Stuxnet | Iran Got Hacked
The story of an attack on Iran's nuclear program and the hack that will cripple Iran
2017-02-19 23:51:40 - aatventure.news
John Byrd, CEO, Gigantic Software; Director, Sega; Sr Manager, Electronic Arts; Harvard '91:
The most sophisticated software in history was written by a team of people whose names we do not know.
It’s a computer worm. The worm was written, probably, between 2005 and 2010.
Because the worm is so complex and sophisticated, I can only give the most superficial outline of what it does.
This worm exists first on a USB drive. Someone could just find that USB drive lying around, or get it in the mail, and wonder what was on it. When that USB drive is inserted into a Windows PC, without the user knowing it, that worm will quietly run itself, and copy itself to that PC. It has at least three ways of trying to get itself to run. If one way doesn’t work, it tries another. At least two of these methods to launch itself were completely new then, and both of them used two independent, secret bugs in Windows that no one else knew about, until this worm came along.
Once the worm runs itself on a PC, it tries to get administrator access on that PC. It doesn’t mind if there’s antivirus software installed — the worm can sneak around most antivirus software. Then, based on the version of Windows it’s running on, the worm will try one of two previously unknown methods of getting that administrator access on that PC. Until this worm was released, no one knew about these secret bugs in Windows either.
At this point, the worm is now able to cover its tracks by getting underneath the operating system, so that no antivirus software can detect that it exists. It binds itself secretly to that PC, so that even if you look on the disk for where the worm should be, you will see nothing. This worm hides so well, that the worm ran around the Internet for over a year without any security company in the world recognizing that it even existed.
The software then checks to see if it can get on the Internet. If it can, it attempts to visit either http://www.mypremierfutbol.com or http://www.todaysfutbol.com. At the time, these servers were in Malaysia and Denmark. It opens an encrypted link and tells these servers that it has succeeded in owning a new PC. The worm then automatically updates itself with the newest version.
At this point, the worm makes copies of itself to any other USB sticks you happen to plug in. It does this by installing a carefully designed but fake disk driver. This driver was digitally signed by Realtek, which means that the authors of the worm were somehow able to break into the most secure location in a huge Taiwanese company, and steal the most secret key that this company owns, without Realtek finding out about it.
Later, whoever wrote that driver started signing it with secret keys from JMicron, another big Taiwanese company. Yet again, the authors had to figure out how to break into the most secure location in that company and steal the most secure key that that company owns, without JMicron finding out about it.
This worm we are talking about is sophisticated.
And it hasn’t even got started yet.
At this point, the worm makes use of two recently discovered Windows bugs. One bug relates to network printers, and the other relates to network files. The worm uses those bugs to install itself across the local network, onto all the other computers in the facility.
Now, the worm looks around for a very specific bit of control software, designed by Siemens for automating large industrial machinery. Once it finds it, it uses (you guessed it) yet another previously unknown bug for copying itself into the programmable logic of the industrial controller. Once the worm digs into this controller, it’s in there for good. No amount of replacing or disinfecting PCs can get rid of the worm now.
The worm checks for attached industrial electric motors from two specific companies. One of those companies is in Iran, and the other is in Finland. The specific motors it searches for are called variable-frequency drives. They’re used for running industrial centrifuges. You can purify many kinds of chemicals in centrifuges.
Such as uranium.
Now at this point, since the worm has complete control of the centrifuges, it can do anything it wants with them. The worm can shut them all down. The worm can destroy them all immediately — just spin them over maximum speed until they all shatter like bombs, killing anyone who happens to be standing near.
But no. This is a sophisticated worm. The worm has other plans.
Once it controls every centrifuge in your facility… the worm just goes to sleep.
Days pass. Or weeks. Or seconds.
When the worm decides the time is right, the worm quietly wakes itself up. The worm randomly picks a few of those centrifuges while they are purifying uranium. The worm locks them, so that if someone notices that something is wrong, a human can’t turn the centrifuges off.
And then, stealthily, the worm starts spinning those centrifuges… a little wrong. Not a crazy amount wrong, mind you. Just, y’know, a little too fast. Or a little too slow. Just a tiny bit out of safe parameters.
At the same time, it increases the gas pressure in those centrifuges. The gas in those centrifuges is called UF6. Pretty nasty stuff. The worm makes the pressure of that UF6 just a tiny bit out of safe parameters. Just enough that the UF6 gas in the centrifuges has a small chance of turning into rock while the centrifuge is spinning.
Centrifuges don’t like running too fast or too slow. And they don’t like rocks either.
The worm has one last trick up its sleeve. And it’s pure evil genius.
In addition to everything else it’s doing, the worm is now playing us back a 21-second data recording on our computer screens that it captured when the centrifuges were working normally.
The worm plays the recording over and over, in a loop.
As a result, all the centrifuge data on the computer screens looks completely fine, to us humans.
But it’s all just a fake recording, produced by the worm.
Now let’s imagine that you are responsible for purifying uranium using this huge industrial factory. And everything seems to be working okay. Maybe some of the motors sound a little off, but all the numbers on the computer show that the centrifuge motors are running exactly as designed.
Then the centrifuges start breaking. Randomly, one after another. Usually they die quietly. Rarely though, they make a scene when they die. And the uranium yield, it keeps plummeting. Uranium has to be pure. Your uranium is not pure enough to do anything useful.
What would you do, if you were running that uranium enrichment facility? You’d check everything over and over and over, not understanding why everything was off. You could replace every single PC in your facility if you wanted to.
But the centrifuges would go right on breaking. And you have no possible way of knowing why.
And on your watch, eventually, about 1000 centrifuges would fail or be taken offline. You’d go a little crazy, trying to figure out why nothing was working as designed.
That is exactly what happened.
You would never expect that all those problems were caused by a computer worm, the most devious and intelligent computer worm in history, written by some incredibly secret team with unlimited money and unlimited resources, designed with exactly one purpose in mind: to sneak past every known digital defense, and to destroy your country’s nuclear bomb program, all without getting caught.
To have one piece of software do any ONE of those things would be a small miracle. To have it do ALL of those things and many more, well…
… the Stuxnet worm would have to be the most sophisticated software ever written.
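One defensive takeaway from the looped-recording trick described in the answer above is that genuine process telemetry carries sensor noise and never repeats exactly, while a replayed capture does. The following is an added example, not code from this article, from John Byrd's answer, or from Stuxnet or Siemens; it shows how an operator-side monitor could flag a displayed series that repeats with an exact period. All function names are the example's own, the sample data is constructed, the 1000 Hz nominal and the 0.3 Hz noise level are arbitrary placeholders rather than real centrifuge parameters, and the 21-sample capture window is chosen only to echo the 21-second figure in the text.

```python
"""Spotting a looped telemetry replay on an operator display.

Added example (not Stuxnet, Siemens or the article's code). Live readings
carry noise and drift, so an exact period in the displayed series is a strong
sign that the screen is showing a recording on a loop. Sample data below is
constructed; the 1000 Hz nominal is an arbitrary placeholder.
"""
import random
from typing import Optional, Sequence


def find_replay_period(samples: Sequence[float], min_period: int = 2,
                       min_repeats: int = 3, tolerance: float = 0.0) -> Optional[int]:
    """Return the smallest period p (in samples) at which the series repeats
    itself for at least min_repeats full cycles, or None if no such period.

    tolerance absorbs display rounding: readings closer than one display
    unit are treated as equal. A flat line is deliberately not reported; a
    constant value repeats trivially and needs a separate "frozen reading"
    check rather than this one.
    """
    if len(set(samples)) < 2:
        return None
    n = len(samples)
    for p in range(min_period, n // min_repeats + 1):
        if all(abs(samples[i] - samples[i + p]) <= tolerance for i in range(n - p)):
            return p
    return None


def synthetic_live_feed(n: int, nominal_hz: float = 1000.0, seed: int = 7) -> list:
    """Constructed stand-in for a live drive-frequency reading: an arbitrary
    nominal value plus Gaussian sensor noise, rounded to the two decimals a
    display would show. Seeded so the demo is repeatable."""
    rng = random.Random(seed)
    return [round(nominal_hz + rng.gauss(0.0, 0.3), 2) for _ in range(n)]


def replayed_feed(recording: Sequence[float], n: int) -> list:
    """Loop a captured window of readings out to length n, as the replay does."""
    return [recording[i % len(recording)] for i in range(n)]


def classify_feed(samples: Sequence[float]) -> str:
    """Human-readable verdict for the demo below."""
    period = find_replay_period(samples)
    if period is None:
        return "no exact period found; consistent with live data"
    return f"series repeats every {period} samples; treat display as replayed"


if __name__ == "__main__":
    live = synthetic_live_feed(63)
    print("live feed:    ", classify_feed(live))
    # A 21-sample capture of normal operation, looped for the operator.
    capture = live[:21]
    print("replayed feed:", classify_feed(replayed_feed(capture, 63)))
```

Two caveats when applying this to a real plant: a digital setpoint that is legitimately constant or quantised can repeat without any attack, which is why the check demands several full cycles and excludes flat lines, and a monitor that reads from the same compromised host proves nothing. The check is worth far more when fed by an independent measurement path (a separate sensor or a data diode tap), which is the software equivalent of the "motors sound a little off" observation in the text.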