Stuxnet is a computer worm that was designed to attack Iran’s nuclear facilities but has since evolved and spread to other industrial and energy-producing facilities. The original Stuxnet malware attack was designed to attack programmable logic controllers (PLCs), which are used to automate machine processes.
It was the first known virus capable of crippling hardware. After it was discovered in 2010, it appeared to have been created by the US National Security Agency, the CIA, and Israeli intelligence.
What was the purpose of the Stuxnet worm?
Stuxnet is said to have caused numerous centrifuges at Iran’s Natanz uranium enrichment facility to self-destruct by causing them to burn out. Other groups modified the virus over time to make it attack facilities like water treatment plants, power plants, and gas lines.
Stuxnet was a multi-part worm that spread through Microsoft Windows computers via USB sticks. The virus looked for signs of Siemens Step 7 software on each infected PC, which is used by industrial computers acting as PLCs to automate and monitor electro-mechanical equipment.
The malware attack updated its code over the internet after discovering a PLC computer and began sending damage-inducing instructions to the electro-mechanical equipment the PC controlled.
At the same time, the virus fed the main controller false information. Anyone monitoring the equipment would have seen no indication of a problem until it began to self-destruct.
Stuxnet’s Aftermath
Stuxnet’s creators allegedly programmed it to expire in June 2012, and Siemens issued fixes for its PLC software, but the malware’s legacy lives on in other malware attacks based on the original code. Among the “Sons of Stuxnet” are:
- Duqu (2011). Duqu, which was based on the Stuxnet code, was designed to log keystrokes and mine data from industrial facilities in preparation for a future attack.
- Flame (2012). Flame, like Stuxnet, was spread via USB flash drive. Flame was a sophisticated spyware program that, among other things, recorded Skype conversations, logged keystrokes, and took screenshots. It primarily targeted the Iranian government and educational institutions and some private individuals in other Middle Eastern countries.
- Havex (2013). Havex’s goal was to collect data from companies in the energy, aviation, defense, and pharmaceutical industries. Havex malware primarily targeted organizations in the United States, Europe, and Canada.
- Industroyer (2016). This was aimed at power plants. It is blamed for causing a power outage in Ukraine in December 2016.
- Triton (2017). This malware was designed to target the safety systems of a petrochemical plant in the Middle East, raising concerns about the malware’s intent to injure workers physically.
- The newest (2018). In October 2018, an unnamed virus with Stuxnet-like characteristics reportedly struck unspecified network infrastructure in Iran.
While ordinary computer users have little reason to be concerned about Stuxnet-based malware attacks, they pose a significant threat to a number of critical industries, including power generation, electrical grids, and defense.
While extortion is a common goal for virus creators, the Stuxnet family of viruses appears to be more focused on infrastructure attacks. How can a business safeguard itself against a Stuxnet-related malware attack? SeiMaxim’s recommendations are listed below.
How can Industrial Networks be Protected from Malware Attacks?
When it comes to preventing malware attacks, good IT security practices are always beneficial. Regular patching and updates, strong passwords, password management, and identification and authentication software are all examples of these best practices. Virus scanning (or banning) of all USB sticks and other portable media, as well as endpoint security software to intercept malware before it can travel over the network, are two important practices that may have helped protect against Stuxnet. Other methods for defending industrial networks against attacks include:
- Use firewalls and a DMZ to separate industrial and general business networks.
- Machines that automate industrial processes should be closely monitored.
- Use whitelisting for applications.
- Implement strong physical security for access to industrial networks, including card readers and surveillance cameras, and monitor and log all network activity.
Finally, businesses should develop an incident response plan so they can respond to problems and restore systems quickly. Employees should be trained using simulated incidents, and a security culture should be established.
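The article makes two related points: Stuxnet fed the controller false process data while the equipment was being driven to destruction, and industrial machines should therefore be closely monitored. One concrete form that monitoring can take is to cross-check what the PLC reports with an independent, out-of-band measurement (for example a separate power or vibration sensor) and alert on sustained divergence or on a reported feed that is suspiciously flat. The following Python is an added example written for this page, not code from the article or from SeiMaxim; the sample values, units, tolerance and window sizes are hypothetical.

```python
"""Cross-check PLC-reported telemetry against an independent measurement.

Added example for this page; not code from the article. Speeds, units and
thresholds are hypothetical. A controller can be shown false process data,
so a monitoring layer compares the reported value with an out-of-band
measurement and alerts on sustained divergence or a "too perfect" feed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sample:
    t: int              # sample index or timestamp (arbitrary units)
    reported: float     # value the PLC reports to the operator screen
    measured: float     # value inferred from an independent sensor


def relative_divergence(reported: float, measured: float) -> float:
    """Relative gap between reported and measured values (0.0 when equal)."""
    if measured == 0:
        return 0.0 if reported == 0 else float("inf")
    return abs(reported - measured) / abs(measured)


def find_divergence(samples: List[Sample], tolerance: float = 0.05,
                    min_consecutive: int = 3) -> Optional[int]:
    """Return the t of the first sample at which the divergence has exceeded
    `tolerance` for `min_consecutive` consecutive samples, or None.

    Requiring several consecutive samples keeps a single noisy reading from
    raising an alarm while still catching a sustained discrepancy."""
    run = 0
    for s in samples:
        if relative_divergence(s.reported, s.measured) > tolerance:
            run += 1
            if run >= min_consecutive:
                return s.t
        else:
            run = 0
    return None


def is_flatlined(samples: List[Sample], window: int = 5) -> bool:
    """True when the last `window` reported values are identical while the
    independently measured values vary. Real machines jitter; a reported
    feed that never moves while the sensor does is itself a warning sign."""
    if len(samples) < window:
        return False
    tail = samples[-window:]
    return len({s.reported for s in tail}) == 1 and len({s.measured for s in tail}) > 1


# Constructed data: the PLC keeps reporting a steady 1000 while the
# independent sensor shows the machine ramping well past that value.
CONSTRUCTED = [
    Sample(0, 1000.0, 1000.0),
    Sample(1, 1000.0, 1002.0),
    Sample(2, 1000.0, 998.0),
    Sample(3, 1000.0, 1060.0),   # first sample more than 5 % off
    Sample(4, 1000.0, 1120.0),   # second consecutive
    Sample(5, 1000.0, 1190.0),   # third consecutive -> alert at t=5
    Sample(6, 1000.0, 1260.0),
]

if __name__ == "__main__":
    print("divergence alert at t =", find_divergence(CONSTRUCTED))
    print("flatlined reported feed:", is_flatlined(CONSTRUCTED))
```

The independent sensor must not be readable or writable by the PLC that is being checked, otherwise a compromised controller could falsify both feeds. The tolerance and window are process-specific and should be tuned against the normal variation of the machine being monitored.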