Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Stuxnet was attacking Iran's nuke program a year earlier than thought

Tim Greene | Feb. 27, 2013
The Stuxnet worm was at work sabotaging a uranium plant in Iran a year earlier than previously thought and before a U.S. covert program to disrupt the facility was officially authorized by former President George W. Bush, according to a report on a previously unknown version of the worm.

The worm also had a state table that laid out how attacks would unfold. This is how Symantec describes it:

" State 0 - Wait: Perform system identification and wait for the enrichment process to reach steady-state before attacking (approximately 30 days).

" State 1 - Record: Take peripheral snapshots and build fake input blocks for replaying later.

" State 2 - Attack centrifuge valves: Begin replaying fake input signals. Close valves on most centrifuges with the exception of the initial feed stage valves.

" State 3 - Secondary pressure reading: Open valves in the final stage of a single cascade to obtain a low pressure reading.

" State 4 - Wait for pressure change: Wait for desired pressure change or time limit. This can take up to two hours.

" State 5 - Attack auxiliary valves: Open all auxiliary valves except valves believed to be near the first feed stage (stage 10). Wait for three minutes in this state.

" State 6 - Wait for attack completion: Wait for six minutes whilst preventing any state changes.

" State 7 - Finish: Reset and return to state zero.

If this workflow is carried out Stuxnet expects pressure in the enrichment system to increase five times normal, the blog post says, which could damage the system and cause the uranium hexafluoride gas to revert to a solid. Symantec says it's unclear how successful these attacks were since it was just looking at the code intended to carry them out, not data on what was actually carried out.

Stuxnet 0.5 had four command and control servers located in the U.S., Canada, France and Thailand, and all their IP addresses are either unavailable or registered to an unrelated party, according to a separate Symantec blog.

The command and control was rudimentary, enabling just downloads of new code and the ability to update itself. It seems intended to be deployed in closed networks and to receive updates from other machines on the same network that are newly infected with the worm via USB sticks. "Stuxnet 0.5 uses Windows mailslots for peer-to-peer communication. Mailslots allow a process to pass a message to another process on a remote computer," the blog post says.

The homepage for the command and control servers was for an entity called Media Suffix, whose motto was "Deliver What the Mind Can Dream".


Previous Page  1  2 

Sign up for Computerworld eNewsletters.