The Stuxnet worm was at work sabotaging a uranium plant in Iran a year earlier than previously thought and before a U.S. covert program to disrupt the facility was officially authorized by former President George W. Bush, according to a report on a previously unknown version of the worm.
The early version of the worm - Stuxnet 0.5 - was found in the wild in November 2007 and stopped infecting July 4, 2009, according to a new Symantec blog post. Bush authorized the U.S. to use covert activities to target Iran's uranium works at Natanz in January 2009, just before he left office.
Previously the worm, whose existence came to public attention in June 2010, was thought to have been at work since 2008. It turns out that that was a later version called Stuxnet 1.001, which attacked centrifuges used to enrich uranium for Iran's nuclear program.
Like the previously known version, the earlier one used sophisticated means to disrupt machinery made by Siemens that was used to enhance uranium.
The worm would find Siemens programmable logic controllers (PLC) used to manipulate valves that fed a gaseous state of uranium ore into centrifuges for separating out the uranium. Closed at the right time the valves would disrupt the flow of the gas and possibly damage the centrifuges, the Symantec report says.
But first it would monitor the normal system state of the machinery so that after the worm closed the valves, it could simulate readouts that would mask the effects of the attack. "It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle," the blog post says. So even if the operator figured out something was wrong, there was nothing that could be done about it.
Stuxnet carefully probed potential target Siemens machines to make sure they were actually in the Natanz facility, the blog post says, and the criteria it used indicate that whoever wrote the worm had detailed intelligence about the configuration of the centrifuges at the site.
Thousands of centrifuges were arranged in groups called cascades that were identified by a code. The logic used by Stuxnet to parse these strings sought particular cascade modules, seeking those labeled between A21 and A28 and expecting to find a maximum of 18 cascades per module with each cascade consisting of 164 centrifuges grouped into 15 stages. That exactly matches the known configuration at Natanz.
This process is called fingerprinting. "During fingerprinting, Stuxnet keeps a counter for each device that matches the expected configuration," the blog post says. "Once the counter surpasses a particular threshold, Stuxnet considers the system that is being fingerprinted to match the target system configuration and will inject the attack PLC code. Stuxnet also determines which six cascades out of the possible 18 are the highest value targets and saves this information along with device addresses and configuration information[.]"
The worm also had a state table that laid out how attacks would unfold. This is how Symantec describes it:
" State 0 - Wait: Perform system identification and wait for the enrichment process to reach steady-state before attacking (approximately 30 days).
" State 1 - Record: Take peripheral snapshots and build fake input blocks for replaying later.
" State 2 - Attack centrifuge valves: Begin replaying fake input signals. Close valves on most centrifuges with the exception of the initial feed stage valves.
" State 3 - Secondary pressure reading: Open valves in the final stage of a single cascade to obtain a low pressure reading.
" State 4 - Wait for pressure change: Wait for desired pressure change or time limit. This can take up to two hours.
" State 5 - Attack auxiliary valves: Open all auxiliary valves except valves believed to be near the first feed stage (stage 10). Wait for three minutes in this state.
" State 6 - Wait for attack completion: Wait for six minutes whilst preventing any state changes.
" State 7 - Finish: Reset and return to state zero.
If this workflow is carried out Stuxnet expects pressure in the enrichment system to increase five times normal, the blog post says, which could damage the system and cause the uranium hexafluoride gas to revert to a solid. Symantec says it's unclear how successful these attacks were since it was just looking at the code intended to carry them out, not data on what was actually carried out.
Stuxnet 0.5 had four command and control servers located in the U.S., Canada, France and Thailand, and all their IP addresses are either unavailable or registered to an unrelated party, according to a separate Symantec blog.
The command and control was rudimentary, enabling just downloads of new code and the ability to update itself. It seems intended to be deployed in closed networks and to receive updates from other machines on the same network that are newly infected with the worm via USB sticks. "Stuxnet 0.5 uses Windows mailslots for peer-to-peer communication. Mailslots allow a process to pass a message to another process on a remote computer," the blog post says.
The homepage for the command and control servers was for an entity called Media Suffix, whose motto was "Deliver What the Mind Can Dream".
(Tim Greene covers Microsoft for Network World and writes the Mostly Microsoft blog. Reach him at [email protected] and follow him on Twitter https://twitter.com/#!/Tim_Greene.)
Read more about wide area network in Network World's Wide Area Network section.