September 25, 2010
‘Stuxnet’ Attack May Have Been Aimed At Iran: Experts
Computer security experts say a self-propagating malicious program (a worm) that has infected industrial control systems worldwide appears to have been aimed primarily at nuclear facilities in Iran.
The malicious software, dubbed Stuxnet, is a worm with trojan-like behavior: it masquerades as legitimate software once on a machine. It spreads from USB "thumb drive" memory devices, exploiting a vulnerability in the way Microsoft Windows handles shortcut (.lnk) files; Microsoft has since issued a patch for the flaw.
The worm attacks widely used industrial automation control systems made by Siemens AG, targeting the Siemens software (SIMATIC WinCC and Step 7) used to run Supervisory Control and Data Acquisition (SCADA) systems that monitor automated plants.
The sophistication of Stuxnet suggests that a state may have been involved in its creation, Reuters reported on Friday citing Western cyber security firms.
"Stuxnet is a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world," said the Moscow-based Internet security firm Kaspersky Lab in a statement.
The attack could only be conducted "with nation-state support," the company said.
The Stuxnet worm is able to recognize a specific facility's control network and then destroy it, said Ralph Langner, a German computer security expert.
"Welcome to cyber war," he wrote in a posting on his Web site.
"This is sabotage."
Some 60 percent of the computers infected by the virus were in Iran, indicating that systems in that nation were the target, said Kevin Hogan, Senior Director of Security Response at Internet security firm Symantec.
"It's pretty clear that based on the infection behavior that installations in Iran are being targeted," Hogan told Reuters.
"The numbers (of infections in Iran) are off the charts," he added.
Hogan said that Symantec had located the IP addresses of the infected computers, and had traced the spread of the malicious code.
A number of experts are now speculating that Iran's first nuclear power station, at Bushehr, may have been targeted in a state-supported attempt at sabotage or espionage.
But an official with the U.S. Department of Homeland Security would not discuss whether or not the department believed the Bushehr facility was the primary target of the attacks.
"It's very hard to understand what the code was developed for," said Sean McGurk, who runs the U.S. National Cybersecurity and Communications Integration Center.
The malware is capable of taking control of physical systems when a certain combination of Siemens software and hardware is present, Reuters quoted him as saying.
"We're not looking right now to try to attribute where it came from."
"What we're focusing on is how to mitigate and prevent the spread," he said, showing a blue USB thumb drive he said contained the malicious worm.
"Once it's in the operating system it no longer requires this to move around."
"It looks for a particular combination of a software code, or an application, and a hardware platform."
"If it finds it, then it starts manipulating some of the settings" of the programmable logic controllers, he said. Such devices (PLCs) are used for a variety of purposes, such as moving the robot arms that build cars, opening elevator doors and controlling HVAC systems.
The infected Siemens control systems were used in applications ranging from power generation to pharmaceutical and chemical manufacturing and water purification.
Some security sources and diplomats have said that Western governments and Israel see sabotage as one method of slowing Iran's nuclear program, Reuters reported.
Although Tehran has repeatedly insisted that its nuclear facilities are intended for peaceful energy purposes, many Western nations suspect Iran is using them to produce nuclear weapons.
Hogan said that major facilities such as oil refineries, factories, water works or sewage plants could be among the targets of the virus.
"We cannot rule out the possibility (of a state being behind it). Largely based on the resources, organization and in-depth knowledge across several fields ... it would have to be a state or a non-state actor with access to those kinds of (state) systems."
Siemens helped complete the original design of Iran's Bushehr reactor during the 1970s, when West Germany and France agreed to build the nuclear power station for the former Shah before he was overthrown in the 1979 Islamic revolution. Siemens says it has not provided Iran with any industrial control systems usable for nuclear facilities, but experts say such systems can be obtained on the open market.
Construction of two pressurized water nuclear reactors at Bushehr began in 1974. After being shelved for many years, the plant started up last month after Iran received nuclear fuel from Russia.
Western nations have long criticized Russia's involvement in completing the plant, although Moscow maintains the facility is civilian and cannot be used to make weapons.
Israel has hinted that it could attack Iran's nuclear facilities if international diplomacy fails to stop Tehran's nuclear ambitions.
Last year Major-General Amos Yadlin, chief of Israel's military intelligence, said Israeli armed forces had the means to provide network security and launch cyber attacks.
Siemens, Microsoft and other security experts who have studied the worm have not yet identified who created it.
Speaking from Washington on Thursday, Vice Admiral Bernard McCullough, who leads the U.S. Navy's Fleet Cyber Command, told Reuters that the worm "has some capabilities we haven't seen before."
Langner said Bushehr might have been the target, with the attack exploiting the facility's use of unlicensed Windows software.
"This is sabotage. ... The attack involves heavy insider knowledge," he wrote in a blog post last week.
"It seems that the resources needed to stage this attack point to a nation state."
Stratfor vice president Fred Burton, a former U.S. counterterrorism agent, said he suspects the cyber attack is part of a covert action by a nation state's intelligence service to disrupt Iran's military or nuclear aims.
"Disinformation causes disruption and internal witch hunts, lacing the seed of doubt as to who could have done this. The internal security blowback will cause chaos. Brilliant if true."