This is the third podcast in the series examining Cyber Iran, and this time we will focus on one of the more famous cyberattacks against Iran that was made public and became known as Stuxnet. It is unclear whether the malware fully achieved its goals; what is certain is that it was discovered earlier than intended but still caused damage.
During 2010, a new type of malware that had never been seen before was discovered. It was found by a small antivirus company located in Russia, after one of its partners in Iran called to report computers crashing frequently on some networks.
A researcher at the company began investigating and found that a sophisticated, previously unseen virus was infecting computer networks in Iran.
It took time and effort, but the researcher realized that the malware spread by exploiting four previously unknown vulnerabilities (so-called 0-days) in the Windows operating system, which made it very efficient at propagating across the networks it was aimed at. That was unique: bundling four different 0-day exploits into one piece of malware means that once the malware is exposed, all the exploits it uses are likely to be exposed as well. Acquiring such exploits requires a great deal of effort, which is one of the reasons security experts believe a state such as the USA was behind this cyberattack.
The malware also contained many checks to ensure that it stayed dormant unless very specific conditions were met. It looked for software and devices from the well-known company Siemens, and when it found a computer running that software it activated itself. It became the first known malware that not only tried to take control of physical controllers through the software on the computer, but also tried to install itself on the physical controller itself, so that it would keep working even if it was deleted from the computer.
The way Stuxnet spread was also well thought out. The malware used known vulnerabilities related to USB devices: if a USB drive was connected to a computer infected with Stuxnet, the malware copied itself to the drive, which then infected other computers it was plugged into. In addition, Stuxnet used network connections to search for other computers on the local network and tried to infect them as well. It was designed to limit how fast it spread, infecting a maximum of three computers from a single flash drive, and was also coded to stop spreading to other devices on specific dates during 2012.
This malware targeted specific software and hardware used by Iran in its efforts to enrich nuclear material.
Stuxnet is known to have caused at least 1,000 centrifuges to explode by sending them commands to rotate at speeds other than the ones they were designed for, which caused them to expand and explode. A leaked security-camera video showing the moment it happened can be found on the internet.
After the discovery of Stuxnet, several more variants of malware aimed at Iran and its nuclear sites were discovered. It is unknown how large the actual effect of Stuxnet was on the Iranians, but it will be remembered as one of the first cyberattacks against industrial systems. Security experts describe Stuxnet and its variants as a one-time cyber weapon: a weapon meant to perform specific tasks and then delete itself after a while. And if it were not for the accidental discovery of the malware, whoever was behind the attack would probably still be performing such attacks to this day; and maybe they still do anyway.
Stuxnet was recognized as malware that had to have been developed by at least one nation, probably one of the superpowers. The effort required to develop and successfully launch such malware demanded a vast amount of resources.
Still, some things remain unclear. For example, if a state was behind the development of such an advanced cyberattack, why release the malware knowing it would cause Windows computers to crash repeatedly, something simple enough to draw security experts’ attention?
Iran blamed both Israel and the USA, but no one ever took official responsibility. However, traces pointing to Israel and the USA were found by several people who researched Stuxnet and the variants that followed.
At the end of 2018, the head of Iran’s civil defence agency told media outlets that the government had successfully neutralized “a new generation of Stuxnet which consisted of several parts… and was trying to enter our systems.”
The Iranians, however, did not reveal the extent of the damage, and no one claimed responsibility. We will cover this in more detail in the future, as this incident is interesting because it may have involved some old-school espionage and spies!
That’s it for this podcast, stay safe and see you in the next podcast. Don’t forget to visit www.cybercure.ai for the latest podcasts on cyber intelligence.