So many new facts have come up during the last days of hard lab work that many people who followed this blog will have lost track. Before we continue with even more technical stuff, let’s take a short break and put into perspective what we have found so far.
One weapon, two warheads, different targets
Technical analysis shows that Stuxnet contains two different digital warheads that are obviously unrelated. The warheads are considerably different in structure and run on different platforms. Warhead one runs on Siemens S7-315 controllers and is fairly simple in structure. Warhead two runs on S7-417 controllers and is much more complex in structure. Technical analysis shows that both warheads are developed using different tools, perhaps by different teams.
It appears that warhead one and warhead two were deployed in combination as an all-out cyber strike against the Iranian nuclear program. None of the targets, which are detailed below, can be categorized as critical infrastructure; both are dedicated military targets.
Potential target for warhead one: Uranium enrichment plants
Warhead one is running on Siemens S7-315 controllers. It contains the much-quoted DEADFOOT sequence, first discovered by us on Sep 16 2010, where control is temporarily taken away from the legitimate program. Code analysis shows that warhead one manipulates an array of up to 186 high-speed drives attached to up to six Profibus segments. In essence, the manipulation is cycling drive speeds (RPM) between low values and high values. For a gas centrifuge, this will sooner or later result in cracking the rotor, thereby destroying the centrifuge. The configuration suggests that one S7-315 controller is controlling one module within a centrifuge cascade. A centrifuge cascade may consist of several thousand centrifuges, that is, of many cascade modules.
An important strategic aspect for warhead one is that it would very likely be able to attack and destroy centrifuge facilities that are unknown to IAEA inspectors and the world. Actually we believe that this possibility was a major strategic aspect in developing warhead one.
Potential target for warhead two: Bushehr nuclear power plant
Warhead two is running on a Siemens S7-417 controller. It has no obvious relation to warhead one in structure, configuration and timing. The configuration that warhead two is looking for matches that of a steam turbine controller as it is used in power plants, such as the Bushehr nuclear power plant.
To understand the attack, the following should be kept in mind. A nuclear power plant (NPP) isn’t that much different from a fossile power plant in structure. The main thing that’s different is the boiler that generates the steam. In a NPP, that’s where the radiation exists. Outside the primary cycle, a NPP is pretty much like a fossile power plant. Steam is fed to a turbine that converts the steam pressure to rotation, which is then converted to electrical power by a generator. A basic layout of the Bushehr NPP is shown here, with the red marking highlighting the steam turbine by us.
A cyber attack on a NPP intending to blow up the reactor is practically impossible. A cyber attack on equipment outside of the primary cycle IS possible. The component that an attacker would want to go after is the turbine controller. A steam turbine of a NPP, or any big power plant, is quite a big chunk of metal. The K-1000-60/3000-3 turbine that is used in Bushehr is approximately 150 ft in extension. To our best knowledge, it is controlled by a redundant S7-417 controller. Manipulating this controller by malware as we see it in Stuxnet can destroy the turbine as effectively as an air strike.
Code analysis of the 417 attack code brought some shocking news. The attack is much more sophisticated than what we had assumed before. Actually, it carries advanced cyber attack technologies from computers to controllers. Warhead two uses attack technology that had never even thought possible before, namely a man-in-the-middle attack on a PLC, providing the legitimate control program with fake input data, pre-recorded from the actual process by the attack code residing on the controller.
It is obvious that several years of preparation went into the design of this attack. It is also obvious that the attack methodology used is not restricted to specific targets, or controller types and brands.
Stuxnet is like the arrival of an F-35 fighter jet on a World War I battlefield. The technology is that much superior to anything ever seen before, and to what was assumed possible. An aspect that should be kept in mind is that there is no precedence for this type of attack. Before Stuxnet, there was the Maroochi incident back in 2000, where a disgruntled insider intentionally dumped sewage by manipulating control systems. Compared to Stuxnet, this appears like a joke. It’s like going from 80’s style password guessing to APT (advanced persistent threat) cyber attacks in one huge leap with no learning curve.
Who’s behind it
Any discussion about the creators of Stuxnet should consider the following. If chances are that rogue nation states could be behind it, or even botnet operators, as Sean McGurk suggested in his testimony in the US Senate’s hearing on Stuxnet, we had a full-blown crisis. For now, let’s just HOPE the US is the leading force behind Stuxnet.