Iran's bomb

Experts: Israel used cyber weapon to disrupt Iran's nuclear reactor

Published 23 September 2010

The Stuxnet malware infiltrated industrial computer systems worldwide in July and August; now, cyber security experts say that the worm is, in fact, a search-and-destroy cyber weapon meant to hit a single target — Iran’s Bushehr reactor; Stuxnet amazed — and stunned — computer security experts: too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick; in Stuxnet, the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide — Internet link not required

Stuxnet - a seek-and-destroy worm // Source: zmetech.com

In September 2007 Israeli planes destroyed a nuclear reactor deep inside Syria, days before weapon-grade uranium from North Korea was to arrive there and be loaded for processing. The planes released deep-burrowing bombs – and the bombs were guided to their targets by Israeli commandos who beamed the buildings targeted for destruction with infrared pointers.

The reason the Israeli planes, commandos, and several rescue helicopters were able to enter Syria, accomplish their mission, and retreat without notice was that Israel opened a new chapter in warfare: it used sophisticated software attacks on Syria’s electrical grid – made more effective by Israeli-designed microchips with “back doors” planted in Syria’s radar and command-and-control computers – to blind the Syrian military and government completely for about an hour and a half.

In order to let the Syrians know who was behind the attack on the reactor, Israel left its business card behind: two Israeli planes dropped their extra fuel tanks, with Hebrew lettering on them, near the destroyed site on the flight out of Syria.

It was the first use of a combined software-hardware cyberattack to blind a nation during a military operation.

Israel is at it again, offering something blindingly new: a cyber weapon created to cross from the digital realm to the physical world — to destroy something.

A highly sophisticated computer worm that has burrowed into industrial systems worldwide over the past year may have been a “search-and-destroy weapon” built to take out Iran’s Bushehr nuclear reactor, according to news reports published on Tuesday.

The articles from IDG News and The Christian Science Monitor said the Stuxnet worm was programmed to probe the hosts it infected for extremely specific settings. Unless it identified the hardware fingerprint it was looking for in industrial software systems made by Siemens, it remained largely dormant (for more on Stuxnet, see “Worry: Hackers can take over power plants,” 5 August 2010 HSNW; and “Siemens: Removing SCADA trojan may disrupt power plants,” 26 July 2010 HSNW).

The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.

Unlike most malware, Stuxnet is not intended to help someone make money or steal proprietary data. Industrial control systems experts now have concluded, after nearly four months spent reverse engineering Stuxnet, that the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide. Internet link not required.

Dan Goodin writes that it was only after a unique configuration on a Programmable Logic Controller device was detected that Stuxnet took action. Under those circumstances, the worm made changes to a piece of Siemens code called Operational Block 35, which monitors critical factory operations, according to IDG, which cited Eric Byres, CTO of security firm Byres Security.

IDG reported that “By messing with Operational Block 35, Stuxnet could easily cause a refinery’s centrifuge to malfunction, but it could be used to hit other targets too, Byres said.”

“Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance — a target still unknown,” the Christian Science Monitor said. It went on to say that the digital fingerprinting capability “shows Stuxnet to be not spyware, but rather attackware meant to destroy.”

Both reports said the sophistication of Stuxnet suggests Israel or some other nation state is behind the worm and both articles cited speculation by Ralph Langner that the intended target may have been Iran’s Bushehr reactor, located about 750 miles from Tehran. Langner is a well-respected German expert on industrial systems security. “With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge,” Langner said. The Iranian project faced reported delays around the same time Stuxnet is believed to have propagated, and the plant is believed to use the Windows-based Siemens software targeted in the attacks, IDG said.

The Christian Science Monitor said Stuxnet may already have inflicted damage on Bushehr and noted that the facility’s expected opening in late August has been delayed for unknown reasons.