), which could be a consequence of Stuxnet's action.

    Afterword

    In June 2012 a book entitled "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power" was published in the United States, according to which Stuxnet was developed in the USA, with the participation of Israeli experts, specifically to neutralize Iran's nuclear program. The author, New York Times journalist David Sanger, claims that Stuxnet was developed during the presidency of George W. Bush under a project called Olympic Games. Initially it was a spyware distribution program that provided a picture of the equipment at the Iranian uranium enrichment center in Natanz. After that, functionality was developed that acted on the software controlling the uranium enrichment centrifuges.

    Last year David Sanger and two colleagues published an article in the New York Times stating that Stuxnet was indeed the work of American and Israeli intelligence agencies, and that it was tested at Israel's secret Dimona center in the Negev desert. Officially Israel refuses to admit that it has its own nuclear program, but the authors cite knowledgeable experts in the intelligence and military fields who confirm that the centrifuges at Dimona are almost identical to those at Natanz, and that Stuxnet's ability to disable them was tested on them, among others.

    According to The Wall Street Journal, the FBI is investigating the leak through which the government's involvement in cyber attacks on Iran's nuclear facilities became known.

    Many experts are skeptical of this information, considering it another piece of "planted" information on the eve of the US presidential election.

    Detailed sources of information about Stuxnet:

    • Symantec analytical report "W32.Stuxnet Dossier", version 1.4, February 2011 (PDF);
    • ESET analysis report "Stuxnet Under the Microscope", revision 1.31 (PDF);
    • material from the NAUTSILUS research center, "Stuxnet code analysis" (PDF), an abridged Russian translation of the Symantec report.
