Expert: Stuxnet part of long-term effort to stop Iran nukes

Expert: Stuxnet part of long-term effort to stop Iran nukes

New evidence shows that the virus has been active in Iran's Natanz facility almost since the day it opened in 2007

Country distribution of Stuxnet 0.5, based on Symantec's research (Photo credit: Courtesy Symantec)
Country distribution of Stuxnet 0.5, based on Symantec's research (Photo credit: Courtesy Symantec)

Stuxnet, the virus that attacked Iran’s nuclear program and that may or may not have been developed by Israel and the US, was already doing its destructive work in 2007, two years earlier than previously thought.

And, said one expert on hacking in the Middle East, versions of Stuxnet, which are still plaguing Iran’s nuclear program, have apparently been a factor in preventing the Islamic Republic from achieving nuclear capability — one reason why predictions that Iran would soon achieve nuclear capability have not yet panned out.

In fact, said Dr. Tal Pavel, an expert on Internet usage and hacking in the Middle East, it’s safe to say that the Stuxnet attacks were planned out and executed as part of a deliberate policy to deny Iran nuclear weapons, as opposed to an idea that was executed in response to specific statements or actions by Tehran. “It’s likely there are other cyber aspects of this policy that we have not yet heard about,” Pavel said.

Researchers at antivirus company Symantec said they had gathered evidence that earlier versions of the code, which they called Stuxnet 0.5, was already seen “in the wild” as early as 2005, although it wasn’t yet operational as a virus. Stuxnet, said Symantec Tuesday, was the first virus known to attack national infrastructure projects, and according to the company, the groups behind Stuxnet were already seeking to compromise Iran’s nuclear program in 2007 — the year Iran’s Natanz nuclear facility, where much of the country’s uranium enrichment is taking place, went online,

Stuxnet was designed specifically to attack the PLC (programmable logic control) automation system, manufactured by German conglomerate Siemens, that runs the centrifuges used to enrich uranium at the Natanz facility, according to Symantec experts who analyzed the effects of the virus by reverse-engineering samples found on servers in countries around the world. Variants of Stuxnet have affected the centrifuges in various ways, mostly by changing the activity of valves controlled by the PLC software that feed the uranium to centrifuges at a specific rate required for enrichment.

The earlier version of Stuxnet, according to the antivirus researchers, contained a suite of cyber-weapons to affect the centrifuges, although it was missing the full range of remote control capabilities that the later versions included. In addition, there was a change in later versions of Stuxnet’s attack strategy, varying the speed instead of closing off feed valves to the centrifuges altogether.

Although Stuxnet 0.5 was less aggressive than the later versions, Symantec said, it appeared that the earlier virus was capable of doing as much damage to the nuclear enrichment systems. In 2009, Iran was forced to replace nearly 1,000 centrifuges after the later versions of Stuxnet were found to have compromised the Natanz plant. Symantec, quoting the Institute for Science and International Security, said there was evidence that earlier versions of Stuxnet had done significant damage to Iran’s program as well.

Symantec said it was not clear why the authors of Stuxnet changed their tactics, although it was likely that the controllers of the virus wanted more flexibility in their attacks, the researchers said. “Later versions of Stuxnet were developed using a different development framework, became more aggressive, and employed a different attack strategy that changed the speeds of the centrifuges, suggesting Stuxnet 0.5 did not completely fulfill the attacker’s goals,” Symantec said. Stuxnet 0.5 was preprogrammed to stop working on a specific date in 2009, after which newer versions of the virus took over, the company said.

Symantec did not speculate on how the virus reached the Natanz facility at least twice, considering that Internet connectivity at the site is said to be minimal.

But if one of the goals of Stuxnet was to significantly delay Iran’s nuclear development, the various generations of the virus have apparently been doing the job, said Pavel. “Iran itself has admitted on several occasions that viruses have slowed their nuclear progress, so we can certainly take them at their word on that,” he said. “If the research by Symantec is correct and the earlier version of Stuxnet did slow the program, then this is evidence for a long-standing policy by the people behind Stuxnet to impede Iran. And it does appear that the tool they used to execute this policy — Stuxnet — has been effective.”

With that, Pavel said, no one will ever know definitively who authored and distributed Stuxnet. “The nature of computer hacking is that it is anonymous, and even if you trace an attack to a server, you cannot know for sure that the owners of that server are behind the attack. In fact, it’s almost a sure thing that their server was hijacked by the hackers carrying out the attack,” since masking their internet address (IP spoofing) is a cardinal tenet of the hacker business. And while it makes sense that the Israel and/or the US would be seeking to prevent Iran from moving forward with its nuclear program, said Pavel, “we will probably never know definitively.”

read more: