Worm in Iran marks new era of cyberwarfare
By GEOFF ZIEZULEWICZ | STARS AND STRIPES Published: October 4, 2010
A sophisticated computer worm that infested Iran’s nuclear facilities marks a new phase in cyberwarfare: the first time a cyberweapon has targeted a country’s infrastructure.
Analysts are still determining the origin and ultimate mission of the worm, known as Stuxnet. Iran’s official news outlet, the Islamic Republic News Agency, said the worm appeared in the computer network of Iran’s nuclear industrial complex earlier this year, but maintained it had not reached the main system.
While the majority of the worm’s activity appears to be taking place inside Iran, media reports noted that Stuxnet also infected millions of computers in China.
Iran’s nuclear activities have been a source of concern for the West, but any conventional attack against its nuclear facilities carries risks. A cyberattack, as opposed to dropping a 500-pound bomb, is more surgical and less prone to collateral damage.
Even as security experts work to dissect Stuxnet's intricate code, one thing is becoming clear: this is a game-changer, a development far beyond past efforts, which generally involved hacking for information or unleashing worms targeting personal computers.
“[Stuxnet] was designed for sabotage, rather than espionage,” said Dave Clemente, a cyberanalyst with the London-based Chatham House think tank. “That’s where it turns a corner into something that looks a bit new.”
Among the Iranian nuclear sites that could have been targeted by Stuxnet is Natanz, an underground enrichment site that has been the main target of American and Israeli covert programs, according to The New York Times.
“The sheer complexity of this worm seems to suggest it had quite a handful to deal with. The Iranians were up against something very difficult,” Clemente said. “It’s a wake-up call in terms of what can be done when a very well-resourced adversary puts its mind to the task.”
And unlike previous attacks, where viruses or worms infected computer networks via the Internet, Stuxnet was uploaded into the Iranian nuclear network via a USB device, according to Clemente.
Once inside, experts suspect the worm hunted for one particular industrial control configuration and, only when it found it, altered the controller's instructions so that the machinery it ran destroyed itself, blowing out essential equipment in the process.
Analysts say Stuxnet is so sophisticated that only a well-funded government effort could be responsible. That it was delivered by hand suggests the work of a nation state and not some lone hacker or independent group, Clemente said. A handful of countries, including the U.S., Israel and Russia, are believed to have the ability to craft such a weapon.
While not yet fully operational, U.S. Cyber Command officially came online Friday in an effort to coordinate defense of American military networks while uniting the services’ various cyber components.
Deputy Defense Secretary William Lynn, speaking Thursday night about U.S. cyberwar plans, said he did not know where Stuxnet came from, according to an NPR report. Asked about the U.S. military’s own offensive arsenal, Lynn refused to comment.
The Stuxnet worm exploits several vulnerabilities in Microsoft Windows, among them a flaw in how Windows handles shortcut files that lets it spread from USB drives without any user action, and it is engineered to target industrial control software made by the Germany-based industrial giant Siemens and the programmable logic controllers that software manages. Such systems are commonly used to run power plants, water utilities and other industrial operations.
“The fact that it’s out in the wild does mean that people will pick it up and use it,” potentially inciting “an arms race between those trying to shut it out and those trying to evolve it,” according to Dr. Ian Ferguson, a cybercrime expert at Abertay University’s School of Computing and Engineering Systems in Scotland.
Pinpointing where a cyberattack originated is a primary challenge, and it may never be clear who deployed Stuxnet, or how much damage it really caused, Ferguson said.
When banks or other institutions have been attacked, they tend to clam up for fear of a perceived loss of confidence, he said. The same applies in this case.
Stuxnet will also serve as a wake-up call for those in charge of critical networks around the world, the computer systems that run power plants and other essential cogs of modern society.
“They have to now wake up to the fact that they are targets,” Ferguson said.
Suddenly, he said, those who run critical systems are witnessing the kind of threat they may face.
The same scanning techniques used to keep computers clean could be applied to infrastructural networks, known as "embedded systems," but so far many industries have not adapted these tactics, he said.
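One concrete form the scanning Ferguson describes can take on a control-network host, added here as an example and not code from the article, from Siemens or from any of the experts quoted: where conventional anti-virus cannot be installed on an engineering workstation, or has no signature for a brand-new worm, a known-good baseline of the host's executables, libraries, shortcuts and project files still exposes anything that has been added, removed or replaced. The directory layout, file names and contents below are constructed for the demonstration and are not taken from any real system.

```python
"""Baseline-and-diff integrity scanner for an ICS engineering workstation.

Added example; not part of the original article and not vendor code.
Sample files are constructed in a temporary directory; every name and
byte string in demo() is illustrative.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth watching on a Windows engineering host: executables,
# libraries, drivers, shortcuts, autorun files and control-project files.
# Illustrative list; a real deployment tunes it to the vendor software in use.
WATCHED_SUFFIXES = {".exe", ".dll", ".sys", ".lnk", ".inf", ".tmp", ".s7p", ".mcp"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large installers do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every watched file under root (relative POSIX path) to its digest."""
    baseline: dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def scan(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Rescan root and report files that are new, gone, or changed since the baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(f for f in current.keys() & baseline.keys()
                      if current[f] != baseline[f])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, baseline it, simulate tampering, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Vendor").mkdir()
        (root / "Vendor" / "comms.dll").write_bytes(b"original vendor library")
        (root / "Projects").mkdir()
        (root / "Projects" / "line1.s7p").write_bytes(b"controller project")
        (root / "notes.txt").write_text("not a watched type, never reported")

        # In practice the baseline is stored off-host; written locally here
        # only so the example is self-contained.
        baseline_file = root / "baseline.json"
        baseline_file.write_text(json.dumps(build_baseline(root)))

        # Simulated tampering: a vendor library replaced, a project file
        # deleted, and an autorun file appearing on a removable-media path.
        (root / "Vendor" / "comms.dll").write_bytes(b"trojanised library")
        (root / "Projects" / "line1.s7p").unlink()
        (root / "E_drive").mkdir()
        (root / "E_drive" / "autorun.inf").write_bytes(b"[autorun]\nopen=setup.exe\n")

        return scan(root, json.loads(baseline_file.read_text()))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The value of the approach is that it needs no knowledge of the attacker's code, only of the host's own known-good state, which is exactly the situation defenders were in when Stuxnet first appeared. Two caveats a practitioner would add: the baseline must be taken from a clean install and kept (and ideally signed) somewhere the host cannot overwrite it, and changes flagged after a legitimate vendor update need a re-baseline, so the scan output should feed a change-control process rather than an automatic block.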
“It’s fundamentally changed our job, to be honest,” Eric Chien, technical director at Symantec’s Security Response Unit, told a cyber security conference this week, according to an NPR report. “It changes the urgency at which we have to analyze these threats and understand them.”
According to The Associated Press, state television reported Saturday that Iran’s intelligence minister said the country has learned how to fight the worm.
Heidar Moslehi was also quoted as saying authorities have arrested several nuclear spies, but he gave no details and it wasn’t clear if the developments were related.
While the Stuxnet saga has yet to fully play out, it is already clear that in the cyber world, things will never be the same.
“People have been talking about this in theory for a long time, and we’ve had movies that have demonstrated this kind of thing, but it’s never been done,” Chien said in the NPR report. “And now, it’s been done.”