Stuxnet worm mystery: What's the cyber weapon after?
Stuxnet worm attack has been centered on Iran, studies show. Experts offer dueling theories as to the cyber weapon's target: Iran's Bushehr nuclear power plant or the nuclear fuel centrifuge facility at Natanz?
• Iran is the epicenter of the Stuxnet infection. Geographic studies by Microsoft, Symantec, and others show the majority of infections to be in Iran, making it a likely location for Stuxnet's presumed target.
• Bushehr is a high-value target. Damaging the nuclear power plant would deal a blow to Iran – a blow that would be worth the considerable time and money a government would expend to develop such a sophisticated cyberweapon.
• Concern about Bushehr is high among nations with cyberwar capability. The imminent completion of the nuclear plant has roiled the international community. Dismayed parties include the US and Israel, in particular. But China, Russia, and France also are presumed to have sophisticated cyberwarfare capabilities.
• Bushehr uses Siemens software and equipment. Stuxnet appears to target Siemens SCADA systems. Bushehr was built largely with equipment from Siemens, the German industrial giant that began the reactors in the 1970s but later pulled out of the project. The plant still uses industrial control software created by Siemens, but it has been installed by Russian contractors.
• Stuxnet spreads via USB memory sticks. A steady flow of Russian contractors to the Bushehr construction site ensured outside access to the plant's computer system. USB memory sticks are an invaluable tool for engineers during construction of sophisticated computer-intensive projects. Contractors building the plant would likely have made wide use of them – giving Stuxnet a way to move into the plant without having to rely on the Internet.
• Bushehr's cyberdefenses are dubious. A journalist's photo from inside the Bushehr plant in early 2009, which Langner found on a public news website, shows a computer-screen schematic diagram of a process control system – but also a small dialog box on the screen with a red warning symbol. Langner says the image on the computer screen is of a Siemens supervisory control and data acquisition (SCADA) industrial software control system called Simatic WinCC – and the little warning box reveals that the software was not installed or configured correctly, and was not licensed. That photo was a red flag that the nuclear plant was vulnerable to a cyberattack, he says.
"Bushehr has all kinds of missiles around it to protect it from an airstrike," Langner says. "But this little screen showed anyone that understood what that picture meant ... that these guys were just simply begging to be [cyber]attacked."
The picture was reportedly taken on Feb. 25, 2009, by which time the reactor should have had its cybersystems up and running and bulletproof, Langner says. The photo strongly suggests that they were not, he says. That increases the likelihood that Russian contractors unwittingly spread Stuxnet via their USB drives to Bushehr, he says.
"The attackers realized they could not get to the target simply through the Internet – a nuclear plant is not reachable that way," he says. "But the engineers who commission such plants work very much with USBs like those Stuxnet exploited to spread itself. They're using notebook computers and using the USBs to connect to one machine, then maybe going 20 yards away to another machine."