The Stuxnet conspiracy


Iranian authorities made an unprecedented admission at the weekend - the country has a serious problem with the Stuxnet worm.

The admission, from several different government agencies, skirted around a few of the central questions about Stuxnet and is likely to have seriously underestimated the problem, but authorities claimed that around 30,000 Windows-based PCs are infected in the country, and various groups, including the Atomic Energy Organisation of Iran, have met to discuss a response to the malware.

The news sent the rumour mill into overdrive, with Stuxnet, already surrounded by suggestions of shadowy conspiracy and sinister motives, now being heralded as a cyber-weapon designed with the aim of taking down Iran's fledgling nuclear industry.

To recap on Stuxnet - the worm came to light in June this year, and while initial research by different companies suggested a few conflicting aspects to the worm, it soon became clear that it was very sophisticated, and that it was designed to attack industrial control systems (ICS).

The level of sophistication had yet to be fully appreciated, but the choice of target - industrial control systems, which manage anything from power plants to oil refineries to traffic light systems - was a first, and a disturbing development. The implication was that Stuxnet had been designed to sabotage industrial plants.

Initial research showed a few core elements to Stuxnet:

• It targeted industrial control systems from German company Siemens
• It spread via infected USB drives, through a security hole in Windows PCs that controlled the Siemens software systems
• It was disguised using genuine digital certificates stolen from two Taiwanese chip makers, to make the code appear to be genuine and safe (how these were stolen is another mystery)
• It was designed to steal details of ICS, and then send them back to a central server, leading to the assumption that Stuxnet was meant for industrial espionage.

Throughout August and September, however, as more security researchers got to grips with Stuxnet, more worrying aspects of the malware came to light.

Stuxnet does not just spread through USB drives, but through other vulnerabilities in Windows operating systems - either two or four vulnerabilities, depending on which company you talk to. Not all of these vulnerabilities have been patched yet. It also has a peer-to-peer component to update itself, which enables infected machines to spread changes to the code.

Stuxnet is also capable of introducing its own code to the programmable logic controller (PLC) software which controls the industrial systems, and of hiding that code from programmers - effectively allowing it to take control of industrial systems and remain hidden from IT staff who are attempting to remove it.

It also appears that Stuxnet targets a specific Programmable Logic Controller (PLC) device in the Siemens software, and injects its own code into that system, leading to the assumption that it is aimed at a very specific system. The worm is also believed to have been in circulation since at least January of this year.

The picture being created of the worm was that it is highly sophisticated, quite possibly the most sophisticated malware seen so far, and that it would have taken considerable expertise and funding to create.

And then there was the apparent target, as data showed that by far the largest concentration of infections was in Iran. According to Symantec, as of 6th August, Iran had 62,867 infected computers, Indonesia 13,336, India 6,552, the United States 2,913, Australia 2,436, Britain 1,038, Malaysia 1,013 and Pakistan 993.

While no evidence has yet been unveiled as to the origin of Stuxnet, rumour and speculation have drawn one conclusion - Stuxnet was made by a government entity or agency, controlled either by the USA or Israel, to disrupt Iran's nuclear power program, specifically the Bushehr reactor, Iran's first nuclear power plant, which is due to come online in October and is rumoured to be experiencing delays. The Russian contractor that is building the reactor, AtomStroyExport, had its Web site hacked earlier in the year, and some of its web pages are still hosting malware.

Now Iran has said that it has got a problem with Stuxnet, citing 30,000 infected PCs. Iranian news agencies quote sources as saying that Iran has the IT security expertise to remove the worm, but many commentators agree that the figure of 30,000 infected PCs is likely to have been under-reported.

Iran also denies that the Bushehr plant has been affected or delayed by Stuxnet, although it admitted that some PCs at the site had been infected. Siemens itself says that its control systems are not in use at the plant, leading to the possibility that Windows control PCs had been hit but had not spread the worm to the industrial control systems. However, Siemens was involved in industrial projects in the country 30 years ago, and some have also speculated that old pirated software could be in use.

There is also the question as to why the Atomic Energy Organisation of Iran would be involved in fighting Stuxnet if there was no danger of infection, and why other experts in Iran have said they wouldn't use Siemens' own tools for Stuxnet removal in case they were yet more malware in disguise.

The origins and impact of Stuxnet may never be fully known, at least publicly, but in terms of the sheer complexity of the malware and the expertise behind it, it represents a dramatic development in the field of information security.

In the words of Eugene Kaspersky, co-founder and CEO of Kaspersky Lab: "I think that this is the turning point, this is the time when we got to a really new world, because in the past there were just cyber-criminals, now I am afraid it is the time of cyber-terrorism, cyber-weapons and cyber-wars."


Posted by: Mumeen Chowdhury

If we go by the theory that to every action there is an equal and opposite reaction, then the perpetrators of this cyber war need to worry for the security of their own industrial control systems.
