Analysis: Stuxnet dissected

 

How one of the world's most complex cyber attacks crippled Iran's nuclear programme.

The first clue something had gone horribly wrong would have been the noise.

Engineers working on Iran's nuclear enrichment program would have grown accustomed to the usual hum of the many hundreds of motors running its centrifuges, which spin at high speeds to enrich uranium gas.

Without warning, at some time in the middle of last year, those centrifuges were likely to have spun uncharacteristically faster for 15 minutes. The change in frequency would have been noticeable to the layman - to the engineers, it would have been deafening.

They no doubt would have stared at their screens and at each other - had someone made a mistake? There would be a scramble to upload new instructions to the system - to correct whatever error they thought they made earlier - only to find that the code running on the machine didn't match what they could see.

No matter what code they would upload, the machines wouldn't respond to their new commands.

It is highly likely the centrifuges - spinning well beyond their usual limits - would have shredded, with shards of metal piercing the soft aluminium sheaths that surround the cascades.

Engineers may have panicked and flicked a kill switch to dump the uranium before worse damage could be done.

The extent of the damage will probably never be known to those outside the enrichment program. The Iranian Government has admitted to its nuclear enrichment program being set back by the Stuxnet virus - but has not gone into a great amount of detail.

Thankfully, there is a great deal we do know - based on an excruciatingly detailed analysis of the Stuxnet worm by the Symantec Security Response team.

Stuxnet was - for a number of reasons - one of the most fascinating and sophisticated computer hacks in history.

Kevin Hogan, senior director at Symantec Security Response, devoted some of his best resources over the latter part of 2010 and early 2011 to reverse-engineering the threat to understand what precisely happened.

Read on to part 2 to discover the genesis of Stuxnet.

Copyright © iTnews.com.au . All rights reserved.


Comments: 2
Corsair
Feb 24, 2011 11:19 AM
Wow. Talk about a sophisticated attack.

Just wondering about a particular point:

"Stuxnet would then log-in, create an internet connection and connect to two command and control servers to download instructions"

I imagine this means the laptop/computer that has a physical connection to the Internet - not the computer that is part of the SCADA network at the facility (since that SCADA network is physically isolated from the Internet so it wouldn't be possible to create an Internet connection)?
Mordd
Feb 24, 2011 8:32 PM
Very interesting reading, great article, would love to see more feature articles like this more regularly here.