Cyberwar: Iran's control systems attacked by another virus

Published 26 April 2011

Iran admitted it has been attacked by another virus aiming to disrupt its industrial control systems; the commander of Iran’s civil defense said, though, that the virus has been caught in time and neutralized by Iran’s “young experts”; Gholamreza Jalali described the virus as “congruous and harmonious with the (computer) system and in the initial phase it does minor damage and might be mistaken for some executive files of government organizations”; in the summer, nearly 42,000 computers and servers in Iran’s industrial control systems — many of them in Iran’s nuclear weapons program — were infected; the damage to uranium enrichment centrifuges was especially great, causing Iran in mid-November to halt enrichment operations; Stuxnet has also infected the Bushehr nuclear reactor; the reactor was supposed to come on line in August, but it is still not operational, and has missed several start-up deadlines

Gholamreza Jalali at a press conference // Source: iraniandefence.com

Iran’s civil defense commander, Gholamreza Jalali, said Iran has been under sustained cyber attack, and said on Monday that yet another piece of malware, called “Stars,” was about to infect computers and servers used in Iran’s industrial control systems.

Haaretz reports that Jalali was quoted as saying that “Fortunately, our young experts have been able to discover this virus and the Stars virus is now in the laboratory for more investigations.” He did not specify the target of Stars or its intended impact. “The particular characteristics of the Stars virus have been discovered,” Jalali told Mehr, the semi-official Iranian news agency. “The virus is congruous and harmonious with the (computer) system and in the initial phase it does minor damage and might be mistaken for some executive files of government organizations.”

EWeek reports, based on analysis by Graham Cluley, senior technology consultant at Sophos, on the Naked Security blog, that this description by Jalali suggests the attack was disguised as a legitimate Word, PDF, or similar document in order to trick unsuspecting victims into infecting government computers. EWeek notes that several organizations, including federal research facility Oak Ridge National Laboratory, have disclosed that attackers breached their systems by tricking employees into opening a malicious Word or Excel document.

Cluley said that there is no proof at this point that Stars is “really specifically targeting Iranian systems,” noting that Sophos researchers see over 100,000 new unique malware samples every day, and many of them are designed to spy on victims’ computers.

“Presumably the Iranian authorities have reason to believe that the Stars virus they have intercepted was specifically written to steal information from their computers and is not just yet another piece of spyware,” Cluley said.

Stars is the second known virus to have targeted Iran’s industrial control systems. During the early summer months of last year, the malware Stuxnet, widely believed to have been created by Israeli military programmers with the assistance of the United States, infected around 42,000 computers and servers used in Iran’s nuclear weapons program. The infection disabled about 20 percent of Iran’s uranium enrichment centrifuges, leading Iran, in mid-November last year, to halt enrichment activities (Iran said that enrichment has been resumed since then).

The Stuxnet virus also infected the Bushehr nuclear reactor, which was supposed to go on line in August. A Russian delegate to NATO said Stuxnet created a situation in which, if the Bushehr reactor were to go on line, it would become “another Chernobyl.”

This assertion may have been an exaggeration, but the fact remains that Bushehr is still not operational, having missed several start-up deadlines.

Haaretz quoted Jalali as saying that Stuxnet might still pose a risk. “We should know that fighting the Stuxnet virus does not mean the threat has been completely tackled, because viruses have a certain life span and they might continue their activities in another way.”

Jalali expressed his frustration with what he described as foot-dragging by the Iranian government in the face of the continuing cyber attacks on Iran. “Perhaps the Foreign Ministry had overlooked the options to legally pursue the case, and it seems our diplomatic apparatus should pay more attention to follow up the cyber wars staged against Iran,” Jalali said.

“The country should prepare itself to tackle future worms since future worms, which may infect our systems, could be more dangerous than the first ones,” the Mehr news agency quoted Jalali as saying.