Stuxnet is a computer worm that was used to attack Iranian nuclear facilities. Learn more about this significant cyber attack below.


What is Stuxnet?

Stuxnet is a malicious computer worm that became infamous for its use in attacks on Iranian nuclear facilities. The attack made global news headlines in 2010, when the worm was first discovered. As Malwarebytes’ Senior Director of Threat Intelligence Jérôme Segura said in his article Stuxnet: new light through old windows, “Very few pieces of malware have garnered the same kind of worldwide attention as Stuxnet.”

Although Stuxnet, like any computer worm, is malicious software, it has been used to attack electro-mechanical equipment. In the major attack in Iran, attackers used Stuxnet to exploit multiple zero-day Windows vulnerabilities, search infected PCs for a connection to the software that controlled the electro-mechanical equipment, and send instructions intended to damage that equipment. While many types of malware infect a computer through the Internet, another unusual feature of the Stuxnet attack in Iran is that the malware was introduced to the PCs via infected USB drives.

Is Stuxnet a virus?

Many people call the malware the “Stuxnet virus” even though it’s not a computer virus — it’s a computer worm. Although both viruses and worms are types of malware that can corrupt files, a computer worm can be far more sophisticated. For starters, unlike a virus, a worm doesn’t require human interaction to activate. Instead, it self-propagates, sometimes prolifically, after it enters a system. Besides deleting data, a computer worm can overload networks, consume bandwidth, open a backdoor, diminish hard drive space, and drop other dangerous malware such as rootkits, spyware, and ransomware.

What was the Stuxnet attack in Iran?

According to the book “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon”, in 2010 visiting inspectors from the Atomic Energy Agency were surprised to see many of Iran’s centrifuges failing. Neither the Iranians nor the inspectors could fathom why the Siemens-made equipment, designed to enrich uranium for nuclear reactors, was malfunctioning so catastrophically.

It was hard to imagine that a piece of malicious software was responsible. After all, Iran’s nuclear facilities were air gapped — meaning they weren’t connected to a network or the Internet. For a malware attack to occur on the air-gapped uranium enrichment plant, someone must have knowingly or unknowingly introduced the malware physically, perhaps through an infected USB drive.

When a security team from Belarus came to investigate some malfunctioning computers in Iran, it found a highly complex piece of malicious software. This aggressive malware would later spread further into the wild, and researchers dubbed it Stuxnet, the “world’s first digital weapon.”

Why was Stuxnet so dangerous?

Experts call Stuxnet an incredibly complex piece of code and the world’s first cyberweapon. It may have physically degraded nearly 1,000 Iranian centrifuges. Stuxnet worked by infecting the programmable logic controllers (PLCs) that controlled the centrifuges and sabotaging them.

Centrifuges spin at extraordinarily high speeds, creating a force many times greater than gravity in order to separate elements in uranium gas. The worm manipulated the centrifuges’ operating speed, creating enough stress to damage them. Stuxnet took its time, waiting weeks to slow the centrifuges down after accelerating them temporarily, which made its activity hard to detect.

Stuxnet was also hard to detect because it was a completely new piece of malware, an emerging threat with no known signatures. In addition, Stuxnet exploited multiple zero-day vulnerabilities, which are software security flaws for which no fix yet exists.

Stuxnet also sent fake industrial process control sensor signals to hide its presence and malicious activity, and it was able to drop a rootkit. Rootkits can give a threat actor control of a system at its core; with a rootkit installed, Stuxnet was even more capable of furtive action.
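One defensive counterpart to the faked sensor signals and speed manipulation described above, as an added example that is not from the article or from any real PLC deployment: a monitor that cross-checks the speed the HMI reports against an independent measurement and also flags a reported stream that is suspiciously frozen, as a replayed recording tends to be. The sample telemetry, the safe band and the thresholds are constructed.

```python
# Added example, not from the Malwarebytes article or from Stuxnet itself:
# cross-check what the PLC/HMI reports against an independent sensor so a
# spoofed "all normal" reading cannot mask a real speed excursion.
# All rpm values, the safe band and the thresholds below are constructed.
from dataclasses import dataclass
from statistics import pstdev

@dataclass
class Sample:
    t: int               # minutes since start (constructed)
    reported_rpm: float  # value the PLC/HMI reports; can be spoofed
    measured_rpm: float  # out-of-band measurement, e.g. from drive power draw

SAFE_BAND = (59_000, 61_000)  # assumed nominal rotor speed window
MAX_DIVERGENCE = 500          # reported vs measured tolerance (rpm)

def check_sample(s: Sample) -> list[str]:
    """Rules that fire on a single sample."""
    alerts = []
    if abs(s.reported_rpm - s.measured_rpm) > MAX_DIVERGENCE:
        alerts.append("sensor_mismatch")    # HMI disagrees with reality
    if not SAFE_BAND[0] <= s.measured_rpm <= SAFE_BAND[1]:
        alerts.append("speed_out_of_band")  # physical stress on the rotor
    return alerts

def scan(samples: list[Sample]) -> list[tuple[int, list[str]]]:
    """Return (time, alerts) for every sample that trips a rule."""
    return [(s.t, a) for s in samples if (a := check_sample(s))]

def replay_suspected(samples: list[Sample], window: int = 4) -> list[int]:
    """End times of windows where the reported stream is frozen while the
    independent one still moves: a replayed recording is unnaturally static."""
    hits = []
    for i in range(window, len(samples) + 1):
        chunk = samples[i - window:i]
        if (pstdev(s.reported_rpm for s in chunk) == 0
                and pstdev(s.measured_rpm for s in chunk) > 0):
            hits.append(chunk[-1].t)
    return hits

# Constructed telemetry: the HMI shows a steady 60,000 rpm while the
# independent sensor sees an overspeed at t=2 and a slowdown at t=4.
TELEMETRY = [
    Sample(0, 60_000, 60_050), Sample(1, 60_000, 59_980),
    Sample(2, 60_000, 84_000), Sample(3, 60_000, 60_010),
    Sample(4, 60_000, 12_000), Sample(5, 60_020, 60_020),
]
```

Running `scan(TELEMETRY)` flags t=2 and t=4 on both rules, and `replay_suspected(TELEMETRY)` flags the windows ending at t=3 and t=4, where the reported value never moved while the measured one did.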

Cybersecurity best practices for industrial networks

Strong cybersecurity measures are critical to any business. Reports of cyberattacks are in the news regularly, and it’s not always malicious software attacking other software; as in the case of Stuxnet, malware can ultimately be used to attack electro-mechanical devices, hardware, and infrastructure.

One of the most notable cybersecurity incidents of 2021 was a ransomware attack that shut down the largest fuel pipeline in the US for nearly a week. It was later determined that a single compromised password enabled the attack. Other ransomware attack targets during the year included the world’s largest meatpacker and the largest ferry service in Massachusetts.

Whether it’s ransomware, computer worms, phishing, business email compromise (BEC), or another threat that keeps you up at night, you can take steps to protect your business. In our mission to bring cyberprotection to everyone, Malwarebytes offers security solutions to businesses of all sizes. Your company can also adopt security best practices, such as:

  • Apply a strict Bring Your Own Device (BYOD) policy that prevents employees and contractors from introducing potential threats.
  • Air gap any computers that could affect national security.
  • Air gap all legacy systems that serve as human interfaces.
  • Adopt a sophisticated password regime with two-factor authentication that hinders brute force attacks and prevents stolen passwords from becoming threat vectors.
  • Secure computers and networks with the latest patches.
  • Use AI-powered cybersecurity software with machine learning capabilities.
  • Apply easy backup and restore at every possible level to minimize disruption, especially for critical systems.
  • Constantly monitor processors and servers for anomalies.
  • Consider a demilitarized zone (DMZ) for industrial networks.
  • Look into application whitelisting for enhanced software security.
