Symantec discovers 2005 US computer virus attack on Iran nuclear plants

Internet security firm finds early 'Stuxnet 0.5' version revealing espionage
and sabotage virus released under George W Bush

26 January, 2013

Researchers at the security company Symantec have discovered an early version of
the "Stuxnet" computer virus that was used to attack
nuclear reprocessing plants in Iran, in what they say is a "missing
link" dating back to 2005.

The discovery means that the US and Israel, who are believed to have
jointly developed the software in order to carry out an almost
undetectable attack on Iran's nuclear bomb-making ambitions, were
working on the scheme long before it came to public notice – and
that development of Stuxnet, and its forerunner, began under the
presidency of George W Bush, rather than being a scheme hatched
during Barack Obama's first term.

The older version of the virus, dubbed "Stuxnet 0.5" – to
distinguish it from the "1.0" version – also targeted
control systems in Iran's Natanz enrichment facility, the researchers
said.

"Stuxnet 0.5 was submitted to a malware scanning service in November 2007 and
could have begun operation as early as November 2005," Symantec
notes in a report. It may have been submitted to see whether
Symantec's defences would recognise it as malware – in which case
it would have been useless. One key to Stuxnet's success was that it
was not detected by conventional antivirus systems used in corporate
and state computer systems.

The success of Stuxnet – in both forms – is reckoned to have averted
a planned military strike by Israel against Iran's reprocessing
efforts in 2011. During 2010 it had seemed increasingly likely that
Israeli jets might target the heavily-armoured plant to thwart Iran's
nuclear ambitions.

But the computer virus, one of the most visible forms of a cyberwar that
is increasingly raging between nation states, made that unnecessary,
and is reckoned to have put Iran's plans back by years.

The 1.0 version of Stuxnet is reckoned to have infected Iranian computers
after being copied onto USB sticks which were left in locations in
India and Iran known to be used by Iranian nuclear scientists and
their contacts. It then spread into computer systems and took over
the connected Siemens control systems, spinning centrifuges to
dangerous speeds in order to damage the systems.

The 0.5 version, by contrast, was transmitted as part of an infected
control archive for specific Siemens systems used for uranium
enrichment. Once active, it infected the network and control systems
and closed off valves, a move that would cause serious damage to the
centrifuges and the enrichment system. It also recorded data about
the system it was on, which it would send back over the internet to a
set of "command and control" servers – which at the time
had been faked to look like a group of internet advertising agencies
created in 2005, with names such as smartclick.org and
best-advertising.net, and all bearing the same phrase on the front:
"Believe What the Mind Can Dream." (They have since been
adopted by other companies, or closed.)

"The 0.5 version was a mixture of sabotage and espionage – affecting the
valves and reporting back," said Sian John, Symantec's director
of security strategy for UK and Ireland Enterprise. "This really
goes to show that with the right impact and amount of research, these
groups can create very targeted attacks."