Iranian nuclear facilities under "massive attack" by Stuxnet worm


Iranian President Mahmoud Ahmadinejad inspects centrifuges at a uranium enrichment plant.

The Iranian government agency that oversees the country's nuclear facilities reported today that engineers are attempting to defend against "Stuxnet," a Windows-specific worm attacking industrial plants throughout the nation. The malware exploits a Windows vulnerability to seek out and compromise industrial systems made by Siemens. It has also been spotted in other countries, but Iranian targets appear to be the most frequently compromised, by far. Affected nuclear sites in Iran include those the US believes are part of a nuclear weapons program.

But the announcement raised suspicions, and new questions, about the origins and target of the worm, Stuxnet, which computer experts say is a far cry from common computer malware that has affected the Internet for years. A worm is a self-replicating malware program. A virus is malware that infects its target by attaching itself to programs or documents.

Stuxnet, which was first publicly identified some time ago, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target — the infection has also been reported in Indonesia, Pakistan, India and elsewhere — a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.

More: New York Times, BBC, NYT Bits Blog, Al Jazeera. Stuxnet was discovered this June and has been the topic of discussion in security circles since; a Symantec advisory is here.

Symantec plans to release more technical analysis of Stuxnet in a paper at the Virus Bulletin Conference on September 29th.

German security researcher Ralph Langner has conducted some interesting work on Stuxnet. Note the "analysis" and "theory" provided here. The punchline: "Welcome to cyberwar."

Not a word about this on the English-language website for Iran's official news agency, not yet anyway.