Stuxnet cyberweapon set to stop operating

Stuxnet infected some 130,000 computers worldwide, most of them related to Iran's nuclear fuel enrichment program. It's programmed to shut down just after midnight Sunday, but there likely are other cyber espionage systems out there.

|
Ebrahim Norouzi/IIPA/AP
In this 2010 photo, released by the International Iran Photo Agency, Iranian technicians work at the Bushehr nuclear power plant, outside the southern city of Bushehr, Iran.

Goodbye Stuxnet. And Iranian officials would doubtless hasten to add: "Good riddance."

At one second past midnight Sunday, the world's most powerful known cyber weapon, reportedly created by the US with Israeli support to clandestinely infiltrate and then wreck Iran's nuclear fuel enrichment program, will cease to operate.

At present, the program still wakes up, goes through various check functions, looking for a target to destroy. But deep inside Stuxnet's labyrinth of software code are a few lines that will soon order the program to stop working altogether in a pre-programmed, belated and ultimately unsuccessful bid to prevent it from being detected and deciphered, say computer forensic experts who have examined the program's code.

RECOMMENDED: From the man who discovered Stuxnet, dire warnings one year later

As a practical matter, Stuxnet's departure is likely to be an invisible non-event as far as the wider world is concerned. All but a few hundred of the more than 130,000 computers globally – about two-thirds in Iran – that were identified in summer 2010 as infected with the computer worm have already had their software patched and cleaned up.

But the final deactivation of that powerful destructive digital code isn't likely to give much enduring relief to anyone. Not to Iran, which on June 21 announced it was still worried about another imminent "massive" cyber attack against it should negotiations with the US and other nations over its controversial nuclear program fail.

Certainly relief won't come soon for President Obama and his national security team, which approved in spring 2010 unleashing a particularly potent version of Stuxnet, the New York Times reported this month. Called "the bug" inside the White House, Stuxnet was targeted to destroy a key group of 1,000 nuclear centrifuges Iran was believed using to make bomb grade uranium fuel, the Times reported.

Lawmakers in Congress now are calling for an investigation into the leaking of the top-secret US operation code-named "Olympic Games" in which Stuxnet, a name that was given "the bug" by anti-virus firms that found it spreading on networks in 2010.

There's no relief either for worried cyber security experts, some of whom have called Stuxnet the digital equivalent of the first nuclear attack on Hiroshima. They warn that Stuxnet's code provides a template and conceptual model for a far more destructive "son of Stuxnet" cyber weapon that could be deployed by other nation states or hacktivists for cyber attacks against power grids and other civilian infrastructure.

A prime target, they say, would be Stuxnet's own presumed creator – the US, which is to a far greater degree than its potential adversaries, including nations like North Korea and Iran, reliant on cyber-physical industrial control systems of the kind Stuxnet was specifically designed to infiltrate and destroy.

"It can be argued that the time was ripe for history's first cyber weapon, and having it come from China or Russia would have created another unpleasant Sputnik experience," wrote Ralph Langner, the Hamburg, Germany-based cyber security expert in a recent opinion article in the New York Times. "On the other hand it is evident that the United States is not prepared to defend against such sophisticated cyber-physical attacks that they chose to experiment with in the open, with the actual weapon eventually being downloadable from the Internet."

Mr. Langner's discovery that Stuxnet was not just another piece of criminal malware, but was actually the world's first nation state-built cyber super-weapon and apparently targeting Iran's nuclear program, was verified and first published by the Monitor on Sept. 21, 2010.

Ever since, the hunt has been on for who built and unleashed Stuxnet – and the fragments of other digital weapons that keep popping up. That hunt has yielded a drumbeat of surprises. First, has come the discovery of at least two other highly sophisticated cyber espionage systems that also appear to target Iran's nuclear program – and also show clear signs that they are directly related siblings of Stuxnet – and developed by the same source, according to forensic analysis and recent news media reports.

"Whoever was running this operation needed these programs to conduct a large number of highly targeted and clandestine operations against Iran and its allies," says John Bumgarner, a former Army intelligence officer now research director for the US Cyber Consequences Unit, a nonprofit security think tank.

As it turns out, Stuxnet was probably the last piece of the puzzle, the digital muscle deployed to take out Iran's nuclear centrifuge systems. In fact, it had two other siblings – espionage programs that gathered intelligence and prepared the cyber battlefield.

"Flame," a highly sophisticated espionage program was in essence a giant vacuum cleaner – sucking up information from wireless sources, turning on computer microphones, stealing files, Mr. Bumgarner says. Discovered just last month, Flame is believed to have been on the loose since at least late 2007 and was likely created earlier that year, according Kaspersky, the Moscow-based anti-virus company.

Meanwhile, "Duqu," another espionage program was deployed to infiltrate specific computers within key companies that had programs related to Iran's nuclear program. It was far more highly targeted than Flame and came later, according to Symantec, the big anti-virus company that did a comprehensive analyses of Stuxnet. Duqu and Stuxnet shared a common programming platform apparent in their code, linking them to the same team of programmers, Symantec found.

By the time Stuxnet was created sometime between January-June 2009, Flame was already in existence – created probably no later than summer 2008, Kaspersky reported this month. Meanwhile, Stuxnet's 2009 version used a fragment of code based on Flame, Kaspersky says. Thus, Stuxnet, Duqu, and Flame all share key components.

The trio was created, Kaspersky argues, by two independent developer teams – one for Flame, and the other for Stuxnet and Duqu, each "developing its own platform since 2007-2008 at the latest." In 2009, part of the code from the Flame platform was used in Stuxnet. That cross-linking means all three programs now are tied together.

Journalistic accounts appear to have tied that group of malware together and laid them at the feet of the White House. Flame, which came to light last month after Iran spotted infiltration of its oil networks, was part of a larger cyber assault, according to anonymous "western officials," cited by the Washington Post June 19.

“This is about preparing the battlefield for another type of covert action,” one former high-ranking US intelligence official told the Post, adding that Flame and Stuxnet were elements of a broader assault that continues today. “Cyber-collection against the Iranian program is way further down the road than this.”

That dovetails with the findings of cyber researchers that have dissected the code of the trio of miscreant malware: Stuxnet, Flame, and Duqu.

"We have no doubt they were all developed by the same people," says Liam Ó Murchú, manager of operations for Symantec Security Response, in a phone interview. "It's clear to us that there are enough similarities, and in some cases completely copied code, to relate them all together."

There's something else that links everything together, too: major efforts to cover their tracks. After Flame was discovered, a special module was activated on computers in Iran and elsewhere – in Syria, Sudan and Libya – to delete them. Duqu's operators also systematically deleted it off computers after its discovery.

Symantec's Ó Murchú, however, notes that update features in Flame, Duqu, and Stuxnet all allow their handlers to extend their lives. It also suggests that new versions of Flame and Duqu, and perhaps even Stuxnet – that the anti-virus companies and Iran have not yet detected – are still operational, he and others say.

Internet domains that controlled Flame shut down about an hour after news of the operation broke worldwide, but at least three infected machines in Iran, Iraq, and Lebanon received malware upgrades – essentially new versions of Flame, Kaspersky researchers told Wired.com.

Indeed, the self-destruct mechanisms themselves suggest some larger geopolitical themes. With Flame and Duqu, deletions occurred after discovery.     But there would never be that option for Stuxnet, which was designed to penetrate the inner networks of Iran's Natanz nuclear centrifuge plant – far from any internet connection.

Stuxnet's mission was to destroy centrifuges, then itself. It is programmed to terminate June 24, 2012 – seven years to the day after Iranian President Mahmoud Ahmadinejad was elected president – a matter likely viewed by the Bush Administration and others around the world with trepidation given his strident views on nuclear matters.

If Stuxnet had succeeded, Iran might be out of the nuclear fuel refining game. It's not. So, is Iran rightly concerned about further cyber intrusions?

"It's just my opinion, but I think Stuxnet and other cyber espionage programs were all about trying to prevent another Mideast war," Mr. Bumgarner says. "We've seen these programs deleted, or like Stuxnet, shutting itself down. But I'm guessing that the story isn't over yet."

RECOMMENDED: From the man who discovered Stuxnet, dire warnings one year later

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Stuxnet cyberweapon set to stop operating
Read this article in
https://www.csmonitor.com/USA/2012/0623/Stuxnet-cyberweapon-set-to-stop-operating
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe