Cyber sleuths unravel Stuxnet mysteries

Feb. 28, 2013 at 1:20 PM

BEIRUT, Lebanon, Feb. 28 (UPI) -- Cyber detectives unraveling mysteries surrounding the Stuxnet computer virus that infected Iran's nuclear program say the worm was active four years earlier than thought.

And the verdict appears to be that in a series of cyberattacks on Iran's uranium enrichment process, the vital element in producing weapons-grade material, the virus set Tehran's nuclear project back several years and likely averted threatened pre-emptive attacks by Israel.

Researchers at the leading security company Symantec say they've discovered an early version of Stuxnet, what they call a "missing link," that was active as early as 2005.

"The new finding ... resolves a number of long-standing mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet, but was incomplete in those variants and had been disabled by the attackers," said Kim Zetter, who covers security for the website Wired.

Stuxnet first came to public attention in June 2010, after it had destroyed around 1,000 centrifuges, the machines used to enrich uranium, at the underground enrichment facility at Natanz in central Iran. The earliest of the variants then known was compiled in June 2009.

Further strikes against clusters of centrifuges followed from Stuxnet variants dated March and April 2010.

The June 2009 variant was labeled 1.001. The one used in March 2010 was tagged 1.100 and the April 2010 version was 1.101.

"The gaps in version numbers suggested that other versions of Stuxnet were developed, even if they were not released into the wild," Zetter wrote.

"That theory bore out when the researchers discovered the 2007 variant, which turned out to be version 0.5."

Symantec, which reverse-engineered the 2010 version of Stuxnet and uncovered the latest variant, discovered the 2007 version a few months ago during a routine search of its malware database while looking for files that matched patterns of known malware.

The company's report said the discoveries indicated that the developers of Stuxnet, generally believed to be the United States and Israel, had been working on the project as early as November 2005.

That meant the plan to sabotage Iran's nuclear program with a destructive computer virus had been hatched during the administration of U.S. President George W. Bush, rather than during President Barack Obama's first term as had been thought.

Stuxnet 0.5 could have been "in the wild ... as early as November 2005," Symantec observed, although it may not have been operational as a virus at that time.

As far as is known, centrifuge cascades weren't installed in Natanz until 2007.

"It's long been suspected by some experts that Stuxnet was already sabotaging cascades at Natanz sometime between late 2008 and mid-2009," Zetter said. "The new findings from Symantec support that theory."

Stuxnet 0.5, which perhaps "did not completely fulfill the attackers' goals," was programmed to stop spreading to new systems after July 4, 2009, after which the newer versions of the worm took over, Symantec said.

The 2009 and 2010 versions contained two attack sequences targeting the programmable logic controllers, or PLCs, made by Germany's Siemens that ran the centrifuge cascades: the Siemens S7-315 and S7-417 models. The 315 sequence, which altered the rotational speed of the centrifuges, was new in the 2009 version; the 417 sequence, which manipulated valves to change pressure inside the cascades, was the part left incomplete and disabled in the later variants, and Stuxnet 0.5 carries a complete version of it.

The 1.x versions of Stuxnet, which unlike 0.5 carried Windows exploits allowing them to spread on their own, are believed to have reached Iranian computers after being copied onto USB sticks inserted into machines in India and Iran known to have been used by Iranian nuclear scientists and their associates.

Together, the Stuxnet variants used to disrupt the secret Iranian program caused immense damage at the Natanz facility.

"The success of Stuxnet -- in both forms -- is reckoned to have averted a planned military strike by Israel against Iran's reprocessing efforts in 2011," observed Charles Arthur, technology editor of the British daily the Guardian.

"During 2010 it had seemed increasingly likely that Israel might target the heavily armored plant to thwart Iran's nuclear ambitions.

"But the computer virus, one of the most visible forms of a cyberwar that is increasingly raging between nation states, made that unnecessary, and is reckoned to have put Iran's plans back for years."
