The best detailed and low-level analysis of the malware is from Symantec: http://www.symantec.com/connect/blog...ection-process
It's quite a read, and unless you're a network/software person, it may not mean a whole lot, so I'll summarize. For reference, a PLC is a programmable logic controller, which is a small industrial computer system designed to run a dedicated task by reading inputs and generating outputs. A PLC does not run an operating system in the traditional sense. Each PLC manufacturer does things their own way internally on the units, and each PLC implementation is unique to the system it is connected to.
* Uses three previously entirely unknown Microsoft Windows security exploits, known as 0-day exploits. This is entirely unprecedented.
* Uses a security hole within the Microsoft print spooler that was known, but only within a small community of Eastern European software security analysts.
* Uses two stolen digital security certificates from legitimate companies (Realtek and JMicron). This is impressive in its own right as these use a public/private key system.
* The main infection vector was USB key sharing combining one new Windows exploit and the stolen certificates. Further infection is spread via other Windows exploits, both 0-day and known exploit methods.
* Implements a relatively complicated (for a piece of malware) peer-to-peer network to update itself if the command and control server is taken offline (which it has been since late August, I believe).
* The purpose of the virus is not commercial (botnets) or data mining but to infect a VERY SPECIFIC subset of Siemens PLCs running ONE specific program.
* The virus actually lies dormant (outside of occasional update checks against the C&C server and on the P2P network) unless it is connected to a Siemens PLC system.
* Completely subverts the functionality of the Siemens PLC programming software to inject NEW code into the PLC. The virus actually maps the software in the connected PLC to verify that new code should be injected.
* The majority of the known infections have been found in Iran.
Symantec and Kaspersky are convinced that only a nation state could have the resources to develop such a piece of software. The use of three 0-day exploits is not the MO of a disruptive or commercial hacking group. These exploits are INCREDIBLY valuable. Imagine having the ONLY skeleton key to nearly one billion computers around the world. Apparently, the exploits are often developed in the Eastern European region and sold off to organized crime. Why would a group want to expose its whole hand when it wasn't needed? The only reason I can think of is that someone wanted to make damn sure they reached whatever the target was.
The acquisition of the stolen digital certificates requires a completely different set of hacks/social engineering/inside intel job/etc. These are occasionally sold on the black market as well.
The code for the software is written in several computer languages and has file creation dates going back into 2009. This indicates that a team was working on the malware for an extended period of time.
The injection of PLC code into a system leads directly to the conclusion that the developers had a copy of the PLC software and likely the technical engineering drawings for how the target facility was wired and piped. Typically, PLC code is not very useful without drawings to map the input/output points to actual hardware (motors, pressure sensors, temperature sensors, valve actuators, etc.).
It would be easy to crash the PLC if so desired by injecting trash code that the system could not understand and would likely cause the CPU to fault. This would be the sledgehammer solution that could be PLC code/system independent. However, crashing a PLC typically does not have a detrimental effect on the system. Industrial control systems are designed to be fail-safe so that when inputs and outputs stop updating, the facility automatically goes to a safe state. This could be by the venting of pneumatic or hydraulic pressure or by removing electrical signals that activate solenoids. Stuxnet doesn't just try to crash a PLC. After determining that the target PLC is likely running code that Stuxnet is familiar with, it activates one of two sequences. One sequence even runs a sequence that can be monitored and controlled by a part of the virus's software.
This type of targeted attack is much more dangerous. As opposed to crashing the PLC, it could, for example, leave a pump running after the pressure has exceeded the safe limit of the system, or it could open a series of valves in an order not normally allowed by the system for safety reasons. It could even bypass shutdown signals without the facility operators being aware of it.
I don't know who wrote this software, but it was a team of people with a variety of skills and knowledge of a variety of software packages.
I also think that the target was hit, whatever it was. The results may or may not have been as catastrophic as the designers intended. This virus was first detected by a group out of Belarus at the request of entities in Iran. Stuxnet runs a very low profile for the most part, so it would be tough to detect. It does not load communication networks, so it's likely that it was noticed only after some series of upsets that drove the facility owners to look at a low level.
I don't think that this necessarily means that all industry is suddenly exposed, as it takes LOTS of insider knowledge and also technical skill to pull off a successful attack such as this. I do think that it will make us in the industry look more closely at our policies regarding outside Internet connections and the use of removable memory.
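The fail-safe argument in the post above (a crashed PLC stops updating its outputs, so a watchdog drives the plant to a safe state, whereas logic that keeps scanning while ignoring a limit never trips that watchdog) can be shown with a toy scan-loop model. This is an added example and not code from the post, from Symantec, or from any PLC vendor; the plant, the pressure limit, the scan counts and the interlock are all constructed for illustration. It models one controlled variable (pressure) and one output (a pump), and shows why a hardwired interlock that does not depend on the controller's program is the layer that still holds when the program itself has been replaced.

```python
"""Toy model of PLC fail-safe behaviour versus a controller whose
logic keeps running but no longer respects the process limit.
All values are constructed for illustration."""

SAFE_PRESSURE_LIMIT = 8.0   # constructed limit, arbitrary units
WATCHDOG_TIMEOUT = 3        # consecutive scans without a fresh output


class Plant:
    """Single tank: pump on raises pressure, pump off lets it bleed down."""

    def __init__(self):
        self.pressure = 1.0
        self.pump_on = False

    def step(self, pump_on):
        self.pump_on = pump_on
        if pump_on:
            self.pressure += 1.0
        else:
            self.pressure = max(0.0, self.pressure - 0.5)


def healthy_logic(scan, pressure):
    """Normal program: only run the pump if the next step stays under the limit."""
    return pressure + 1.0 <= SAFE_PRESSURE_LIMIT


def crashed_logic(scan, pressure):
    """Program faults after a few scans: None means 'no output update'.
    The output image freezes at its last value until the watchdog acts."""
    return healthy_logic(scan, pressure) if scan < 3 else None


def tampered_logic(scan, pressure):
    """Hypothetical replaced program: scans normally, so the watchdog is
    satisfied, but the limit check is gone (the page's 'pump left running')."""
    return True


def run(logic, scans=20, hardwired_interlock=False):
    """Run the scan loop; return final pressure, peak pressure and safety events."""
    plant = Plant()
    missed = 0            # consecutive scans with no output update
    last_cmd = False      # output image held between scans
    tripped = False       # independent interlock latches once it trips
    events = []
    max_pressure = plant.pressure
    for scan in range(scans):
        cmd = logic(scan, plant.pressure)
        if cmd is None:
            missed += 1
            if missed == WATCHDOG_TIMEOUT:
                events.append(("watchdog_safe_state", scan))
            if missed >= WATCHDOG_TIMEOUT:
                last_cmd = False          # de-energise: the safe state
        else:
            missed = 0
            last_cmd = cmd
        if hardwired_interlock:
            # Pressure switch wired in series with the pump contactor: it
            # acts on the physical value, not on what the program reports.
            if not tripped and last_cmd and plant.pressure >= SAFE_PRESSURE_LIMIT:
                tripped = True
                events.append(("interlock_trip", scan))
            if tripped:
                last_cmd = False
        plant.step(last_cmd)
        max_pressure = max(max_pressure, plant.pressure)
    return {"final": plant.pressure, "max": max_pressure, "events": events}


if __name__ == "__main__":
    for name, logic in [("healthy", healthy_logic),
                        ("crashed", crashed_logic),
                        ("tampered", tampered_logic)]:
        print(name, run(logic))
    print("tampered+interlock", run(tampered_logic, hardwired_interlock=True))
```

The crashed controller never exceeds the limit because the watchdog de-energises the frozen output after three missed scans; the tampered controller keeps the watchdog happy and drives the pressure past the limit on every scan, and only the independent interlock, which reads the physical process rather than trusting the program, brings it back to a safe state.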