Worms in the Real World (Stuxnet)

In this video, we’re going to talk about Stuxnet. This is on the most popular cyber attacks that’s happened so far in the history of cybersecurity. And it’s a great example of a worm in action. So in 2010, researchers in Iran started noticing that their centrifuges were breaking down significantly faster than they should. And actually, it wasn’t researchers, it was auditors of a nuclear power company, that was their job was that they created enriched uranium gas. And they used the centrifuges do that. So an audit company came, they noticed that these centrifuges were failing at an extreme rate.

Around the same time, strong companies were starting to notice that their machines were rebooting rapidly and they couldn’t figure out what the problem was. So this is the first sign that something was suspicious. The centrifuges were on an air-gapped network. And in order for them to be compromised, the attackers need to first get the malware to them. But it was hard to do because of the environment. This is a uranium gas refinement facility in Iran. And in 2010, Iran was in a difficult political situation. So everything was kind of right for a major cyber event to happen, but difficult for something like a stranger to walk into a building in a highly secure compound and put something on the network.

So they then said, the attackers targeted the secondary people in the supply chain. They hit the manufacturers and the maintenance companies that they knew went into this facility. And they put Stuxnet on USBs because they knew the people from these companies would go in, they would have to plug the USBs in to do updates, or something of that nature. And at the time, there was an auto run feature within Windows, that when the USB was plugged in without auto-runners on the USB. And that would be Stuxnet in this case.

Once one machine was targeted, or once Stuxnet was on to the network where the centrifuges were, as we know from worms, it would start looking for other centrifuges and replicate itself. It’s interesting because Stuxnet is often considered the first digital weapon. And I think what we mean by this is one of the first times that we know of that a cyber attack, a computer piece of malware falls over into the physical world. Right now, we’re affecting nuclear uranium gas centrifuges, and this can have an actual loss of life type of impact. So this is kind of seem almost as an act of war at the time.

And this became a big problem because all fingers pointed toward the United States, and the United States allies that were targeting Iran. Now, at this point in time almost 10 years later, I think that most people agree that it was some sort of coalition of Western countries that put this together. But the thing here to understand is that attribution is really hard. And the reason for that is if I am a nation state actor, and we talked about that in the earlier part of this course, what that means.

If I’m an nation state actor, and I know– let’s say, for example, I am North Korea, and I went to attack somebody, but I don’t want it to look like North Korea is attacking, maybe I would use indicators of compromise, IOCs, behaviours and tactics, techniques, and procedures of another country, maybe Russia. So maybe North Korea is going to attack a target and make it so they look like they’re Russian. And that becomes very messy in the digital space to suss out what is real and what is not. So attribution is very, very hard and very often it is not accurate, at least in the first attempt.

Because you can see you can kind of game theory all potential things that you could do. A nation state could actually hire people from another country that are going to use, by default, the languages of that country. Maybe if they’re going to put comments in their code that run in that country’s native language. Things like that and it’s going to make it very, very hard to identify the true source of this. There was a book that came out it’s called Countdown to Zero Day.

And it’s a really great kind of story, a narrative story on what Stuxnet was, the danger that it caused, the timing at the time that it happened in Iran, and kind of the chaos that was already going on. So if you want to learn more about that, I would check out that book. So what we’re going to do now, we want to look at malware we’re going to go ahead and give a sample of it. We’re going to get the hash of it, we’re going to stick it into VirusTotal and we’re going to see what that looks like. There are lots of malware sample arrays out there. There this is an open one in GitHub.

There are several like it, but this one does have a Stuxnet example of it. And actually if we go back here, you can see some of the files that comes with it. For this. malware.exe is what we’re interested in. The exe most likely the closest thing to what was actually found on those centrifuges. So if we go and click on this exe, it’ll download. It is downloaded.

We’ll open up a terminal here. We’re going to go ahead and proceed in the download to make it easy.

We can see that we have that malware.exe file there in our download folder. So we’re going to use Ubuntu. We’re going to run MD5 sum.

There it’s pass that file. And then it gives us the MD5 hash of that file, which is Stuxnet.

We’re going to copy that hash.

Now, we’re going to come over here to VirusTotal. We’re going to copy and paste that. We’re going to paste that hash into the search bar here, hit enter. And as you can see, 66 out of 72 engines detected it as Stuxnet. You can see it here is the name of a few different places. There’s some details on it, all the different hashes like we talked about when it was first seeing the various names that it has gone under. All those things we talked about in some of the earlier videos.

I’m sure if you go to the community here, there’s a bunch of very interesting analyses that’s been done on it. It took several years before we saw something before we really understood what this was. And part of that was because like this says here, it’s practically harmless on home computers, but extremely dangerous for SCADA systems. And these are those industrial control systems. In this case, those uranium gas centrifuges. OK, so that’s that Stuxnet. That’s a quick overview of Stuxnet. That’s a quick overview of worms, and their capabilities and behaviours. And in the next section, we’re going to talk about trojans.