Cyber attack – Stuxnet worm hits Iranian nuclear plant

27 Sep 2010

Iran’s first nuclear power plant has been attacked by a sophisticated computer worm designed to disrupt power grids and other industrial facilities using SCADA systems. The worm has not caused any damage, however, but it did succeed in infecting computers.

It has been suggested that the worm, which hit the Bushehr nuclear power plant, is the work of Israeli hackers.

The Stuxnet worm, described as one of the most refined pieces of malware ever discovered, has hit thousands of computers worldwide but has been most active in Iran. It specifically targets computers running Siemens’ SCADA technology.

Security experts say the worm is effectively targeted at industrial and energy locations in specific countries and is more sophisticated than previous, similar attacks. So sophisticated, they say, that the culprits may never be identified.

Sixty per cent of the computers hit by the worm are in Iran, according to Symantec.

Sophisticated malware

“Stuxnet is a highly sophisticated piece of malware, which used a number of techniques which hadn’t been seen before (for instance, exploiting zero day vulnerabilities in Microsoft’s code),” said Sophos security expert Graham Cluley.

“Stuxnet was also a highly targeted attack – clearly focusing on messing with SCADA systems (often used by power plants and other infrastructure).”

However, Cluley isn’t entirely convinced the worm could be the work of a national government.

“Although there’s been lots of speculation in the papers, the truth is that we don’t know if Stuxnet was created by, say, Israel. It’s very hard to prove 100pc who created a piece of malware, and even more so to prove that it was done with the blessing of a government, army or secret service.

“Israel has certainly been accused of hacking into other countries’ computers before with military intentions (remember the story of how Mossad allegedly hacked a Syrian laptop and bombed a nuclear facility as a result?).

“It’s also tricky to positively confirm that Iran was the target of Stuxnet, either. It was, after all, seen in a number of other countries.”

Siemens’ response

Cluley says another issue that has been largely ignored by the media is the response of Siemens, who developed the SCADA software that Stuxnet targets.

“Stuxnet knows the default password used by the Siemens SCADA software, but – astonishingly – Siemens advised power plants and manufacturing facilities not to change their default password. That’s despite it being public knowledge on the web for some years.

“I think we need to be careful about pointing fingers without proof. I also reckon it’s more appropriate (if the claims are true) to call this a state-sponsored cyber attack rather than cyber terrorism. Of course, we shouldn’t be naive. Countries will use every dirty trick in the book to spy upon each other, disrupt activities, and grasp an advantage.

“We shouldn’t be surprised if military and intelligence agencies are engaged in this kind of behaviour, and we mustn’t fool ourselves into thinking that our own nations aren’t above using the internet to further their own ends, too.

“I think we will see more and more attacks which will be blamed on state-sponsored cyber attacks in the future. There have been numerous attacks in the past which could be said to have possible military, political or economic motives, but it is very difficult to prove that a hack was ordered by Mossad or instead dreamt up by a Macclesfield student,” Cluley said.

It is understood the worm exploited three holes in Windows – one of which is understood to have been patched – but specifically targeted computers running Siemens SCADA software used in industrial control systems.

According to reports, the worm has infected several staff members’ computers at the Bushehr plant. However, officials in Iran are adamant it will not affect plans to open the nuclear plant in October.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
