(2010-09-24) Stuxnet Industrial Attack Malware

CyberSecurity experts say they have identified the world's first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant... The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected Memory Stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems... "StuxNet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."... Langner zeroes in on Stuxnet's ability to "fingerprint" the computer system it infiltrates to determine whether it is the precise machine the attack-ware is looking to destroy. If not, it leaves the industrial computer alone... So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems.

A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced CyberWar capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive CyberWar-fighting capability. Could Stuxnet's target be Iran's Bushehr Nuclear Power plant, a facility much of the world condemns as a nuclear weapons threat? Langner is quick to note that his views on Stuxnet's target are speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr's expected startup in late August has been delayed, he notes, for unknown reasons. (One Iranian official blamed the delay on hot weather.)

Sept25 update: Iran confirms damage. Iranian newspapers have reported on the computer worm hitting industries around the country in recent weeks, without giving details. Friday's report also did not mention Bushehr.

Forget StuxNet - the fact that Nuclear Power plants are running on MsWindows scares the crap out of me.

Oct10 update: Bruce Schneier clarifies what's known vs the speculation that fills the News Hole. None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory "highly speculative," and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates--India, Indonesia, and Pakistan--are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

Nov16 update: According to Eric Chien, one of three Symantec researchers who have dug into Stuxnet, the worm targets industrial systems that control very high speed electrical motors, such as those used to spin gas centrifuges, one of the ways uranium can be enriched into fissionable material... Symantec's latest analysis indicates that the (Bushehr) reactor was not the target. Instead, Stuxnet aimed to disrupt uranium enrichment efforts.

