Stuxnet: The Cyberweapon That Used Four Zero-Days Simultaneously
Summary
Stuxnet, discovered in 2010, was a computer worm designed to sabotage Iranian uranium enrichment centrifuges at the Natanz facility. It was the first cyberweapon to cause physical destruction of industrial equipment. What made Stuxnet technically unprecedented was its use of four previously unknown (zero-day) Windows vulnerabilities simultaneously — an unheard-of level of sophistication. The previous record for zero-days in a single piece of malware was one. Stuxnet was widely attributed to the United States and Israel, though neither government officially acknowledged it.
The Technical Design
Stuxnet was designed with extreme specificity. It infected Windows computers through multiple vectors (including USB drives and network shares), spread through a network, and then checked whether it was running on a machine connected to Siemens S7-300 programmable logic controllers (PLCs) controlling Siemens frequency converter drives operating at speeds between 807 and 1210 Hz — the specific configuration used for uranium enrichment centrifuges.
Only if all these conditions were met would Stuxnet activate its payload. Infected machines that did not meet these criteria were used only for spreading; the worm did nothing destructive on non-target systems.
The four zero-days used:
- Windows Shell LNK file parsing vulnerability (CVE-2010-2568)
- Windows Print Spooler service vulnerability (CVE-2010-2729)
- Windows Task Scheduler privilege escalation (CVE-2010-2772)
- Windows Win32k.sys keyboard-layout privilege escalation (CVE-2010-2743, MS10-073)
Each zero-day was a distinct, previously unknown vulnerability. (Stuxnet also exploited the older Windows Server Service flaw MS08-067, but that vulnerability had already been patched in 2008 and so was not a zero-day.) Cybersecurity researchers universally described the combination as the work of a well-resourced nation-state. Zero-days are expensive to acquire and use; using four simultaneously would be rational only if the operation required absolute reliability in a one-shot mission.
The Physical Effect
Once on a Siemens PLC at Natanz, Stuxnet modified the PLC logic driving the frequency converters to alternately speed up and slow down the centrifuges — causing mechanical stress that damaged or destroyed them — while reporting normal operation to the monitoring systems. Operators watching their dashboards saw normal readings while their centrifuges were being destroyed.
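The article describes two symptoms a defender could have looked for: the drives being pushed outside their 807–1210 Hz operating band, and the monitoring systems being told everything was normal. The following is an added illustration, not code from the article or from any Stuxnet analysis, of a cross-check that trusts neither feed alone: it compares HMI-reported speed against an independent out-of-band sensor and counts abrupt speed reversals. The telemetry, the 5 Hz tolerance and the 100 Hz swing threshold are constructed assumptions.

```python
from dataclasses import dataclass
# Operating band named in the article; tolerance and swing are assumed values.
NORMAL_BAND_HZ = (807.0, 1210.0)
TOLERANCE_HZ = 5.0      # max accepted gap between HMI reading and sensor
SWING_HZ = 100.0        # step size that counts as an abrupt speed change

@dataclass
class Sample:
    t: int            # seconds since start of the observation window
    hmi_hz: float     # speed as reported by the PLC/HMI (may be spoofed)
    sensor_hz: float  # speed from an independent, out-of-band sensor

def check_sample(s):
    """Return findings for one sample: band violation, HMI/sensor mismatch."""
    findings = []
    lo, hi = NORMAL_BAND_HZ
    if not lo <= s.sensor_hz <= hi:
        findings.append("out_of_band")
    if abs(s.hmi_hz - s.sensor_hz) > TOLERANCE_HZ:
        findings.append("hmi_sensor_mismatch")
    return findings

def count_reversals(samples):
    """Count alternating speed-up/slow-down steps larger than SWING_HZ."""
    reversals, prev_dir = 0, 0
    for a, b in zip(samples, samples[1:]):
        delta = b.sensor_hz - a.sensor_hz
        if abs(delta) < SWING_HZ:
            continue                      # small drift, not a swing
        direction = 1 if delta > 0 else -1
        if prev_dir and direction != prev_dir:
            reversals += 1                # direction flipped: up then down or vice versa
        prev_dir = direction
    return reversals

def analyze(samples):
    """Map sample time -> findings, plus the number of abrupt reversals."""
    alerts = {s.t: f for s in samples if (f := check_sample(s))}
    return alerts, count_reversals(samples)

# Constructed telemetry: the HMI keeps reporting a steady ~1064 Hz while the
# independent sensor shows the drive pushed above and below the band.
TELEMETRY = [
    Sample(0, 1064.0, 1064.0), Sample(60, 1064.0, 1065.0),
    Sample(120, 1064.0, 1350.0), Sample(180, 1064.0, 1066.0),
    Sample(240, 1064.0, 700.0), Sample(300, 1064.0, 1063.0),
]
```

Running `analyze(TELEMETRY)` flags the samples at 120 s and 240 s and reports two reversals, which is the alternating pattern the article describes.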
Iran’s enrichment program experienced a series of centrifuge failures that initially appeared to be equipment problems. By 2010, Western intelligence agencies’ assessments of Iran’s enrichment capacity had declined significantly from earlier projections. The New York Times and other outlets later reported that the centrifuge failures had set the Iranian nuclear program back by at least two years.
The full context of cyberwar and its consequences is covered in The History of Cyberwar.
The Attribution and Precedent
Stuxnet’s attribution to the US/Israel (a joint NSA/CIA and Unit 8200 operation, reportedly codenamed “Olympic Games”) was reported by the New York Times in 2012 based on sources within the US government. Neither government has officially confirmed or denied it.
The precedent Stuxnet set — using cyberweapons to cause physical destruction of infrastructure — was cited immediately in debates about cyberwar doctrine, the laws of armed conflict, and the potential for similar attacks on power grids, water treatment facilities, and financial infrastructure. The Tallinn Manual, produced by NATO’s Cooperative Cyber Defence Centre of Excellence, addressed the legal status of cyber operations under international humanitarian law, partly in response to the Stuxnet precedent.
📚 Sources
- Langner, Ralph: “Cracking Stuxnet, a 21st-Century Cyber Weapon” — TED Talk, March 2011
- Sanger, David E.: “Obama Order Sped Up Wave of Cyberattacks Against Iran” — The New York Times, June 1, 2012
- Zetter, Kim: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (2014), Crown Publishers