Stuxnet worm mystery: What's the cyber weapon after?
Stuxnet worm attack has been centered on Iran, studies show. Experts offer dueling theories as to the cyber weapon's target: Iran's Bushehr nuclear power plant or the nuclear fuel centrifuge facility at Natanz?
In the end, the evidence pointing most strongly toward Bushehr is Bushehr itself, Langner says. "What would be the one prime target that would be worth the whole scenario – all the money, the teams of experts needed to develop Stuxnet? Bushehr is the one target that might be worth the cost."
Not so fast, says Frank Rieger, a German researcher with GSMK, a Berlin encryption firm that has been helping governments on the Stuxnet case, who is familiar with the internal architecture of Stuxnet. His theory is that Stuxnet's target is a different facility in Iran: Natanz.
The Natanz nuclear centrifuge facility is widely condemned as a nuclear weapons threat. It currently produces low-enriched uranium for power plants, but nonproliferation experts say it could be converted to produce highly enriched uranium fuel for use in nuclear weapons.
Two things in particular may make Natanz a more likely Stuxnet target, Mr. Rieger says.
• Stuxnet had a halt date. Internal time signatures in Stuxnet appear to prevent it from spreading across computer systems after July 2009. That probably means the attack had to be conducted by then – though such time signatures are not certain.
• Stuxnet appears designed to take over centrifuges' programmable logic controllers. Natanz has thousands of identical centrifuges and identical programmable logic controllers (PLCs), tiny computers for each centrifuge that oversee the centrifuge's temperature, control valves, operating speed, and flow of cooling water. Stuxnet's internal design would allow the malware to take over PLCs one after another, in a cookie-cutter fashion.
"It seems like the parts of Stuxnet dealing with PLCs have been designed to work on multiple nodes at once – which makes it fit well with a centrifuge plant like Natanz," Rieger says. By contrast, Bushehr is a big central facility with many disparate PLCs performing many different functions. Stuxnet seems focused on replicating its intrusion across a lot of identical units in a single plant, he says.
Natanz also may have been hit by Stuxnet in mid-2009, Rieger says. He notes that "a serious, recent, nuclear accident" was reported at that time on WikiLeaks, the same organization that recently revealed US Afghanistan-war documents. About the same time, the BBC reported that the head of Iran's nuclear agency had resigned.
Lending some credence to the notion that Stuxnet attacked more than a year ago, he says, is the International Atomic Energy Agency's finding of a sudden 15 percent drop in the number of working centrifuges at the Natanz site. Rieger posted that data on his blog.
"Bushehr didn't present the immediate threat that Natanz and the other centrifuge plants did at that time and still do," Rieger says. "What is clear is that there was an enormous amount of effort spent to do Stuxnet in this way, and it all points [to a target with] a high level of priority assigned to it by the people who did it."