Tuesday, October 5, 2010

Stuxnet virus attack on Iranian nuclear programme: the first strike by computer?


From the UK Telegraph:

On a Vancouver stage last Thursday, a young Irish computing expert gave a filmed presentation showing how the world could end with the pop of a balloon. The presentational qualities are, well, geek-like, the sound quality poor, and the whole experiment has the air of a Year 7 science project. Nevertheless, the YouTube video is spreading like wildfire from one software blog to the next.

In the past few days, the expert, Liam O Murchu, has become the new star of Geek Universe, quoted from PC World to the Washington Post. But unlike most such young men, his impenetrable analyses of computer coding have a frightening relevance to physical realities. Hence his experiment, performed at the Virus Bulletin 2010 conference in Canada.

Murchu was demonstrating how a computer worm called Stuxnet had effects that went beyond blowing up your computer screen. It could blow up real things, too. Stuxnet has infected operating systems on equipment manufactured by the German industrial giant Siemens and has, as he puts it, "real-world implications beyond any threat we have seen in the past". It could attack oil pipelines, power stations, even nuclear plants.

To prove the possibilities, Murchu set up a basic air pump, controlled by a Siemens system, on the stage in front of him. The pump delivered a timed burst of air into a balloon, which inflated moderately. O Murchu then infected the system with Stuxnet, pressed a button, and hey presto! The pump pumped, but did not stop. The balloon went on inflating till it burst.

Imagine if the balloon were, in fact, an Iranian nuclear power station. For that, in essence, is the possibility that has brought Murchu's name to public attention.

Stuxnet has been around since last year and its workings were first described four months ago. But such was the size and complexity of its coding that only more recently has its true nature become fully clear. What scores of analysts like O Murchu, who works for the anti-virus firm Symantec, have found is that it targets the industrial infrastructure that underlies our everyday lives. They have also found that the country worst affected is Iran, which by last week had reported around three in every five infections worldwide.

It has not taken long for the implications to be spelt out. Ralf Langner, a German analyst with detailed knowledge of Siemens systems, had this to say on his personal blog: "Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear programme. Strange – they are presently having some technical difficulties down there in Bushehr."

Bushehr is a nuclear power station which has been built by Russia for Iran and which, within a fortnight of Mr Langner's posting, confirmed that its opening had been delayed by two months, to January. Mr Langner even found a photograph taken inside the plant showing a computer screen – configured, he said, to run a Siemens operating system affected by Stuxnet and, moreover, configured wrongly so that it was vulnerable to bugs.

Iran has subsequently confirmed that computers run by Bushehr scientists have been infected, though it insists the plant itself is undamaged.

Another German analyst, Frank Rieger, went further. Bushehr is disliked by Iran's enemies, but not nearly as much as its separate uranium enrichment programme, which the West believes is part of a nuclear weapons programme. Since last year, mystery has surrounded its main facility at a place called Natanz, where the number of working centrifuges, the main enrichment devices, suddenly fell by 15 per cent – at the very time Stuxnet is first thought to have hit Iran.

As analysts reverse-engineering the code commented to Mr Rieger: "This is what nation states build, if their only other option would be to go to war."

Israeli officials, governed by security laws, rarely reveal military secrets but are skilled at alluding to them in veiled ways. In July last year, Mr Rieger noted, a few days before Natanz's problems were leaked, a retired member of the Israeli security cabinet and a veteran of Shin Bet, the Israeli secret service, briefed the Reuters news agency on what an Israeli cyber-warfare attack might look like.

Following a security drill that had revealed how a hacker could explode an Israeli fuel depot, the Shin Bet veteran said, cyber-warfare teams set about developing technologies that could employ this knowledge.

The briefing made clear that they had succeeded. "In retrospect, the piece sounds like an indirect announcement of a covert victory to allies and enemies," Mr Rieger said.

In the past week, attention has focused on O Murchu's discovery of a trace of a keyword in Stuxnet's instructions: Myrtus. Myrtus, or Myrtle, in Hebrew becomes Hadassah, and Hadassah was the birth-name of Esther, the Jewish biblical heroine married to a king of Persia. Esther discovered that a courtier was plotting the murder of all of Persia's Jews, and persuaded her husband to allow them to rise up pre-emptively to slaughter their assailants.

Could this be a further clue as to Stuxnet's origins? It is already thought that defective parts have been deliberately fed into Natanz through imports of "dual-use" technologies slipped past the international sanctions imposed on Iran.

"This is a technology war that has gravitated into a cyber attack," says Theodore Karasik, research director at the Institute of Near East and Gulf Military Analysis. "It's not new but it's getting more ferocious."

Some analysts poo-poo the theory. One commentator points out that Myrtus could simply stand for My Remote Terminal Units.

A blog on the website of Forbes magazine refers to the diplomatic struggle between China and India. In July a glitch on a satellite used by most of India's satellite television stations blacked them out, forcing operators to turn to a Chinese competitor. The Indian space programme uses Siemens operating systems.

We may never know for sure. The odd thing is that Stuxnet, so far, hasn't actually been proved to have done anything. Stuxnet contains a "switch" believed to target one very specific, tailored Siemens system – but no one knows which one, or what the switch is intended to do.

Stuxnet "master controllers" have been traced to computer servers in Malaysia and Denmark, and the two security certificates that allowed the worm to infect systems were stolen from Taiwan. Thereafter the trail goes cold.

Israel has little to gain from denying or confirming anything. It cannot own up to what some see as a monumental act of irresponsibility – the creation of a worm that could attack any sensitive system anywhere in the world. On the other hand, its struggle with Iran is also psychological, and it does it no harm to be thought capable of disarming a nuclear programme without launching a missile.

Truth is the first casualty of war, but in a real war, the battlefield can only be obscured for so long. In Second World War prisoner-of-war camps, inmates traced on hand-drawn maps the overwhelming victories claimed by Japanese radio broadcasts and watched gleefully how
the "victories" took place ever closer to the Japanese mainland.

In cold wars, the process of deduction runs in an opposite direction. Spy agencies reveal the failures – the defecting Philbys – and only when they become more insignificant do we know victory is approaching.

Who knows the names of the spies who triumphed? Iran will never admit, and Israel may never say, if it was Stuxnet that damaged Natanz. There is one further hint, though. When Stuxnet does triumph, it leaves a number imprinted on its new host: 19790509. That number, Mr O Murchu says, seems to be a date – May 9, 1979.

Many things could have happened on May 9, 1979: it may just be someone's birthday. But newspaper archives also tell us it was the day Habib Elghanian died. Who was Mr Elghanian? He was the first Iranian Jew to be hanged for spying by the new Islamic Republic. And as we all know, revenge is a dish best served cold.

No comments:

Post a Comment