Stuxnet cyberweapon set to stop operating
Stuxnet infected some 130,000 computers worldwide, most of them related to Iran's nuclear fuel enrichment program. It's programmed to shut down just after midnight Sunday, but there likely are other cyber espionage systems out there.
Journalistic accounts appear to have tied that group of malware together and laid them at the feet of the White House. Flame, which came to light last month after Iran spotted infiltration of its oil networks, was part of a larger cyber assault, according to anonymous "western officials," cited by the Washington Post June 19.
“This is about preparing the battlefield for another type of covert action,” one former high-ranking US intelligence official told the Post, adding that Flame and Stuxnet were elements of a broader assault that continues today. “Cyber-collection against the Iranian program is way further down the road than this.”
That dovetails with the findings of cyber researchers that have dissected the code of the trio of miscreant malware: Stuxnet, Flame, and Duqu.
"We have no doubt they were all developed by the same people," says Liam Ó Murchú, manager of operations for Symantec Security Response, in a phone interview. "It's clear to us that there are enough similarities, and in some cases completely copied code, to relate them all together."
There's something else that links everything together, too: major efforts to cover their tracks. After Flame was discovered, a special module was activated on infected computers in Iran and elsewhere – in Syria, Sudan and Libya – to delete the malware. Duqu's operators also systematically deleted it from computers after its discovery.
Symantec's Ó Murchú, however, notes that the update features in Flame, Duqu, and Stuxnet all allow their handlers to extend their lives. That also suggests that new versions of Flame and Duqu, and perhaps even Stuxnet – versions that the anti-virus companies and Iran have not yet detected – are still operational, he and others say.
Internet domains that controlled Flame shut down about an hour after news of the operation broke worldwide, but at least three infected machines in Iran, Iraq, and Lebanon received malware upgrades – essentially new versions of Flame, Kaspersky researchers told Wired.com.
Indeed, the self-destruct mechanisms themselves suggest some larger geopolitical themes. With Flame and Duqu, deletions occurred after discovery. But there would never be that option for Stuxnet, which was designed to penetrate the inner networks of Iran's Natanz nuclear centrifuge plant – far from any internet connection.
Stuxnet's mission was to destroy centrifuges, then itself. It is programmed to terminate June 24, 2012 – seven years to the day after Iranian President Mahmoud Ahmadinejad was elected president – a matter likely viewed by the Bush Administration and others around the world with trepidation given his strident views on nuclear matters.
If Stuxnet had succeeded, Iran might be out of the nuclear fuel refining game. It's not. So, is Iran rightly concerned about further cyber intrusions?
"It's just my opinion, but I think Stuxnet and other cyber espionage programs were all about trying to prevent another Mideast war," Mr. Bumgarner says. "We've seen these programs deleted, or like Stuxnet, shutting itself down. But I'm guessing that the story isn't over yet."