Stuxnet is a computer worm, reportedly developed and launched by the United States and Israel, that specifically targets the programmable logic controllers (PLCs) that automate electromechanical processes such as the operation of centrifuges. It is widely considered the first cyberweapon, because it was built to cause physical destruction, and the first known malware designed to attack industrial control systems (ICS). Stuxnet is typically introduced to a network via an infected USB drive and contains three components: a worm that carries out the main payload, an LNK (shortcut) file that automatically executes the propagated worm copies when the drive's contents are displayed, and a rootkit that hides the malicious files and processes to evade detection. The worm propagates across the network looking for machines running the Siemens Step 7 software used to program and monitor PLCs. Once such a machine is found, the malware installs its rootkit component in the Step 7 software and on the PLC, modifies the PLC code, and issues its own commands to the PLC while feeding the operator readings that indicate normal operation. Stuxnet was used specifically against the centrifuges at Iran's uranium enrichment facility at Natanz. It manipulated the drives and valves serving the centrifuges, repeatedly raising and lowering rotor speed and increasing pressure on the machines, until they were damaged beyond use.

In the period leading up to Stuxnet's main attack on Iran's centrifuges, Iran's uranium enrichment program was progressing well and was on track to install the 6,000 centrifuges that then-Iranian President Ahmadinejad had promised. By the summer of 2009, Iran had produced over 839 kilograms of low-enriched uranium, reportedly enough for nuclear-weapons breakout capability. Had production continued at that rate, Iran would have had enough uranium for two nuclear weapons within a year.

A version of Stuxnet was launched in late June 2009. Because the targeted computers were air-gapped from the internet, the threat actors had to get the malware onto a machine inside the network by physical means, so they designed Stuxnet to spread via infected USB drives and, once on a network, via a print-spooler zero-day exploit. The actors reportedly infected computers belonging to four outside companies believed to be connected to the Iranian nuclear program, using malicious Step 7 project files; those infected machines would then carry the malware to the Siemens engineering workstations. The four companies were infected with Stuxnet between June 23 and July 22, 2009, and all of them noted problems with a Siemens Step 7 .DLL file. It is unclear exactly how long it took for the malware to travel from the targeted companies into the enrichment plant's network; however, between June and August the number of running centrifuges at the plant fell to 4,592, and by November it had fallen further to 3,936. Once inside, Stuxnet located the software controlling the centrifuges, seized control, and manipulated their speed: it forced the centrifuges to spin far above their normal rate for 15 minutes and then returned them to normal speed (public analyses describe a run at about 1,410 Hz against a nominal rotor frequency of roughly 1,064 Hz), all while the operators were shown normal readings. Within five months of the attack, the repeated speed excursions had broken enough machines that about 1,000 centrifuges were lost.
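The deception described above, the Step 7 path reporting normal operation to the operator while the PLC drives the rotors out of band for a 15-minute burst, as a small simulation, together with the two checks a practitioner would want: replay detection on the displayed data, and an out-of-band cross-check against a sensor path the malware does not touch. This is an added example written for this page, not code from Stuxnet, Siemens or NJCCIC; the 1,064 Hz and 1,410 Hz figures follow public analyses, and the noise level, alarm threshold, window length and the 20-minute baseline recording are constructed assumptions.

```python
"""Simulation of Stuxnet's operator-deception pattern and two detection checks.

The centrifuge controller is driven out of its normal speed band for a
15-minute burst while the operator display (HMI) is fed readings recorded
during normal operation. Values and sizes are constructed for illustration:
the nominal rotor frequency (1,064 Hz) and the overspeed (1,410 Hz) follow
figures from public analyses; sensor noise, the window length and the alarm
threshold are assumptions.
"""
import random

NOMINAL_HZ = 1064.0    # assumed nominal rotor frequency
OVERSPEED_HZ = 1410.0  # assumed attack frequency
MAX_SAFE_HZ = 1200.0   # constructed HMI alarm threshold
ATTACK_MINUTES = 15    # duration of the overspeed burst described on the page


def true_rotor_frequency(minute, attack_start):
    """Physical rotor frequency: overspeed during the burst, nominal otherwise."""
    if attack_start <= minute < attack_start + ATTACK_MINUTES:
        return OVERSPEED_HZ
    return NOMINAL_HZ


def sensor(value, rng):
    """A live reading carries a little noise; a replayed reading carries the
    noise of the original recording instead."""
    return round(value + rng.gauss(0.0, 0.5), 2)


def run_plant(total_minutes, attack_start, record_minutes, seed=1):
    """Return (independent_readings, hmi_readings), one sample per minute.

    independent_readings come from a second sensor path the malware does not
    touch (for example a separately wired vibration or power monitor).
    hmi_readings are what the operator sees: live PLC readings, except during
    the burst, when the malware replays the baseline it recorded earlier."""
    plc_rng = random.Random(seed)
    indep_rng = random.Random(seed + 1)
    recorded, independent, hmi = [], [], []
    for minute in range(total_minutes):
        actual = true_rotor_frequency(minute, attack_start)
        plc_reading = sensor(actual, plc_rng)
        independent.append(sensor(actual, indep_rng))
        if minute < record_minutes:
            recorded.append(plc_reading)          # attacker's baseline capture
        if attack_start <= minute < attack_start + ATTACK_MINUTES:
            # man-in-the-middle on the Step 7 path: replay, do not report live
            hmi.append(recorded[(minute - attack_start) % len(recorded)])
        else:
            hmi.append(plc_reading)
    return independent, hmi


def hmi_alarms(hmi):
    """A naive HMI threshold alarm: it only ever sees the displayed values."""
    return [i for i, v in enumerate(hmi) if v > MAX_SAFE_HZ]


def find_replayed_windows(series, window=5):
    """Replay detection: indices where `window` consecutive readings exactly
    repeat an earlier run. Real noisy sensors should never repeat verbatim."""
    seen, hits = {}, []
    for i in range(len(series) - window + 1):
        key = tuple(series[i:i + window])
        if key in seen:
            hits.append(i)
        else:
            seen[key] = i
    return hits


def cross_check(independent, hmi, tolerance=5.0):
    """Out-of-band check: minutes where the untouched sensor path disagrees
    with what the HMI shows by more than `tolerance` Hz."""
    return [i for i, (a, b) in enumerate(zip(independent, hmi))
            if abs(a - b) > tolerance]


if __name__ == "__main__":
    independent, hmi = run_plant(total_minutes=60, attack_start=30,
                                 record_minutes=20)
    print("HMI threshold alarms:", hmi_alarms(hmi))                # []
    print("replayed windows at:", find_replayed_windows(hmi))      # minutes 30..40
    print("out-of-band divergence:", cross_check(independent, hmi))  # minutes 30..44
```

The threshold alarm fires nothing, because it only sees the replayed baseline. The repeat-window check catches the verbatim replay from minute 30 to minute 40 (the last few windows of the burst overlap live data again, so they do not repeat), and the out-of-band comparison flags every minute of the burst. The design lesson is the one Stuxnet made concrete: once the engineering workstation is compromised, its view of the PLC is not evidence of the physical state, and any safety judgement needs a measurement path the attacker does not control.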

Stuxnet reportedly escaped into the wild unintentionally when an engineer at an infected facility connected his work laptop to his home network; from there it spread to many more machines than originally intended.

Technical Analysis

  • IEEE technical analysis of Stuxnet.
  • Wired technical analyses of Stuxnet (two articles).
Tags: ICS Malware, NJCCIC, stuxnet