Stuxnet worm heralds new era of global cyberwar

Attack aimed at Iran nuclear plant and recently revealed 2008 incident at US base show spread of cyber weapons

• Peter Beaumont
• guardian.co.uk,
  
• Thursday 30 September 2010 16.46 BST
• Article history

The Stuxnet worm appeared to use contaminated hardware in an attempt to cripple Iran’s nuclear programme. Photograph: Matthew Baker/PA

The memory sticks were scattered in a washroom at a US military base in the Middle East that was providing support for the Iraq war.

They were deliberately infected with a computer worm, and the undisclosed foreign intelligence agency behind the operation was counting on the fallibility of human nature. According to those familiar with the events, it calculated that a soldier would pick up one of the memory sticks, pocket it and – against regulations – eventually plug it into a military laptop.

It was correct.

The result was the delivery of a self-propagating malicious worm into the computer system of the US military's central command – Centcom – which would take 14 months to eradicate.

That attack took place in 2008 and was acknowledged by the Pentagon only this August. It was strikingly similar to the recently disclosed cyber attack on Iran's nuclear facilities using the Stuxnet worm, which also appears to have used contaminated hardware in an attempt to cripple Iran's nuclear programme.

Like the attack on Centcom's computers, the Stuxnet worm, which Iran admits has affected 30,000 of its computers, was a sophisticated attack almost certainly orchestrated by a state. It also appears that intelligence operatives were used to deliver the worm to its goal.

Its primary target, computer security experts say, was a control system manufactured by Siemens and used widely by Iran, not least in its nuclear facilities.

Yesterday, Iran confirmed that the worm had been found on laptops at the Bushehr nuclear reactor, which had been due to go online next month but has now been delayed. It denied the worm had infected the main operating system or caused the delay.

"I say firmly that enemies have failed so far to damage our nuclear systems through computer worms, despite all of their measures, and we have cleaned our systems," Ali Akbar Salehi, the head of Iran's atomic energy agency, told the Iranian Students News Agency.

If the Stuxnet attack on Iran was a limited act of cyber sabotage, on Tuesday the US attempted to imagine what an all-out cyber war might look like and whether it was equipped to deal with it.

In an exercise named Cyber Storm III, involving government agencies and 60 private sector organisations including the banking, chemical, nuclear energy and IT sectors, it presented a scenario where America was hit by a co-ordinated cyber shock-and-awe campaign, hitting 1,500 different targets. The results of the exercise have not been released.

One of those who believes that cyber war has finally come of age is James Lewis of the Centre for Strategic and International Studies in Washington. Lewis said that while previous large-scale hacking attacks had been an annoyance, Stuxnet and the attack on Centcom represented the use of malicious programmes as significant weapons. "Cyber war is already here," said Lewis. "We are in the same place as we were after the invention of the aeroplane. It was inevitable someone would work out how to use planes to drop bombs. Militaries will now have a cyber-war capability in their arsenals. There are five already that have that capacity, including Russia and China."

Of those, Lewis said he believed only three had the motivation and capability to mount the Stuxnet attack on Iran: the US, Israel and the UK.

He added that a deliberate hack of an electric generator at the Idaho National Laboratory, via the internet, had previously demonstrated that infrastructure could be persuaded to destroy itself.

"There is growing concern that there has already been hostile reconnaissance of the US electricity grid," he said.

Last year, the Wall Street Journal quoted US intelligence officials describing how cyber spies had charted the on-off controls for large sections of the US grid and its vulnerability to hacking.

The head of the Pentagon's newly inaugurated US Cyber Command, General Keith Alexander, has recently said that it is only a matter of time before America is attacked by something like the Stuxnet worm.

In recent testimony to Congress, Alexander underlined how the cyber war threat had rapidly evolved in the past three years, describing two of the most high-profile attacks on countries: a 2007 assault on Estonia, and a 2008 attack on Georgia during its war with Russia, both blamed on Moscow.

Those were "denial of service" attacks that disabled computer networks. But it is destructive attacks such as Stuxnet that frighten Alexander the most.

He favours agreements similar to nuclear weapons treaties with countries such as Russia to limit the retention and use of cyber-war technology.

One of the problems that will confront states in this new era is identifying who is behind an attack. Some analysts believe Israel is the most likely culprit in the Stuxnet attack on Iran – perhaps through its cyber war "unit 8200", which has been given greater resources. They point to a file in the worm called Myrtus – perhaps an oblique reference to the book of Esther and Jewish pre-emption of a plot to kill them. But it could also be a red herring designed to put investigators off the scent.

Dave Clemente, a researcher into conflict and technology at the International Security Programme at Chatham House in London, argues that where once the threat from cyber war was "hyped … reality has quickly caught up".

"You look at the Stuxnet worm. It is of such complexity it could only be a state behind it," he said.

Clemente points to the fact that the attack used four separate, unpublicised flaws in the operating system of the Bushehr plant to infect it. Other experts note that Stuxnet used genuine verification code stolen from a Taiwanese company, and that the worm's designers built in safeguards to limit the amount of collateral damage it would cause.

"The US and the UK are now putting large amounts of resources into cyber warfare, in particular defence against it," said Clemente, pointing out that there is now a cyber security operations centre in GCHQ and a new office of cyber security in the Cabinet Office. He added: "What I think you can say about Stuxnet is that cyber war is now very real. This appears to be the first instance of a destructive use of a cyber war weapon."