79140409644
academy
Security
Privacy
Performance
English

Stuxnet: What Is It & How Does It Work?

When Stuxnet emerged in 2010, cybersecurity experts quickly realized they were dealing with sophisticated malware unlike anything they’d seen before. The Stuxnet worm showed that malware can cause not just digital chaos, but physical destruction too. Keep reading to learn more about the Stuxnet worm, how it works, and how Avast One’s comprehensive security can protect you from all kinds of cyberthreats.

PC-editors-choice-icon
2023
Editors' choice
AV-Test-Top-product-icon
2022
Top Rated
Product
Academy-What-is-The-Stuxnet-Virus-Hero
Written by Oliver Buxton
Published on July 14, 2022
This Article Contains
This Article Contains

    What is Stuxnet?

    Stuxnet is a computer worm that was designed and deployed to attack Iranian nuclear facilities. Arguably the world’s first cyberweapon that impacted physical infrastructure, Stuxnet targeted Iranian nuclear centrifuges, damaging and destroying critical military capabilities, and causing major disruption to Iran’s nuclear program.

    While it’s never been officially disclosed exactly who created Stuxnet, the worm is widely understood to have been developed together by the US and Israel governments. Increasingly concerned by the progression of Iran’s nuclear weapons program, the two governments examined a range of options, which included airstrikes against atomic research and development centers.

    Due to the risk that direct military action against Iran’s nuclear program could erupt into a major regional or global conflict, US and Israeli planners instead focused on more subtle forms of attack. In 2006, the decision was made to cripple Iranian uranium enrichment facilities through an unprecedented campaign of cyberattacks.

    How was Stuxnet created?

    Stuxnet was created by a top-secret program — codenamed Operation Olympic Games — led by US and Israeli intelligence services. Under the leadership of the US National Security Agency (NSA), the joint operation was tasked with developing a virus or other form of malware that didn't just infect computers, but could actually damage physical infrastructure too.

    The resulting Stuxnet worm was game-changing in its level of complexity, even though it was engineered in much the same way as any other malicious worm designed to self-replicate across networks. Once embedded, malware can be used to steal data, install backdoor access into systems, or — as in the case of Stuxnet in Iran — implant bots to take control of entire system settings.

    Is Stuxnet a virus?

    Stuxnet malware is often referred to as the “Stuxnet virus,” but it’s more accurately classified as a worm rather than a computer virus. Both viruses and worms are designed to cause damage and disruption by infecting systems, corrupting files, and spreading rapidly. But unlike viruses, which require a host file or program to activate and self-replicate, worms are self-sufficient. In other words, worms self-replicate without needing external input like a host file or program, making them a particularly sophisticated and dangerous cyberthreat.

    Worms self-replicate without needing an external host.Computer worms are an especially sophisticated form of malware.

    What does the Stuxnet worm do?

    Once introduced into a network, Stuxnet malware spread rapidly, making use of previously unknown zero-day vulnerabilities in the Windows operating system to jump from computer to computer. But the computers infected in the 2010 Stuxnet zero-day attack were not the final target of the worm — they were simply the vehicles for getting at the hardware they controlled.

    Having infiltrated Iran’s nuclear enrichment facility, Stuxnet went on the hunt for computers connected to the programmable logic controllers (PLCs) that interact with and control centrifuges and other industrial machinery involved in the production of weapons-grade nuclear material.

    The worm then altered the PLCs’ code so that the centrifuges spun too fast, and for too long, while at the same time sending bogus data to make it appear as if everything was functioning normally. This caused major damage to the sensitive instruments, temporarily derailing Iran’s nuclear program.

    How did Stuxnet spread?

    Because the targeted nuclear facility was not connected to the internet, the Stuxnet virus couldn't be delivered via a digital hack. Instead, the worm was apparently delivered via a laptop, USB stick, or other removable media device. As soon as one computer was infected, the worm quickly replicated itself and jumped from device to device until the entire network was compromised.

    The Stuxnet worm attacked the Iranian network that controlled the country's nuclear program.The Stuxnet worm attacked the network that controlled Iran's nuclear program.

    Because the system running Iran’s nuclear enrichment program was air gapped (disconnected from the wider Internet), the infection should have been contained. But somehow Stuxnet did end up on internet connected computers and spread rapidly into the wild, allowing third-parties to get their hands on the code.

    What happened to Stuxnet?

    Stuxnet was not a single, isolated attack; it was a slow burn campaign lasting weeks and months. When Stuxnet was discovered and diagnosed by Belarussian cybersecurity specialists in late 2010, the effects of Stuxnet already included tens of thousands of infected computers and hundreds of disabled centrifuges.

    What the experts say

    "Advanced persistent threat actors have demonstrated their capability and intent to target governmental and military entities, employing a range of techniques from spear phishing to complex malware."


    Luigiano Camastra, Malware Researcher, Avast 2023 Threat Report

    Iran furiously denounced Stuxnet as an act of electronic warfare, and set about trying to contain the worm and remove it from their networks. But these efforts were hampered by Stuxnet’s ability to mutate and continue spreading. By the end of 2010, Iranian officials publicly admitted that it would take several months to root the Stuxnet worm out of all their systems.

    Although the Stuxnet virus was engineered to expire in 2012, having leaked outside of the facilities initially targeted, the cat was well and truly out of the bag. Since then, there have been a spate of further cyberattacks on infrastructure using worms with similar characteristics and capabilities as Stuxnet.

    Here’s a look at some of the most high-profile Stuxnet spin-offs:

    Duqu

    In 2011, threat analysts discovered a new worm and they named it Duqu. The striking similarities between Duqu and Stuxnet led experts to believe that the two strains of malware were closely related. In fact, they were nearly identical — the only difference being that Duqu wasn’t designed to sabotage machinery, but to act as spyware by capturing keystrokes and harvesting system data.

    Flame

    Yet more malware suspected to be linked to Stuxnet emerged in 2012. Dubbing the new threat Flame, researchers found that the virus shared much of its code in common with Stuxnet, in particular the way it was designed to target the same Windows vulnerabilities and propagate via USB storage devices.

    Petya

    Although not directly related to Stuxnet, the Petya malware that ravaged institutions in Ukraine throughout 2017 is another example of how cyberattacks are increasingly weaponised against entire sectors and even countries. Although classified as ransomware, Petya’s main aim seems to have been to cause mayhem in the Ukrainian banking system.

    How to protect against malware attacks

    Stuxnet may be a particularly extreme and high-profile example of malware, but it’s a powerful reminder that the distinction between digital and real-world security is becoming increasingly blurred. To prevent ransomware and neutralize other sophisticated threats such as Stuxnet and related viruses, following security best-practices is critical.

    Keeping the use of USB drives and other removable storage devices to a minimum helps to reduce the risk of malware gaining a foothold in your computer through an infected removable storage device. And along with the many other benefits of using a VPN, an encrypted connection helps to conceal your identity and guard against man-in-the-middle attacks.

    But while you often do need a VPN, they’re no substitute for dedicated antivirus software with real-time threat scanning that can thwart attacks before they do damage. The best cybersecurity packages featured dedicated malware removal tools such as trojan removers that can quarantine and purge even new and emerging threats.

    Cybersecurity software protects against a variety of online threats.Avast’s cybersecurity software protects you against the wide array of today’s online threats.

    Protect against viruses with Avast

    As our lives move further into the digital space, and emerging threats develop in sophistication, it’s important to protect yourself with robust online security that can stop cyberthreats from unraveling into real-world catastrophes.

    Avast One comes packed with powerful anti-malware features that turn your device into a fortress, with layers of security to detect and block advanced malware threats. And with a host of other security, privacy, and performance features — including a firewall and VPN — Avast One is an all-encompassing cybersecurity solution to protect your digital life.

    Get Avast One for iPhone to help block hackers and malware

    Free install

    Get Avast One for Android to help block hackers and malware

    Free install
    Viruses
    Security
    Oliver Buxton
    14-07-2022