Was Stuxnet, a sophisticated piece of malware designed to attack industrial control systems (ICS), secretly invented by Israel to attack Iran's industrial control systems?
Though the idea is pure conjecture at this point, some odd technical design choices in Stuxnet, discovered by Symantec researchers while analyzing how it works, could lead someone to think that Jewish enemies of Iran were behind it, and Israel would be the obvious country to speculate about in this regard.
Stuxnet clearly appears to be a cyberwar-grade piece of malware designed to sabotage an enemy's energy-distribution resources, but the Symantec report is careful not to name names; it simply cites some peculiar clues that may be buried in the Stuxnet code.
The Symantec report "W32.Stuxnet Dossier" concerns the malware that has been known about since roughly mid-June and that has made many working in the energy-distribution business very nervous, because it has been clear that it is out to get ICS by exploiting vulnerabilities in Windows-based computers, among other means.
In Symantec's extensive analysis of the Stuxnet code, which is being published tomorrow, Symantec says "Stuxnet is a threat targeting a specific industrial control system in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers to operate as attackers intend them to, most likely out of their specified boundaries."
Stuxnet, a topic of fascination for weeks since it is so sophisticated and apparently not intended to perform the usual malware stunts, is increasingly regarded as cyberwar-caliber malware that one state might use against another to disable energy-distribution systems. Iran this week acknowledged it has been hit by Stuxnet.
The Symantec report is careful not to name Israel as Stuxnet's creator in any way. But the report does point to a specific malware loading function, used as part of Stuxnet's larger command-and-control structure, that looks for an infection marker and "checks that the configuration data is valid, after that it checks the value 'NTVDM TRACE' in the following registry key," says the Symantec report. "If this value is equal to 19790509, the threat will exit. This is thought to be an infection marker or a 'don't infect' marker. If this is set correctly, infection will not occur. The value appears to be the date May 9, 1979."
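As an added illustration (not code from the article or from Symantec's report), the following defender's triage script scans an exported Windows .reg file for the "NTVDM TRACE" value described above, flags the 19790509 marker, and decodes it as the YYYYMMDD date the report mentions. The article does not name the registry key that holds the value, so the key path in the constructed sample export is a placeholder.

```python
import re
from datetime import date

# Marker quoted in the Symantec dossier: if the DWORD "NTVDM TRACE" equals
# 19790509 (0x012DFAAD), Stuxnet exits without infecting the host.
MARKER_NAME = "NTVDM TRACE"
MARKER_VALUE = 19790509

# Matches a .reg value line such as:  "NTVDM TRACE"=dword:012dfaad
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')

def decode_yyyymmdd(value):
    """Interpret a DWORD as a YYYYMMDD date; return None if it is not one."""
    year, month, day = value // 10000, (value // 100) % 100, value % 100
    try:
        return date(year, month, day)
    except ValueError:
        return None

def scan_reg_export(text):
    """Return (key_path, decimal_value, is_marker) for every "NTVDM TRACE"
    value in a .reg export, so near-misses are visible alongside exact hits."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key section
            continue
        m = _VALUE_RE.match(line)
        if m and m.group("name") == MARKER_NAME:
            value = int(m.group("hex"), 16)   # .reg stores DWORDs as hex
            findings.append((current_key, value, value == MARKER_VALUE))
    return findings

# Constructed sample export (not real data). The article does not name the
# registry key that holds the value, so the first key path is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER_KEY_NOT_GIVEN_IN_ARTICLE]
"NTVDM TRACE"=dword:012dfaad

[HKEY_LOCAL_MACHINE\SOFTWARE\UnrelatedApp]
"NTVDM TRACE"=dword:00000001
"""
if __name__ == "__main__":
    for key, value, hit in scan_reg_export(SAMPLE_EXPORT):
        label = "STUXNET MARKER" if hit else "other value"
        print(f"{key}: {value} ({label}, as date: {decode_yyyymmdd(value)})")
```

Real regedit exports are UTF-16 with a byte-order mark, so open them with `encoding="utf-16"` before passing the text to `scan_reg_export`.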
In its search for some meaning to attach to this, Symantec says it has found a Wikipedia reference to Habib Elghanian, "who was executed by a firing squad in Tehran, sending shock waves through the closely knit Iranian-Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000-member strong Jewish community of Iran which continues to this day."
In citing this reference to Elghanian, however, Symantec immediately "cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate any party." That means the creators of Stuxnet might be leaving a few false clues to make the world think Israel created it while the truth might lie elsewhere. Nothing's known for sure.
In the report, Symantec goes no further in its statements on this issue. Sticking to technical detail, Symantec notes that programmable logic controllers "are often programmed from Windows computers not connected to the Internet or even the internal network."
In addition, the PLCs themselves are unlikely to be connected to the Internet, the report says. And in presenting what it acknowledges is a "possible attack scenario" that is "speculative," Symantec notes, "As each ICS is quite custom, the attackers will first need design documents. These design documents may have been stolen by an insider or even retrieved by an early version of Stuxnet or other malicious binary."
How successful has Stuxnet been in spreading? As of Sept. 29, 2010, there have been about 100,000 infected hosts, according to Symantec's estimate. About 60% of these are in Iran; most of the remainder are in Indonesia, India and Azerbaijan, with the rest of the world seeing only small numbers.
"On August 22, we observed that Iran was no longer reporting new infections," says Symantec. "This was most likely due to Iran blocking outward connections to the command-and-control server, rather than a drop-off in infections."