
Stuxnet

The first known cyber weapon designed to cause physical destruction

Attributed actor: Equation Group · Active: 2007–2010 (discovered Jun 2010) · Attribution confidence: Moderate

Widely attributed to a joint U.S./Israeli operation (Operation Olympic Games) per reporting by David Sanger / NYT 2012; never officially confirmed by either government. U.S. and Israeli governments have neither acknowledged nor denied involvement. Attribution here is sourced from journalistic reporting, not official government disclosure.

Stuxnet was a precision cyber weapon that silently infiltrated the air-gapped Natanz uranium-enrichment facility via infected USB drives carried by Iranian contractors. Once inside, it identified Siemens S7-315/417 PLCs controlling IR-1 centrifuge cascades, reprogrammed them to destroy rotors through extreme speed cycling, and simultaneously replayed falsified normal telemetry to SCADA operators — all while remaining invisible for months. Roughly 1,000 of Natanz's ~9,000 IR-1 centrifuges were replaced between late 2009 and late 2010.

[Diagram: kill-chain walkthrough in seven scenes. Initial access: contractor hosts (Foolad Technic, Behpajooh, Kala Electric) carry the worm across the air gap into the Natanz Fuel Enrichment Plant; a Windows host runs the CVE-2010-2568 LNK payload as soon as the icon renders, with no user interaction. Four Windows zero-days (CVE-2010-2568 LNK, CVE-2010-2729 Print Spooler RCE, CVE-2010-2743 Win32k LPE, CVE-2010-3338 Task Scheduler LPE); stolen Realtek Semiconductor and JMicron Technology code-signing certificates (Taiwan, both revoked 2010); dual rootkit mrxcls.sys / mrxnet.sys hiding files on Windows and code blocks in STEP 7; spread via Print Spooler and MS08-067 SMB to the STEP 7 engineering workstation (WinCC / PROFIBUS, OB35 intercepted). Discovery fingerprint, all three required: S7-315-2 / S7-417 PLC, Vacon NX or Fararo Paya VFDs, 164 drives per cascade; if any check fails the worm stays dormant. Impact: four PLCs reprogrammed, IR-1 rotors spiked to ~1,410 Hz then held at ~2 Hz (rotor fatigue), ~1,000 of ~9,000 centrifuges replaced Nov 2009 to late 2010, while the SCADA control-room view shows "ALL NOMINAL, 1064 Hz, no alarms". Payload kill date: 24 Jun 2012. Attribution: journalistic (Sanger/NYT 2012), unconfirmed by either government. Sources: Symantec Dossier v1.4 · MITRE S0603 · Langner 2013 · ICS-CERT ICSA-10-201-01C]
  1. Phase 01 · Initial Access (TA0001)

    Infected USB drives crossed the air gap via Iranian contractors linked to Natanz

    • The initial infections hit a small set of Iranian companies with known ties to Natanz: Foolad Technic Engineering, Behpajooh Co., Neda Industrial Group, Control Gostar Jahed, and Kala Electric — the latter suspected as a supplier of centrifuge components.
    • Stuxnet exploited the 'trusted relationship' of contractors: their Windows laptops were periodically connected to engineering workstations inside the facility, carrying the worm across the physical air gap on USB drives.
    • Propagation across the air gap did not require any network connection — only physical media insertion. The worm was designed to replicate to any connected USB drive and to limit hops to a maximum of three machines to contain spread.
    • Infections ultimately reached at least five Iranian organizations; Symantec's analysis of Stuxnet version timestamps and victim logs indicates earliest builds existed by 2007.
  2. Phase 02 · Execution (TA0002)

    CVE-2010-2568: inserting a USB drive executed code before a user clicked anything

    • The primary execution vector was CVE-2010-2568 (Windows Shell LNK shortcut vulnerability): Windows Explorer automatically parsed malicious .lnk files when rendering drive icons in any file browser or on the desktop — no user interaction required beyond inserting the drive.
    • This zero-day allowed DLL loading via crafted shortcut files and was fully weaponized in Stuxnet before Microsoft issued MS10-046 on August 2, 2010.
    • Stuxnet also carried autorun.inf-based fallback execution for older Windows versions, and exploited the Windows Print Spooler service (CVE-2010-2729) for network execution on machines with shared printers.
    • Once running, Stuxnet injected itself into legitimate Windows processes (e.g., lsass.exe, services.exe) to persist in memory and begin environmental checks.
  3. Phase 03 · Privilege Escalation (TA0004)

    Four Windows zero-days: two local privilege escalation exploits ensured SYSTEM-level access

    • CVE-2010-2743 (MS10-073): Win32k.sys kernel driver improperly loaded keyboard layout files, allowing elevation to SYSTEM from a limited user account.
    • CVE-2010-3338 (MS10-092): Windows Task Scheduler vulnerability allowed a crafted job file to execute with elevated privileges — a second independent local privilege escalation path.
    • Stuxnet was the first known malware to deploy four simultaneous Windows zero-day exploits; deploying two separate LPE paths ensured SYSTEM access regardless of patch state.
    • SYSTEM-level privileges were required to install the rootkit driver with a valid (stolen) code-signing certificate and to interact directly with Siemens WinCC/STEP 7 software.
  4. Phase 04 · Defense Evasion (TA0005)

    Stolen Realtek and JMicron certificates signed the rootkit; a PLC rootkit hid payload code from Siemens software

    • Stuxnet's kernel-mode driver was digitally signed with a stolen code-signing certificate from Realtek Semiconductor Corp. (Taiwan). After Realtek's certificate was revoked, a second stolen certificate from JMicron Technology Corp. was used in later Stuxnet variants — indicating ongoing access to a supply of Taiwanese hardware-vendor credentials.
    • A Windows rootkit hid Stuxnet's files, registry keys, and processes from the operating system using standard hooking of NTFS/filesystem APIs.
    • Critically, Stuxnet also contained the first known PLC rootkit: it intercepted calls between Siemens STEP 7 programming software and the S7-315/417 PLCs, hiding the injected malicious code blocks from engineers inspecting the PLC program on their workstations.
    • The replay of falsified SCADA telemetry (described in Phase 7) is itself a defense evasion measure against human operators — ensuring that anomalous centrifuge behavior was invisible to the control room for months.
  5. Phase 05 · Lateral Movement (TA0008)

    Four propagation mechanisms spread Stuxnet across Windows networks toward the engineering workstation

    • CVE-2010-2729 (MS10-061, Print Spooler RCE): allowed unauthenticated remote code execution on any Windows machine sharing a printer on the local network — no credentials required.
    • CVE-2008-4250 (MS08-067, Server Service): the same vulnerability exploited by Conficker; Stuxnet used it for LAN propagation to unpatched machines via RPC.
    • SMB network share propagation: Stuxnet copied itself to accessible Windows shares, including ADMIN$ shares, using the credentials of the currently logged-in user.
    • WinCC/STEP 7 project file infection: Stuxnet injected itself into Siemens Step 7 project files (.s7p) so that when an engineer opened a project on any workstation, the worm was carried forward.
    • Hop count was capped at three per USB drive to limit uncontrolled spread beyond the target environment.
  6. Phase 06 · Discovery (TA0007)

    Stuxnet fingerprinted its environment with extreme precision — and only armed itself at one specific facility

    • Before activating any destructive payload, Stuxnet performed an exhaustive environmental check: it searched for Siemens S7-315-2 or S7-417 PLCs connected via a PROFIBUS network, specifically configured in cascades of 164 frequency converters — the exact geometry of Natanz's IR-1 centrifuge halls.
    • It additionally checked for frequency converters from specific vendors: Vacon NX (Finland) or Fararo Paya (Iran), operating in the 807–1210 Hz range characteristic of centrifuge drive motors.
    • If any of these conditions were not met, Stuxnet remained dormant and did not alter any PLC code — making it effectively inert on every other Siemens installation in the world.
    • This targeting logic is documented as the 'fingerprint' or 'configuration block' in the Symantec Dossier and is analyzed in depth by Langner.
    • Stuxnet also enumerated installed security products, Siemens WinCC database connection strings (to harvest credentials), and Windows domain information to map its environment.
  7. Phase 07 · Impact (TA0040)

    PLCs reprogrammed to destroy centrifuges; falsified SCADA telemetry kept operators blind for months

    • Stuxnet injected two malicious code blocks (OB1 and OB35 hooking code) into the Siemens S7-315 PLCs controlling IR-1 centrifuge rotor drives. The attack operated in a ~27-day cycle: it first drove centrifuge rotors to ~1,410 Hz (well above the ~1,064 Hz design speed) for approximately 15 minutes, then to ~2 Hz for long stretches — severe mechanical stress causing rotors to fail through metal fatigue and bearing wear over repeated cycles.
    • Simultaneously, the PLC rootkit intercepted all read requests from the STEP 7 SCADA console and replayed pre-recorded values showing normal ~1,064 Hz operation. Operators watching the control room screens saw green nominal readings while the machines were being physically destroyed — the first confirmed instance of a 'false data injection' attack against industrial safety monitoring.
    • Langner's analysis (2013) characterizes the attack as having two distinct payload sequences: 'Sequence A' targeted Vacon drives with high-frequency overspeeding; 'Sequence B' targeted Fararo Paya drives with a long underspeed/near-stop phase. Both were designed to remain below the threshold that would trigger automated safety shutoffs.
    • The IAEA reported that approximately 1,000 IR-1 centrifuges were replaced at the Natanz Fuel Enrichment Plant between November 2009 and late 2010 — the period overlapping with confirmed Stuxnet infection. Iran's enrichment capacity was set back by an estimated 1–2 years according to various technical assessments.
    • Stuxnet's kill date was June 24, 2012 — a hardcoded date after which it stopped spreading and activating payloads.
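Added example, not code from the page or from any of the sources it cites: a detection pass over constructed Sysmon-style image-load events that flags the behaviour behind the Phase 02 vector, Explorer loading a module from removable media or a network share while rendering icons. The "Key=Value" line layout, the drive letters, share name and file names are assumptions made for this example.

```python
import re

# Constructed Sysmon-style lines (Event ID 7 = image loaded; 1 = process create).
# The "Key=Value" layout is an assumption for this example, not Sysmon's real
# XML/EVTX format; every path and file name below is made up.
SAMPLE_LOG = """\
EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll Signed=true
EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=E:\\icon_helper.tmp Signed=false
EventID=1 Image=C:\\Windows\\System32\\notepad.exe ImageLoaded= Signed=true
EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=\\\\fileserver\\share\\viewer.dll Signed=false
EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\ntshrui.dll Signed=true
EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=E:\\docs\\report.cpl Signed=true
"""

SYSTEM_DRIVE = "C:\\"            # modules the shell legitimately loads live here
SHELL_HOSTS = {"explorer.exe"}   # the process that renders shortcut (.lnk) icons

def parse(line):
    """Turn one 'Key=Value ...' line into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def severity(ev):
    """None when the event is benign. Explorer loading a module from outside the
    system drive (removable media or a UNC share) is what the LNK vector looks like
    on the host: 'high' when the module is unsigned, 'medium' when it is signed."""
    if ev.get("EventID") != "7":
        return None
    host = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if host not in SHELL_HOSTS:
        return None
    loaded = ev.get("ImageLoaded", "")
    if not loaded or loaded.upper().startswith(SYSTEM_DRIVE):
        return None
    return "medium" if ev.get("Signed", "").lower() == "true" else "high"

def scan(log_text):
    """Return (severity, module path) for every off-system load by Explorer, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        sev = severity(ev)
        if sev:
            hits.append((sev, ev["ImageLoaded"]))
    return hits

if __name__ == "__main__":
    for sev, path in scan(SAMPLE_LOG):
        print(f"[{sev}] explorer.exe loaded {path}")
```

Explorer also loads legitimate shell extensions from the system drive, which is why the check keys on the load location rather than on the DLL load itself.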
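Added example, not from the page or its sources: the plausibility check a defender could run over rotor-frequency telemetry to catch the Phase 07 replay, assuming an independent out-of-band measurement exists beside the PLC-reported values. The two streams, the 25 Hz tolerance and the 4-sample window are constructed; the 807–1210 Hz envelope and the ~1,064 / ~1,410 / ~2 Hz figures are the ones the walkthrough gives.

```python
# Constructed telemetry (Hz, one reading per step); not real Natanz data.
# REPORTED is what the SCADA view receives through the PLC. INDEPENDENT is an
# assumed out-of-band measurement (e.g. rotor frequency derived from a separate
# power monitor) that a compromised PLC cannot rewrite.
REPORTED = [1064.2, 1063.7, 1064.5, 1064.1, 1063.9, 1064.3] * 2 + [1064.2, 1063.7, 1064.5, 1064.1]
INDEPENDENT = [1064.0, 1063.9, 1064.4, 1064.2, 1063.8, 1064.2,   # nominal
               1409.6, 1410.3, 1410.1, 1409.9, 1410.2, 1409.8,   # overspeed phase
               2.1, 1.9, 2.0, 2.2]                                # near-stop phase

OPERATING_BAND = (807.0, 1210.0)   # drive envelope named in the Discovery phase

def out_of_band(readings, band=OPERATING_BAND):
    """Indices whose value falls outside the expected drive-frequency envelope."""
    lo, hi = band
    return [i for i, f in enumerate(readings) if not lo <= f <= hi]

def divergence(reported, independent, tol_hz=25.0):
    """Indices where the PLC-reported value disagrees with the independent one."""
    return [i for i, (r, m) in enumerate(zip(reported, independent)) if abs(r - m) > tol_hz]

def replayed_windows(readings, window=4):
    """Indices where a window of readings exactly repeats an earlier, non-overlapping
    window. Live sensor data carries noise, so an exact repeat of a whole window is
    the signature of recorded values being played back to the operator."""
    first_seen, hits = {}, []
    for i in range(len(readings) - window + 1):
        key = tuple(readings[i:i + window])
        if key in first_seen and first_seen[key] + window <= i:
            hits.append(i)
        else:
            first_seen.setdefault(key, i)
    return hits

def assess(reported=REPORTED, independent=INDEPENDENT):
    """Combine the three checks; any non-empty list warrants an operator alert."""
    return {"out_of_band": out_of_band(independent),
            "divergence": divergence(reported, independent),
            "replayed": replayed_windows(reported)}

if __name__ == "__main__":
    for name, idx in assess().items():
        print(f"{name}: {idx}")
```

The replay check works on the reported stream alone; the other two need the independent source, which is the piece a PLC-level rootkit cannot falsify.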
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Equation Group
Capability
  • T1091
  • T1199
  • T1203
  • T1059
  • T1068
Infrastructure
Victim
  • See narrative above