Stuxnet "most likely" to have originated from Israel

The cyber security world is alive with gossip about Stuxnet.

The virus has been described as one of the most sophisticated yet created, containing an unprecedented four zero-day vulnerabilities in one package.

The level of sophistication and its apparent targeting of Iran’s nuclear infrastructure have led many experts to believe it is backed by a nation state and an example of the sort of cyber warfare threat we may increasingly experience.

I’ve just finished chairing a panel discussion at the Global Economic Symposium 2010 in Istanbul on cyber crime and cyber security – more of which in a later blog post. One of the panellists was Mikko Hypponen, chief research officer of security software specialist F-Secure, and I grabbed a few minutes with him to find out the latest on Stuxnet.

Hypponen has few doubts that Stuxnet was backed by the resources of a country. He described the virus as the “most important” he’d seen in 10 years, written by people with serious financial and technical resources at their disposal. 

The malware targets Scada systems – Scada is the standard interface for process control systems, effectively the way that factory and industrial equipment is monitored and controlled. What’s more, it targets a specific Scada system built by Siemens, one of the most widely used in the world.

Hypponen says that analysis of the virus shows it is looking for a very specific configuration within the systems it infects, but nobody yet knows what system contains that configuration. It checks various parameters within those systems – and no doubt to the delight of scriptwriters everywhere, it does open up the possibility of a virus that would allow a Hollywood movie-style attack on a facility with a hacker opening doors and switching off security systems to allow physical infiltration of a building, a real-life Mission Impossible.

Hypponen believes Israel is the most likely source of Stuxnet, although he also mentions Egypt, Saudi Arabia and the US as possible creators. The virus signature gives no clues, other than compile dates for the code.

Interestingly, Stuxnet has been in the wild for nearly a year. Hypponen speculates that it seems to have been in existence for roughly the same time as Iran apparently scaled back its nuclear programme.

He says that the most vulnerable target is likely to be Iran’s nuclear centrifuge site used for enriching uranium, rather than its reactor site, because the former has a more closely controlled environment and therefore more likely to be seriously affected by a virus capable of changing settings such as temperature controls.

Hypponen was leaving Istanbul on route for Vancouver and VB2010, the annual Virus Bulletin International Conference and predicted that on Thursday this week there would be one or two significant announcements about Stuxnet likely to grab more headlines worldwide.

It’s all speculation at this stage of course, but a scenario previously imagined only by novelists and conspiracy theorists now becomes a genuinely realistic prospect: a computer virus, from an unidentifiable – and hence legally unprovable – source causes a catastrophic explosion at an Iranian nuclear processing plant. Perhaps it may even be impossible to prove that the virus was responsible, and Western governments would point to shoddy manufacture and the dangers of developing countries over-reaching themselves by trying to keep up with the nuclear community. Of course fingers would be pointed, and in a worst case scenario violent reprisals could ensue, but few governments or legal jurisdictions would be able to prove a case for sure.

Could Stuxnet be a foretaste of the software equivalent of IEDs? It’s a scary prospect.

Data Center
Data Management