There has been much speculation in the press as to whether the U.S. or Israel would go so far as to bomb Iranian facilities in an attempt to halt or delay that country's attempts to go nuclear. But what if the U.S., Israel, or some other country had dealt a similarly crippling blow to Iran and almost no one noticed?
According to the New York Times, the Iranian news service ISNA reported yesterday that "officials from Iran’s atomic energy agency had been meeting in recent days" to discuss how to deal with a particularly sophisticated piece of malware, the Stuxnet worm. Stuxnet, discovered in June 2010 and a subject of fascination in the computer security industry, is the first worm known to specifically target industrial control systems. It spreads through a combination of previously unknown (zero-day) and already patched Windows vulnerabilities, seeks out machines running Siemens' WinCC SCADA (supervisory control and data acquisition) software - the software used to monitor and control industrial processes, including those of nuclear power plants - and from there reaches the programmable logic controllers (PLCs) that actually run the process.
Although the Stuxnet worm has been discovered in a number of countries, including Pakistan, Germany, and even the U.S., it appears to have infected a disproportionate number of machines (some 60% of the infections) in Iran, according to the NYT:
Mahmud Liai of the Ministry of Industry and Mines was quoted as saying that 30,000 computers had been affected, and that the virus was “part of the electronic warfare against Iran.”
And according to the BBC, Iranian officials are "racing" to stop the spread of the worm.
In his analysis, later expanded upon in a presentation alongside Siemens officials, German security researcher Ralph Langner notes:
The attack combines an awful lot of skills -- just think about the multiple 0day vulnerabilities, the stolen certificates etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents' house. To me, it seems that the resources needed to stage this attack point to a nation state.
Symantec security analysts describe how the attack chain works:
Once within a network — initially delivered via an infected USB device — Stuxnet used the EoP [elevation of privilege] vulnerabilities to gain administrative access to other PCs, sought out systems running the WinCC and PCS 7 SCADA management programs, hijacked them by exploiting either the print spooler or MS08-067 bugs, then tried the default Siemens passwords to commandeer the SCADA software.
They could then reprogram the so-called PLC (programmable logic control) software to give machinery new instructions.
On top of all that, the attack code seemed legitimate because the people behind Stuxnet had stolen at least two signed digital certificates.
A Christian Science Monitor article on the attack describes how the worm, despite infecting thousands of computers in dozens of countries, appears to have been written to attack a single target:
"Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open," Langner says in an interview. "The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process."
...
Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down.
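The practical lesson from the passage above is that the PLC program itself is the asset under attack, and that a controller whose logic has been silently rewritten will keep reporting that all is well. The added example below, which is not code from the article, from Langner or from Siemens, shows the check an engineer would put in place: hash the known-good logic blocks of a controller, authenticate the baseline with an HMAC so it cannot itself be quietly edited, and report any block that was modified, added or removed. It assumes a simplified model in which PLC program blocks are a mapping of S7-style block names (OB/FB/FC/DB, assumed here) to their raw bytes; on a real system those bytes would be read from the controller with a tool that does not run on the possibly compromised engineering workstation, since a compromised host can return a forged copy of the program. The block contents and key are constructed placeholders.

```python
"""Detect unauthorized PLC logic changes by comparing block hashes to a baseline.

Added example, not code from the article or from Siemens. PLC program blocks
are modelled as a dict of block name -> raw block bytes; on a real controller
they would be read with an independent tool, not through the engineering PC.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Only logic blocks are baselined. Data blocks (DB) legitimately change at
# runtime and would produce constant false alarms. Block-name prefixes follow
# the Siemens S7 convention; this is an assumption of the example.
CODE_PREFIXES = ("OB", "FB", "FC")


def hash_blocks(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every logic block, keyed by block name (data blocks skipped)."""
    return {
        name: hashlib.sha256(data).hexdigest()
        for name, data in blocks.items()
        if name.startswith(CODE_PREFIXES)
    }


def _mac(hashes: Dict[str, str], key: bytes) -> str:
    """HMAC over canonical JSON so the baseline file itself is tamper-evident."""
    canonical = json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_baseline(blocks: Dict[str, bytes], key: bytes) -> dict:
    """Hash the known-good program and authenticate the result.

    The key must live somewhere the engineering workstation cannot reach;
    otherwise an attacker who rewrites the PLC can rewrite the baseline too.
    """
    hashes = hash_blocks(blocks)
    return {"hashes": hashes, "mac": _mac(hashes, key)}


def diff_blocks(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which logic blocks changed, appeared, or disappeared."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def check_against_baseline(baseline: dict, current_blocks: Dict[str, bytes], key: bytes) -> Dict[str, List[str]]:
    """Verify the baseline's MAC, then diff the live program against it."""
    if not hmac.compare_digest(_mac(baseline["hashes"], key), baseline["mac"]):
        raise ValueError("baseline file has been altered or the key is wrong")
    return diff_blocks(baseline["hashes"], hash_blocks(current_blocks))


# Constructed sample data. The bytes stand in for compiled block code and are
# not real S7 instructions; the key is a placeholder for the demonstration.
DEMO_KEY = b"demo-baseline-key-stored-off-the-engineering-pc"
KNOWN_GOOD = {
    "OB1": b"call FC1; call FC2; end",
    "FC1": b"read input word 256 -> MW10; end",
    "FC2": b"write MW10 -> output word 256; end",
    "DB1": b"\x00\x00\x01\xf4",
}
AFTER_CHANGE = {
    "OB1": b"call FC1; call FC99; call FC2; end",   # extra call spliced into the cyclic block
    "FC1": b"read input word 256 -> MW10; end",
    "FC2": b"write MW10 -> output word 256; end",
    "FC99": b"write constant -> output word 256; end",  # new block driving the output itself
    "DB1": b"\x00\x00\x02\x0a",                        # process data changed at runtime: ignored
}

if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD, DEMO_KEY)
    print(check_against_baseline(baseline, AFTER_CHANGE, DEMO_KEY))
```

Run stand-alone, the script reports `OB1` as modified and `FC99` as added while the changed data block is ignored. The same comparison run periodically from a host the attacker does not control is what would have turned a "manipulation of a specific industrial process" into a visible change to the program, whatever the process being targeted.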
What security researchers may never know for certain is what Stuxnet's target actually was. A further CSM article lays out competing arguments that the target was Iran's Bushehr nuclear power plant, or its uranium-enrichment centrifuge facility at Natanz. Of course, it could also have been neither.
The source of the attack also remains a mystery, although the U.S. and Israel would seem to be prime suspects because of their antipathy towards Iran and its nuclear program. According to a 2009 New York Times report, "President George W. Bush had authorized new efforts, including some that were experimental, to undermine electrical systems, computer systems and other networks that serve Iran’s nuclear program." However, France, Germany, Russia and China also have the capability to mount such an attack.
And as recently as last year, Reuters reported that Israel was actively contemplating such an attack against Iran.
The appeal of cyber attacks was boosted, Israeli sources say, by the limited feasibility of conventional air strikes on the distant and fortified Iranian atomic facilities, and by US reluctance to countenance another open war in the Middle East.
...
Such attacks could be immediate, he said. Or they might be latent, with the malware loitering unseen and awaiting an external trigger, or pre-set to strike automatically when the infected facility reaches a more critical level of activity.
As Iran's nuclear assets would probably be isolated from outside computers, hackers would be unable to access them directly, Borg said. Israeli agents would have to conceal the malware in software used by the Iranians or discreetly plant it on portable hardware brought in, unknowingly, by technicians.
"A contaminated USB stick would be enough," Borg said.