Stuxnet Reveals a New Arms Race
At the Virus Bulletin Conference in Canada, Symantec’s security team revealed a new cyber threat that can sabotage a nuclear plant. The threat, known as the Stuxnet worm, is capable of hijacking software known as programmable logic controllers (PLCs), which are used to control industrial control systems (ICS).
The worm was first seen in June 2010, when it was reported by VirusBlokAda, a security firm in Belarus. The report exposed a new vulnerability in the way Windows operating systems handle LNK, or shortcut, files. The exploit automatically executes an application when a user merely views the directory where the shortcut file resides. The use of this exploit overshadowed the actual threat that Stuxnet carries.
Two months later, a group of security experts from Symantec revealed that Stuxnet targets a Siemens software package called Step7. Step7 applications are used by PLCs, a type of computer used to control gas pipelines and power plants. The Stuxnet worm hijacks PLC code blocks. It uses rootkits to hide its presence and its modifications to the PLC code. The Symantec analysts dubbed it the first PLC rootkit in the wild.
Computers using programmable logic controllers are rarely connected to a network, and the only way they get updated is through USB sticks used to transfer files. The group behind Stuxnet wanted to ensure that it could jump to the computer that controls the ICS. It uses a print spooler exploit to spread across local area networks (LANs) and search for the computer that uses PLC code for testing. It then infects USB sticks with a shortcut file exploit that executes the malware, finally hitting the main target, where the ICS is controlled.
The report also contains leads as to what Stuxnet is actually targeting. The analysts monitored Stuxnet’s command and control (CnC) traffic, with Iran accounting for the highest share of network traffic and infected computers. Engineers from Iran’s Bushehr plant confirmed that most of its computers, even the one used by their PLCs, are infected. They denied, however, that the Stuxnet attack caused any damage to their systems, contradicting speculation that the attack delayed the plant’s opening.
The sophistication of the malware in targeting PLCs while employing two exploits solidifies the idea that this project was backed and financed by a government hostile to Iran’s nuclear project. There are insinuations that Stuxnet was created by the Israeli government, or was made to look as though Israel was behind it, due to the use of “guava” to name the Stuxnet project file. The guava was linked to Esther’s original name; in a story, Esther told the King of Haman of the plot to kill all Jews. The king then ordered the Jews to arm themselves and make the first strike. Another hint is an infection marker in the code that matches the date a Jewish spy was killed. Caution should be exercised, though, in drawing conclusions from such coincidences in the findings, since the Stuxnet authors would have a natural desire to implicate another party.
New Arms Race
A majority of experts agree that this type of software can already be classified as a weapon. It is a cyber weapon created to destroy physical infrastructure. The damage it will deal has a far greater effect than bombing a nuclear facility hidden in a well-protected bunker. Its delivery will be less alarming to the public, drawing little or no attention at all. The public will think that the destruction of the infrastructure is an internal problem brought on by budget constraints and mediocre technology.
Stuxnet has just confirmed that cyber warfare is real. The only cyber defense every country has is still in civilian hands. These security companies thrive on consumer and business spending on their products. We are not sure of the extent of government involvement in this silent war. But we should be glad that there are security companies and experts who disclose what is going on in the cyber world.
Copyright © 2008-2013 Learn How To Remove Spyware | Fix Spyware Infections – Spyware Fix Pro - All Rights Reserved