Symantec discovers Stuxnet’s alternate attack method

February 28, 2013

Symantec has reportedly discovered new intelligence on the earliest known version of Stuxnet.

In operation as early as 2007, this newly uncovered version featured an entirely different attack mechanism than its successors, a company release said.

The release adds that rather than affecting the speed of uranium enrichment centrifuges, Stuxnet 0.5 was designed to close crucial valves that feed uranium hexafluoride gas into the centrifuges, causing serious damage to the centrifuges and the uranium enrichment system as a whole. In addition, hints in this early version indicate work on the Stuxnet project as a whole could date back to 2005 or earlier. This was a time when hackers worked for bragging rights and treated “tricking users” as a hobby, rather than developing highly sophisticated cyber sabotage threats. Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure.

In contrast, later versions of Stuxnet were designed to interrupt the enrichment of uranium and ultimately damage or destroy centrifuges by speeding them up and slowing them down at intervals. These later versions of the malware were ultimately discovered in July 2010 after spreading beyond the intended target of a uranium enrichment facility in Natanz, Iran.

Stuxnet 0.5 was a highly targeted attack with the purpose of cyber sabotage, and it followed this sequence:

· State 0 (Wait): Perform system identification and wait for the enrichment process to reach steady state before attack. This can take approximately 30 days.

· State 1 (Record): Take peripheral snapshots and build fake input blocks for replaying later.

· State 2 (Attack centrifuge valves): Begin replaying fake input signals. Close valves on most centrifuges.

· State 3 (Secondary pressure reading): Open both centrifuge and feed stage valves in the final stage of a single cascade to obtain a low pressure reading.

· State 4 (Wait for pressure change): Wait for desired pressure change or time limit. This can take up to approximately two hours.

· State 5 (Attack auxiliary valves): Open all auxiliary valves except valves believed to be near the first feed stage. Wait for three minutes in this state.

· State 6 (Wait for attack completion): Wait for six minutes while preventing any state changes.

· State 7 (Finish): Reset and return to state zero.
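States 1 and 2 depend on recording input values and replaying them later, and replayed data leaves a trace a defender can look for: a block of readings that reappears verbatim. The following check is an added example, not code from Symantec's release; the function names, window size and integer sample counts are assumptions, and it presumes readings are logged with enough resolution that genuine process noise never repeats exactly.

```python
def find_replayed_windows(samples, window=6, min_distinct=3):
    """Find blocks of readings that reappear verbatim later in the series.

    Returns a list of (original_start, replay_start, length) tuples.
    """
    seen = {}   # window contents -> index where first observed
    hits = []
    i, n = 0, len(samples)
    while i + window <= n:
        key = tuple(samples[i:i + window])
        first = seen.get(key)
        # Skip near-constant windows (a stuck or saturated sensor is a different
        # alarm) and require the earlier copy to end before this one begins.
        if first is not None and i - first >= window and len(set(key)) >= min_distinct:
            length = window
            # Grow the match while both runs stay identical and do not overlap.
            while (i + length < n and first + length < i
                   and samples[first + length] == samples[i + length]):
                length += 1
            hits.append((first, i, length))
            i += length
            continue
        seen.setdefault(key, i)
        i += 1
    return hits


def genuine_reading(t):
    # Constructed stand-in for a noisy raw sensor count; unique for every t < 101.
    return 2000 + (t * 37) % 101


# Constructed data: 40 live readings, then the block recorded at t=20..29 replayed twice.
LIVE = [genuine_reading(t) for t in range(60)]
TAMPERED = LIVE[:40] + LIVE[20:30] * 2

if __name__ == "__main__":
    print(find_replayed_windows(LIVE))
    print(find_replayed_windows(TAMPERED))
```

The check is only as trustworthy as the path the readings arrive on, so it is most useful on values collected independently of the controller being monitored.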

Symantec says that the discovery of Stuxnet 0.5 further clarifies the evolution of Stuxnet.

To put this evolution in context, we have mapped key dates of Stuxnet development against low-enriched uranium (LEU) production levels at Natanz. Interesting events are dips in feed or production amounts and lower levels of production given the same or greater feed amounts.

Whether Stuxnet 0.5 was successful is unclear, but later versions of Stuxnet were developed using a different development framework, became more aggressive, and employed a different attack strategy that changed the speeds of the centrifuges instead, suggesting Stuxnet 0.5 did not completely fulfill the attacker’s goals.
