One of the joys of continuing my education is getting to write a mini-article once a week for my fellow students and instructors. I’ve decided to share some of the better ones here. B.
In 2009 something happened that had never been done before in the history of computer malware. A digital weapon was released with the express purpose of attacking specific machines and causing them to fail, sometimes spectacularly. The weapon eventually became known as Stuxnet, a computer worm that was specifically designed to target centrifuges used to produce enriched uranium that powers nuclear reactors and weapons (Zetter, 2014).
Stuxnet was first identified and made public in 2010, and while no government has officially claimed responsibility for the malware, it is generally accepted that Stuxnet was created by intelligence agencies of the United States and Israel (Fruhlinger, 2017). The intended targets for Stuxnet were centrifuges manufactured by Siemens that were known at the time to be used by Iran in their quest to develop nuclear weapons. Stuxnet was not intended (or expected) to spread beyond the air-gapped Iranian nuclear facility at Natanz (Fruhlinger, 2017).
The success of Stuxnet, and its expansion far beyond its original set of targets, is owed to the fact that it took advantage of multiple zero-day exploits that complemented each other extremely well. According to Roel Schouwenberg of Kaspersky Labs, who helped unravel what Stuxnet was and how it worked:
The LNK [a file shortcut in Microsoft Windows] vulnerability is used to spread via USB sticks. The shared print-spooler vulnerability is used to spread in networks with shared printers, which is extremely common in Internet Connection Sharing networks. The other two vulnerabilities have to do with privilege escalation, designed to gain system-level privileges even when computers have been thoroughly locked down. It’s just brilliantly executed. (Kushner, 2016)
Because the initial targets for Stuxnet were air-gapped systems, Stuxnet was designed to be extremely portable and to spread via infected USB drives. That means the “patient zero” systems were infected through physical access, but the virulence of the worm led to it spreading quickly far beyond those confines (Zetter, 2014). The good news is that Stuxnet does little or no harm to computers not involved in uranium enrichment (Fruhlinger, 2017). The bad news is that it set a precedent of crossing the barrier between the digital world and the physical one, bringing to light the vulnerability of industrial machines (Kushner, 2016).
Fruhlinger, J. (2017, August 20). What is Stuxnet, who created it and how does it work? CSO Online. https://www.csoonline.com/article/3218104/what-is-stuxnet-who-created-it-and-how-does-it-work.html
Kushner, D. (2016, February 26). The Real Story of Stuxnet. IEEE Spectrum: Technology, Engineering, and Science News. https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
Zetter, K. (2014, November 3). An Unprecedented Look at Stuxnet, the World’s First Digital Weapon. WIRED. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/