06.10.2010
Sanctions siege turns into cyberwarfare
The Stuxnet virus is a new form of warfare. Instead of Iran being attacked by planes and missiles it has been USBs. Yassamine Mather reports
While Israel, the US and Britain keep up their rhetoric of ultimatums and threats against Iran, and escalate the siege warfare of economic sanctions, Hands Off the People of Iran has been warning of the very real and ominous danger of a so-called pre-emptive attack. Now things have taken an unexpected and dangerous turn. Throughout the last couple of months Iran’s nuclear plants as well as a number of major industrial complexes have been targeted by a sophisticated piece of malware: Stuxnet.
According to computer experts the virus’s complexity suggests it was written by a “nation state” and it is the first known worm designed to target not software, but real-world infrastructure such as power stations, water plants and industrial units. Last week, after many denials, Iran confirmed that 30,000 computers in the country’s power stations, including the nuclear reactor in Bushehr, had been attacked by the virus, blaming Israeli or American spies for infiltrating the plant.
A total of 40,000 computers worldwide are known to be affected by the virus. According to Liam Ó Murchú, manager of operations with Symantec’s security response team, “It’s amazing, really, the resources that went into this worm”. It is suggested that the virus was introduced to Iran not through the internet but on a memory stick, possibly by one of the Russian firms helping to build the Bushehr nuclear plant. The same firm has projects in other Asian countries, including India and Indonesia, which were also attacked. But Iran is thought to have suffered 60% of the attacks.
Stuxnet has already proven itself perhaps the most sophisticated piece of known malware to date, infecting computers through USB sticks, Windows file shares and other vectors. The virus exploits four known ‘zero-day’ vulnerabilities of the Microsoft operating system that until recently were unknown and unpatched. It spreads automatically without the computers user’s knowledge.
Machinery used in automated plants and high infrastructure industries is usually controlled by computers running the more reliable Linux operating system. Engineers and some computing experts have expressed surprise that Siemens used the bug-ridden Microsoft operating system for plant control. A photograph taken inside the Russian-built Bushehr plant shows a computer screen - configured to run a Siemens operating system - infected by Stuxnet and configured wrongly, making it vulnerable to bugs.
The virus was aimed at a popular process controller - the Siemens Simatic Programmable Logic Controller - and exploited a zero-day vulnerability in WINCC SQL database.
Industrial control systems (ICS) operate using a specialised software similar to an assembly code on programmable logic controllers (PLCs). The PLCs are often programmed from computers not connected to the internet or even internal local area networks. In addition, the industrial control systems themselves should not be connected to the internet. Reports from Iran suggest some of the recommendations about PLC security were not followed. The virus is autonomous - it requires no operator to direct its actions. Once it finds its target, it writes new code into the controller to change a process.
First, the attacker needs to obtain design documents. These could have been stolen by an insider, but it is likely that an earlier version of Stuxnet or another malicious program gave that information to the hackers. Once attackers had knowledge of the computing environment in the facility, they could develop the more dangerous version of Stuxnet. Each feature of Stuxnet was implemented for a specific reason and for the final goal of sabotaging the ICS.
Mahmoud Jafari, the director of Iran’s Bushehr reactor, was among those affected by the malware.
According to Ó Murchú, “The fact that we see so many more infections in Iran than anywhere else in the world makes us think this threat was targeted at Iran and that there was something in Iran that was of very, very high value to whomever wrote it”.
An Israeli military unit responsible for cyberwarfare is accused of creating Stuxnet to cripple Iran’s state computer systems and stop work at Bushehr nuclear power station. No one knows if Natanz, where uranium is being processed and where the US, UK and Israel claim nuclear weapons are being developed, has been penetrated by Stuxnet. However the number of working centrifuges, the main enrichment devices, produced in Natanz, fell suddenly by 15 per cent - at the very time the virus was first thought to have hit Iran.
Apparently there is also a biblical reference embedded in the code of the computer worm that points to Israel as the origin of the cyber attack. The code contains the word “myrtus”, which is the Latin biological term for the myrtle tree. The Hebrew word for myrtle, Hadassah, was the birth name of Esther, the Jewish queen of Persia.
The Book of Esther tells how the queen pre-empted an attack on the country’s Jewish population and then persuaded her husband to launch a pre-emptive attack before being attacked themselves.
Ralf Langner, a German researcher, claims that Unit 8200, the signals intelligence arm of the Israeli defence forces, perpetrated the computer virus attack by infiltrating the software into the Bushehr nuclear power station. Langner said: “It would be an absolute no-brainer to leave an infected USB stick near one of these guys and there would be more than a 50 per cent chance of him picking it up and infecting his computer.” Of course no one can prove whether Israel is behind this, though huge resources have been poured into Unit 8200, its secret cyberwarfare operation. The US department of defence and national security agency, and the UK’s GCHQ have also been establishing elaborate cyberoffensive capabilities, and it is possible that they cooperated with Israel or acted alone.
This week the German daily Sueddeutsche Zeitung reported that 15 companies using Siemens equipment have been affected by the virus and have subsequently informed Siemens of the incidents. The clients were power stations, chemical plants and other industrial facilities.
A major supplier of industrial automated sorting systems based in Holland has reported two attacks by the Stuxnet worm, while separately, the Dutch nuclear power plant Borssele is on high alert.
Even though the worm has not yet been found in control systems in the United States, it could be only a matter of time before similar threats show up there. Some computer experts warn that the sophisticated worm designed to infiltrate industrial control systems could be used as a blueprint to sabotage systems critical to US power plants, electrical grids and other infrastructure.
The current version used in Iran stops computer operations. However, as Ó Murchú demonstrated in a computer exhibition in Canada, the real danger is if the worm originated or accelerated a computer operation rather than stopping it. Ó Murchú set up a basic air pump, controlled by a Siemens system similar to the one used in Iran. The pump delivered a timed burst of air into a balloon, which inflated moderately. Ó Murchú then infected the system with Stuxnet, pressed a button, and the pump continued to work, but did not stop. The balloon went on inflating till it burst. No one in the lecture room was left in any doubt: if the balloon was, in fact, an Iranian nuclear power station, the consequences would be unimaginable.
According to Michael Assante, former chief security officer at the North American Electric Reliability Corporation, an industry body that sets standards to ensure the electricity supply, “A copycat may decide to emulate it, maybe to cause a pressure valve to open or close at the wrong time. You could cause damage, and the damage could be catastrophic.” Joe Weiss, an industrial control system security specialist at Applied Control Solutions in Cupertino, California said, “the really scary part” about Stuxnet is its ability to determine what “physical process it wants to blow up”. It is “essentially a cyber weapon.”
The current fiasco in Iran’s nuclear industry should come as no surprise, if we remember that the Natanz nuclear plant is built irresponsibly close to an earthquake fault line. As far as the country’s nuclear industry is concerned, the cavalier attitude of the Islamic government and the nuclear agency towards basic safety and security issues shows the correctness of Hands Off the People of Iran’s opposition to nuclear proliferation.
We are only witnessing the first stages of this cyberwar. New versions are developing and spreading from the original worm. If it is true that the Israeli state is behind this worm, irrespective of the damage it does in Iran, Israel and its supporters might live to regret the monster they have created.