Stuxnet 'virus' could be altered to attack US facilities, report warns

Stuxnet, a computer worm that hit and may have severely damaged Iranian nuclear facilities, is the type of cyberweapon that could broadly harm the United States, undermining both society and government ability to defend the nation, says a strongly worded report to Congress.

A successful broad-based attack on the US, using new variants of the Stuxnet weapon, could do enough widespread damage to critical infrastructure – including water, power, transportation, and other services – that it "threatens to cause harm to many activities deemed critical to the basic functioning of modern society," said the little-noticed report issued by the Congressional Research Service (CRS) Dec. 9.

If retooled slightly, Stuxnet could be directed to target a wide swath of critical infrastructure facilities, rather than a narrow target such as Iran's nuclear fuel-enrichment facilities and nuclear power plant, the eight-page CRS synopsis warns, quoting researchers and other analysts.

"Depending on the severity of the attack, the interconnected nature of the affected critical infrastructure facilities, and government preparation and response plans, entities and individuals relying on these facilities could be without life sustaining or comforting services for a long period of time," the study's summary states. "The resulting damage to the nation’s critical infrastructure could threaten many aspects of life, including the government’s ability to safeguard national security interests."

Terrorist groups, previously deemed not to have much independent ability to launch damaging cyberattacks, could potentially purchase or even rent a Stuxnet-based variant from organized crime groups to launch an infrastructure attack on the US, the report warns.

While some experts say the "cyber threat to critical infrastructure is exaggerated, regardless of the perpetrators’ capabilities," most such skepticism has been general in nature and does not factor in the new Stuxnet cyberweapon, the report says.

The report quotes Dr. Udo Helmbrecht, executive director of the European Network and Information Security Agency, as saying in October that “Stuxnet is really a paradigm shift, as Stuxnet is a new class and dimension of malware." He went on to call it a "first strike" weapon that is "one of the first organized, well prepared attacks against major industrial resources. This has tremendous effect on how to protect national (critical infrastructure) in the future.”

Stuxnet news continues to ripple outward. On Dec. 4, a senior Iranian official blamed United Nations spies for helping to undermine Iran's nuclear program, the Associated Press reported. Intelligence Minister Heidar Moslehi said International Atomic Energy Agency staffers had used spying, as part of a broader Western campaign against Iran's nuclear facilities that included the Stuxnet attack, the AP report said.

Ralph Langner, an industrial control system expert who first detailed Stuxnet's role as the world's first cyberweapon able to destroy physical infrastructure, noted the damage to Iran's facilities in an interview with the Jerusalem Post published Wednesday.

“It will take two years for Iran to get back on track,” he said. “This was nearly as effective as a military strike, but even better since there are no fatalities and no full-blown war. From a military perspective, this was a huge success.”