See update below.
A computer virus (or worm) hits the front pages: Stuxnet. The piece of “hypersophisticated malware” has apparently targeted the Iranian nuclear program, and might have been successful already. The sharp drop in the number of fed, spinning centrifuges at Natanz since June 2009 may in fact be a result of sabotage (as has been speculated for some time). With 60% of all infected computers located in Iran, the country seems to be the main target, although computers in India and Indonesia are also heavily affected. As the Iranian news agency MehrNews reported yesterday, Stuxnet has infected 30’000 industrial computers in Iran.
Stuxnet, a piece of malware so complex that it can be ruled out that it was developed by individual hackers or nerds, attacks industrial equipment control software provided by Siemens, the company which supplied much of the software and hardware of Iran’s first nuclear power plant in Bushehr. Interestingly, a German software security engineer, Ralph Langner, with expertise in the industrial control system software created by Siemens for worldwide use in factories, refineries and power plants, has recently successfully analyzed the malware. He concludes:
“1. This is sabotage. What we see is the manipulation of one specific process. The manipulations are hidden from the operators and maintenance engineers (we have the intercepts identified).
2. The attack involves heavy insider knowledge.
3. The attack combines an awful lot of skills — just think about the multiple 0day vulnerabilities, the stolen certificates etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents house. To me, it seems that the resources needed to stage this attack point to a nation state.
4. The target must be of extremely high value to the attacker.
5. The forensics that we are getting will ultimately point clearly to the attacked process — and to the attackers. The attackers must know this. My conclusion is, they don’t care. They don’t fear going to jail.
6. Getting the forensics done is only a matter of time. Stuxnet is going to be the best studied piece of malware in history. We will even be able to do process forensics in the lab. Again, the attacker must know this. Therefore, the whole attack only makes sense within a very limited timeframe. After Stuxnet is analyzed, the attack won’t work any more. It’s a one-shot weapon. So we can conclude that the planned time of attack isn’t somewhen next year. I must assume that the attack did already take place. I am also assuming that it was successful. So let’s check where something blew up recently.”
In an interview with CSMonitor, Langner mentions that a possible target might be the Bushehr reactor, which is about to go online right now. Langner points to a picture (by Mohammad Kheirkhah) which he had found on a public news website. It had apparently been taken in the Bushehr power plant on February 25, 2009, i.e., around 18 months before fuel was about to be fed into the reactor. The screen shows a schematic diagram of a process control system, a “Siemens supervisory control and data acquisition (SCADA) industrial software control system called Simatic WinCC.” Of concern is the error message in the dialogue box:
“WinCC runtime licence: Your software licence has expired. Please obtain a valid licence.”
If it is true that Stuxnet targets SCADA, the picture seems to be an invitation for a cyber attack. While the Bushehr reactor is not of so much international concern, another site is Natanz, Iran’s main fuel enrichment plant (FEP). Decreasing numbers of spinning centrifuges for uranium enrichment have been reported since June 2009 by the International Atomic Energy Agency (IAEA). Technical problems have been mentioned for some time, and sabotage has been regarded as possible. Frank Rieger at the Knowledge Brings Fear blog points to a number of ominous coincidences. As WikiLeaks has revealed, an accident at the FEP in Natanz had occurred early in July 2009. At about the same time, the BBC had reported on the resignation of Gholam Reza Aghazadeh, then head of Iran’s Atomic Energy Organization, in June 2009.
It will be interesting to follow up Iran’s efforts to battle this semiofficially admitted first cyber attack of which we got to know. And, of course, which government can be held accountable: the U.S., the U.K., Israel, or Russia? They might be considered as candidates for the 2011 Nobel Peace Prize.
Update September 30, 2010. A file name inside the code of the Stuxnet worm program contains “Myrtus” (see pp. 13f), alluding to the book of Esther in the Old Testament (Esther was born as Hadassah, similar to hadas, Hebrew for myrtle). The New York Times today speculates that this might hint at the creators of the worm, which apparently had targeted Iranian nuclear facilities. Apparently successfully. Bushehr power plant’s supply of energy has been delayed to early 2011. The tale of Esther describes how Jews in ancient Persia preempted a plot of genocide but committed genocide of the Persians later on.