Information Warfare: Iran Admits That Stuxnet Bit Them


December 2, 2010: The more engineers and Internet security experts dig into Stuxnet, the more obvious it becomes that this computer worm (a computer program that constantly tries to copy itself to other computers) was designed as a weapons-grade cyber weapon. But weapons like Stuxnet are nothing new. For nearly a decade, cyberwar and criminal hackers have planted programs ("malware") in computer networks belonging to corporations or government agencies. These programs, called "Trojan horses" or "zombies", are under the control of the people who plant them, and can later be used to steal, modify or destroy data, or to shut down the computer systems the zombies are on. The zombies are secretly placed using freshly discovered, and exploitable, defects in software that runs on the Internet. These flaws enable a hacker to get into other people's networks. Called "Zero Day Exploits" (ZDEs), in the right hands these flaws can enable criminals to pull off a large online heist, or simply maintain secret control over someone's computer. Stuxnet contained four ZDEs, two of which were previously unknown, indicating that whoever built Stuxnet had considerable resources. The fact that Stuxnet was built to sabotage an industrial facility spotlights another growing problem: the vulnerability of industrial facilities. The developers of systems control software have been warned about the increased attempts to penetrate their defenses. In addition to terrorists, there is the threat of criminals trying to extort money from utilities or factories with compromised systems, or simply sniffing around and selling data on vulnerabilities to Cyber War organizations. But in the case of Stuxnet, the target was Iran's nuclear weapons operation.

Last month, Iran insisted the delay (until next year) in starting up the Bushehr nuclear plant had nothing to do with the Stuxnet computer worm. Now it appears they were right, and that Stuxnet was designed to shut down other parts of Iran's nuclear weapons program.

Stuxnet is being blamed on Israel or the United States. It was only discovered four months ago. It is believed to have been released in late 2009, and millions of computers have been infected as the worm sought out its Iranian target. At first, the target was believed to be the Iranian nuclear power plant at Bushehr. Iran says it has cleaned the worm out of the Bushehr plant, but no one is sure about that, and now Bushehr is not going to start producing electricity this year, as scheduled. Iran says the delay was caused by a leak.

Work on Bushehr has definitely been disrupted by Iranian paranoia, as security agents swarm the place, making the staff nervous, and causing many Russians to flee the country out of fear of arrest. Iran has already announced that several "spies" were arrested for getting Stuxnet into Bushehr. It was believed that some of those arrested were Russian technicians working at Bushehr, as many of them quickly left Iran after Iran began looking for traitors.

Stuxnet was designed to interrupt the operation of the control software used in various types of industrial and utility (power, water, sanitation) plants. But further analysis has revealed that Stuxnet was programmed to subtly disrupt the operation of gas centrifuges, which are used to enrich uranium to the point where it can be used as fuel for a nuclear warhead. Messing with the centrifuges would seriously delay Iranian efforts to build an atomic bomb. Moreover, Stuxnet's dense and complex code appears to conceal even more surprises.

The Stuxnet "malware" was designed to hide itself in the control software of an industrial plant, making it very difficult to be sure you have cleaned all the malware out. This is the scariest aspect of Stuxnet, and it is making Iranian officials nervous about other Stuxnet-type attacks having been made on them. Iran eventually admitted that Stuxnet did damage some of their centrifuges, but not too many. Iran is not revealing details of when Stuxnet got to the centrifuges, or how long the malware was doing its thing before it was discovered to exist. This accounts for the unexplained slowdown in Iran getting new centrifuges working. Whoever created Stuxnet probably knows the extent of the damage, because Stuxnet also had a "call home" capability.

The U.S. and Israel have been successful with "software attacks" in the past. This stuff doesn't get reported much in the general media, partly because it's so geeky, and because there are no visuals. It's computer code and arcane geekery that gets it to its target. But the stuff is real, and the pros are impressed by Stuxnet, even if the rest of us have not got much of a clue.
