What the Heck Was Stuxnet!?
As many of you know, I firmly believe that hacking is THE skill of the future. Although the term "hacking" often conjures up the image of a pimple-faced script kiddie in their mother's basement transfixed by a computer screen, the modern image of the hacker in 2015 is that of a professional in a modern, well-lit office, hacking and developing exploits for national security purposes. As the world becomes more and more digitally dependent and controlled, those who can find their way into and out of these systems will be in great demand.
More and more, international relations are done and dictated by hackers who work for national militaries, espionage, and security organizations. EVERY government now employs hackers to spy, steal, and disable their opponents.
Probably the best example of how international relations are being dictated by hackers and hacking is the worm that became known as "Stuxnet."
Stuxnet is/was a worm that by all indications was probably released into the wild by the NSA in 2009. The U.S. government, worried about the rapid advance of Iran's nuclear development program, was being pressured to take military action to stymie the developments. There was precedent for a stealth bombing attack, similar to the one Israel conducted in 1981 against Iraq's nuclear power plant. Such a "kinetic" attack would likely cost many lives, provoke international outrage, and possibly elicit a counterattack from Iran. Could there be a better way?
The NSA and other national security leaders in the U.S. believed there was. What if the U.S. could hack into the nuclear facilities and disable them?
As it turned out, that is exactly what happened. The NSA was able to hack into the nuclear facilities in Iran and, by messing with the controllers of their centrifuges, set back the Iranian nuclear ambitions by several years. It was this hack that made possible the present warming of relations between the U.S. and Iran and the proposed lifting of sanctions that was announced by President Obama in April. Stuxnet was the most sophisticated malware in history.
The NSA knew (using good, old "cloak and dagger" spying) that the Iranians had purchased programmable logic controllers (PLCs) from Siemens of Germany for their centrifuges (a centrifuge is a device that spins very rapidly and precisely in order to enrich, in this case, uranium). They then acquired the specs for the Siemens controllers and set to work.
The NSA developed a worm that used a zero-day vulnerability in Microsoft Windows that became known as MS10-046, a flaw in how Windows processes shortcut (.lnk) files. This vulnerability is nearly identical to the one we used here in this tutorial.
The worm was then released into the wild and infected machines throughout the Middle East and the world. Since the nuclear facilities in Iran had no Internet connection, the worm's authors were counting on infecting so many systems that eventually someone would walk the worm in on a thumb drive or other removable device. In fact, that is exactly what happened.
Once inside the Windows operating system, Stuxnet then targeted the operating system of the Siemens PLCs.
One of the most interesting parts of the hack is that it used signed drivers to get past Microsoft's requirement that all drivers carry the certificate of a legitimate software company. As you know, Microsoft's operating systems guard against malicious software masquerading as new drivers (which then have access to the kernel) by checking the driver's certificate. Stuxnet initially used the certificate of Realtek, and when Verisign revoked Realtek's certificate, Stuxnet switched to the certificate of a little-known Taiwanese company called JMicron. This clearly illustrates the weakness of this certificate-based signing system.
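To make the weakness described above concrete, here is an added Python model that is not code from the article and is not Windows' actual Authenticode implementation. It constructs a toy CA, a vendor certificate, a driver loader that checks only the certificate chain and the driver signature, and a second loader that also consults a revocation list. HMAC keys stand in for the real public-key signatures, and every company name, key, serial and driver image below is constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed root-CA secret. In reality the CA holds a private key and the
# loader verifies with its public key; HMAC stands in for RSA/ECDSA here.
CA_KEY = hashlib.sha256(b"constructed CA secret").digest()


@dataclass(frozen=True)
class Certificate:
    subject: str         # company the CA vouches for
    serial: str          # what a revocation list identifies a cert by
    signing_key: bytes   # toy stand-in for the subject's key pair
    ca_signature: bytes  # CA's signature over subject, serial and key


@dataclass
class TrustStore:
    revoked_serials: set = field(default_factory=set)


def _cert_tbs(subject: str, serial: str, key: bytes) -> bytes:
    """The 'to be signed' portion of the toy certificate."""
    return f"{subject}|{serial}|".encode() + key


def issue_certificate(subject: str) -> Certificate:
    """The CA binds a subject name to a key (all values constructed)."""
    key = hashlib.sha256(b"constructed key for " + subject.encode()).digest()
    serial = hashlib.sha256(subject.encode()).hexdigest()[:16]
    sig = hmac.new(CA_KEY, _cert_tbs(subject, serial, key), hashlib.sha256).digest()
    return Certificate(subject, serial, key, sig)


def sign_driver(cert: Certificate, driver: bytes) -> bytes:
    """Whoever holds the certificate's key can sign any driver image."""
    return hmac.new(cert.signing_key, driver, hashlib.sha256).digest()


def cert_chains_to_ca(cert: Certificate) -> bool:
    """Was this certificate really issued by our CA?"""
    expected = hmac.new(CA_KEY, _cert_tbs(cert.subject, cert.serial, cert.signing_key),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.ca_signature)


def naive_loader_accepts(cert: Certificate, driver: bytes, signature: bytes) -> bool:
    """Chain check plus signature check, with no revocation lookup at all."""
    return cert_chains_to_ca(cert) and hmac.compare_digest(sign_driver(cert, driver), signature)


def revocation_aware_loader_accepts(cert: Certificate, driver: bytes,
                                    signature: bytes, store: TrustStore) -> bool:
    """Same checks, but a revoked serial is rejected no matter how valid the signature is."""
    if cert.serial in store.revoked_serials:
        return False
    return naive_loader_accepts(cert, driver, signature)


def demo() -> dict:
    """Walk through the before/after-revocation scenario and return each verdict."""
    store = TrustStore()
    vendor = issue_certificate("Legitimate Hardware Vendor (constructed)")
    benign = b"constructed benign driver image"
    rogue = b"constructed unwanted kernel module"  # signed with the vendor's stolen key
    benign_sig = sign_driver(vendor, benign)
    rogue_sig = sign_driver(vendor, rogue)

    # A certificate the CA never issued: rejected regardless of its driver signature.
    self_issued = Certificate("Impostor (constructed)", "deadbeef", b"x" * 32, b"\x00" * 32)

    results = {
        "benign_accepted": revocation_aware_loader_accepts(vendor, benign, benign_sig, store),
        "naive_accepts_rogue_before_revocation": naive_loader_accepts(vendor, rogue, rogue_sig),
        "tampered_driver_accepted": naive_loader_accepts(vendor, rogue + b"!", rogue_sig),
        "self_issued_cert_accepted": naive_loader_accepts(
            self_issued, rogue, sign_driver(self_issued, rogue)),
    }
    # The CA learns the vendor's key was abused and revokes the certificate.
    store.revoked_serials.add(vendor.serial)
    results["naive_accepts_rogue_after_revocation"] = naive_loader_accepts(vendor, rogue, rogue_sig)
    results["aware_accepts_rogue_after_revocation"] = revocation_aware_loader_accepts(
        vendor, rogue, rogue_sig, store)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The loader that never consults revocation keeps accepting the rogue driver even after the certificate is revoked, which is exactly the window the article describes. Revocation also does nothing against a second, different certificate that is still valid, so defenders additionally watch for kernel drivers signed by publishers that have no business being on the machine.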
The Stuxnet worm, once it had penetrated the Microsoft operating system and then the PLCs' OS, had the centrifuges spinning out of control, eventually leading to their destruction. Since Stuxnet had penetrated ring 0 of the operating system (kernel level), it could control what the operating system reported to the user. As such, the operators of the plant were totally unaware of anything going wrong until it was too late. In this way, the Iranians remained unaware of the hack, and the end result of months and years of work was improperly enriched uranium that was not suitable for use in peaceful nuclear applications, much less nuclear weapons.
Stuxnet was the MOST sophisticated hacking attack in the world of cyber warfare yet known, but I am certain it has been and will be superseded by other attacks soon. One more reason to keep developing your hacking skills here at Null Byte, my rookie hackers!