Stuxnet, the most complex virus ever and how it took down part of the Iranian nuclear industry

Readwriteweb has an amazing story about Stuxnet. It features an analysis from Symantec of the anatomy, the distribution and the repercussions of the most complex computer virus ever seen. Stuxnet was very specifically aimed at the Siemens Step 7 Programmable Logic Controllers. These are used for controlling input/output in manufacturing environments, oil facilities, electrical distribution systems, and nuclear power plants. The Siemens S-7 (pictured below) controls, among other things, valves and switches.

the Siemens Step 7 Programmable Logic Controller

The makers of the virus (some 10,000 lines of code that took man-years to develop) knew that the Siemens controllers were used in Iranian nuclear power plants. Of the 9,000 controllers in operation in Iran, the virus took down about 1,000 of them. The considerable damage caused by the virus eventually set back the Iranian nuclear program by a year or more.

For the virus to do its work, the makers had to overcome many hurdles. One of them was that the controllers weren’t connected to the internet, so some old-school human engineering was needed for the plan to work:

The authors targeted the five potential subcontractors of the plant, knowing that eventually a worker at one of them would carry their laptop into the plant and use a thumb drive to load some software onto the controller PCs. The virus used a special zero-day attack that hadn’t been seen previously that changed a Windows file icon shown in Explorer so that just viewing the file would compromise the PC.

and about the ingenuity of the virus itself:

…the programming skills were very sophisticated. There were 15 different modules to the software, and five different concealing mechanisms built in. There were also two rootkits, one for the host PC and one on the Siemens controller itself running a special embedded OS called Step7. The virus authors had also stolen two digital certificates from companies that were physically adjacent to each other in a Taiwan business park. Why two? Because the first one was discovered and expired before the virus could be deployed. All in all, there were six zero-day infections coded into the virus. To give you an idea of this scope, Symantec found all of 14 total zero-day attacks in all of 2010.

The authors of the virus aren’t known (yet), but the complexity of the virus and the information the authors had point to a state-sponsored effort (US, Israel?). It shows that cyber warfare can cause physical damage. This is only the first step, I’m afraid. Read the complete article.

Also, take a look at this video that explains it all.

Update: it seems that Israel was behind it.