Stuxnet worm mystery: What's the cyber weapon after?
Stuxnet worm attack has been centered on Iran, studies show. Experts offer dueling theories as to the cyber weapon's target: Iran's Bushehr nuclear power plant or the nuclear fuel centrifuge facility at Natanz?
Top industrial control systems experts have now gleaned enough about the Stuxnet worm to classify it as a cyber superweapon. But the mystery of what its target is – or was – remains unsolved, though guesswork about its mission is intensifying among those who have studied Stuxnet's complicated code.
Educated guesses about what Stuxnet, described as the world's first cyber guided missile, is programmed to destroy include the reactor for Iran's new Bushehr nuclear power plant, as well as Iran's nuclear fuel centrifuge plant in Natanz. Both facilities are part of Tehran's nuclear program, which Iranian officials say is for peaceful purposes but that many other countries, including the United States, suspect are part of an atom-bombmaking apparatus.
The Bushehr power plant was supposed to be humming by now, but is not – a possible sign that Stuxnet impaired one of its vital systems, says one computer security expert. But another analyst who has also been assisting on the Stuxnet case says the worm's internal order makes that scenario unlikely. The nuclear fuel centrifuge plant in the Iranian town of Natanz is a better fit and a larger nuclear threat, he says.
There is no independent confirmation that Bushehr or Natanz or anyplace else has been attacked by a directed cyberweapon. But competing theories are emerging about Stuxnet's target. Here are two from a cybersecurity duo from Germany who have worked, separately, on deconstructing Stuxnet – and why they think what they do.
Ralph Langner is no Middle East policy wonk or former diplomat privy to insider information. He is a German software security engineer with a particular expertise in industrial control system software created by industrial giant Siemens for use in factories, refineries, and power plants worldwide.
This week, Mr. Langner became the first person to detail Stuxnet's peculiar attack features. He explained, for example, how Stuxnet "fingerprints" each industrial network it infiltrates to determine if it has identified the right system to destroy. Stuxnet was developed to attack just one target in the world, Langner says and other experts confirm. His best guess as to the target?
During an interview with the Monitor about Stuxnet's technical capabilities, Langner pointed at the Bushehr nuclear power plant. He cites shards of information he has gleaned from open sources, including news accounts, as well as his technical understanding of the attack software. Here are his main arguments for his case.
• Iran is the epicenter of the Stuxnet infection. Geographic studies by Microsoft, Symantec, and others show the majority of infections to be in Iran, making it a likely location for Stuxnet's presumed target.
• Bushehr is a high-value target. Damaging the nuclear power plant would deal a blow to Iran – a blow that would be worth the considerable time and money a government would expend to develop such as sophisticated cyberweapon.
• Concern about Bushehr is high among nations with cyberwar capability. The imminent completion of the nuclear plant has roiled the international community. Dismayed parties include the US and Israel, in particular. But China, Russia, and France also are presumed to have sophisticated cyberwarfare capabilities.
• Bushehr uses Siemens software and equipment. Stuxnet appears to target Siemens SCADA systems. Bushehr was built largely with equipment from Siemens, the German industrial giant that began the reactors in the 1970s but later pulled out of the project. The plant still uses industrial control software created by Siemens, but it has been installed by Russian contractors.
• Stuxnet spreads via USB memory sticks. A steady flow of Russian contractors to the Bushehr construction site ensured outside access to the plant's computer system. USB memory sticks are an invaluable tool for engineers during construction of sophisticated computer-intensive projects. Contractors building the plant would likely have made wide use of them – giving Stuxnet a way to move into the plant without having to rely on the Internet.
• Bushehr's cyberdefenses are dubious. A journalist's photo from inside the Bushehr plant in early 2009, which Langner found on a public news website, shows a computer-screen schematic diagram of a process control system – but also a small dialog box on the screen with a red warning symbol. Langner says the image on the computer screen is of a Siemens supervisory control and data acquisition (SCADA) industrial software control system called Simatic WinCC – and the little warning box reveals that the software was not installed or configured correctly, and was not licensed. That photo was a red flag that the nuclear plant was vulnerable to a cyberattack, he says.
"Bushehr has all kinds of missiles around it to protect it from an airstrike," Langner says. "But this little screen showed anyone that understood what that picture meant ... that these guys were just simply begging to be [cyber]attacked."
The picture was reportedly taken on Feb. 25, 2009, by which time the reactor should have had its cybersystems up and running and bulletproof, Langner says. The photo strongly suggests that they were not, he says. That increases the likelihood that Russian contractors unwittingly spread Stuxnet via their USB drives to Bushehr, he says.
"The attackers realized they could not get to the target simply through the Internet – a nuclear plant is not reachable that way," he says. "But the engineers who commission such plants work very much with USBs like those Stuxnet exploited to spread itself. They're using notebook computers and using the USBs to connect to one machine, then maybe going 20 yards away to another machine."
In the end, the evidence pointing most strongly toward Bushehr is Bushehr itself, Langner says. "What would be the one prime target that would be worth the whole scenario – all the money, the teams of experts needed to develop Stuxnet? Bushehr is the one target that might be worth the cost."
Not so fast, says Frank Rieger, a German researcher with GSMK, a Berlin encryption firm that has been helping governments on the Stuxnet case, who is familiar with the internal architecture of Stuxnet. His theory is that Stuxnet's target is a different facility in Iran: Natanz.
The Natanz nuclear centrifuge facility is widely condemned as a nuclear weapons threat. It currently produces low-enriched uranium for power plants, but nonproliferation experts it could be converted to produce highly enriched uranium fuel for use in nuclear weapons.
Two things in particular may make Natanz a more likely Stuxnet target, Mr. Rieger says.
• Stuxnet had a halt date. Internal time signatures in Stuxnet appear to prevent it from spreading across computer systems after July 2009. That probably means the attack had to be conducted by then – though such time signatures are not certain.
• Stuxnet appears designed to take over centrifuges' programmable logic controllers. Natanz has thousands of identical centrifuges and identical programmable logic controllers (PLCs), tiny computers for each centrifuge that oversee the centrifuge's temperature, control valves, operating speed, and flow of cooling water. Stuxnet's internal design would allow the malware to take over PLCs one after another, in a cookie-cutter fashion.
"It seems like the parts of Stuxnet dealing with PLCs have been designed to work on multiple nodes at once – which makes it fit well with a centrifuge plant like Natanz," Rieger says. By contrast, Bushehr is a big central facility with many disparate PLCs performing many different functions. Stuxnet seems focused on replicating its intrusion across a lot of identical units in a single plant, he says.
Natanz also may have been hit by Stuxnet in mid-2009, Rieger says. He notes that "a serious, recent, nuclear accident" was reported at that time on WikiLeaks, the same organization that recently revealed US Afghanistan-war documents. About the same time, the BBC reported that the head of Iran's nuclear agency had resigned.
Lending some credence to the notion that Stuxnet attacked more than a year ago, he says, is the International Atomic Energy Agency's finding of a sudden 15 percent drop in the number of working centrifuges at the Natanz site. Rieger posted that data on his blog.
"Bushehr didn't present the immediate threat that Natanz and the other centrifuge plants did at that time and still do," Rieger says. "What is clear is that there was an enormous amount of effort spent to do Stuxnet in this way, and it all points [to a target with] a high level of priority assigned to it by the people who did it."