Event flow
The worm attacked in three phases:
- Phase 1: Targeted Microsoft Windows machines and networks.
- Phase 2: Checked whether the ICS was controlled by Siemens Step7, a Windows-based application used to control centrifuges in Iranian nuclear plants. If the system was not a target, Stuxnet did nothing except spy on its sensitive information.
- Phase 3: Attacked the PLCs that controlled the centrifuges.
The Stuxnet worm was unusually smart and exploited four zero-day vulnerabilities, namely:
- The LNK vulnerability: An LNK file is a file shortcut in Microsoft Windows.
- Shared printer-spooler vulnerability: Used to spread through shared printers on a LAN.
- Privilege escalation vulnerability: Used to gain system-level privileges even on thoroughly locked-down computers.
After infecting the controller system, the worm would relay false feedback information to upstream controllers to evade threat detection until it was too late. The Stuxnet worm is estimated to have destroyed 984 uranium-enriching centrifuges, contributing to an estimated 30% decrease in enrichment efficiency (STN-REP).
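A defender-side check for the false feedback described above, as an added example that is not from the original text: it flags telemetry that repeats value-for-value and compares controller-reported readings with an independent measurement. It assumes the false feedback takes the form of a replayed recording; the function names, the nominal value of 1000.0, the 20-sample loop and all sample data are constructed for illustration.

```python
import random

def replay_period(readings, min_period=5, max_period=60, min_cycles=3):
    """Return the loop length if the newest readings repeat exactly, else None.

    Live analog sensors carry noise, so a window that recurs value-for-value
    over several cycles points to a recorded loop, not a running process.
    """
    n = len(readings)
    for period in range(min_period, max_period + 1):
        span = period * min_cycles
        if span > n:
            break
        tail = readings[n - span:]
        if len(set(tail[:period])) < 2:
            continue  # a flat signal "repeats" too; that is a separate alarm
        if all(tail[i] == tail[i % period] for i in range(span)):
            return period
    return None

def diverges(reported, independent, tolerance):
    """Sample indexes where the controller's report and an out-of-band
    measurement of the same quantity differ by more than `tolerance`."""
    return [i for i, (r, m) in enumerate(zip(reported, independent))
            if abs(r - m) > tolerance]

def build_sample():
    """Constructed data: one reading per second around a nominal 1000.0."""
    rng = random.Random(7)
    live = [round(1000.0 + rng.gauss(0, 0.8), 2) for _ in range(120)]
    loop = live[-20:]                  # hypothetical recorded window
    reported = live + loop * 4         # what the upstream controller is shown
    actual = live + [1000.0 + 10.0 * k for k in range(1, 81)]  # real drift
    return live, reported, actual

if __name__ == "__main__":
    live, reported, actual = build_sample()
    print("loop in live data:", replay_period(live))
    print("loop in reported data:", replay_period(reported))
    bad = diverges(reported, actual, tolerance=5.0)
    print("first divergence at sample", bad[0], "of", len(reported))
```

The cross-check only helps when the independent measurement does not pass through the controller being verified.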