The Stuxnet worm appeared to use contaminated hardware in an attempt to cripple Iran’s nuclear programme. Photograph: Matthew Baker/PA
The malware has so far infected as many as 45,000 computer systems around the world.
Siemens AG, the company that designed the system targeted by the worm, said it has infected 15 of the industrial control plants it was apparently intended to infiltrate.
One of them is Iran’s first nuclear power station at Bushehr, just weeks before the facility is to go online.
The malicious Stuxnet computer code was apparently constructed by a small team of as many as five to 10 highly educated and well-funded hackers, said an official with the web security firm Symantec.
The memory sticks were scattered in a washroom of a US military base in the Middle East that was providing support for the Iraq war.
They were deliberately infected with a computer worm – the undisclosed foreign intelligence agency behind the operation was counting on the fallibility of human nature.
According to those familiar with the events, it calculated a soldier would pick up one of the memory sticks, pocket it and – against regulations – eventually plug it into a military laptop.
They were correct.
The result was the delivery of a self-propagating malicious worm into the secure computer system of the US military’s central command – Centcom – which would take 14 months to finally eradicate in an operation codenamed Buckshot Yankee.
That attack took place in 2008 and was only acknowledged by the Pentagon this August. It is strikingly similar to the recently disclosed cyber attack on Iran’s nuclear facilities with the Stuxnet worm, which also appears to have used contaminated hardware in an attempt to cripple Iran’s nuclear programme, rather than using bombs dropped from the air.
Where these two incidents differ from previous high-profile cyber attacks, including some backed by states, is the fact that they have gone far beyond cyber annoyance – even on a grand scale – and pushed towards real cyberwar.
Like the attack on Centcom’s computers, the Stuxnet worm, which Iran admits has affected 30,000 of its computers, was a sophisticated attack almost certainly orchestrated by a state, a sabotage operation using computer code as a weapon. It appears intelligence operatives were used to deliver the worm to its goal.
Its primary target, computer security experts say, was an off-the-shelf Siemens-manufactured control system used widely by Iran – not least in its nuclear facilities.
Yesterday Iran confirmed that the worm had been found on laptops at the Bushehr nuclear reactor – which had been due to go online next month but has now been delayed. It denied the Stuxnet worm had infected the main operating system or been responsible for the problems.
“I say firmly that enemies have failed so far to damage our nuclear systems through computer worms despite all of their measures and we have cleaned our systems,” Ali Akbar Salehi, the head of Iran’s atomic energy agency, told the Iranian Students News Agency this week.
If the Stuxnet attack on Iran has suggested what a limited act of cyber sabotage might look like, on Tuesday the United States attempted to imagine what an all-out cyberwar might look like and whether it was equipped to deal with it.
In an exercise named Cyber Storm III involving government agencies and 60 private sector organisations including the US banking, chemical, nuclear energy and IT sectors, it presented a scenario where America was hit by a coordinated cyber shock and awe campaign, hitting 1,500 different targets. The results of the exercise have not been released.
One of those who believes that cyberwar has finally come of age is James Lewis of the Centre for Strategic and International Studies in Washington. Lewis says that while previous large-scale hacking attacks, including a Russian attack on Estonia, were largely significant for their annoyance value, Stuxnet and the attack on Centcom represented the real use of malicious programmes as significant weapons.
“Cyberwar is already here,” says Lewis. “We are in the same place as we were after the invention of the airplane. It was inevitable someone would work out how to use planes to drop bombs.
“Militaries will now have a cyberwar capability in their arsenals. There are five already that have that capacity including Russia and China.”
Of those Lewis says he believes only three have both the motivation and organisational and technical capacity to mount the Stuxnet attack on Iran: the US, Israel and the UK.
Lewis says too that while the destructive potential of cyberwar was once seen as somewhat notional, that perception changed in the US in particular after a deliberately staged remote hack of an electric generator at the Idaho National Laboratory. The attack, which came via the internet, demonstrated that infrastructure – like power plants – could be persuaded to destroy itself.
“There is growing concern that there has already been hostile reconnaissance of the US electricity grid,” he said.
Last year the Wall Street Journal quoted US intelligence officials describing how cyber spies had charted the on-off controls for large sections of the US grid and its vulnerability to hacking.
The head of the Pentagon’s newly inaugurated US Cyber Command at Fort Meade, General Keith Alexander, has said in recent remarks that it is not a question of if but when America is attacked by something like the Stuxnet worm.
In recent testimony to Congress, Alexander underlined how the cyberwar threat has rapidly evolved in the last three years, describing two of the most high-profile attacks on nations – the 2007 assault on Estonia and the 2008 attack on Georgia during its war with Russia – which were both blamed on Moscow.
Those were both so-called “denial of service” attacks that briefly disabled computer networks. It is not that kind of cyberwar that is frightening America’s top cyber warrior. “What concerns me the most,” he told the House armed services committee, “are destructive attacks.” Like Stuxnet.
Alexander is one of those who favours binding agreements – similar to nuclear weapons treaties – with countries like Russia limiting the retention and use of cyberwar technology.
One of the problems that will confront states in this new era, it has become increasingly clear, is identifying precisely who is behind any given attack.
Some analysts believe Israel is the most likely culprit in the Stuxnet attack on Iran – perhaps through its cyberwar Unit 8200, which has been increasingly heavily resourced.
They point to a reference in the worm’s code to Myrtus – an oblique reference to the biblical Esther and the Jews’ pre-emption of a plot to kill them. Other analysts argue that writers of malicious computer code are now so sophisticated that they deliberately plant red herrings to put investigators off the scent.
Dave Clemente, a researcher into conflict and technology at the Royal United Services Institute at Chatham House, argues that where once the threat from cyberwar was “hyped … reality has quickly caught up”.
“You look at the Stuxnet worm. It is of such complexity it could only be a state behind it.”
Clemente points to the fact that the attack used four separate unpublicised flaws in the operating system of the Iranian nuclear plant at Bushehr to infect it. Other experts note that Stuxnet used genuine verification code stolen from a Taiwanese company and that the worm’s designers had built in safeguards to limit the amount of collateral damage it would cause.
“The US and the UK are now putting large amounts of resources into cyber warfare, in particular defence against it,” adds Clemente. “We have a cyber command now operating in the US and in the UK there is now a cyber security operations centre in GCHQ and a new office of cyber security in the Cabinet Office.
“What I think you can say about Stuxnet is that cyberwar is now very real. This appears to be the first instance of a destructive use of a cyberwar weapon.”