Stuxnet: UK and US nuclear plants at risk as malware spreads outside Russia
Security experts have warned the notorious Stuxnet malware has likely infected numerous power plants outside of Russia and Iran.
11 November, 2013
Experts from FireEye and F-Secure told V3 the nature of Stuxnet means it is likely many power plants have fallen victim to the malware, when asked about comments made by security expert Eugene Kaspersky claiming at least one Russian nuclear plant has already been infected.
"[The member of staff told us] their nuclear plant network, which was disconnected from the internet [...] was badly infected by Stuxnet," Kaspersky said during a speech at Press Club 2013.
Stuxnet is sabotage-focused malware that was originally caught targeting Windows systems in Iranian nuclear facilities in 2011. The malware is believed to originally have been designed to target only the Iranian nuclear industry, but subsequently managed to spread itself in unforeseen ways.
F-Secure security analyst Sean Sullivan told V3 Stuxnet's unpredictable nature means it has likely spread to other facilities outside of the plant mentioned by Kaspersky.
"It didn't spread via the internet. It spread outside of its target due to a bug and so it started traveling via USB. Given the community targeted, I would not be surprised if other countries had nuclear plants with infected PCs," he said.
Director of security strategy at FireEye, Jason Steer, mirrored Sullivan's sentiment, adding the insecure nature of most critical infrastructure systems would make them an ideal breeding ground for Stuxnet.
"Stuxnet has mostly spread by USB and CD-ROM using removable drive vulnerabilities in Windows to date and continues to spread using remote calls to talk to and infect other computers on the network," Steer told V3.
"Many of these control systems are not connected to the internet, because they are so old and delicate that they cannot withstand any serious probing and examination, and frankly are not designed to connect to the internet as they are so insecure. Getting a vulnerability to a network not connected is not so difficult anymore if it's important enough."
Steer added that the atypical way Stuxnet spreads and behaves means traditional defences are ill-equipped to stop, or even accurately track, the malware's movements.
"It's highly likely that other plants globally are infected and will continue to be infected as it's in the wild and we will see on a weekly basis businesses trying to figure out how to secure the risk of infected USB flash drives," he said.
"When a PC is infected, the malware does many clever things, including not showing all the things that are on the USB so it's impossible to know if the USB is to be trusted or not and, as we know, using AV signatures doesn't solve some of these issues either."
Critical infrastructure networks' poor security and their use of outdated Windows XP and SCADA systems - industrial control software designed to monitor and control processes in power plants and factories - have been an ongoing concern for industry and governments.
Prior to Kaspersky's claims, experts from Bluecoat Systems and the Jericho Forum argued at the London 2012 Cybergeddon conference that critical infrastructure providers opened themselves up to cyber attacks by prematurely moving key systems online.
The US Department of Defense (DoD) said the premature move online is doubly dangerous as Chinese hackers are skilled enough to mount Stuxnet-level cyber attacks on critical infrastructure.
The use of XP in power plants is set to become even more dangerous as Microsoft has confirmed it will officially cut support for the 12-year-old OS in less than a year. The lack of support means XP systems will no longer receive critical security updates from Microsoft.