Cyberwar

Cyberwar

The more I read about the Stuxnet worm the more interesting it gets. This clever weapon was designed to lurk in personal computers until someone, somewhere, incautiously took his work home and returned to the secure, net-isolated Iranian nuclear facility and plugged an infected USB back in. Then it attacked a Siemens Simatic WinCC supervisory control and data acquisition ("SCADA") system designed to manage pipelines, various utility and manufacturing equipment -- and nuclear plants. Specifically, it targeted frequency-converter drives that are used to control the speed of a device, such as a motor or centrifuge. But not just any centrifuge, says Liam O'Murchu, researcher with Symantec Security Response, which published the new information in an updated paper on Friday:

"You would need a process running continuously for more than a month for this code to be able to get the desired effect. Using nuclear enrichment as an example, the centrifuges need to spin at a precise speed for long periods of time in order to extract the pure uranium. If those centrifuges stop to spin at that high speed, then it can disrupt the process of isolating the heavier isotopes in those centrifuges … and the final grade of uranium you would get out would be a lower quality.”

“This is what nation-states build, if their only other option would be to go to war,” Joseph Wouk, an Israeli security expert wrote. The construction of the worm was so advanced, it was “like the arrival of an F-35 into a World War I battlefield,” says Ralph Langner, the computer expert who was among the first to publicize the Stuxnet phenomenon. At Iran's Natanz nuclear facility, the worm operated stealthily for nearly a year and a half, altering the spin speed of the plant's centrifuges in brief erratic bursts, just enough to damage the converter and bearings and to corrupt the uranium fuel in the tubes. Throughout this time, however, Stuxnet hid the changes from the engineers' control panels so that computer checks continued to show all systems operational. This promoted a climate of fear and paranoia that subjected Iranian scientists to suspicion and possible sanctions by their own government.

The worm's designers took skillful measures to hide its tracks even after it was eventually discovered. While it operated, it continually reported back to two servers in Denmark and Malaysia. The moment it was discovered by VirusBlokAda, a Belarusian security company, both of the monitoring servers abruptly disappeared, and the alert sites carrying an emergency notice to global computer security experts were shut down for a full day, during which time all traces of the worm were eliminated.

A commenter at Wired.com asserts that the resulting damage may be even greater than Symantec's report indicates:

Symantic doesn’t understand centrifuges. This intermittent glitch will destroy the rotors. Like shifting into 1st at 80. With resonance. Finding the glitch in a rootkitted PLC will cost rotors for each debug.

More good news: Stuxnet may have been designed to infiltrate the North Korea nuclear program as well.