Quantcast
  

Thursday, April 24, 2014         

NEW YORK TIMES


 Print   Email   Comment | View 0 Comments   Most Popular   Save   Post   Retweet

Stuxnet software worm hit 5 industrial facilities in Iran

By John Markoff

New York Times

POSTED:



The Stuxnet software worm repeatedly sought to infect five industrial facilities in Iran over a 10-month period, a new report says, in what could be a clue into how it might have infected the Iranian uranium enrichment complex at Natanz.

The report, released Friday by Symantec, a computer security software firm, said there were three waves of attacks. Liam O Murchu, a security researcher at the firm, said his team was able to chart the path of the infection because of an unusual feature of the malware: Stuxnet recorded information on the location and type of each computer it infected.

Such information would allow the authors of Stuxnet to determine if they had successfully reached their intended target. By taking samples of Stuxnet they had collected from various computers, the researchers were able to build a model of the spread of the infection. They determined that 12,000 infections could be traced back to just five initial infection points.

Between June 2009 and May 2010, the program took aim at specific organizations in Iran on three occasions, Symantec research noted in an update of a research report the company published last year.

The Symantec team said it had collected five Internet domains that were linked to industrial organizations within Iran. They said because of the company's privacy policies, they would not disclose the domain names.

"All of the domains are involved in industrial processing," O Murchu said in an interview.

It is likely that a classified site like Natanz is not connected directly to the Internet. Therefore, an attacker might try to infect industrial organizations that would be likely to share information, and the malware, with Natanz.

At least three and possibly four versions of the program were probably written, and the researchers discovered that the first version had been completed just 12 hours before the first successful infection in June 2009. The researchers speculated that the first step in the infection was either an infected e-mail sent to an intended victim or a hand-held USB device that carried the attack code.

When international inspectors visited Natanz in late 2009, they found that almost 1,000 gas centrifuges had been taken offline, leading to speculation that the attack may have disabled part of the complex.

In April 2010, the attackers again tried to distribute the program. This time they found a new vulnerability in Windows-based computers to be infected with a USB device and most likely successfully inserted the program that way at an unknown location inside Iran.

The Symantec researchers also said they had determined that the malware program carried two different attack modules aimed at different centrifuge arrays, but that one of them had been disabled.

Stuxnet first infected Windows-based industrial control computers while it hunted for particular types of equipment made by the Siemens Corporation. It was programmed to then damage a uranium centrifuge array by repeatedly speeding it up, while at the same time hiding its attack from the control computers by sending false information to displays that monitored the system.

The New York Times reported in January that Israel had built an elaborate test facility at a classified nuclear weapons site that contained a replica array of the Iranian uranium enrichment plant. Such a test site would have been necessary for the design of the attack software.

"We know the exact configuration of the system they were looking for," O Murchu said. "We know they were looking for a certain number of frequency converters. And each of those frequency converters controls a certain number of motors. And those numbers fit in with what you expect to see in an uranium enrichment facility."






 Print   Email   Comment | View 0 Comments   Most Popular   Save   Post   Retweet

COMMENTS
(0)
You must be subscribed to participate in discussions
By participating in online discussions you acknowledge that you have agreed to the TERMS OF SERVICE. An insightful discussion of ideas and viewpoints is encouraged, but comments must be civil and in good taste, with no personal attacks. Because only subscribers are allowed to comment, we have your personal information and are able to contact you. If your comments are inappropriate, you may receive a warning, and if you persist with such comments you may be banned from posting. To report comments that you believe do not follow our guidelines, email commentfeedback@staradvertiser.com.
Leave a comment

Please login to leave a comment.
IN OTHER NEWS
Blogs
Political Radar
Phased in

Political Radar
Palolo v. Pauoa

Political Radar
Palolo v. Pauoa

Career Changers
Must Sea TV

Political Radar
HB 1700 — Day 4

Political Radar
Pass

Warrior Beat
Hammer time