Saturday, October 2, 2010

More on Stuxnet

Stuxnet is malicious software that attacks industrial control systems, alters their code, and allows the attacker(s) to gain control of the physical machinery and equipment within a plant. Microsoft has estimated that Stuxnet had infected 45,000 computers by August.

The worm specifically targets an industrial controller made by Germany’s Siemens and used in nuclear reactors. Researchers at Symantec, a leading IT company, estimate that 60 percent of all infected computers are located in Iran, raising suspicion that the attackers are targeting Iran’s nuclear facilities (Financial Times, 3 October).

A project manager at the Bushehr nuclear reactor confirmed last week that Stuxnet had infected some of the computers at the facility, although he emphasized that no serious damage was done. But Iran’s Bushehr nuclear reactor and the Natanz uranium enrichment plant are both detached from the Internet. The attackers are suspected of having placed infected USB sticks at Bushehr through Russian engineers building the plant.

The Financial Times quotes Hamid Alipour of Iran’s state-owned Information Technology Company as saying that the attack is still ongoing and new versions are spreading.

There are some clues linking the attackers to Israel. Researchers have found references buried inside the Stuxnet code, such as the word “Myrtus,” used in the Old Testament in a story on Jewish-Persian relations. Also within the cryptic messages is the date 9 May 1979, which could point to the day the Islamic Republic executed the famous Jewish Iranian businessman Habib Elghanian. The Financial Times reports that some point the finger at Israel’s Unit 8200, its secretive cyberwarfare operation.


WMD said...

A hacker's casting version of the Book of Esther would be:

Haman played by Ahmedinejad ?
Ahasuerus played by "the Green movement" ?

...and extra's

Nader Uskowi said...

Thanks so much for the link. Interesting reading!

In previous comments you had discounted the possibility of the direct involvement by the Israeli government agencies, believing more that a student or a small private group might be at work here. With the new info, do you still think it is not the work of agencies like Unit 8200?

WMD said...

State actor still unlikely.
The worm was able to exchange info with "Command & Control" servers which could upload (updated) malware to it. The strange thing is that at the point of infection it already contained a big piece of malware so there was no immediate need for exchange while all this traffic only made it more conspicuous.

IMO it was meant to create the current media frenzy and embarrassment, ideally after having inflicted a lot of (nuclear) damage which I don't think it did fortunately.

Now this sophisticated piece of software is in the "public domain" and not very useful anymore to state actors. Maybe someone "borrowed" it from these guys for his own private purposes.

Anonymous said...

Sites like DebkaFile have been pushing the Israeli angle on this big time. I think it's most likely BS.

According to reliable info India (a close Israeli/US ally) actually had the highest case of infections along with other states like Indonesia. My view is that this is part of a typical pro Israeli PR campaign. I think Iranian authority figures are going along with it just to have something else to blame on Israel. In other words they're fighting PR fire with PR fire. If Israel is trying to take credit for this then let them take the blame.

WMD said...

@ anon./October 2, 2010 8:52 AM

As of Aug. 22 the Iranians appear to have cut off all traffic to the Command & Control servers so, yes, after that date another country leaped to the top of the list.

It's a bit of an embarrassment (their own fault IMO), but the good news is that it could have been much worse and the worm is in the "public domain" now so the more secretive state actor versions will have a harder time to stay hidden.

Nader Uskowi said...

Thanks to WMD for valuable insight, as always.

On the PR front, referred to by Anon 8:52 AM, the Israelis have not said a thing directly as of yet. The Iranians have fumbled the ball, as usual: two days ago the foreign ministry spokesman denied any cyber attack on the country's nuclear facilities, calling the reports "propaganda by the enemies." Today, the intelligence minister confirms the cyberattack reports. Unless Moslehi is part of the "propaganda" efforts against Iran, this shows a total lack of coordination between the Iranian agencies. This is how one loses PR war.

Solidus said...

I seriously doubt that Israel is responsible for the Stuxnet worm. This worm is described as highly sophisticated and therefore would not be within the capability of Israel's minor league programming capabilities. More likely it is an Iranian ruse, which is designed to distract attention from their steady progress toward developing various nuclear applications. One must not forget that Iranians are far more clever than other "enemies" we've taken on. What the U.S. has taken on were countries already completely weakened and still, after eight years, the resistance fighters of Afghanistan persevere. Iran, on the other hand, is a vibrant country with a highly intelligent population, and bristling with military equipment and manpower. This is why the U.S. or Israel won't dare attack them.

Another thing to remember is that two or more can play the computer-worm game.

Anonymous said...

You should never underscore your enemies no matter who they are. If Israel has anything to do with this then they would most certainly want Ahmadinejad to believe that it wasn't them. You're brainwashed and delusional. Look at the facts, if India or Indonesia had the highest case of infections, then why is only Iran suffering major consequences from this bug? By all accounts, this is looking more and more like a targeted group effort from possibly several countries united. Now Ahmadinejad is looking for outside help to stop the destructive virus because by trying to stop it themselves, they have only made it worse because the virus hits back harder if you irritate it. Now if Ahmadinejad is looking for payback, I would hope he would do it openly himself instead of hiding like a coward behind Hamas or Syria to fight his battles.