Stuxnet: the most famous APT
What is Stuxnet?
Stuxnet is the best-known APT (advanced persistent threat). It was developed in the 2000s in a joint effort between the US NSA and the Israeli military's cyber division as a tool to delay the Iranian program to develop nuclear weapons. Its creators believed that if Iran came to the verge of developing atomic weapons, Israel would launch airstrikes against Iranian nuclear facilities, which could start a regional war; crippling the hardware with an injected worm was seen as a nonviolent alternative. Stuxnet was specifically coded to target industrial control systems. Its role was to modify the settings of the centrifuges used for nuclear enrichment, slowly raising and lowering the rotor speeds in order to induce vibrations and destroy the machines. Many experts believe that Stuxnet destroyed as many as 1,000 centrifuges.
It captured media attention after it was discovered in 2010, when over fifteen Iranian facilities were attacked by the Stuxnet worm. Stuxnet was never intended to spread beyond the Iranian nuclear facility, but the malware nevertheless ended up on internet-connected computers and began to spread in the wild, though it did little damage to the outside computers it infected. The APT became so famous that a documentary film, "Zero Days", was made about Stuxnet and its unforeseen consequences.
How did it cause damage?
Stuxnet relied on programmable logic controller (PLC) devices being connected to a machine running the Windows operating system. The worm searched each infected PC for Siemens Step 7 software, which industrial computers serving as PLCs use for monitoring and automating electro-mechanical equipment. Once such a PLC computer was found, the malware updated its code over the internet and began sending instructions to damage the electro-mechanical equipment the PC controlled. The worm also sent false feedback to the main controller, so anyone monitoring the equipment would have had no hint of a problem until the equipment began to self-destruct.
How to protect against it?
Standard security practices include regular updates, strong passwords, and identification and authentication software. Two practices that might have helped protect against Stuxnet in particular are virus scanning (or outright banning) of all portable media, and endpoint security software that tries to catch malware before it can travel over the network. Other practices for protecting networks against such attacks include the following:
- Separating the industrial networks from general business networks with firewalls and a demilitarized zone (DMZ)
- Monitoring and logging all activities on the network
- Mission-critical devices that rely on a standard PC platform should not be attached to a WAN unless absolutely necessary, and they must be protected from access by non-critical personnel
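The three network practices above can be turned into a monitoring check that runs over firewall or flow logs. This is an added example, not code from the original article: the subnet layout, the one-record-per-line log format and the sample records are all constructed assumptions.

```python
import ipaddress

# Constructed network layout assumed for this example; adjust to the real site.
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")   # general business LAN
DMZ_NET = ipaddress.ip_network("10.20.0.0/24")        # DMZ between business and industrial networks
ICS_NET = ipaddress.ip_network("10.30.0.0/24")        # PLCs and Step 7 engineering workstations
INTERNAL_NETS = (BUSINESS_NET, DMZ_NET, ICS_NET)


def is_internal(addr):
    """True if the address belongs to one of the three defined internal networks."""
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(line):
    """Evaluate one 'src dst dport action' record (constructed log format).

    Returns the name of the segmentation rule the flow violates, or None.
    Only flows the firewall ALLOWED can be violations; DENY records are the
    policy working as intended and are kept in the log for monitoring.
    """
    src_s, dst_s, _dport, action = line.split()
    if action != "ALLOW":
        return None
    src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
    # Mission-critical ICS hosts must not reach the WAN at all.
    if src in ICS_NET and not is_internal(dst):
        return "ics-to-wan"
    # Business <-> ICS traffic must terminate in the DMZ, never cross directly.
    if src in BUSINESS_NET and dst in ICS_NET:
        return "business-to-ics-bypassing-dmz"
    if src in ICS_NET and dst in BUSINESS_NET:
        return "ics-to-business-bypassing-dmz"
    return None


def scan(lines):
    """Return (rule, record) pairs for every record that violates a rule."""
    return [(rule, line) for line in lines if (rule := check_flow(line)) is not None]


# Constructed sample records; TCP/102 is the S7 protocol port used to talk to Siemens PLCs.
SAMPLE_LOG = """\
10.10.5.12 10.20.0.5 443 ALLOW
10.20.0.5 10.30.0.20 102 ALLOW
10.10.5.12 10.30.0.20 102 ALLOW
10.30.0.20 198.51.100.23 80 ALLOW
10.30.0.20 198.51.100.23 80 DENY
10.30.0.20 10.30.0.21 102 ALLOW
""".splitlines()

if __name__ == "__main__":
    for rule, record in scan(SAMPLE_LOG):
        print(f"{rule}: {record}")
```

Of the six sample records only the direct business-to-ICS connection and the ICS host reaching a WAN address are reported; traffic relayed through the DMZ and traffic staying inside the industrial network pass.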
Finally, organizations should develop an incident response plan so that they can respond to problems and restore systems quickly.