The story of Stuxnet: A ‘revolution’ in cyber warfare

For decades, the damage wrought by computer viruses was confined to the digital realm. Hackers infiltrated computer systems mostly as displays of bravado, to harass users or deface websites. Later they began to steal passwords, snoop on Internet activity or swipe sensitive personal information, such as bank account numbers. These days, the most common threats come from so-called “cyber-spies” who lurk in the dark recesses of the Internet, seeking to penetrate the defenses of large corporations, governments or data networks, like the intruders who brought down the PlayStation gaming network earlier this year and stole the personal information of more than 77 million users.

The National Cybersecurity and Communications Integration Center prepares for the Cyber Storm III exercise at its operations center in Arlington, Va. Photo: AP/J. Scott Applewhite

But Stuxnet was something different. The people who created Stuxnet, whoever they are, weren’t interested in cracking someone’s bank account or stealing their credit card numbers. They weren’t interested in extracting top-secret information from Iranian government servers, or spying on the regime’s political or financial activities. Stuxnet was designed for the singular purpose of disrupting Iran’s uranium-enrichment program: identifying, for example, the equipment responsible for regulating the speed of the spinning centrifuges, and blowing that equipment apart.

Stuxnet is, by all accounts, the first computer worm to make the leap from the digital realm to the real world, by wreaking havoc on industrial equipment. Cyber-security experts are awed by the sophistication of the worm, its ability to spread undetected from one computer to the next, its talent for identifying, with unprecedented specificity, the industrial controls in Iran’s uranium-enrichment facilities. How the hackers who created Stuxnet did much of that is still unclear. What’s certain, though, is that Stuxnet represents a new phase in the ever-evolving world of cyber-warfare — a “revolution,” as one analyst put it, in the creation and dissemination of malicious code.

For more information on Stuxnet and the history of cyber-security, read the explanations of the questions you answered during your mission to disable the Acme Uranium Enrichment Facility below.


Question 1: A computer “worm” is different from a “virus” in that:
It doesn’t need to attach itself to an existing program.

Stuxnet isn’t your father’s malware. The code not only self-replicates, like a virus, it also spreads without having to attach itself to an existing program, allowing it to pass from one system to another undetected by users. In this case, Stuxnet spread to its host computers from simple thumb drives, eventually reaching the Iranian nuclear facility in Natanz. Often computer worms have what experts call a “payload” — the malicious impact of the program, such as deleting files or taking control of an operating system. In the case of Stuxnet, the payload was much more sophisticated: identify and hijack the industrial equipment responsible for enriching uranium at Iran’s nuclear facility, and stop Iranian engineers from disrupting Stuxnet’s work.

Question 2: In 1988, a 23-year-old Cornell graduate student:
Created the first Internet worm

In 1988, Robert Tappan Morris, a graduate student at Cornell University, had a simple goal: to count how many computers were connected to the Internet. To do so, he created what later became known as the “Morris worm,” by most accounts the first computer worm in history. The worm spread from one computer to the next, tallying the number of computers it infected for Morris’s research. But Morris made the mistake of instructing the worm to reinfect a computer in some cases even when it detected that it had already infected that machine. As a result, the worm spread rapidly, infecting as many as 10 percent of the computers on the Internet and, by some estimates, costing millions of dollars in damage. Morris was tried and convicted under the Computer Fraud and Abuse Act. He is now a professor of computer science at the Massachusetts Institute of Technology.

Question 3: What does the “235” refer to in uranium-235?
Its mass

Uranium-235 is one of the more stable isotopes of the naturally occurring element uranium, and one of only two “fissile isotopes,” along with plutonium-239, that can be used in a chain reaction of nuclear fission. Fission is a nuclear reaction that breaks apart an isotope, in this case uranium, into two or more elements, releasing massive amounts of energy that can be used to provide power or explode a nuclear bomb. Nuclear fuel produces millions of times more energy than an equivalent mass of chemical fuel, such as gasoline. A nuclear plant is designed to produce a steady, regulated supply of this energy, while a bomb is designed to release all of the energy at once.

Question 4: Crack the cryptograph: IBDLFS means:

Encryption, the process of transforming information using a special “cipher,” or code, is an important tool in the field of cyber-security. When you access a website containing sensitive information — your online banking portal, for example — you might notice an “HTTPS” at the beginning of the URL. This indicates, essentially, that the information you are entering and viewing is encrypted and protected from snoopers who might try to steal your personal data. But encryption isn’t the only technique used to protect sensitive information, and Stuxnet exploited several apparent loopholes in the Iranian security system. For example, the creators of Stuxnet somehow acquired highly guarded security certificates that allowed the worm to gain access to Iranian computer systems. That indicates that Stuxnet was likely created by a government rather than a group of rogue hackers, analysts say.

Question 5: Which is not associated with computer viruses or worms?
Scarlet Trumpet

Like the wooden horse of the Greek myth, a Trojan Horse computer program disguises itself as a benign or even useful application to trick users into downloading the program onto their computers, where it can then cause destruction or steal sensitive information. A Trojan Horse is different from a virus in that a virus replicates itself. The first known computer virus was called “Brain,” or in some circles the “Pakistani Flu,” because it was written in 1986 by two brothers living in Lahore, Pakistan. The brothers claim the program was written to defend their medical software from piracy, by attacking copyright infringers, and not for any malicious purpose.

Question 6: About how many lines of code is Stuxnet?

The success of Stuxnet relied in large part on its ability to spread rapidly and without detection. The creators of the worm accomplished that feat, analysts say, by making Stuxnet relatively small and nimble compared to most other computer worms. At about 15,000 lines of code, Stuxnet was smaller than the average size of a digital image or music file on your home computer. That enabled Stuxnet to hide on an everyday flash drive, waiting to be plugged into a computer and find its way to Iran’s nuclear facility in Natanz.

Question 7: How much money did the Pentagon request for cyber-security in the 2012 budget submitted to Congress?
$3.2 billion

The Pentagon originally requested $2.3 billion to bolster its network security systems when President Obama first submitted his 2012 budget proposal to Congress in February. But a month later, the Defense Department revised that request to $3.2 billion. The increase in funding represents a larger expansion of the government’s “cyber-security posture,” a Pentagon spokeswoman told the National Journal in March.

Question 8: To which of the following facilities does Stuxnet pose the smallest threat?

The key feature of Stuxnet is that it was not designed to steal sensitive personal or financial information but to cause actual physical damage in the real world. That sets Stuxnet apart from its predecessors in the field of cyber-security, and represents a new phase in the world of cyber-warfare. A worm like Stuxnet might not be dangerous to a financial institution like a bank, but it could be lethal to a power plant or manufacturing facility, wreaking havoc on a country’s economy, transportation infrastructure or energy grid.

Question 9: If Stuxnet were a real worm instead of a computer worm, which would be a fair statement?
There’s an Oligochaeta in the SCADA!

Stuxnet was designed to hijack the Iranian nuclear facility’s supervisory control and data acquisition (SCADA) system. A SCADA system is responsible for controlling industrial processes, such as those at a manufacturing or power plant. In this case, the system helped regulate the speed of the centrifuges responsible for enriching uranium at the Iranian nuclear facility in Natanz. The Stuxnet worm uploaded malicious code to the programmable logic controllers that regulated the speed of the centrifuges, forcing them to spin wildly out of control. Stuxnet also disguised what it was doing by sending the Iranian engineers at the facility a false report, and by preventing the engineers from overriding it even if they did find out.