Read Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon Online
Authors: Kim Zetter
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (5 page)
It was clear this wasn’t a standard attack, and needed to be examined more closely. But the size and complexity of the code meant it was going to take a team of people to reverse-engineer and decipher it. So the question running through O’Murchu’s mind was should they even bother doing it? No one would blame Symantec if the researchers dropped the code and moved on to other things. After all, the primary task of any antivirus firm was to halt infections before they began or to rid infected systems of malware that was already on them. What malicious code did to computers once it was on them was secondary.
But even though their primary work stopped at the point of detection, any customer infected with Stuxnet would still want to know what the malware had done to their system, even if Symantec had already detected and deleted its malicious files. Had it pilfered credentials or important documents? Altered or deleted crucial data? O’Murchu felt it was their duty to find out.
But this wasn’t the only reason he wanted to continue digging through the code. The truth was, Stuxnet appealed to him because it was a huge adrenaline rush of a puzzle—a virus far too complex to be merely a tool for espionage, and far too sophisticated to be the work of mere cybercriminals. He just had to figure it out.
AS THE END
of that first day drew near, O’Murchu typed up his notes describing what he had uncovered so far and sent them off to Symantec’s team in Tokyo, regretting that he didn’t have more time to spend with the code.
The Tokyo team worked part of that weekend, mapping Stuxnet’s components and doing a high-level analysis of the code so that everyone could get a handle on what they were dealing with. Back in California, where O’Murchu lived with his British girlfriend near the beach in Marina del Rey, he tried to push the code out of his mind, but couldn’t. Memories of the complex way it hijacked a system invaded his mind until he started to question whether he was right about what he had seen. To silence his doubts, he returned to the office to look at the code again until he was satisfied that he was correct.
By the time Monday morning arrived, he was impatient to get to the office to meet with his colleague Eric Chien and report what he had found. Like O’Murchu, Chien had transferred from Symantec’s Dublin office to Culver City and was now technical director of the company’s Security Response team. Chien decided they should call Nicolas Falliere, a young senior software engineer and analyst in Symantec’s Paris office who was a whiz at deconstructing difficult code. The three of them worked out a plan for tackling the project.
Stuxnet was so large, with so many different parts, but the obvious place to start was the command-and-control servers. So while Falliere familiarized himself with the parts of Stuxnet that O’Murchu had already seen, Chien and O’Murchu focused on the servers.
Each time Stuxnet infected a system, it “phoned home” to one of two internet domains masquerading as soccer fan sites—mypremierfutbol.com and todaysfutbol.com. The domain names, registered by someone who used fake names and fraudulent credit cards, pointed to servers in Denmark and Malaysia that served as command-and-control stations for the attack. Each time Stuxnet infected a machine, it contacted the servers to
announce its conquest and communicate intelligence about the latest victim. The communication was encrypted to prevent anyone from casually reading it, but the encryption the attackers had used was surprisingly weak and easily cracked. Once Chien and O’Murchu unlocked it, they were able to see that Stuxnet was reporting the machine’s computer and domain names to the attackers, as well as the internal IP address, the version of Windows it was running, and whether or not it had the targeted Siemens software installed on it.
4
Each piece of data presumably helped the attackers determine if Stuxnet was closing in on its target. This was important because they were essentially flying blind in their attack. Once unleashed, a self-propagating worm like Stuxnet has a life of its own, and the attackers would have had no real control over where their malicious code traveled. The data coming back to the servers would have helped them track its path to some degree as it crawled through networks in search of its quarry.
But of all the information Stuxnet reported to its masters, the Siemens data was the most important because, as the researchers would soon learn, if Stuxnet found itself on a system that
didn’t
have the Siemens software installed, it simply shut itself down. It still sought other machines to infect, but it wouldn’t launch its payload on any machine that didn’t have
the Siemens software installed. Any system without the software was just a means to Stuxnet’s end.
5
O’Murchu contacted the DNS (domain name system) service providers for the two command-and-control domains and asked them to stop the traffic going to the attackers and divert it to a sinkhole—a computer dedicated to receiving hostile traffic—that Symantec controlled instead. DNS providers are the traffic cops of the internet, who make sure that e-mail and browsers reach their destinations, so that anytime someone types “nytimes.com” into their browser or clicks on a link for a website, they will arrive at the proper IP address.
6
By diverting the traffic to their sinkhole, the researchers could now collect the real-time data that Stuxnet, like a good soldier, was supposed to be reporting to the attackers. By Tuesday morning, July 20, a flood of traffic was coming to their sinkhole.
As each infected machine called in, O’Murchu and Chien mapped the domains and countries from which they reported and examined the data that Stuxnet sent in, looking for common characteristics—including the number of victims carrying the Siemens software. By the end of the week, more than 38,000 infected machines from dozens of countries had contacted the sinkhole, and at a rate of 9,000 new infections a day, the number was swiftly growing. They would eventually track more than 100,000 infections in more than 100 countries.
7
Stuxnet was still spreading, despite
signatures distributed by antivirus firms to stop it, indicating that many victims didn’t have the latest antivirus software installed. Among the infected machines calling in to their sinkhole was an occasional hit from an antivirus firm—a sign that researchers at some competing firms were still running Stuxnet on their test-beds.
As O’Murchu and Chien mapped the geographical location of each infection, an unusual pattern began to emerge. Out of the initial 38,000 machines they tracked, more than 22,000 were based in Iran. Indonesia was a distant second, with about 6,700 machines, followed by India with 3,700 infections. The United States had fewer than 400 infections, and the numbers in other countries dropped steeply from there. Only a small number of all of the infected machines had the Siemens software installed, and the majority of those were in Iran as well—217, as opposed to a mere 16 machines in the United States.
8
The infection numbers were way out of sync with previous patterns of worldwide outbreaks, in which Iran never placed high, if at all, in the infection stats. Even in outbreaks that began in the Middle East or Central Asia, Iran never tracked high on the charts. It seemed clear that they were looking at a targeted attack focused on the Islamic Republic. But if the attackers were primarily interested in Siemens machines installed in Iran, then Stuxnet had spread far beyond its target. And why was it spreading farther in India and Indonesia than in the United States and Europe? What did the three nations have in common that made the infections concentrate there? Given the time and money that had obviously gone into producing the code, they knew they weren’t looking at someone who was out to steal pharmaceutical recipes or the production secrets of an automobile plant, as Boldewin had speculated. The attackers had to be aiming to steal intelligence about critical systems, perhaps with strategic political importance to the region. The Siemens software that Stuxnet sought wasn’t
just used in industrial plants, it was also used in critical infrastructure systems. Chien did a quick Google search on Iran and India to see what the two countries had in common and found recent stories about a natural gas pipeline that was being built to connect the two nations. The so-called Peace Pipeline involved a 1,700-mile pipeline running from Iran’s South Pars gas field in the south of the country through Pakistan and into India, a plan the United States strongly opposed. The project had gone through a number of ups and downs over the years due to shifting geopolitical winds and funding issues, with India pulling out of it in 2009 under pressure from the United States. But in May 2010, just two months before Stuxnet was discovered, India had rejoined the project. Also that month, Iran was set to begin design and construction on the final portion of the pipeline to be built inside its borders.
But there was also something else dominating headlines about Iran—its rapidly expanding nuclear program. Iran was about to open a nuclear reactor at Bushehr, in the south of the country, which had been a source of great tension with Israel and the West for a number of years. But even more controversial than the reactor was a uranium enrichment plant in a place called Natanz that had been built to supply the reactor with nuclear fuel. The UN had voted for sanctions against Iran over the plant, and there was also talk about a possible air strike against the plant.
A disturbing geopolitical picture was beginning to emerge. The sophisticated nature of the malicious code, plus the stolen certificates and Iran’s place at the center of the outbreak made it appear that Stuxnet might be the product of a covert government spy mission—albeit one that had clearly run amok. Given that something in Iran appeared to be the target, the list of likely suspects was small—Israel, China, Russia, or the United States.
Chien paused to consider the implications. If Stuxnet
was
the product of a government spy mission, specifically a US spy mission, it made their sinkhole pretty audacious. By intercepting data the attackers were expecting to receive from infected machines in Iran, they had possibly landed
themselves smack in the middle of an international incident and also may have helped sabotage a classified operation. The potential ramifications were daunting.
But Chien couldn’t dwell upon this right now. Symantec’s job wasn’t to help protect covert government operations, no matter which country might be behind them. Their job was to protect the machines of customers. It didn’t matter who launched the code or what it was targeting; as long as it was affecting Symantec customers, the malicious code had to be stopped.
Although machines in Iran, where Symantec didn’t have customers, appeared to be the malware’s primary target, Stuxnet had infected thousands of computers in other countries as well and was still on the loose, continuing to spread. And the researchers still didn’t know what its malicious payload was designed to do or if it contained any bugs that might affect nontargeted machines.
They also couldn’t rule out the possibility that Iran was actually the source of the attack instead of its target. Perhaps Iranian engineers had been writing Stuxnet to target machines in the United States and had lost control of it in a lab, which would have helped explain all of the infections in Iran. If it now spread to critical systems in the United States—an electric plant or the control system for a dam or railroad—what would happen then?
Chien and O’Murchu decided they had to press on.
Whatever the political implications of their decision might be, these would have to wait for consideration another day.
1
The .LNK exploit on USB flash drives was configured to spread Stuxnet to only three new machines before it would shut down and delete the files from the USB flash drive.
2
Forensic evidence found inside the versions of Stuxnet Symantec examined indicated that the first infection in Iran occurred June 23, 2009.
3
Nicolas Falliere, Liam O’Murchu, and Eric Chien, “W32.Stuxnet Dossier” (report, February 2011), 13–15, available at
symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
. Symantec’s extensive dossier describes in detail Stuxnet’s technical specs and what each function in the code is designed to do.
4
A machine’s domain name and external IP address—the outer-facing address of machines connected to the internet—can reveal the name of the organization or company that owns the infected machine, based on who owns the block of IP addresses in which the machine’s address falls. This could help the attackers determine how fast and far Stuxnet spread. This information would also have told the attackers when Stuxnet traveled way off track as it began to show up in geographical regions far from its target. Internal IP addresses, on the other hand, are addresses that companies assign internally to machines to map them and route traffic between them. These IP addresses can be useful if the attackers possessed a map of the infected company or organization’s internal network, perhaps stolen from a system administrator’s computer, which indicated the internal IP address assigned to each machine on the network. If this was the case, the attackers could have tracked Stuxnet’s path as it slithered inside a network infecting machine after machine, reporting back to the command-and-control servers each time it infected one that was connected to the internet. As for the computer name, it could have helped the attackers identify which employee or work group inside an organization owned the machines that were infected. One machine, for example, was named GORJI-259E4B69A, another was PEYMAN-PC. But many of the infected systems shared the same generic name: “ADMIN-PC,” “USER-PC,” or “home laptop,” making it difficult to distinguish between them.
5
Alex Gostev, chief malware expert at Kaspersky Lab in Russia, found that Stuxnet sent to the command servers a file—named Oem6c.pnf—that identified not only which Siemens program was installed on the computer (the Siemens Step 7 programming software or the WinCC program, which operators use to monitor conditions on their PLCs) but also included a list of any Step 7 project files on the machine and the path string that showed where on the computer the files were located. The Step 7 project files contain the programming commands for PLCs. Gostev suspects that anytime the attackers found project files on a machine, they may have sent a separate tool to the computer to steal the files and examine them for configuration data to determine if Stuxnet had found the systems it was seeking.
6
The DNS providers had already dead-lettered the traffic to the two domains so that it was going nowhere when Symantec approached them. They had pointed the traffic to the IP address 127.0.01, which is commonly used to return traffic to the sender’s machine.
7
The 100,000 figure is the number that Symantec tracked during the first six months after Stuxnet was discovered. But the total number of infections, based on figures that other antivirus companies compiled as they added detection to their tools, eventually climbed to more than 300,000, according to Kaspersky Lab.
8
At a US Senate hearing in November 2010, Dean Turner, director of Symantec’s global intelligence network, testified that the number of unique infections in the United States had by then reached 1,600. Of these, 50 machines had the Siemens WinCC software installed on them.
