Iran has confirmed that more than 30,000 PCs have been infected by the Stuxnet worm in that country, including some at the Bushehr nuclear power plant. The nature of the Stuxnet worm and the infiltration of Iranian nuclear facilities has led to speculation about whether the worm was developed by the United States or its allies expressly for that purpose.
McAfee AVERT Labs has a thorough analysis of the Stuxnet worm which explains the threat in detail. “Stuxnet is a highly complex virus targeting Siemens’ SCADA software. The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729). It also utilizes a rootkit to conceal its presence, as well as 2 different stolen digital certificates.”
Another interesting tidbit from McAfee supporting the speculation that Iran may have been the intended target of Stuxnet is that the initial infections appeared to be concentrated in the Middle East.
Speaking on the subject of whether the threat may have been specifically crafted for Iran, Randy Abrams, director of technical education at ESET, said, “It appears that it is possible that Stuxnet may have been responsible for problems in Iran’s nuclear program over the past year; however, that is speculation, and it is unlikely that the Iranian government is going to say if that was the case. It is even possible that it was the case and they don’t know it.”
Abrams added, “It is entirely possible that Stuxnet was created by the United States working alone or in conjunction with allies. The fact that it is possible does not indicate it is true however. There have been a number of recent defections in Iran. It is also possible that this was an internal attack. There is still a legitimate question as to whether or not Iran was actually the target.”
Qualys CTO Wolfgang Kandek says that although we may not be able to identify the original author of the Stuxnet worm its intent seems clear: “to modify the behavior of Siemens PLCs in a way that cannot be detected by the operator.”
Kandek speculates, “The attackers are most likely a team of experts from different areas. A high level of competence in the area of Siemens PLCs is required to know what protocol section to manipulate, and a high level of Windows knowledge was necessary to find and assemble the zero-day exploits. In addition, the choice of the existing Stuxnet as a carrier for the exploits was probably a conscious decision designed to delay its detection, as well-known Trojans receive less attention than new, unknown malware.”
Some other respected security experts I spoke with declined to speculate publicly, but gave a tacit “wink-wink” response indicating that they agree it’s possible, at least off the record. It is also possible that Stuxnet wasn’t created with Iran in mind, but that the United States or its allies seized an opportunity to put Stuxnet to use once it was discovered.
Odds are fair we’ll never know the real answer.