The Stuxnet worm is mutating and wreaking further havoc on computerised industrial equipment in Iran, where about 30,000 IP addresses have already been infected, IRNA news agency reported on Monday.
“The attack is still ongoing and new versions of this virus are spreading,” Hamid Alipour, deputy head of Iran’s Information Technology Company, was quoted as saying by IRNA, Iran’s official news agency.
Stuxnet, which was publicly identified in June 2010, was tailored for Siemens supervisory control and data acquisition, or SCADA, systems commonly used to manage water supplies, oil rigs, power plants and other industrial facilities.
The self-replicating malware has been found lurking on Siemens systems mostly in India, Indonesia and Pakistan, but the heaviest infiltration appears to be in Iran, according to researchers.
The hackers, who enjoyed “huge investments” from a series of foreign countries or organisations, designed the worm to exploit five different security vulnerabilities, Alipour said while insisting that Stuxnet was not a “normal” worm.
He said his company had begun the cleanup process at Iran’s “sensitive centres and organisations,” the report said.
“This virus has not caused any damage to the main systems of the Bushehr power plant,” Bushehr project manager Mahmoud Jafari said on Sunday.
He, however, added the worm had infected some “personal computers of the plant’s personnel.”
Alipour, whose company is tasked with planning and developing networks in Iran, said personal computers were also being targeted by the malware.
“Although the main objective of the Stuxnet virus is to destroy industrial systems, its threat to home computer users is serious,” Alipour said.
Iran’s nuclear ambitions are at the heart of a conflict between Tehran and the West, which suspects the Islamic republic is seeking to develop atomic weapons under the cover of a civilian drive.
While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.
The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes.
Stuxnet repeatedly drove the speed of thousands of Iranian centrifuges outside their safe operating range so that they would wear out or break, while hiding the manipulation from the operators’ monitoring software, so that to any Iranian technician things appeared to be working swimmingly.
Stuxnet infects PLCs by subverting the Siemens Step 7 software used to program these devices, so that the malicious code injected into a controller is hidden from the engineer who inspects it.
Different variants of Stuxnet targeted five Iranian organizations, with the probable target widely suspected to be uranium enrichment infrastructure in Iran.
Symantec noted in August 2010 that 60% of the infected computers worldwide were in Iran.
The virus, which infected computers at Iran’s Bushehr nuclear power plant, was discovered over the summer. Security firm Symantec said it detected the highest concentration of infections on computer systems in Iran, though the virus was also spotted in Indonesia, India, the United States, Australia, Britain, Malaysia and Pakistan.
Siemens stated on 29 November that the worm had not caused any damage to its customers, but the Iran nuclear program, which uses embargoed Siemens equipment procured clandestinely, is widely reported to have been damaged by Stuxnet.
In May 2011, the PBS program Need To Know cited a statement by Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, in which he said, “we’re glad they [the Iranians] are having trouble with their centrifuge machine and that we – the US and its allies – are doing everything we can to make sure that we complicate matters for them”, offering “winking acknowledgement” of US involvement in Stuxnet.
According to the British Daily Telegraph, a showreel that was played at a retirement party for the head of the Israel Defence Forces (IDF), Gabi Ashkenazi, included references to Stuxnet as one of his operational successes as the IDF chief of staff.
Iran said on Nov. 13 that it had detected the Duqu computer virus that experts say is based on Stuxnet, the so-called “cyber-weapon” discovered last year and believed to be aimed at sabotaging the Islamic Republic’s nuclear sites.
The head of Iran’s civil defense organisation told the official IRNA news agency that computers at all main sites at risk were being checked and that Iran had developed software to combat the virus.
“We are in the initial phase of fighting the Duqu virus,” Gholamreza Jalali, was quoted as saying. “The final report which says which organisations the virus has spread to and what its impacts are has not been completed yet.
“All the organisations and centres that could be susceptible to being contaminated are being controlled,” he said.
News of Duqu first surfaced on Oct. 18 when Symantec said in a report that a research lab with international connections had alerted it to a mysterious computer virus that “appeared to be very similar to Stuxnet,” a piece of malicious software believed to have wreaked havoc on Iran’s nuclear program.
While Stuxnet was aimed at crippling industrial control systems and may have destroyed some of the centrifuges Iran uses to enrich uranium, experts say Duqu appeared designed to gather data to make it easier to launch future cyber attacks.
Symantec said: “Duqu is essentially the precursor to a future Stuxnet-like attack.” Instead of being designed to sabotage an industrial control system, the new virus is designed to gain remote access capabilities, it said in a report issued last month.
Iran said in April it had been targeted by a second computer virus which it identified as “Stars”. It was not immediately clear if Stars and Duqu were related but Jalali described Duqu as the third virus to hit Iran.
According to security researcher John Bumgarner, Stuxnet’s commanders ran the cyber operation that last year sabotaged an underground facility at Natanz, where Iranian scientists are enriching uranium using thousands of gas centrifuges.
In Bumgarner’s account, Stuxnet’s operators started doing reconnaissance in 2007, using Duqu, which spied on makers of components used in Iran’s nuclear and critical infrastructure facilities.
He contends that Conficker was created by the same authors as Stuxnet, a claim that remains contested.
His evidence: both pieces of malware were written with unprecedented sophistication, infection rates for both were far higher in Iran than in the United States, and both spread by exploiting the same vulnerability in Windows.
Comparing date and time stamps on different versions of Conficker and Stuxnet revealed a correlation: key dates related to their development and deployment overlapped. April Fool’s Day, April 1, 2009, was the launch date for the attack.
The attackers picked that date to send a message to Iran’s leaders. It marked the 30th anniversary of the declaration of an Islamic republic by Ayatollah Khomeini after a national referendum.
Also identified were two other signals hidden in the Stuxnet code, based on the dates when key modules were compiled, that is, translated from source code into a binary that can run on a computer.
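The compile-time comparison described above rests on the TimeDateStamp field that the linker writes into every Windows PE header. As an added example, not code from the original article or from any researcher it cites, the Python below reads that field from minimal PE headers constructed in the script with arbitrary timestamps, and orders a set of samples into a build timeline. The file names and dates in the sample set are made up; they are not the real Stuxnet or Conficker values. Caveat for anyone doing this on real samples: the field is attacker-controlled and can be zeroed or back-dated, so a timestamp correlation is weak evidence unless corroborated.

```python
"""Added example: read the linker TimeDateStamp from PE headers to build a
compile-time timeline of malware samples (constructed headers, not real samples)."""
import struct
from datetime import datetime, timezone

def pe_timestamp(data: bytes) -> datetime:
    """Return IMAGE_FILE_HEADER.TimeDateStamp as an aware UTC datetime.

    PE/COFF layout relied on here:
      0x00   'MZ' DOS signature
      0x3C   e_lfanew, file offset of the 'PE\\0\\0' signature
      PE+4   IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def timestamp_is_suspicious(ts: datetime) -> bool:
    """The field is written by the linker but trivially editable: a zero value
    (1970) or a date in the future is a sign of deliberate tampering."""
    return ts.timestamp() == 0 or ts > datetime.now(timezone.utc)

def build_minimal_pe(stamp: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed fixture: DOS header + 'PE\\0\\0' + a 20-byte IMAGE_FILE_HEADER.
    Not loadable; just enough for pe_timestamp(). Machine 0x14C = i386."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + file_header

def compile_timeline(samples: dict) -> list:
    """Order {name: pe_bytes} by compile time -> [(iso_utc, name, suspicious)]."""
    rows = sorted((pe_timestamp(b), n) for n, b in samples.items())
    return [(t.strftime("%Y-%m-%dT%H:%M:%SZ"), n, timestamp_is_suspicious(t))
            for t, n in rows]

# Constructed sample set with arbitrary timestamps (not real Stuxnet/Conficker values).
SAMPLES = {
    "dropper.exe": build_minimal_pe(1238544000),  # 2009-04-01T00:00:00Z
    "payload.dll": build_minimal_pe(1238630400),  # 2009-04-02T00:00:00Z
    "stomped.sys": build_minimal_pe(0),           # zeroed timestamp
}

if __name__ == "__main__":
    for when, name, odd in compile_timeline(SAMPLES):
        print(f"{when}  {name:<14}{'  <-- timestamp suspicious' if odd else ''}")
```

Running it lists the samples oldest first and flags the zeroed one; on real files the same `pe_timestamp` call works on the bytes of any `.exe`, `.dll` or `.sys`, and the timeline is only as trustworthy as the linker field the author chose to leave intact.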
The operators communicated with Stuxnet-infected computers over the Internet through servers using fake soccer websites that they built as a front for their operation: http://www.mypremierfutbol.com and http://www.todaysfutbol.com.
If Iranian authorities noticed that traffic, they would be deceived into assuming it was from soccer fans, rather than suspect that something was awry, Bumgarner said.
Once Conficker had pulled Stuxnet into computers in Iran, there was still one big hurdle, he said. Those infected computers weren’t yet in the target – the underground uranium enrichment facility at Natanz.
Getting the virus in there was one of the trickiest parts of the operation.
Computers controlling the rapidly rotating gas centrifuges were cut off from the Internet. The best way to attack was to put the malware on a device like a USB thumb drive, and then get somebody to connect that drive to the system controlling the centrifuges.
Stuxnet was programmed to automatically jump from an infected PC to a USB drive as soon as it was put into a computer. That was the easy part. Getting somebody to be a human “mule” by bringing that USB drive to Natanz and plugging it into the right machine was a logistical nightmare.
It was impossible to predict when somebody with an infected USB drive would visit the plant. It could take a week or it might be six months.
The hackers behind the Duqu Trojan, a sibling of Stuxnet, have shut down their operation and wiped all of their command and control servers, leaving very little for security experts to investigate further.
Kaspersky Lab analysed a number of Duqu command and control servers and found that the operation had been running from as early as November 2009, despite the malware having only been discovered in October of this year.
This is a worrying revelation, as it means that computers and servers might have been infected for years with malware that still has yet to be discovered.
The researchers also found that a global cleanup took place earlier this year, on 20 October, a day or two after the virus’s existence was revealed to the world. All of the command and control servers were wiped clean, right back to the 2009 activity, leaving little trace that anything had ever happened.
This is interesting, as it means that the hackers behind the virus were particularly intent on keeping it a secret and effectively pulled the plug as soon as a whisper of it got out to the public.
The fact that the people behind Duqu could do this so quickly and effectively raises questions about how powerful they are and how much money and how many personnel they have at their disposal.
Kaspersky Lab said in a blog post that the primary command and control server for Duqu remains a mystery, as do the identities of the hackers.
The researchers did establish two things, however: the servers were most likely compromised by brute-forcing the root password, rather than through the rumoured OpenSSH 4.3 zero-day, and the attackers upgraded OpenSSH 4.3 to a version 5 release immediately after gaining control of the servers, suggesting the newer version mattered to them. A brute-forced root password also implies that those hosts were accepting password logins for root over SSH, which is exactly the configuration a hardened server should refuse.
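The brute-forced root password and the OpenSSH upgrade described above are, for any server operator, a detection problem and a hardening problem. As an added example, not code from Kaspersky or from the article, the Python below parses sshd log lines of the kind OpenSSH writes to syslog, flags a source address that fails a root password repeatedly within a short window and then succeeds, and audits an sshd_config text for PermitRootLogin and PasswordAuthentication, the two directives that permit such an attack. The hostname, addresses and timestamps in the sample log are constructed, and the pre-7.0 OpenSSH default of “yes” for both directives is assumed where a directive is absent.

```python
"""Added example: detect a root-password brute force in sshd syslog lines and
audit the sshd_config directives that make that attack possible."""
import re
from collections import defaultdict
from datetime import datetime

# Syslog-style authentication lines as written by OpenSSH on most Linux hosts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

def parse_sshd_line(line, year=2011):
    """Return (timestamp, result, method, user, ip), or None for other lines.
    Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]

def detect_root_bruteforce(lines, threshold=5, window_s=600):
    """Alert on each source IP with >= threshold failed root password logins
    inside a sliding window_s-second window; mark the alert as a compromise
    if the same IP later gets 'Accepted password for root'."""
    events = sorted(e for e in map(parse_sshd_line, lines) if e)
    recent = defaultdict(list)      # ip -> failure times still inside the window
    total_failed = defaultdict(int)
    alerts = {}
    for ts, result, method, user, ip in events:
        if user != "root" or method != "password":
            continue
        if result == "Failed":
            total_failed[ip] += 1
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.pop(0)            # expire attempts older than the window
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"ip": ip, "first_failed": q[0],
                                           "compromised": False, "login_at": None})
                a["failed"] = total_failed[ip]
                a["last_failed"] = ts
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["compromised"] = True
            alerts[ip]["login_at"] = ts
    return list(alerts.values())

# OpenSSH before 7.0 defaulted both of these to "yes" when the directive was absent.
_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}
_SAFE = {"permitrootlogin": {"no", "prohibit-password", "without-password"},
         "passwordauthentication": {"no"}}

def audit_sshd_config(text):
    """Return [(directive, effective_value, recommended)] for settings that let
    a root password be guessed over the network. sshd honours the first
    occurrence of a keyword, so later duplicates are ignored here as well."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in _DEFAULTS and key not in effective:
            effective[key] = value
    return [(key, effective.get(key, default), "no")
            for key, default in _DEFAULTS.items()
            if effective.get(key, default) not in _SAFE[key]]

# Constructed sample log: six root failures in 29 s from one address, then success.
SAMPLE_LOG = [
    "Nov 18 03:12:01 c2host sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "Nov 18 03:12:04 c2host sshd[2213]: Failed password for root from 198.51.100.7 port 51030 ssh2",
    "Nov 18 03:12:09 c2host sshd[2215]: Failed password for root from 198.51.100.7 port 51041 ssh2",
    "Nov 18 03:12:15 c2host sshd[2218]: Failed password for root from 198.51.100.7 port 51055 ssh2",
    "Nov 18 03:12:22 c2host sshd[2222]: Failed password for root from 198.51.100.7 port 51063 ssh2",
    "Nov 18 03:12:30 c2host sshd[2226]: Failed password for root from 198.51.100.7 port 51078 ssh2",
    "Nov 18 03:12:44 c2host sshd[2231]: Accepted password for root from 198.51.100.7 port 51090 ssh2",
    "Nov 18 03:13:10 c2host sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 40010 ssh2",
    "Nov 18 03:20:00 c2host sshd[2255]: Accepted publickey for deploy from 192.0.2.15 port 38802 ssh2",
]

# Constructed sshd_config fragments: the exposed settings beside the corrected ones.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
                   "PubkeyAuthentication yes\nMaxAuthTries 3\n")

if __name__ == "__main__":
    for a in detect_root_bruteforce(SAMPLE_LOG):
        print(f"{a['ip']}: {a['failed']} root password failures since "
              f"{a['first_failed']:%H:%M:%S}; compromised={a['compromised']}")
    print("weak config findings:    ", audit_sshd_config(WEAK_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_CONFIG))
```

The detector only raises a compromise flag once the failure threshold has been crossed, so a single lucky guess with no preceding failures is not caught by it; that case is what the config audit is for, since a host with `PermitRootLogin no` and `PasswordAuthentication no` cannot be taken this way regardless of how the password was obtained.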
“One of our hardest jobs is attribution and intent,” Sean McGurk, director of the National Cybersecurity and Communications Integration Center (NCCIC), told reporters in Washington.
Attacks like Stuxnet are so complex that very few organizations in the world are able to set them up, said Gordon Muehl, chief security officer at Germany’s SAP, but it was still too simple to attack industries over the internet.