Guide to Stuxnet

Aug 08, 2018
Transcript
  • 8/22/2019 Guide to Stuxnet

    1/27

    The 42 Minute Guide to Stuxnet

    Symantec Corporation

  • 2/27

    This is Natanz, Iran.

  • 3/27

    And these are Natanz's Centrifuges.

  • 4/27

    And this is how they're controlled.

    Industrial control systems are typically controlled by a Windows PC running industrial control software like STEP 7 from Siemens.

    The PLC is a specialized [...] orchestrates control of multiple connected mechanical devices.

    Communications Processors (Routers) [...] commands from the PLC to groups of mechanical devices.

    Frequency Converters are responsible for converting AC frequencies to either higher or lower frequencies to operate motors.

    Centrifuges enrich Uranium so it can be used to power nuclear plants or weapons.

    [Diagram: Windows PC -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges]

  • 5/27

    And this is how they're isolated.

    [Diagram: Research Network | Windows PC -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges]

  • 6/27

    And this is (probably) who wants an Israeli Mossad programmer to introduce [...] onto this computer.

  • 7/27

    So how exactly does it:

    Get onto an [...] network to disrupt these [...]:

    Where it can disrupt the centrifuges.

    All while evading detection.

  • 8/27

    It's got to spread on its own.

    Stuxnet uses seven distinct mechanisms to spread to new computers:

    It copies itself to thumb drives to bridge the gap.
    It attacks a hole in Windows print spooler.
    It attacks a hole in Windows [...].
    It password cracks SIEMENS DB software.
    It infects SIEMENS PLC data files.
    Peers update other peers directly.
    Stuxnet uses open file shares.

    Six of these attacks targeted flaws (backdoors) that were [...]. Usually we're surprised when we see a threat targeting one flaw...

    But if the centrifuges are airgapped from the net, how can Stuxnet jump to the enrichment network? USB drives!

  • 9/27

    Until it discovers the proper computers.

    It's got to spread on its own. Stuxnet is extremely picky and only activates its payload when it's found an exact match.

    The targeted computer must be running STEP 7 software from Siemens.

    The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.

    The PLC must further be connected to at least six CP 342-5 Network Modules from Siemens.

    Each Network Module must be connected to ~31 [...].

  • 10/27

    Until it discovers the proper computers.

    Stuxnet is extremely picky and only activates its payload when it's found an exact match.

    Stuxnet verifies that the discovered Programmable Logic Controller is controlling at least [...].

    And recently we learned that Iran's Uranium enrichment cascade just happens to use exactly 160 centrifuges.

    Now if you do the math... What a coincidence? The creators of Stuxnet must have guessed all of these details.

  • 11/27

    Now Stuxnet gets down to business.

    What you (probably) didn't realize is that the PLC uses a totally different microchip & computer language than Windows PCs.

    Stuxnet starts by downloading [...].

    Stuxnet is the first known threat to target an industrial control microchip!

  • 12/27

    Now Stuxnet gets down to business.

    And makes sure the motors are running between 807 Hz and 1210 Hz. (This is coincidentally the frequency range required to run centrifuges.)

    (After all, whoever wrote Stuxnet wouldn't want it to take out a roller coaster or something.)

    Next, Stuxnet measures the operating speed of the frequency converters during their normal operation for 13 days!

  • 13/27

    Now Stuxnet gets down to business.

    Once it's sure, the malicious PLC logic begins its mischief!

    Stuxnet raises the spin rate to 1410 Hz for 15 mins.
    Then sleeps for 27 days.
    Then slows the spin rate to 2 Hz for 50 mins.
    Then sleeps for [...] days.

    Stuxnet repeats this process over and over.

    [Diagram: frequency scale 0 Hz to 1500 Hz]

  • 14/27

    Now Stuxnet gets down to business.

    Why push the motors up to 1410 Hz? Well, ~1380 Hz is a resonance frequency. It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes! Spewing aluminum shrapnel in all directions.

    Why reduce the motors to 2 Hz? At such a low rotation rate, the vertical enrichment tubes will begin wobbling like a top (also causing damage).

    [Diagram: frequency scale 0 Hz to 1500 Hz]

  • 15/27

    Now Stuxnet gets down to business.

    What about built-in failsafe systems? Well, in fact, these facilities typically do have failsafe controls. They trigger a shutdown if the frequency goes out of the acceptable range.

    But worry not, Stuxnet takes care of this too. Stuxnet records telemetry readings while the centrifuges are operating normally. And when it launches its attack, it sends this recorded data to fool the failsafe systems!

    And Stuxnet disables the emergency kill switch on the PLC as well. Just in case someone tries to be a hero.

    [Diagram: frequency scale 0 Hz to 1500 Hz]
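The attack pattern on slides 12 through 15 (a normal band of 807 to 1210 Hz, converters driven to 1410 Hz and then 2 Hz, and recorded telemetry replayed to the failsafe logic) points at the checks a plant defender would want in a monitor that sits beside the PLC rather than trusting it: a band check on an independent sensor feed, a comparison of that feed against what the PLC reports, and a test for telemetry windows that repeat exactly, which is what a played-back recording looks like. The following Python is an added example, not Symantec's code or anything from the deck; the two feeds, the window size, the tolerance and every sample value are constructed assumptions.

```python
"""Defender-side checks for the centrifuge attack pattern described on the
slides. Added example, not from the Symantec deck: the feeds, the window
size, the tolerance and every sample value below are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

NORMAL_BAND_HZ = (807.0, 1210.0)  # normal operating band stated on the slides
WINDOW = 8                        # samples per replay-comparison window (assumed)
TOLERANCE_HZ = 5.0                # allowed PLC-vs-sensor disagreement (assumed)


@dataclass
class Alert:
    index: int    # sample index at which the condition was observed
    kind: str     # "out_of_band", "replayed_telemetry" or "sensor_disagreement"
    detail: str


def out_of_band(readings: Iterable[float],
                band: Tuple[float, float] = NORMAL_BAND_HZ) -> List[Alert]:
    """Flag every reading outside the normal operating band.
    Run this on the independent sensor feed, not on what the PLC reports."""
    lo, hi = band
    return [Alert(i, "out_of_band", f"{hz:.1f} Hz outside {lo:.0f}-{hi:.0f} Hz")
            for i, hz in enumerate(readings) if not lo <= hz <= hi]


def replayed_windows(reported: List[float], window: int = WINDOW) -> List[Alert]:
    """Flag any window of PLC-reported values that exactly repeats an earlier
    window. Live readings jitter; an exact repeat of a whole window is the
    signature of a recorded feed being played back."""
    seen: Dict[Tuple[float, ...], int] = {}
    alerts: List[Alert] = []
    for start in range(0, len(reported) - window + 1, window):
        key = tuple(round(v, 3) for v in reported[start:start + window])
        if key in seen:
            first = seen[key]
            alerts.append(Alert(start, "replayed_telemetry",
                                f"window repeats samples {first}-{first + window - 1}"))
        else:
            seen[key] = start
    return alerts


def sensor_disagreement(independent: List[float], reported: List[float],
                        tolerance_hz: float = TOLERANCE_HZ) -> List[Alert]:
    """Flag samples where the independent sensor and the PLC-reported value
    differ by more than the tolerance. A replayed feed passes the band check
    but fails this one."""
    return [Alert(i, "sensor_disagreement",
                  f"PLC reports {r:.1f} Hz, sensor reads {s:.1f} Hz")
            for i, (s, r) in enumerate(zip(independent, reported))
            if abs(s - r) > tolerance_hz]


def constructed_feeds() -> Tuple[List[float], List[float]]:
    """Constructed sample data: 16 samples of jittering normal operation, then
    the attack phase from the slides (1410 Hz, then 2 Hz). The PLC feed is
    honest during normal operation and then replays the first recorded window."""
    live = [1064.0 + ((i * 7) % 5) * 0.4 for i in range(16)]
    attack = [1410.0] * 8 + [2.0] * 8
    independent = live + attack
    reported = live + live[:8] + live[:8]
    return independent, reported


def run_checks(independent: List[float], reported: List[float]) -> Dict[str, List[Alert]]:
    """Run all three checks and group the alerts by kind."""
    return {
        "out_of_band": out_of_band(independent),
        "replayed_telemetry": replayed_windows(reported),
        "sensor_disagreement": sensor_disagreement(independent, reported),
    }


if __name__ == "__main__":
    ind, rep = constructed_feeds()
    for kind, alerts in run_checks(ind, rep).items():
        print(f"{kind}: {len(alerts)} alert(s)")
        for a in alerts[:3]:
            print(f"  sample {a.index}: {a.detail}")
```

The point of the three checks together is that each one alone is fooled by part of the pattern: the band check only catches the attack if it reads a sensor the PLC does not control, and the replay check only fires once the recording has repeated at least once. Comparing the two feeds is the check that fires on the first divergent sample, which is why the independent sensor path is the one worth building.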

  • 16/27

    All while evading detection.

    Stuxnet uses five distinct mechanisms to conceal itself.

    Stuxnet hides its own files on infected thumb drives using a rootkit.

  • 17/27

    All while evading detection.

    Stuxnet uses five distinct mechanisms to conceal itself.

    Stuxnet inhibits different behaviors in the presence of different [...].

    [Diagram: three columns, each listing Launch Attack A, Launch Attack B, Launch Attack C, Launch Attack D]

  • 18/27

    All while evading detection.

    Stuxnet uses five distinct mechanisms to conceal itself.

    Stuxnet completely deletes itself from USB keys after it has [...].

  • 19/27

    All while evading detection.

    Stuxnet uses five distinct mechanisms to conceal itself.

    Stuxnet's authors digitally signed it with stolen digital certificates. The two certificates were stolen from Realtek and JMicron; as it turns out, both companies are located less than 1 km apart in the same Taiwanese business park.

  • 20/27

    All while evading detection.

    Stuxnet uses five distinct mechanisms to conceal itself.

    Stuxnet conceals its malicious code changes to the PLC.

    [Diagram: Instructions to the Centrifuges. During normal operation: PLC. In case of emergency: IGNORE OPERATOR COMMANDS (to centrifuges)]

  • 21/27

    Did It Succeed?

    Well, based on some clever Symantec engineering, we've got some interesting data.

    Fact: As Stuxnet spreads between computers, it keeps an internal log of every computer it's visited.

    Fact: Stuxnet contacts two command and control servers [...] status and check for commands:

    www.todaysfutbol.com
    www.mypremierfutbol.com

    Working with ISPs, Symantec took control of these domains, [...] Symantec datacenters. Enabling Symantec to track every Internet connected [...].

  • 22/27

    Did It Succeed?

    Indications are that it [...].

    Symantec telemetry indicates that rather than directly [...], the attackers infected five industrial companies with potential subcontracting relationships with the plant.

    These companies (likely) then unknowingly ferried the infection into Natanz's research and enrichment networks.

    The Institute for Science and International Security writes: It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about [...].

  • 23/27

    Here's What We Found

    (These graphs show how the discovered samples spread.)

  • 24/27

    Here's What We Found

    [Graph]

  • 25/27

    Here's What We Found

    [Chart: Distribution of Infected Systems with Siemens Software, percent by country. Countries shown: Iran, South Korea, USA, Great Britain, Indonesia, Taiwan, India, Others. Values visible on the chart include 67.60, 12.15, 8.10 and 4.98; y-axis 0.00 to 80.00.]

  • 26/27

    To Conclude

    Stuxnet has signaled a fundamental shift in the malware space.

    Stuxnet proves cyberwarfare against physical infrastructure is feasible.

    Unfortunately, the same techniques can be used to attack other physical and virtual systems.

  • 27/27

    Thank you!

    Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

    This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.