One enduring mystery about Stuxnet, the first cyberweapon the world has known, is this: Just how did that “digital missile” infiltrate Iran’s secret Natanz nuclear fuel-enrichment facility in the first place?
A new thesis about that, to be outlined Tuesday at a security conference in San Francisco, points to a vulnerability in the Iranian facility's supply chain – and may hold lessons for owners of critical infrastructure in the US concerning how to guard their own industrial equipment against cyberattack.
Presented by Critical Intelligence, a cyber security firm based in Idaho Falls, Idaho, the tale of cyber infiltration comes nearly four years after the covert operation was discovered. It’s already been fairly well documented that the United States and Israel created the Stuxnet worm, which ultimately infected and destroyed about 1,000 fuel-refining centrifuges at Natanz. The surreptitious attack sowed confusion within Iran’s uranium-fuel-enrichment program, which the US suspects is aimed at creating a nuclear bomb, and delayed it for years.
But how did Stuxnet get in there? As early as 2004, US intelligence agencies identified an Iranian company, NEDA Industrial Group, that had oversight of the Natanz facility’s computerized industrial control systems, says the Critical Intelligence report, citing documents gleaned from federal court cases, leaked State Department cables, and nuclear proliferation reports.
Documents suggest that the US was monitoring NEDA’s efforts to procure components that may be needed for a nuclear weapons program, says Sean McBride, lead author of the report and director of analysis for Critical Intelligence. The report is the first to name NEDA in connection with Stuxnet.
The US, he maintains, had identified NEDA as Iran's leading expert in Siemens Step7 software used throughout Iran’s nuclear program, including its centrifuge fuel-refining system. Then, probably in 2008, the US targeted industrial control systems equipment that NEDA had ordered from suppliers overseas.
Leaked State Department cables posted on the WikiLeaks website show the US at that time to have been seeking to intercept shipments of equipment headed to Iran.
“It’s my contention that the evidence shows the US targeted the leading Siemens control systems integrator for Natanz – and that was NEDA,” Mr. McBride says in a phone interview. “NEDA would have had all the plans for just how the Natanz system was going to be set up, the proper centrifuge speeds, when they would be turned on and off. The company had all the key information the US needed to write Stuxnet – and then a way to get the worm into Natanz.”
Sometime around 2008, computerized industrial control system equipment bound for Iran was intercepted, and Stuxnet or other malware was installed on it before it was sent on its way, McBride posits.
His thesis runs contrary to prevailing theories that a spy used a memory stick, or “thumb drive,” to introduce Stuxnet into the network. Rather, NEDA engineers unwittingly installed infected work stations or other equipment, which then proceeded to infect all of Natanz’s systems, McBride says.
Among the report’s findings are online documents showing that NEDA was involved in industrial control systems work in Iran. They include archived files in which an Iranian control systems engineer, identified only as “Behrooz,” asks during an online Siemens support forum for help dealing with an unspecified virus that he says had infected all the machines in his company’s network.
Other online documents show that person was probably Mohammad Rez, an engineer with NEDA. By September 2008, the US Department of Commerce had added NEDA to a watch list of companies thought to be assisting Iran’s nuclear program. Finally, in December 2012 NEDA and a handful of other companies were placed on a US Treasury Department list of firms banned from doing business with the US because of alleged involvement in Iran’s nuclear program. E-mail requests to NEDA seeking comment on the new report were not returned.
McBride says his findings are not conclusive, and he notes that gaps in documentation remain. But they do dovetail with recent media reports based on top-secret National Security Agency documents leaked by Edward Snowden, a former NSA contractor. One such report reveals aggressive NSA efforts to “interdict” computer equipment in transit and to install surveillance software and hardware before the equipment reaches an intended surveillance target.
Some security experts say McBride's hypothesis makes sense given what is now known about the frequent cyber vulnerability of corporate suppliers – and is a warning shot across the bow of critical infrastructure operators in the US that use them.
“It’s certainly a plausible theory,” says Jen Weedon, a manager in the threat intelligence division at Mandiant, a firm specializing in mitigating cyber espionage attacks on US corporations. “We’ve seen a lot of targeting of supply chains and partner companies in the US by the Chinese. For a difficult target like Natanz, infiltrating the supply chain would make a lot of sense – and it could work that way in the US, too, if companies aren’t careful.”
Worldwide, even large companies with excellent cyber defenses are facing the fact that smaller business partners may have less robust security and may be vulnerable to attacks, she and others note.
“It highlights an infection vector – contractors – that almost definitely would be used against hard targets in the US,” writes Ralph Langner, the cyber security expert who first identified Stuxnet as a cyber weapon, in an e-mail interview. “A sophisticated attacker wouldn't bother to try directly attacking a power utility, for example. They would go after the several hundred contractors with access to critical distribution systems [such as] electrical substations.”
Did US intelligence agencies score one of their biggest cyber attack victories using clandestine supply-chain infiltration to get Stuxnet into Natanz?
“I’m not saying other theories about how Stuxnet got into Natanz aren’t true,” McBride says. “They could be. But there’s plenty of evidence that what I’m suggesting happened was what actually did happen.”