Surveillance Footage and Code Clues Indicate Stuxnet Hit Iran | Threat Level | Wired.com

Surveillance Footage and Code Clues Indicate Stuxnet Hit Iran

New clues about Stuxnet provide the strongest evidence yet that the superworm targeted a nuclear enrichment plant in Iran, according to a new report.

The clues come from surveillance cameras installed by international investigators at the Natanz enrichment plant in Iran, which show Iranian workers feverishly replacing damaged equipment during the time Stuxnet is believed to have attacked the plant. Other clues appear in the attack code itself, showing that the worm targeted a configuration that researchers now say matches precisely the centrifuge setup at Natanz. And still more clues are found in a connection to five organizations that researchers say were first targeted by the worm before it hit Natanz.

The findings come in a report released Tuesday [.pdf] by the Institute for Science and International Security (ISIS), which says that while Stuxnet may have hit Natanz, its impact on Iran’s nuclear program was not detrimental.

Stuxnet was discovered last June by researchers at a security firm in Belarus, who found it on infected machines belonging to customers in Iran. Recent reports have indicated that the malware was developed by a U.S. government lab and tested in Israel before being unleashed.

Although researchers have believed for months that Natanz was the attack target, the belief has largely been based on circumstantial evidence and unreliable reports from Iranian officials that Natanz was hit by unspecified malware.

But the new clues are “the best evidence” that Stuxnet was aimed at Natanz, according to ISIS founder and former United Nations weapons inspector David Albright.

According to researchers, Stuxnet has two attack sequences, one that targets a Siemens S7-417 programmable logic controller (PLC) and one that attacks a Siemens S7-315 PLC. PLCs control functions in industrial facilities, such as the speed at which a rotor operates.

Previous research indicated that the so-called “315 attack code” changed the frequency of frequency converters. Because the frequencies specified in the code matched frequencies at which Natanz centrifuges are known to break, it was believed that Natanz’s centrifuges were the target.

But new analysis of the 417 code seems to solidify this. Back in December, ISIS revealed in a previous report that Natanz’s centrifuges are grouped into “cascades” consisting of 164 centrifuges each, and that six cascades appeared to have been affected by Stuxnet. German security researcher Ralph Langner saw the numbers and recognized them from the 417 attack code. The code is designed to control six groupings of 164 devices.

“This evidence is perhaps the strongest evidence that Stuxnet is aimed at Natanz,” Albright told Threat Level. “We were kind of stunned by it actually.”

The 417 attack code is non-operational, however, and is missing key components that would tell researchers what exactly it is supposed to do to the devices it targets. Researchers believe the attackers were still developing the attack code. As the code currently stands, the attack, which involves turning something on or shutting it off, is designed to run for about seven minutes and repeat about every 35 days.

ISIS speculates in its report that the attack may involve fast-acting valves on the centrifuges that, if closed suddenly, could damage the centrifuges and cause gas pressure to build.

Although the 417 code wasn’t working in the malware that struck Iran, the 315 attack code on its own was enough to cause damage at Natanz, Albright says. This appears to be reinforced by surveillance videos that investigators with the International Atomic Energy Agency viewed.

Nuclear experts with the IAEA previously determined that Iran experienced difficulties with about 1,000 centrifuges in November 2009, but the experts didn’t know the cause. Iran had tried to downplay the replacement of the centrifuges, suggesting they were removed before they were up and running, as if Iranian workers had simply discovered flaws in them before they were turned on. But it turns out that surveillance footage that caught Iranian workers swapping out the equipment suggests a different story.

In August 2009, Iran agreed to let the IAEA install surveillance cameras outside the enrichment facility to monitor any equipment that moved in or out. Suddenly, over a six-month period beginning late 2009, U.N. officials monitoring the surveillance images “watched in amazement” as Iranian workers “dismantled more than 10 percent of the plant’s 9,000 centrifuge machines used to enrich uranium,” according to the Washington Post. “Then, just as remarkably, hundreds of new machines arrived at the plant to replace the ones that were lost.”

Investigators described the effort as a feverish attempt to contain damage and replace broken parts, suggesting the centrifuges had indeed been operational when they broke.

“That it was 1,000 centrifuges and that it happened over a short period of time and the Iranians were upset about it” indicates the centrifuges were spinning or under vacuum – a preparation stage – when they broke, says Albright. “Because of the surprise and rapidity of all this happening, it indicates this.”

One other piece of information suggests Iran’s nuclear program at Natanz was the target. Last week security firm Symantec released a report revealing that the Stuxnet attack targeted five organizations in Iran that were infected first in an effort to spread the malware to Natanz.

Because Natanz’s PLCs are not connected to the internet, the best hope of attacking them – short of planting a mole inside Natanz – was infecting other computers that could serve as a gateway to the Natanz PLC. For example, infecting computers belonging to a contractor in charge of installing software at Natanz could help get the malware onto the Natanz system.

Symantec said the companies were hit in attacks in June and July 2009 and in March, April and May 2010. Symantec didn’t name the five organizations but said that they all “have a presence in Iran” and are involved in industrial processes.

Albright managed to glean from discussions with Symantec that some of the companies are involved in the acquisition and assembling of PLCs. What’s more, Symantec researchers told Albright that they found the names of some of the companies on suspect entity lists – lists of firms and organizations suspected of violating non-proliferation agreements by procuring parts for Iran’s nuclear program.

“They are companies that are involved probably in illegal smuggling operations to get this equipment for Natanz,” Albright told Threat Level. “We think they’re involved in acquiring the PLCs and then putting them together in a system with software that can work at Natanz.”

Though the work that went into creating Stuxnet was monumental, the ISIS report ultimately concludes that its effect on Iran’s nuclear program was moderate.

“While it has delayed the Iranian centrifuge program at the Natanz plant in 2010 and contributed to slowing its expansion, it did not stop it or even delay the continued buildup of [low-enriched uranium],” the report says.

Albright does say, though, that the attack has taxed Iran’s supply of raw materials to make centrifuges and therefore could have a longer-range effect.

Due to sanctions, Iran has had trouble obtaining materials to build centrifuges and can only build between 12,000 and 15,000. As of November 2009, it had deployed 10,000 centrifuges at Natanz, although 1,000 were damaged and replaced during routine operations. Another 1,000 were replaced in the November scramble believed to have been caused by Stuxnet. Iran’s centrifuges are prone to breakage even under the best of circumstances, Albright says, but with the aid of Stuxnet, the end of the country’s supply grew a little closer.

Photo: A security man stands next to an anti-aircraft gun as he scans Iran’s nuclear enrichment facility in Natanz, 300 kilometers (186 miles) south of Tehran, Iran, in April 2007.
(Hasan Sarbakhshian/AP)
