
Stuxnet and the Paradigm Shift in Cyber Warfare

A Brief History of the Stuxnet Worm Including Its Targets, the Initial Findings, Possible Creators of the Worm and Its Effects

By Robert M. Lee 

"President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter."

- Comprehensive National Cybersecurity Initiative (CNCI), The White House

In July 2010, a public announcement appeared regarding the discovery of the Stuxnet worm that has since caused drastic changes in the worldwide cyber community. This article is a brief history of the Stuxnet worm, including its targets, the initial findings, possible creators of the worm and its effects, using the facts known at the time of writing. This provides the foundation for describing the effects the worm has had on the cyber community, in an effort to show that the Stuxnet worm has caused a paradigm shift in cyber warfare.

What Is Cyber Warfare?

To discuss whether there was a paradigm shift in cyber warfare, we must first define the term cyber warfare. Activities in cyberspace between people, corporations and nations have existed for many years. However, due to events in recent history, including the US military's stand-up of Cyber Command in 2009, there has been an increased interest in defining the difference between cyber-based espionage, sabotage, hacktivism, cyber terrorism, etc., and what would be deemed actual warfare that takes place in the cyberspace domain. The U.S. Air Force published "Cyberspace Operations," Air Force Doctrine Document (AFDD) 3-12, which discusses operations in cyberspace, but the document itself states: "Although cyberspace operations are integral to all combatant commands, Services and agency boundaries, as of the date of publication of this AFDD (15 July 2010), there is no overarching joint doctrine for planning or operations in cyberspace." Operations conducted in cyberspace, including those deemed cyber warfare, are very new in relation to other forms of warfare. For this reason, it is difficult for doctrine to keep up with the ever-evolving actions that take place in cyberspace.

Outside of military doctrine, one of the leading definitions of cyber warfare comes from U.S. government security expert Richard A. Clarke. He calls cyber warfare "Actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."  However, Clarke stated that the definition was only for how he used the term "cyber war" in his book. Other sources, including the widely viewed Wikipedia, have used his definition as the sole definition of cyber warfare. The issue with this definition outside of his book, though, is that it does not include the ability for non-state actors and groups to conduct cyber warfare. The traditional idea of warfare and nations conducting warfare using tanks, airplanes, aircraft carriers, etc. does not apply in cyberspace. Anyone with a fair amount of training can sit down at almost any computer and turn it into a weapon system. Furthermore, you cannot limit cyberspace by boundaries and sovereign territories. When you combine those facts with the budget and resources many large corporations or powerful groups can supply, you reach a point where warfare is not confined to activities between nation-states.

Specifically in reference to this paper, it is not currently known if Stuxnet was created by a nation-state, corporation, or group of people; yet by Clarke's definition, Stuxnet would not be an act of cyber warfare if it was not used by a nation-state. Therefore, for the purpose of this paper, I offer this definition of cyber warfare instead: actions taken by nation-states, corporations or groups of influence and power to penetrate networks of a nation-state for the purposes of causing damage or disruption to the networks, or espionage conducted for the purpose of extending warfare to other domains. This definition still requires a nation-state as the target. This is more in line with traditional warfare, considering the entities that engage in warfare are nations, whether they are on the receiving or delivering end. Carl von Clausewitz stated that war is a continuation of politics by other means; the capabilities and actions demonstrated in cyberspace have reached the point where they can influence politics and have become an extension of the traditional warfighting domains.

History of Stuxnet

In June 2010, the Belarusian security firm VirusBlokAda first publicly reported the Stuxnet worm.[1] It was immediately identified as a critical threat, and companies, including Symantec, began working on analyzing it. Analysis of infection sites pointed to Iran as being a major target of the worm, and news media began running the story of the cyber-attack. On November 29, 2010, President Mahmoud Ahmadinejad of the Islamic Republic of Iran publicly acknowledged that malicious software had infected the Iranian nuclear facilities and disrupted the nuclear program by targeting the facilities' centrifuges.[2] However, the Stuxnet worm was likely affecting the nuclear facilities for over a year before its discovery. Symantec released a dossier that dates the earliest detected form of Stuxnet to June 2009. The Trojan.Zlob variant exploiting the LNK vulnerability later identified in Stuxnet was detected November 20, 2008.[3] These pieces of evidence point to the Stuxnet worm being developed and active long before widespread detection and acknowledgement by Iranian officials.

According to Symantec, by September 29, 2010, there were 100,000 infected hosts in the world, with approximately 60% of those residing in Iran. The next five countries to experience the most infections were Indonesia, India, the United States, Australia and the United Kingdom, respectively.[4] Although the infection spread through computers around the world, it was programmed to only activate on computers that ran Siemens Supervisory Control and Data Acquisition (SCADA) software, specifically the S7-400 PLC and WinCC. The worm took advantage of five vulnerabilities to carry out its operations. Of the five vulnerabilities, four were zero-days: vulnerabilities for which no patch was available at the time they were exploited. The one previously patched vulnerability in Stuxnet was MS08-067, the same vulnerability that was used in the Conficker attack. Kaspersky Lab's Alexander Gostev stated, "The fact that Stuxnet targets four previously unidentified vulnerabilities makes the worm a real standout among malware."

The use of four zero-day exploits, the first-ever programmable logic controller (PLC) rootkit, a Windows rootkit, peer-to-peer updates, command-and-control interfaces, two stolen signed digital certificates, and the amount of testing the worm required in a mirrored environment has many experts hailing it as the most advanced malware ever to be released.

Although the Stuxnet worm is incredibly advanced, to bypass the security controls set up around and within the Iranian nuclear facilities, it is believed that the worm had to have been placed onto the systems via a USB memory device. This lends credence to the idea that there was someone within the nuclear facilities in Iran who sabotaged the facility, knowingly or not, or that the PLCs were compromised before they were sent to Iran. The worm was then able to direct itself to two command-and-control servers through the websites and One server was located in Denmark and the other in Malaysia; the servers functioned to update Stuxnet and send commands. Symantec stated in its dossier that the earliest version of Stuxnet penetrated the nuclear facility to steal the ICS's schematics for the specific configuration of the PLCs. Once Stuxnet obtained the schematics, they were uploaded to the command-and-control server, where an updated version of Stuxnet was created specifically for the ICS in use at that facility. Once the two websites were discovered, they were redirected, which prevented the command-and-control servers from interacting with the worm. However, Stuxnet also has a peer-to-peer function that allows it to communicate with any other copy of itself to update itself and receive commands.[6]

After the Stuxnet worm infected the nuclear facilities in Iran, information about the worm's success becomes more speculative.[5] Iran has been careful about releasing exactly what damage the worm did, although there are some verified conclusions. One confirmed effect of the worm was the destruction of 1,000 centrifuges at the Natanz facility by slowly increasing and decreasing their motor speed.[7] Considering the known damage, Stuxnet has been credited with setting Iran's nuclear program back by at least two years.[8]

The worm has been described as a one-shot weapon that has already had its intended effects. However, Stuxnet is capable of causing much deadlier outcomes, including a nuclear meltdown. We know the worm acted slowly after spreading in the Iranian nuclear facility, for example, making small changes to the centrifuges to degrade them over time. This slow method of attack points to an effort by the attacker to remain covert. Everything Stuxnet did during its time on the nuclear facility networks, though, is unknown. Without knowing the intentions of the creator of the worm, whether or not Stuxnet was "successful" in its mission is purely speculative. Given the highly sophisticated coding of Stuxnet, the money required to develop it and the time it had to operate, one can assume that much more damage than the destruction of 1,000 centrifuges could have been caused if that had been a desired outcome.

Possible Perpetrators

At the time of writing this paper, there has been no attribution for the Stuxnet worm. However, it is still important to think about who may be responsible for the worm so that we may look at possible agendas for the attack. By looking at the signature of the code, we can gain hints on possible future uses and, in general, understand the worm more fully. At this point, attributing Stuxnet to any group of nation-states or corporations would be an ill-advised move, given the known evidence. This is because it is easy to leave false evidence behind in cyberspace.

That being said, two pieces of evidence found in the Stuxnet code itself supposedly link Israel to the creation of the worm. The number 19790509 was found, and some news sources and analysts state that it represents the date May 9, 1979. Further speculation puts the date as representing the execution in Tehran by firing squad of Habib Elghanian, a Jewish Iranian. The death of Elghanian, one of the first civilian executions by the new Islamic Iranian government, is credited with prompting a mass exodus out of Iran of the 100,000-person Jewish community. However, if the number is a date (which it does seem to represent), it could be related to any number of events, including the Stuxnet author's birthday. The second piece of evidence from the code itself is the file location name "Myrtus," which, it has been suggested, is a reference to the Book of Esther in the Bible's Old Testament. Again, though, this word could represent many things, including the words "My RTUs," where RTUs stands for Remote Terminal Units, which are commonly used in SCADA systems and with PLCs.

Even disregarding these items, Israel may still be considered one of the primary candidates for the creation of the worm. With its troubled history in the geographical area and its desire that Iran not have a nuclear program, it seems to be a likely candidate based on motive alone. Another piece of the puzzle that seems to indicate Israel is its secretive Dimona complex in the Negev desert. The New York Times posted articles stating that, according to confidential experts, the Dimona complex was responsible for testing the Stuxnet worm on P-1 centrifuges identical to those at the Natanz nuclear facility.[9] The Israeli chief of staff, General Gabi Ashkenazi, also took credit for the Stuxnet worm as part of his achievements at his retirement ceremony.[10]

The New York Times, among other news organizations, states that the Dimona complex and its possible use of P-1 centrifuges leads to a U.S. connection. The United States obtained P-1 centrifuges after Libya gave up its nuclear program in late 2003 and sent them to the Oak Ridge National Laboratory in Tennessee. The Oak Ridge National Laboratory is part of the Department of Energy, which cooperated with Siemens in early 2008 at its Idaho National Laboratory. The cooperation allowed the Idaho National Laboratory to test out vulnerabilities in Siemens computer controllers used in industrial machinery throughout the world.[11]

However, there is also evidence that points away from the U.S./Israeli connection to Stuxnet. Security expert Jeffrey Carr wrote a white paper titled "Dragons, Tigers, Pearls and Yellowcake: Four Stuxnet Attack Scenarios" in which he discusses varying motives that the creators of Stuxnet could have had in releasing it. His four theories include: sabotage of countries rich in rare-mineral mining operations, the use of Stuxnet as eco-terrorism by groups such as Greenpeace to target nuclear facilities, corporate sabotage of Siemens by competitors such as French nuclear corporation Areva, and sabotage by China in an effort to increase oil imports.[12] The white paper serves to take a look at possibilities surrounding the creation of Stuxnet that have not been widely explored in popular news media.

It is the opinion of the author, though, that as much as evidence seems to point to the United States and Israel, eco-terrorists or China, it is important to look at other possibilities as well. In cyberspace it is easy to make evidence seem to point in one direction when it was either created to do so or simply misinterpreted. The key is to understand there is evidence out there, and we must be thinking critically to anticipate what is next both from the creators of Stuxnet and others that have the same capabilities.

Effects on Cyber Community

To properly look at the effects of Stuxnet as a paradigm shift in cyber warfare, we must look not only at the damage Stuxnet caused, but also at the effects that it has had on the cyber community. The first part of the community to look at specifically would be Iran, as it suffered the most direct effects of Stuxnet. Since the detection of Stuxnet, the Iranian government has tried to bolster its cyber security and monitoring. The Iranian government launched its first cyber police unit in January 2011, stating that it will be tasked with patrolling and monitoring the Internet for purposes of countering spies and misuse of public and private information.[13] Unfortunately, a side effect of this move to try to protect its networks is that the cyber police have also been tasked with subverting social networks. The social networks are the same ones that were used to organize protests during the disputed presidential election of 2009. These cyber police units were ultimately delegated much more power over the freedom of speech through the Internet in Iran.

Another approach Iran is taking is the recruiting of hackers to launch a cyber warfare campaign against Iran's enemies. Brigadier Gen. Gholamreza Jalali, who leads the Iranian Passive Defense Organization, states that its mission is "to fight our enemies with abundant power in cyberspace and Internet warfare." The hackers recruited by Iran are being offered very generous salaries to aid in the cyber warfare campaign.[14] One group, calling itself Iran's Cyber Army, has already taken credit for attacks launched against websites of the opposition party in Iran.

Since the Stuxnet attack, Iran has also looked to increase its IT presence in the international community. Iran made claims of creating a supercomputer that, if true, will rank in the Top 500 list of the world's most powerful computers.[15] This is no small achievement for Iran and shows its desire to compete on an international scale in the cyber warfare and IT realm.

The United States government is also on edge regarding the Stuxnet worm and the effects the attack will have. Stuxnet re-emphasized, and undoubtedly informed many for the first time, that even large and powerful nations are not immune to cyber-attacks and can become targets. President Obama has pushed for a large increase in cybersecurity research in the 2012 federal budget, going as far as to say that the need for an increase in the science and technology sector is a new Sputnik moment for the United States. The budget would increase cybersecurity research and development by 35%, bringing the total to $548 million in 2012.[16]

Outside of what the media is reporting, the impact of Stuxnet on the way governments across the world handle cyber warfare is speculation. It is not often to the benefit of nations to advertise what steps they are taking in their own security or actions taken to prepare for war, and this holds true for war in cyberspace as well. Cyber warfare is a hot topic right now, in part due to Stuxnet, and opens up many new attack vectors and vulnerabilities to governments that they are undoubtedly exploring.

What Is Next?

Stuxnet has been part of an intense debate in the cyber community as to whether or not it is the most advanced malware ever created. However, it is generally accepted that Stuxnet is incredibly advanced and impressive; in the future, though, the malware will only be considered advanced for its time. Cyberspace is a quickly evolving domain that takes innovation and information from people all over the world to turn out impressive technology. Although Stuxnet has shaken the community in terms of its nature and feature set, we have to look at what's next in cyber warfare so that we are not caught off guard.

Researchers at the data security company Imperva released predictions that in 2011 we will see more state-sponsored cyber-attacks. They have stated that there will be more advanced persistent threats like Stuxnet that build upon the techniques and concepts from the commercial hacking community.[17] What we are essentially seeing is technology that is impressive and dangerous, but in its youth. The F-4 fighter jet was impressive during the Vietnam War, yet it is nowhere near as advanced as the F-22 fighter jet of today.

Not only will we see more state-sponsored attacks in cyberspace, but we will also see more non-state attacks from groups possessing powerful technology and software. In February 2011, the hacking group Anonymous, affiliated with WikiLeaks, claimed possession of and then released a copy of the Stuxnet worm. The worm itself, as described earlier, is very precise and poses little threat to anyone else. However, the worm can be broken into two parts: the weapon system and the payload. The weapon system is the part of the worm's code that allowed it to gain access into computer systems and networks, whereas the payload is the part of the code that modified and attacked the PLCs of the Iranian nuclear facility. It is theoretically possible to modify the Stuxnet worm to have a different payload while still taking advantage of the weapon system. This would mean that the Stuxnet worm could gain access into computers all over the world that were not properly patched against it and have whatever effects the programmers desired. These effects could include stealing corporate secrets, stealing personal information from individuals and even targeting other SCADA systems, including oil refineries and water filtration plants. The Stuxnet worm will eventually be outdone by a new contender, but the threats posed and inspired by Stuxnet and its variants will be around for years to come.

The Paradigm Shift

Cyber warfare is new relative to traditional warfare, but it had been around for years before Stuxnet. However, Stuxnet has changed the face of the cyber community around the world. It not only showed just how vulnerable even large governments are to cyber-attacks, but also how quickly a cyber-attack could take place while remaining undetected for so long. The allure to corporations and nation-states alike to conduct cyber-based attacks and espionage is great. The Stuxnet worm was a demonstration to groups and nation-states, both those who were planning to invest in cyber warfare and those who were not, that cyber warfare lacks much of the normal attribution and the high financial and political costs usually associated with traditional warfare. To those groups and nation-states that were not investing a significant amount in cyber warfare, the threat of catastrophic losses echoed across the deserts of Iran and into the fiber that connects the world.

Stuxnet has had an impact on politics and the federal budget, been used as the inspiration and justification for cyber police units with tremendous power over the Internet and freedom of speech in Iran, and has been publicly released with the intent of modification by powerful groups such as Anonymous. In addition, it has unquestionably inspired other governments and groups to develop their own cyber weapons, as well as increase defenses on their networks. On a larger international scale, the Russian ambassador to NATO, Dmitry Rogozin, said that NATO should investigate Stuxnet, as it was "very toxic, very dangerous" and "could lead to a new Chernobyl."[18] Cyber warfare has changed.

The public's knowledge on cyber warfare has also changed due to Stuxnet. In the months following the public release of information on Stuxnet, it was nearly impossible to turn on the nightly news, access news websites or escape Internet forums talking about the worm. The vulnerability of governments also has left a sense of serious vulnerability to many civilians about their personal information and assets. If a worm as powerful as Stuxnet could have been created to infiltrate extremely secretive and protected security measures around a nuclear facility, then it was more than theoretically possible that a worm could be designed or reverse-engineered to easily access banking information and personal details of millions of people around the world. When people of a nation do not feel secure, they look to their government to protect them; if the government cannot, then the people look towards change in the government. Stuxnet could have had much more drastic effects and a much more costly outcome. It was a wake-up call to those operating in cyberspace and to those who never before thought they would have to be concerned with it.

Stuxnet also raises the question of how non-state actors will be viewed in cyberspace in the future. If Stuxnet were launched from a non-state actor, for example, a corporation, what implications would it have for the non-state actor's home nation and how would Iran react?  If a non-state actor launches a cyber-attack of the magnitude of Stuxnet and possibly one with more damaging effects, including a nuclear meltdown, would the nation under attack consider it an act of war? Would the non-state actor be held responsible by its home nation, and if so, to what extent?  These questions are not easy to answer, but now must be addressed.

Stuxnet has caused a paradigm shift in cyber warfare and changed the way nations, corporations and we as citizens view cyber warfare. This is just the beginning of a new era of warfare that will only become more invasive and costly to each of us.

Robert M. Lee is an officer in the United States Air Force; however, this paper and his views do not constitute an endorsement by or opinion of the Air Force or Department of Defense.