Computer Worm Delays Nuke Plant in Iran


By: Ken Timmerman

Iran has stated that the "Stuxnet" worm that has affected thousands of computers in Iran is a Western plot aimed at sabotaging Iran’s nuclear program.

“Western states are trying to stop Iran’s [nuclear] activities by embarking on psychological warfare and aggrandizing, but Iran would by no means give up its rights by such measure,” according to a printed summary of comments made yesterday in Tehran by foreign ministry spokesman Ramin Mehrmanparast.

“It is hard for the Western states to tolerate the progress of Iran’s peaceful nuclear program,” he said. “Nothing would cause a delay in Iran’s nuclear activities,” he added.

Other Iranian officials have blamed Israel for introducing the computer malware into Iran.

Stuxnet is unlike previously known cyber worms, says Babak Namdar, a computer programmer in Los Angeles and member of the Iranian opposition Marze Por Gohar party (MPG).

“Traditional worms try to infect as many hosts as possible, whereas Stuxnet was written for a specific target that actually controls physical services like controlling pumps, motors, etc.,” he told Newsmax in an e-mail.

“This new type of cyber-weapon is the equivalent of a missile looking for a specific heat signature,” he added. It was designed to target the Siemens WinCC/Step 7 industrial control system, “but only if it matches a particular configuration.”

Iranian officials have acknowledged that Stuxnet has infected over 30,000 computers in Iran, including the Siemens process control systems at the Busheir nuclear power plant, which was slated to go on-line this month.

Last weekend, intelligence minister Heydar Moslehi blamed “enemy spy services” for introducing Stuxnet, and said Iran’s security services had arrested a number of foreign agents involved in the plot.

Computer analysts agree that the worm was introduced by someone inserting a USB “thumb” drive into the computers, not over the Internet. That means that an individual or individuals with physical access to the Busheir nuclear power plant infected the computers.

Siemens SCADA process control software is running Iranian industrial facilities from water sanitation to oil pipelines and nuclear plants, according to The Washington Post. Siemens has acknowledged that its process control software has been infected by Stuxnet.

In January 2010, Siemens announced that it would not fulfill any further requests for products from Iran, but that it would complete existing contracts and participate in bids submitted by its subsidiaries to Iran before October 2009.

Last week, Mark Wallace, a former U.S. ambassador to the United Nations who now runs the non-profit United Against a Nuclear Iran, wrote to the head of Nokia-Siemens, a joint venture with the Finnish cellphone manufacturer, calling on them to comply with U.S. law and end their business in Iran.

“The technologies that you have provided, and continue to provide, are being used by the Iranian regime to oppress the Iranian people and permit the regime to engage in egregious human rights violations,” Wallace wrote.

Iran has been hit by several unexplained explosions at oil and gas pipelines around the country in recent months, which computer experts are now attributing to the Stuxnet worm.

Stuxnet is “the most complex piece of malware we’ve seen in the last five years or more,” Nicolas Falliere, a code analyst at the security firm Symantec, told Wired.com.

“It’s the first known time that malware is not trying to steal personal user data, but is attacking real-world processing systems. That’s why it’s unique and is not over-hyped,” he said.

German computer analyst Ralph Langner has been analyzing Stuxnet since it was first discovered in June by a Belarus security company with clients in Iran.

In an early analysis, Langner called the malware a cyberattack that “involves heavy insider knowledge.”

The malware “was assembled by a highly-qualified team of experts . . . the resources needed to stage this attack point to a nation state.”

Some computer analysts claim to have discovered hidden text in the worm’s code that points to an Israeli hand.

Langner told the Daily Telegraph last week he thought it had been designed by a super-secret Israeli military cyber warfare team known as “Unit 8200.”

According to the Daily Telegraph account, computer analysts discovered the Latin word “myrtus” embedded into the Stuxnet code.

“Myrtus is Latin for the myrtle tree. The Hebrew word for myrtle, Hadassah, was the birth name of Esther, the Jewish queen of Persia,” according to the London daily.

But not everyone believes that Israel is behind the attack.

Elinor Mills covers Internet security and privacy for CNET News.

In a blog posting entitled “Stuxnet: Fact versus theory,” she notes that the “myrtus” code and other references ostensibly indicating an Israeli design are just as likely to be “red herrings designed to divert attention away from the actual source.”

Mills also speculated that Stuxnet may have been introduced first into a Siemens process controller at the Natanz uranium enrichment plant, causing a previously unexplained industrial accident last year that led to a significant decrease in the number of operating enrichment centrifuges and to the sudden resignation of the head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh.

Iranian opposition activist Roozbeh Farahanipour, who works with Namdar at MPG, tells Newsmax that Stuxnet may have been designed by Iranians.

“No one outside of Busheir had access to those computers,” he said. “I don’t believe it was Israelis who did this. But we have to wait and see what the regime says when they bring the people they have arrested to court.”

Farahanipour’s MPG claims to have hacked a number of Iranian government websites in recent weeks, including those of president Mahmoud Ahmadinejad, the Agricultural Bank, a power company, and a website controlled by the intelligence ministry.

He said his group’s efforts were a response to claims by the Iranian regime that its own “Iranian Cyber Army” had played a determinant role in preventing exiled opposition groups from directing demonstrations inside Iran earlier this year.

“If the regime can’t control its own websites, how can they claim to control our websites?” Farahanipour said.