Stuxnet Worm Was Weapon, Report Says

The Stuxnet worm that disrupted Iran's ability to enrich uranium into bomb-grade nuclear fuel was jointly created by Israel and the U.S., the New York Times said Saturday.

Citing confidential sources, the U.S. newspaper claimed that Israel's covert nuclear facility at Dimona was used to test the worm's effectiveness on centrifuges like the ones Iran employs at its Natanz complex, which has been plagued by technical problems.

The Times also spelled out other clues it said "suggest[ed] that the virus was designed as an American-Israeli project to sabotage the Iranian program."

Stuxnet, which first came to light in June 2010 but may have been aimed at Iran as early as mid-2009, has been extensively analyzed by security researchers, most notably a three-man team at Symantec, and by Ralph Langner of the German firm Langner Communications GmbH.

According to both Symantec and Langner, Stuxnet was most likely designed to infiltrate Iran's nuclear enrichment program, hide in the Iranian SCADA (supervisory control and data acquisition) control systems that operate its facilities, then force gas centrifuge motors to spin at unsafe speeds. Gas centrifuges, which are used to enrich uranium, can fly apart if spun too fast.

Symantec's analysis gained credence last November after the International Atomic Energy Agency (IAEA), the United Nations' nuclear watchdog, reported that Iran had stopped feeding uranium hexafluoride gas to its centrifuges at Natanz for about a week. Speculation quickly focused on Stuxnet as the reason for the shutdown.

On Nov. 29, Iran President Mahmoud Ahmadinejad admitted that a "limited" number of centrifuges had been affected by software he claimed had been installed by the country's enemies. It was the first time that an Iranian official had acknowledged the worm had struck its enrichment machinery.

Ahmadinejad has frequently blamed Israel and the U.S. for trying to destabilize his regime.

The New York Times' story amassed other circumstantial evidence that Stuxnet was a joint Israeli-U.S. creation.

According to the newspaper, Siemens -- the German maker of the SCADA systems purportedly used by Iran -- cooperated in 2008 with the Idaho National Laboratory (INL) to help experts there identify vulnerabilities in the control systems. The lab -- located about 30 miles east of Idaho Falls, Idaho -- is the U.S. Department of Energy's lead nuclear research facility.

Also in 2008, Siemens asked the Department of Homeland Security to conduct a security assessment on its popular PCS 7 control systems, a fact highlighted in a conference hosted by the INL and Siemens that year in Chicago.

Stuxnet targeted Siemens' PCS 7 control systems and its Step 7 software.

Israel, meanwhile, set up an unknown number of gas centrifuges at its top-secret Dimona complex, then tested Stuxnet on the machines and their control systems, according to the New York Times. The centrifuges were virtually identical to the ones used by Iran.

Dubbed "P-1" centrifuges because they were Pakistan's first-generation design, the machines are notoriously unpredictable, and often fail at rates much higher than more sophisticated designs. Iran's centrifuges are knock-offs of the P-1, and are usually identified as "IR-1" models.

But the Israelis, and perhaps the Americans at their own Oak Ridge National Laboratory in Tennessee, succeeded in getting several P-1 centrifuges up and running, the New York Times said. The publication cited an anonymous American expert in nuclear intelligence, who told the paper that the Israelis had used the P-1 centrifuges at Dimona to test Stuxnet's effectiveness.

An Israeli link to Stuxnet has been long suspected, both because Israel has been vocal about the danger posed by a nuclear-armed Iran and because of several obscure clues buried in the worm's code. Rather than launch a military strike, as it did against an unfinished Iraqi nuclear reactor in 1981, the scenario goes, the country decided to wage cyber warfare.

Other hints came from security researchers, who unanimously agreed that Stuxnet's complexity pointed to a state-sponsored project, probably one that involved a large team of programmers, SCADA experts and intelligence analysts.

Langner, who has spent months pulling the worm apart, said earlier this week that Stuxnet was a natural weapon for opponents of Iran's nuclear program to unsheathe.

"If any target would justify a full-blown cyberwar strike for the first time in history, those centrifuges certainly would," Langner said Jan. 10 on his blog, where he has spelled out his findings and speculations. Langner believes that Stuxnet's creators had access to what he called a "mockup test system" to try out their worm on actual centrifuges.

Although Stuxnet has apparently not crippled Iran's nuclear program, it seems to have seriously hindered it, perhaps more than some have thought. Just last week, for example, the outgoing head of Israel's Mossad intelligence service said setbacks meant Iran wouldn't be able to create a bomb before 2015.

Langner was more skeptical about Iran's chances of solving the problems created by Stuxnet.

"In the moment when they will have cleaned up all systems, a new dropper exploiting new Windows zero-day vulnerabilities will likely be underway already," Langner asserted last week, echoing research last September that said systems scrubbed of Stuxnet could be easily re-infected.

"The cyberwar nightmare for Tehran may have only just begun," said Langner.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
