Anatomy of a Breach: Stuxnet — The World's First Cyber Weapon

> series: anatomy_of_a_breach —— part: 018 —— target: iranian_nuclear_programme —— weapon: stuxnet —— zero_days: 4

Hedgehog Security 30 June 2010 14 min read

The code that made centrifuges tear themselves apart.

In June 2010, VirusBlokAda, a small Belarusian security firm, identified a piece of malware unlike anything the industry had seen before. The worm, which came to be known as Stuxnet, exploited four separate zero-day vulnerabilities in Microsoft Windows, carried kernel drivers signed with code-signing certificates stolen from Realtek and JMicron so that they passed as legitimate software, spread via USB drives to cross air-gapped networks, and specifically targeted Siemens SIMATIC Step 7 (the PLC engineering software) and WinCC (the SCADA/HMI software) controlling Siemens S7-300 and S7-400 series programmable logic controllers: the configuration driving the uranium enrichment centrifuges at Iran's Natanz facility.

Stuxnet's payload was extraordinary: it drove the centrifuges' frequency converters to speeds outside the rotors' design envelope, in brief episodes weeks apart, while the operators' monitoring systems continued to report normal conditions. The centrifuges damaged themselves, and the operators saw nothing wrong. The operation is widely attributed to a joint US-Israeli effort codenamed Olympic Games, though neither government has officially confirmed responsibility. Stuxnet was the first publicly documented use of a cyber weapon to cause physical destruction, and it changed the nature of warfare.



The most complex malware the industry had analysed at the time.

Stuxnet — Technical Capabilities
── Propagation ─────────────────────────────────────────────
USB removable drives: a crafted .lnk shortcut loads a DLL the moment Explorer renders the drive's icons (no autorun needed; crosses air gaps)
Windows Print Spooler remote code execution against network peers
Windows Server Service (MS08-067, CVE-2008-4250): an older, already-patched bug, not one of the zero-days
Network shares, Step 7 project files and Siemens WinCC database connections (hard-coded database credentials)

── Zero-Day Exploits (4) ───────────────────────────────────
CVE-2010-2568 (Windows Shell .lnk parsing, MS10-046): code execution from removable media and shares
CVE-2010-2729 (Windows Print Spooler, MS10-061): remote code execution
CVE-2010-2743 (win32k.sys keyboard layout, MS10-073): local privilege escalation
CVE-2010-3338 (Windows Task Scheduler, MS10-092): local privilege escalation (CVE-2010-3888, sometimes listed instead, overlaps with this issue)

── Evasion ─────────────────────────────────────────────────
Kernel drivers signed with code-signing certificates stolen from Realtek and JMicron, so driver signature checks passed
Windows rootkit drivers hiding the worm's files, including the .lnk and DLL dropped onto removable media
PLC rootkit: the Step 7 communications library s7otbxdx.dll is replaced so the injected blocks never appear when an engineer reads the program back

── Payload ─────────────────────────────────────────────────
Fingerprints the target before acting: S7-315 and S7-417 CPUs with specific frequency converters attached; on anything else it stays dormant
Rewrites the frequency converters' output, driving the rotors from a normal 1064 Hz up to 1410 Hz and later down to 2 Hz, in brief episodes weeks apart
Keeps the operator view normal: the injected blocks are hidden from Step 7, and the 417 attack variant replays recorded sensor readings during the manipulation
Centrifuges run outside their design envelope → physical damage

OT/ICS security became a national security concern.

Stuxnet's significance extends far beyond Iran's nuclear programme. It demonstrated that cyber attacks can cause physical destruction of industrial equipment, that air-gapped networks can be breached via USB, that industrial control systems — designed for reliability, not security — are vulnerable to sophisticated attack, and that nation-states will develop and deploy cyber weapons against industrial targets. For any organisation that operates industrial control systems — from manufacturing to critical infrastructure — Stuxnet rewrote the threat model permanently.

IT/OT Convergence Risk
Stuxnet crossed from IT systems (Windows workstations) to OT systems (Siemens PLCs) via shared engineering workstations. This IT/OT boundary — which we assess in our <a href="/penetration-testing/infrastructure">infrastructure penetration testing</a> for manufacturing clients — remains one of the most critical weaknesses in industrial environments. Our <a href="/blog/sector-under-the-microscope-manufacturing">manufacturing sector analysis</a> examines this convergence risk in depth.
USB as Attack Vector
Stuxnet's primary propagation method was USB drives — the same vector used by the <a href="/blog/anatomy-of-a-breach-mariposa-botnet">Mariposa botnet</a>. For air-gapped environments, USB remains one of the few viable attack paths. <a href="/cyber-essentials">Cyber Essentials</a> includes removable media controls as a baseline requirement, and our testing validates that these controls are technically enforced.
PLC Security
Stuxnet targeted the PLC code itself — modifying the instructions that controlled the centrifuge motors. Most ICS/SCADA security assessments focus on the network layer; Stuxnet demonstrated that the PLC program logic, and the engineering workstation software that loads it, are attack surfaces in their own right. Our <a href="/blog/from-the-hacker-desk-default-credentials-ics">ICS engagement case study</a> demonstrates what we find when we test industrial control systems.
Operator Deception
Stuxnet's most insidious capability was hiding its changes from the people running the plant: the engineering software showed the original logic and the monitoring screens kept reporting normal conditions while the centrifuges destroyed themselves. This man-in-the-middle attack on process data challenges the fundamental assumption that operators can trust what their screens display. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for anomalies at the network level, independent of process data, a vantage point that deception at the PLC/HMI layer does not control.
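One way to put the "independent of process data" idea into practice, as an added example that is not code from the original post, from Stuxnet, or from Hedgehog Security's own tooling: the Python below takes two constructed, time-aligned telemetry series, the rotor frequency as reported through the PLC/HMI path (what the operator sees) and the motor current from a sensor wired outside that path, and flags (a) stretches where the HMI series exactly reproduces earlier samples, the fingerprint of a recording being replayed, and (b) samples where the out-of-band current no longer agrees with the displayed frequency. The sample data, the current-to-frequency relation and every threshold are assumptions made for the demonstration; the 1064 Hz normal and 1410 Hz over-speed figures are taken from Symantec's published analysis of Stuxnet.

```python
"""Cross-check HMI-reported telemetry against an out-of-band signal.

Added example, not code from Stuxnet or from any vendor product. All data is
constructed: the 'hmi' series stands in for what the operator screen shows,
the 'amps' series for a motor-current sensor that bypasses the PLC entirely.
"""
import random
from statistics import mean

NORMAL_HZ = 1064.0      # normal frequency-converter output (Symantec's analysis)
ATTACK_HZ = 1410.0      # over-speed target used in the attack (Symantec's analysis)
AMPS_PER_HZ = 0.05      # assumed current-to-frequency relation, demo only


def build_sample(n_baseline=30, n_attack=30, seed=2010):
    """Return (hmi_hz, motor_amps): constructed series sampled once per second.

    Baseline: the HMI tracks the real rotor frequency, with sensor noise.
    Attack: the rotor ramps towards ATTACK_HZ while the HMI replays the
    recorded baseline sample for sample, so the screen keeps looking normal.
    """
    rng = random.Random(seed)
    hmi_hz, motor_amps = [], []
    for i in range(n_baseline + n_attack):
        if i < n_baseline:
            real = NORMAL_HZ + rng.gauss(0, 1.5)
            shown = real
        else:
            real = NORMAL_HZ + (ATTACK_HZ - NORMAL_HZ) * (i - n_baseline + 1) / n_attack
            shown = hmi_hz[i - n_baseline]            # replayed recording
        hmi_hz.append(round(shown, 2))
        motor_amps.append(round(AMPS_PER_HZ * real * (1 + rng.gauss(0, 0.005)), 3))
    return hmi_hz, motor_amps


def _ranges(flags):
    """Collapse a list of booleans into (start, end) index ranges of True runs."""
    out, start = [], None
    for i, flagged in enumerate(flags):
        if flagged and start is None:
            start = i
        elif not flagged and start is not None:
            out.append((start, i - 1))
            start = None
    if start is not None:
        out.append((start, len(flags) - 1))
    return out


def replayed_ranges(series, window=8):
    """Index ranges where `window` consecutive samples exactly reproduce an
    earlier stretch of the same series. Noisy process data never repeats
    exactly, so this is a strong indicator that recorded values are replayed."""
    seen = set()
    flags = [False] * len(series)
    for i in range(len(series) - window + 1):
        key = tuple(series[i:i + window])
        if key in seen:
            for j in range(i, i + window):
                flags[j] = True
        else:
            seen.add(key)
    return _ranges(flags)


def divergence_ranges(hmi, oob, baseline, tolerance=0.05):
    """Index ranges where the out-of-band signal disagrees with the HMI value.

    The expected oob/hmi ratio is learned from the first `baseline` samples
    (taken on trust as a known-good period); a sample is flagged when its
    ratio drifts from that by more than `tolerance` (a fraction).
    """
    expected = mean(o / h for h, o in zip(hmi[:baseline], oob[:baseline]))
    flags = [abs(o / h - expected) > tolerance * expected for h, o in zip(hmi, oob)]
    return _ranges(flags)


if __name__ == "__main__":
    hmi, amps = build_sample()
    print("replayed HMI samples :", replayed_ranges(hmi))
    print("HMI/current mismatch :", divergence_ranges(hmi, amps, baseline=30))
```

The replay check is deliberately strict: genuine process data carries sensor noise, so an exact multi-sample repeat is far more suspicious than a merely steady reading. The divergence check is only as good as the independence of the second signal; a current sensor read through the same PLC that Stuxnet controlled would have been lied to just as convincingly.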

Stuxnet's lessons for your organisation.

If your organisation operates any form of industrial control system — manufacturing equipment, building management systems, environmental controls, SCADA infrastructure — the Stuxnet precedent applies. The specific weapon targeted Iran, but the weakness classes it exploited are universal: USB propagation, engineering workstation compromise, default credentials (Stuxnet used WinCC's hard-coded database password), and the absence of monitoring between IT and OT networks.

Our infrastructure penetration testing includes IT/OT boundary assessment for industrial clients. Our ICS security assessments test the same attack paths Stuxnet used — USB, engineering workstation, PLC configuration. Cyber Essentials establishes baseline controls including USB restrictions and patching. And SOC in a Box for Engineering provides 24/7 monitoring across both IT and OT environments. For incident response in industrial environments, UK Cyber Defence has the specialist expertise to investigate OT-targeted attacks.


Stuxnet proved that cyber attacks can cause physical damage. Is your OT environment tested?

Our <a href="/penetration-testing/infrastructure">OT/ICS penetration testing</a> assesses the IT/OT boundary, USB propagation paths, PLC security, and engineering workstation controls. <a href="https://www.socinabox.co.uk/sectors/engineering-contractors">SOC in a Box for Engineering</a> monitors for the anomalies that Stuxnet-style attacks produce.
