Evidence suggests Stuxnet worm set Iran’s nuclear program back

Stuxnet, the computer worm that spread among industrial machinery, is commonly believed to have been created by Israeli and American intelligence forces to take down the nuclear weapons machinery in Iran.

The New York Times delved into that topic today in a long story that examines the evidence and reveals new details about the computer worm, which is among the most sophisticated ever created. The story includes some interesting technology details that show just how clever it was and how much damage it may have done to Iran’s centrifuges, the critical equipment that is used to make fuel for the nuclear facilities in Natanz, Iran. Iranian officials acknowledged that the start-up of the country’s Bushehr Nuclear Power Plant has been delayed in part because of Stuxnet.

While it may have done damage to Iran’s nuclear program, Stuxnet is also like a genie out of the bottle. Now that it exists, other cybercriminals will seek to take advantage of its techniques in attacking other targets.

Stuxnet is a Windows-based computer worm first described by security researchers in Belarus in June 2010. It was unusual in that it targeted industrial systems that use Siemens’ software. Russian security firm Kaspersky Labs said that Stuxnet is a “prototype of a cyber weapon that will lead to the creation of a new arms race in the world.” Kaspersky believes that the worm could only have been created with “nation-state support.”

One of the purposes of Stuxnet was to send Iran’s nuclear centrifuges “spinning wildly out of control,” causing irreparable damage. Another clever feature was to record what normal operations at the plant sounded like and then to play the readings back to the plant operators, like a pre-recorded security tape in a bank robbery, so that it would appear “that everything was operating normally while the centrifuges were actually tearing themselves apart.” The ruse prevented a safety system from shutting down the machines.

The attacks were only partially successful, but it is possible the worm contains the seeds for more attacks. Stuxnet also faked digital security certificates, something that suggested a sophisticated creator. Digital signatures are certificates for web sites that verify that they are who they say they are and are malware free. Antivirus software tends to give a free pass to any software that shows it has a digital signature certificate

The worm was also evidently transmitted through shared universal serial bus (USB) memory modules, since the centrifuge machines are not connected to the internet.

The story suggests that the U.S. government had a hand in identifying the weaknesses of the Siemens software. In 2008, the German company worked with the U.S. Idaho National Library, part of the Energy Department, to identify the holes in Siemens systems. Those holes were exploited by Stuxnet. American and Israeli officials have declined comment on whether they collaborated in creating Stuxnet.

The Department of Homeland Security teamed up with the Idaho National Laboratory to study a widely used Siemens industrial controller, known as Process Control System 7, which can control lots of instruments, machines and sensors at the same time. The lab acknowledges it created a report on the cyber-vulnerabilities but did not detail specific flaws.

According to WikiLeaks disclosures, the State Department described urgent efforts in April 2009 to stop a shipment of Siemens controllers, contained in 111 boxes at the port of Dubai, from getting to Iran. The United Arab Emirates blocked the transfer of the Siemens computers. Shortly after that, Stuxnet struck. Symantec found it did a lot of damage in Iran but also struck in countries such as India and Indonesia. Symantec’s Kevin Hogan, a security expert, said that 60 percent of computers infected by Stuxnet at one point were in Iran.

A German security researcher, Ralph Langner, discovered that the worm kicked into gear when it detected the presence of a specific configuration of controllers, running a set of processes that appear to exist only in a centrifuge plant. One piece of the code sent commands to 984 linked machines, Langner found. And nuclear inspectors visiting Natanz in late 2009 found that the Iranians had taken out of service exactly 984 machines that were running the previous summer.

The New York Times said that Israel likely tested Stuxnet on rows of centrifuge machines running at the secret Dimona complex where Israel makes its fuel for nuclear weapons, in the midst of the Negev desert. In November, Iranian president Mahmoud Ahmadinejad said a cyberattack had “caused minor problems with some of our centrifuges.” Two Iranian scientists believed to be part of the nuclear program were hit with car bombs in Iran in late November, which killed one of them and seriously injured the other.

The whole point of the Stuxnet worm was to disrupt the Iranian program, setting it back a few years, without triggering a war between Israel and Iran. But McAfee said that “Stuxnet has infected thousands of computers of unintended victims from all over the globe.”

[stuxnet map: UMBC ebiquity]