Researcher offers new perspective on Stuxnet-wielding sabotage program
Posted on 21.11.2013
Stuxnet, the malware that rocked the security world and the first recorded cyber weapon, has an older and more complex “sibling” that was also aimed at disrupting the functioning of Iran's uranium enrichment facility at Natanz, but whose modus operandi was different.

The claim was made in a recently published report by well-known German control system security expert and consultant Ralph Langner, who has been analyzing Stuxnet since the moment its existence was first discovered.

In his report, he pointed out that in order to know how to secure industrial control systems, we need to know what actually happened, and in order to do that, we need to understand all the layers of the attack (IT, ICS, and physical) and be acquainted with the actual situation of all these layers as they were at the time of the attack.

He then went on to explain that Stuxnet actually had two attack routines. “Both attacks aim at damaging centrifuge rotors, but use different tactics. The first (and more complex) attack attempts to over-pressurize centrifuges, the second attack tries to over-speed centrifuge rotors and to take them through their critical (resonance) speeds,” he shared.

Researchers have concentrated on the second one, mainly because it was the one that was ultimately so successful. But Langner isn’t the only one to have analyzed the first (known) version of Stuxnet: Symantec researchers have also released a whitepaper on “Stuxnet 0.5”, which was first detected in the wild in 2007 when someone submitted it to the VirusTotal malware scanning service, but at the time no one knew what it did or how dangerous it was.

So why wasn’t this “first” version ultimately used for a longer time? “The results of the overpressure attack are unknown,” says Langner. “Whatever they were, the attackers decided to try something different in 2009.”

He speculates that the attackers were interested in slowing down Iran’s uranium enrichment efforts, and breaking down a great number of old centrifuges used at the plant would alert its operators to the fact that something was going on. But with the later Stuxnet variant, the attackers didn’t seem to mind that much if the attack was discovered.

“Much has been written about the failure of Stuxnet to destroy a substantial number of centrifuges, or to significantly reduce Iran's LEU production. While that is undisputable, it doesn’t appear that this was the attackers’ intention,” he pointed out. “If catastrophic damage was caused by Stuxnet, that would have been by accident rather than by purpose. The attackers were in a position where they could have broken the victim’s neck, but they chose continuous periodical choking instead.”

“Stuxnet is a low-yield weapon with the overall intention to reduce the lifetime of Iran’s centrifuges and make their fancy control systems appear beyond their understanding,” he says, and estimates that Stuxnet set back the Iranian nuclear program by over two years. He also pointed out that a simultaneous catastrophic destruction of all operating centrifuges wouldn't have caused such a delay, as Iran was able to produce centrifuges at an industrial scale, and had a massive number of them already in stock.

He also posits that while at the beginning the attackers (confirmed to be the US and Israel) were interested in keeping the attack secret, after a while they had an interest in showing who was behind it.

“Uncovering Stuxnet was the end to the operation, but not necessarily the end of its utility. It would show the world what cyber weapons can do in the hands of a superpower,” he explains. “Unlike military hardware, one cannot display USB sticks at a military parade. The attackers may also have become concerned about another nation, worst case an adversary, would be first in demonstrating proficiency in the digital domain – a scenario nothing short of another Sputnik moment in American history.”

Langner’s report is extensive: it goes into detail about how the ICS system and the physical centrifuges work, and dispels several misconceptions about Stuxnet (including the one about how it escaped from Natanz into the wild). It’s an extremely fascinating read that offers a new perspective on the whole affair, and I advise everyone to read it.
