Stuxnet (2010)

From International cyber law: interactive toolkit
Date: Development of Stuxnet is believed by researchers at the cybersecurity firms Symantec[1][2] and Chronicle[3] to have begun in 2005. It was first reported on 17 June 2010.[4]
Suspected actor: Unknown. There is speculation about the involvement of both the US and Israel.[5] However, there is no concrete evidence about the original developers of the worm. Given its extremely elaborate architecture, the worm was most likely designed by a highly organized and well-funded group of hackers.[6]

In 2019, researchers at Chronicle, a cybersecurity company, discovered that in addition to the threat actors Duqu and Flame and the APT group Equation Group, a threat actor known as Flowershop had also been involved in the Stuxnet operation.[7] Collectively, these four threat actors have been termed Gossip Girl, which is a supra threat actor (i.e., a threat actor representing multiple countries, institutions or groups).[3] Chronicle researchers suggest, therefore, that Stuxnet is the product of a collaboration between diverse and independent threat actors.[8]

Target: Natanz Fuel Enrichment Plant and Bushehr nuclear power plant in Iran.[9] The worm infected both plants, damaging a number of centrifuges installed in the Natanz nuclear facilities.[10]
Method: According to a possible attack scenario published by Symantec,[11] the worm, specifically designed to target industrial control systems, was introduced by a willing or unwilling third party into the Windows machine network at Natanz through a USB flash drive.[12] In order to compromise the system and gain privileges, the malicious code exploited four zero-day (unpatched) vulnerabilities in the Microsoft operating system.[13] The malicious software was then designed to search for specific programmable logic controllers (PLCs) made by Siemens, which are used to give instructions to industrial machines. When it found that the computer was connected to the Siemens Step7 factory system software (SCADA), the worm reprogrammed the PLCs controlling the centrifuges used to enrich uranium, forcing them to spin too quickly or too slowly and eventually breaking them apart. Otherwise, the worm remained dormant within the PLC and hid itself in the system. Even after having altered the instructions of the centrifuges, the worm was able to send back positive feedback to the controlling machine, thus concealing its malicious activity.[14]
Purpose: Despite the lack of an official statement from States, the media highlighted that the aim of Stuxnet was to sabotage nuclear infrastructure in Iran, probably to hinder the Iranian uranium enrichment programme.[15]
Result: By altering the regulation of the rotor speed, Stuxnet was able to cause the failure of a number of centrifuges. A report shows that between the end of 2009 and early 2010, about 1,000 centrifuges at the Fuel Enrichment Plant in Natanz, Iran, had to be replaced, implying that those centrifuges had been broken.[16]
Aftermath: Stuxnet has been seen as the first cyber-attack ever to cause destructive effects. It set a precedent, demonstrating that cyber-weapons can be effectively targeted against critical infrastructure not only to disable it but also to cause destruction.[17]
Analysed in: Scenario 03: Power grid; Scenario 10: Cyber weapons

Collected by: Samuele De Tomas Colatin

  1. Kelly Jackson Higgins, “New Twist in the Stuxnet Story”, Dark Reading (23 April 2019).
  2. Mike Lennon, “Symantec Uncovers Earliest Known Version of Stuxnet, Dates Cyber Weapon to 2005”, Security Week (26 February 2013).
  3. Eduard Kovacs, “New Module Suggests Fourth Team Involved in Stuxnet Development”, Security Week (9 April 2019).
  4. Robert Lipovsky, “Seven years after Stuxnet: Industrial systems security once again in the spotlight”, We Live Security (16 June 2017).
  5. N Anderson, “Confirmed: US and Israel created Stuxnet, lost control of it”, Ars Technica (1 June 2012).
  6. N Hopkins, “Stuxnet attack forced Britain to rethink the cyber war”, The Guardian (30 May 2011).
  7. Tara Seals, “SAS 2019: 4 Stuxnet-Related APTs Form Gossip Girl, an ‘Apex Threat Actor’”, Threatpost (9 April 2019).
  8. J.A. Guerrero-Saade, Silas Cutler, “STUXSHOP: The Oldest Stuxnet Component Dials Up”, Chronicle (9 April 2019).
  9. G Kessler, “New research confirms Iran's nuclear program was target of Stuxnet worm”, The Washington Post (15 November 2010).
  10. P Hafezi, “Iran admits cyber attack on nuclear plants”, Reuters (29 November 2010).
  11. N Falliere, L O. Murchu, E Chien, “W32.Stuxnet Dossier, Version 1.4”, Symantec (February 2011).
  12. A Shubert, “Cyber warfare: A different way to attack Iran's reactors”, CNN (8 November 2011).
  13. L O. Murchu, “Stuxnet Using Three Additional Zero-Day Vulnerabilities”, Symantec Official Blog (14 September 2010).
  14. M B. Kelley, “The Stuxnet Attack On Iran's Nuclear Plant Was 'Far More Dangerous' Than Previously Thought”, Business Insider (20 November 2013).
  15. P Hafezi, “Iran admits cyber attack on nuclear plants”, Reuters (29 November 2010).
  16. D Albright, P Brannan, C Walrond, “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?”, report from the Institute for Science and International Security (22 December 2010).
  17. C Walsh, “US Prepares for Cyber Threats in the Wake of Suspected ‘Stuxnet’ Attack in Iran”, Harvard Law School National Security Journal (7 October 2010).