That’s the emerging consensus of security experts who have examined the Stuxnet worm. In recent weeks, they have broken the cryptographic code behind the software and taken a look at how the worm operates in test environments. Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker — possibly a nation-state — and it was designed to destroy something big.
Though it was first developed more than a year ago, Stuxnet was discovered in July 2010, when a Belarus-based security company found the worm on computers belonging to an Iranian client. Since then it has been the subject of ongoing study by security researchers, who say they have never seen anything like it before. Now, after months of private speculation, some of the researchers who know Stuxnet best say that it may have been built to sabotage Iran’s nukes.
Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran’s Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm’s attack.
Experts had first thought that Stuxnet was written to steal industrial secrets — factory formulas that could be used to build counterfeit products. But Langner found something quite different. The worm actually looks for very specific Siemens settings — a kind of fingerprint that tells it that it has been installed on a very specific programmable logic controller (PLC) device — and then it injects its own code into that system.
Because of the complexity of the attack, the target “must be of extremely high value to the attacker,” Langner wrote in his analysis.
Langner is set to present his findings at a closed-door security conference in Maryland this week, which will also feature a technical discussion from Siemens engineers. Langner said he wasn’t yet ready to speak to a reporter at length. (“The fact of the matter is this stuff is so bizarre that I have to make up my mind how to explain this to the public,” he said via e-mail.) But others who have examined his data say that it shows that whoever wrote Stuxnet clearly had a specific target in mind. “It’s looking for specific things in specific places in these PLC devices. And that would really mean that it’s designed to look for a specific plant,” said Dale Peterson, CEO of Digital Bond, a control system security research firm.
This specific target may well have been Iran’s Bushehr reactor, now under construction, Langner said in a blog post. Bushehr reportedly experienced delays last year, several months after Stuxnet is thought to have been created, and, according to screenshots of the plant posted by UPI, it uses the Windows-based Siemens PLC software targeted by Stuxnet.