8/22/2019 Guide to Stuxnet
The 42 Minute Guide to Stuxnet
Symantec Corporation

This is Natanz, Iran

And these are Natanz's centrifuges

And this is how they're controlled

Industrial control systems are typically controlled by a Windows PC running industrial control software like STEP 7 from Siemens.

(Diagram: Windows PC -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges)

The PLC is a specialized device that orchestrates control of multiple connected mechanical devices.

Communications processors (routers) carry commands from the PLC to groups of mechanical devices.

Frequency converters are responsible for converting AC frequencies to either higher or lower frequencies to operate motors.

Centrifuges enrich uranium so it can be used to power nuclear plants or weapons.

And this is how they're isolated

(Diagram: the control network, made up of the Windows PC, Programmable Logic Controller, Communications Processors (Routers), Frequency Converters and Centrifuges, sits apart from the Research Network)

And this is (probably) who wants in

An Israeli Mossad programmer, who wants to introduce it onto this computer.

So how exactly does it:

Get onto a network where it can disrupt the centrifuges,
all while evading detection.

It's got to spread on its own

Stuxnet uses seven distinct mechanisms to spread to new computers. Six of these attacks targeted flaws (backdoors) that were

- It copies itself to open file shares.
- It attacks a hole in the Windows print spooler.
- It attacks a hole in Windows [...].
- It password cracks Siemens DB software.
- It infects PLC data files.
- Peers update other peers directly.
- Stuxnet uses thumb drives to bridge the gap.

Usually we're surprised when we see a threat targeting one flaw...

But if the centrifuges are air gapped from the net, how can Stuxnet jump to the enrichment network? USB drives!

Until it discovers the proper computers

Stuxnet is extremely picky and only activates its payload when it's found an exact match.

- The targeted computer must be running STEP 7 software from Siemens.
- The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.
- The PLC must further be connected to at least six CP 342-5 network modules from Siemens.
- Each network module must be connected to ~31 [...].

Until it discovers the proper computers

Stuxnet is extremely picky and only activates its payload when it's found an exact match.

Now if you do the math, Stuxnet verifies that the discovered Programmable Logic Controller is controlling at least [...].

And recently we learned that Iran's uranium enrichment cascade just happens to use exactly 160 centrifuges. What a coincidence. The creators of Stuxnet must have guessed all of these details.

Now Stuxnet gets down to business

What you (probably) didn't realize is that the PLC uses a totally different microchip and computer language than Windows PCs.

Stuxnet starts by downloading [...].

Stuxnet is the first known threat to target an industrial control microchip!

Now Stuxnet gets down to business

And makes sure the motors are running between 807 Hz and 1210 Hz. (This is coincidentally the frequency range required to run centrifuges. After all, whoever wrote Stuxnet wouldn't want it to take out a roller coaster or something.)

Next, Stuxnet measures the operating speed of the frequency converters during their normal operation for 13 days!

Now Stuxnet gets down to business

Once it's sure, the malicious PLC logic begins its mischief!

- Stuxnet raises the spin rate to 1410 Hz for 15 mins.
- Then sleeps for 27 days.
- Then slows the spin rate to 2 Hz for 50 mins.
- Then sleeps for [...] days.
- Stuxnet repeats this process over and over.

(Diagram: spin-rate gauge, 0 Hz to 1500 Hz)

Now Stuxnet gets down to business

Why push the motors up to 1410 Hz?
Well, ~1380 Hz is a resonance frequency. It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes, spewing aluminum shrapnel in all directions.

Why reduce the motors to 2 Hz?
At such a low rotation rate, the vertical enrichment tubes will begin wobbling like a top (also causing damage).

(Diagram: spin-rate gauge, 0 Hz to 1500 Hz)

Now Stuxnet gets down to business

What about built-in fail-safe systems?
Well, in fact, these facilities typically do have fail-safe controls. They trigger a shutdown if the frequency goes out of the acceptable range.

But worry not, Stuxnet takes care of those too.

Stuxnet records telemetry readings while the centrifuges are operating normally. And when it launches its attack, it sends this recorded data to fool the fail-safe systems!

And Stuxnet disables the emergency kill switch on the PLC as well, just in case someone tries to be a hero.

(Diagram: spin-rate gauge, 0 Hz to 1500 Hz)
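The fail-safe bypass on the last few slides works only because the fail-safe trusts the PLC's own report. The check below is an added example (not Symantec's code, not anything from the deck) of the defender-side cross-check that defeats it: it assumes a second frequency reading from a sensor the PLC cannot rewrite, and uses the slides' own numbers (807 to 1210 Hz normal band, 1410 Hz burst near the ~1380 Hz resonance, 2 Hz crawl). The sample readings are constructed.

```python
# Added example: cross-check PLC-reported spin rate against an independent
# sensor so that replayed "normal" telemetry cannot silence the fail-safe.
# Assumption: each sample carries one sensor reading the PLC cannot overwrite.
# All Hz values in CONSTRUCTED_SAMPLES are made up for illustration.

NORMAL_BAND = (807.0, 1210.0)   # Hz band Stuxnet checks for before attacking
RESONANCE_HZ = 1380.0           # slide: operation near here shreds the tubes
WOBBLE_HZ = 2.0                 # slide: 2 Hz makes the tubes wobble like a top
TOLERANCE_HZ = 5.0              # allowed gap between PLC report and sensor


def classify_sensor(hz):
    """Label one independent reading: 'normal', 'resonance_risk',
    'wobble_risk' or 'out_of_band' (outside the band, not near a danger point)."""
    lo, hi = NORMAL_BAND
    if lo <= hz <= hi:
        return "normal"
    if hz >= RESONANCE_HZ:
        return "resonance_risk"
    if hz <= WOBBLE_HZ:
        return "wobble_risk"
    return "out_of_band"


def check_telemetry(samples):
    """samples: list of (plc_reported_hz, sensor_hz) pairs. Returns one alert
    per sample where the PLC's report disagrees with the sensor or the sensor
    sits outside the normal band. An empty list means the PLC can be trusted."""
    alerts = []
    for i, (reported, sensor) in enumerate(samples):
        label = classify_sensor(sensor)
        mismatch = abs(reported - sensor) > TOLERANCE_HZ
        if mismatch or label != "normal":
            alerts.append({"sample": i, "reported": reported, "sensor": sensor,
                           "label": label, "replay_suspected": mismatch})
    return alerts


# Constructed run: three clean samples, then the PLC keeps replaying 1064 Hz
# while the sensor sees the 1410 Hz burst, then the 2 Hz crawl.
CONSTRUCTED_SAMPLES = ([(1064.0, 1064.0)] * 3
                       + [(1064.0, 1410.0)] * 2
                       + [(1064.0, 2.0)] * 2)

if __name__ == "__main__":
    for alert in check_telemetry(CONSTRUCTED_SAMPLES):
        print(alert)
```

A fail-safe wired to the sensor rather than to the PLC report would trip on the first flagged sample; the replayed data never reaches it.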

All while evading detection

Stuxnet uses five distinct mechanisms to conceal itself.

Stuxnet hides its own files on infected thumb drives using a rootkit.

All while evading detection

Stuxnet uses five distinct mechanisms to conceal itself.

Stuxnet inhibits different behaviors in the presence of different [...].

(Diagram: Launch Attack A, Launch Attack B, Launch Attack C, Launch Attack D, shown three times with different attacks enabled in each environment)

All while evading detection

Stuxnet uses five distinct mechanisms to conceal itself.

Stuxnet completely deletes itself from USB keys after it has [...].

All while evading detection

Stuxnet uses five distinct mechanisms to conceal itself.

Stuxnet's authors digitally signed it with stolen digital certificates. The two certificates were stolen from Realtek and JMicron; as it turns out, both companies are located less than 1 km apart in the same Taiwanese business park.

All while evading detection

Stuxnet uses five distinct mechanisms to conceal itself.

Stuxnet conceals its malicious code changes to the PLC.

(Diagram: instructions to the centrifuges. During normal operation: PLC [...]. In case of emergency: IGNORE OPERATOR COMMANDS (to centrifuges))

Did it succeed?

Well, based on some clever Symantec engineering, we've got some interesting data.

Fact: As Stuxnet spreads between computers, it keeps an internal log of every computer it's visited.

Fact: Stuxnet contacts two command and control servers to report status and check for commands: www.todaysfutbol.com and www.mypremierfutbol.com.

Working with ISPs, Symantec took control of these domains and pointed them at Symantec data centers, enabling Symantec to track every Internet-connected [...].

Did it succeed?

Indications are that it [...].

Symantec telemetry indicates that rather than directly [...], the attackers infected five industrial companies with potential subcontracting relationships with the plant. These companies (likely) then unknowingly ferried the infection into Natanz's research and enrichment networks.

The Institute for Science and International Security writes: "It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about [...]."

Here's What We Found

(These graphs show how the discovered samples spread)

Here's What We Found

(Graph: spread of the discovered samples)

Here's What We Found

(Bar chart: Distribution of Infected Systems with Siemens Software, percent by country, axis 0.00 to 80.00. Iran is the largest bar at 67.60; the remaining bars, labelled South Korea, USA, Great Britain, Indonesia, Taiwan, India and Others, include the values 12.15, 8.10 and 4.98)

To Conclude

- Stuxnet has signaled a fundamental shift in the malware space.
- Stuxnet proves cyberwarfare against physical infrastructure is feasible.
- Unfortunately, the same techniques can be used to attack other physical and virtual systems.

Thank you!

Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.