Stuxnet 0.5: Disrupting Uranium Processing at Natanz
When Symantec first disclosed details about how Stuxnet affected the programmable logic controllers (PLCs) used for uranium enrichment in Natanz, Iran, we documented two attack strategies. We also noted that the one targeting 417 PLC devices was disabled. We have now obtained an earlier version of Stuxnet that contains the fully operational 417 PLC device attack code.
After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges. The attack essentially closes the valves causing disruption to the flow and possibly destruction of the centrifuges and related systems. In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally. It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.
Figure 1. Summary of the Stuxnet 0.5 attack strategy
Given Stuxnet 0.5 is an earlier version of Stuxnet, the 417 attack strategy was the original strategy, and likely abandoned in favor of modifying the centrifuge speeds instead—a technique used in Stuxnet 1.x versions.
Stuxnet 1.x contained missing pieces of code, which are present in Stuxnet 0.5. These pieces of code perform the necessary fingerprinting of the target system before deploying the 417 attack strategy and build a critical PLC data block (DB8061). Therefore, we can now fully describe the intended 417 attack strategy.
Fingerprinting target system configuration
This version of Stuxnet extensively fingerprints the target system to determine whether it is in the right location before it will activate the payload. To make this determination, Stuxnet checks if the infected system is running Step 7 software and parses the symbol table of the target system. The symbol table holds identification labels for each physical device in the target system. For example, each valve, pump, and sensor will have a unique identifier. The symbol labels loosely follow the ANSI/ISA-5.1 Instrumentation Symbols and Identification standard, which is used in piping and instrumentation diagrams (P&ID).
Figure 2. An example of a P&ID diagram from a uranium enrichment facility in Iran (Source: PressTV)
The following table summarizes what devices and labels Stuxnet looks for within the symbol table.
Table 1. Device types and labels targeted by Stuxnet
The labels for each of these devices follow the following specific format:
For example, for a valve in module A21, in cascade eight, associated with centrifuge 160, the label would be PV-A21-8-160.
The logic used to parse these strings yields additional interesting clues. For example, the cascade module must be between A21 and A28; this matches the known configuration of cascade modules at Natanz, Iran. Stuxnet expects a maximum of 18 cascades per module, 164 centrifuges grouped into 15 stages per cascade, which again matches the published configuration at Natanz, Iran.
Furthermore, the number of centrifuges is expected to be distributed within stages, as shown in the following table.
Table 2. Configuration of process stages and centrifuges
Within each stage, centrifuges can be further grouped into sub-clusters of four.
During fingerprinting, Stuxnet keeps a counter for each device that matches the expected configuration. Once the counter surpasses a particular threshold, Stuxnet considers the system that is being fingerprinted to match the target system configuration and will inject the attack PLC code. Stuxnet also determines which six cascades out of the possible 18 are the highest value targets and saves this information along with device addresses and configuration information into data block DB8061.
When Symantec first disclosed details about how Stuxnet affected the programmable logic controllers (PLCs) used for uranium enrichment in Natanz, Iran, we documented two attack strategies. We also noted that the one targeting 417 PLC devices was disabled. We have now obtained an earlier version of Stuxnet that contains the fully operational 417 PLC device attack code.
After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges. The attack essentially closes the valves causing disruption to the flow and possibly destruction of the centrifuges and related systems. In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally. It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.
Figure 1. Summary of the Stuxnet 0.5 attack strategy
Given Stuxnet 0.5 is an earlier version of Stuxnet, the 417 attack strategy was the original strategy, and likely abandoned in favor of modifying the centrifuge speeds instead—a technique used in Stuxnet 1.x versions.
Stuxnet 1.x contained missing pieces of code, which are present in Stuxnet 0.5. These pieces of code perform the necessary fingerprinting of the target system before deploying the 417 attack strategy and build a critical PLC data block (DB8061). Therefore, we can now fully describe the intended 417 attack strategy.
Fingerprinting target system configuration
This version of Stuxnet extensively fingerprints the target system to determine whether it is in the right location before it will activate the payload. To make this determination, Stuxnet checks if the infected system is running Step 7 software and parses the symbol table of the target system. The symbol table holds identification labels for each physical device in the target system. For example, each valve, pump, and sensor will have a unique identifier. The symbol labels loosely follow the ANSI/ISA-5.1 Instrumentation Symbols and Identification standard, which is used in piping and instrumentation diagrams (P&ID).
Figure 2. An example of a P&ID diagram from a uranium enrichment facility in Iran (Source: PressTV)
The following table summarizes what devices and labels Stuxnet looks for within the symbol table.
Table 1. Device types and labels targeted by Stuxnet
The labels for each of these devices follow the following specific format:
For example, for a valve in module A21, in cascade eight, associated with centrifuge 160, the label would be PV-A21-8-160.
The logic used to parse these strings yields additional interesting clues. For example, the cascade module must be between A21 and A28; this matches the known configuration of cascade modules at Natanz, Iran. Stuxnet expects a maximum of 18 cascades per module, 164 centrifuges grouped into 15 stages per cascade, which again matches the published configuration at Natanz, Iran.
Furthermore, the number of centrifuges is expected to be distributed within stages, as shown in the following table.
Table 2. Configuration of process stages and centrifuges
Within each stage, centrifuges can be further grouped into sub-clusters of four.
During fingerprinting, Stuxnet keeps a counter for each device that matches the expected configuration. Once the counter surpasses a particular threshold, Stuxnet considers the system that is being fingerprinted to match the target system configuration and will inject the attack PLC code. Stuxnet also determines which six cascades out of the possible 18 are the highest value targets and saves this information along with device addresses and configuration information into data block DB8061.