Stuxnet analysis by Langner

Our Stuxnet analysis is considered a milestone in cyber forensics. Here is the one-stop place where you can access our most consequential material.
In the summer of 2010, a piece of malware of unprecedented complexity made the news. It used multiple zero-day exploits and was dubbed “Stuxnet” by anti-virus companies. Even though it proved to be the most sophisticated piece of malicious code known to man, nobody had a clue what its purpose was. The simple reason: all IT security experts were looking in the wrong direction. Stuxnet didn’t act like any previous malware. Its objective was not the theft or manipulation of data. It was the physical destruction of gas centrifuges in the Natanz fuel enrichment plant, the crown jewel of Iran’s nuclear program.

Once rumors emerged that Stuxnet could be targeting industrial control systems, our team downloaded a copy of the malware and started an analysis that ultimately spanned three whole years. In the course of this analysis, we:

– identified that Stuxnet was a targeted cyber-physical attack, aimed at one specific, unique target
– identified that this target was the Iranian nuclear program (something that nobody wanted to believe — for months)
– analyzed the exact details of how this attack, or more accurately: these two attacks, were intended to work.

The Stuxnet analysis team, from left to right: Ralf Rosen, Andreas Timm, Ralph Langner. Picture taken on Sep 16, 2010, when we published that Stuxnet was a targeted cyber-physical attack against the Iranian nuclear program.

Videos

The Stuxnet Story

Ralph Langner’s TED talk
Stuxnet Technical Deep Dive at S4x12
German Language Introduction

Documents

To kill a centrifuge

A summary of three years of forensic analysis, with a special focus on how the two versions of Stuxnet are dramatically different, and what that means for understanding the campaign.

Stuxnet’s secret Twin

Abbreviated version of “To kill a centrifuge” for Foreign Policy

Stuxnet und die Folgen

Updated and extended 2017 German-language version of “To kill a centrifuge”, with lots of material that was excluded from the original English-language text, such as samples of the attack code and a timeline of Stuxnet-related events.