6 mysteries about Stuxnet

By now, you’ve probably heard of Stuxnet, the mysterious computer worm that infects Windows computers running software designed by Siemens, the German industrial giant. The software, Simatic WinCC, is what’s known as a SCADA system — "supervisory control and data acquisition" — and it’s used to help run everything from traffic systems and pipelines to nuclear plants.

Siemens has known about Stuxnet for some time, and has been tracing the worm’s spread on its website. In July 2010, the company knew of only one industrial facility affected. By September 7, it was reporting that 15 systems had been hit worldwide. (The worm was first discovered in June by VirusBlokAda, a little-known Belarusian security firm.)

For months, the discussion about the virus stayed within the cybersecurity community, but once speculation began to mount that it was aimed at Iran’s nuclear facilities, the news went, er, viral. Amid the uproar last week, Iranian officials admitted that their facilities had indeed been hit, though they didn’t specify which ones.

Even with all the media attention, much remains mysterious about Stuxnet. We know it’s a sophisticated piece of malware, one that experts say could only be produced by a high-powered team with insider knowledge of industrial software. We know it was spread using USB thumb drives. But there’s a lot we don’t know. Here’s my attempt to lay out some of the big open questions.

1. What was the target? Although the worm has affected computers in Indonesia, India, Pakistan, and elsewhere in addition to Iran, security researchers who have been poring over Stuxnet for months say it appears aimed at a very specific target. According to Siemens, "The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process." Two German experts, Ralph Langner and Frank Rieger, have offered competing theories as to what that target might be, both of them in Iran, where most of the affected machines are.

Langner guesses that Stuxnet is aimed at Bushehr, Iran’s civilian nuclear power plant, which is slated to go online this fall. Langner’s case rests largely on the fact that Bushehr runs Siemens software and that Russian contractors would have had access to the facility — and that they would have used USB drives to set up the system.

Rieger counters that Natanz, Iran’s uranium enrichment plant, is a more likely target. Not only is it more of a proliferation threat, but there is also suggestive evidence that it actually may have been affected by sabotage. (More on this later.) He also points out that Natanz is more likely to have the kinds of identical nodes, in this case "cascades" or groups of centrifuges, that would be susceptible to an attack.

2. Who did it? The obvious culprit is Israel, which has both the sophisticated technology and the motive to sabotage Iran’s nuclear program, which it deems a mortal threat. An eerily prescient Reuters article published in July 2009 quotes Scott Borg, a U.S. cybersecurity expert, speculating that Israel might want to do so, adding that "a contaminated USB stick would be enough" to cause real damage to Iranian facilities.

Other countries, such as the United States, China, and Russia, probably have the capability, but only one — the United States — has a clear motive (some might add France and Germany to this list). One could spin complicated theories as to why Russia would want to sabotage its own facility, but Occam’s Razor probably applies here — and other reporting has indicated that the United States and Israel have, in fact, approved a covert sabotage campaign that may include a cyber component.

3. Did it work? Who knows? Outside analysts have been speculating for years that Western intelligence agencies have been sabotaging Iranian enrichment efforts, but they’re usually talking about false-flag operations to sell Iran damaged centrifuge components. They point to signs that the number of centrifuges Iran is operating dropped precipitously last year, or unconfirmed reports of nuclear accidents, or the sudden and unexplained resignation last year of Gholam Reza Aghazadeh, the head of the Iranian nuclear program. For what it’s worth, Iran denies encountering any problems as a result of Stuxnet, and there’s little evidence to the contrary. But there could be hidden issues that pop up later on, or Iran could simply be lying.

4. What does it do? The reporting on this question has been maddeningly vague. Siemens says that Stuxnet "can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data," though it has been unable to verify that finding in testing. Supposedly, the worm was designed to send data to a server in Malaysia, which may or may not have been a "command center" that could seize control of PLCs or Programmable Logic Controllers, components used to operate and monitor industrial machinery. The consensus among people who’ve studied the code seems to be that its aim is sabotage, not simply espionage. But exactly how that was supposed to work remains unclear.

5. Why did it spread so widely? John Markoff, the longtime tech reporter for the New York Times, takes on this question in today’s paper. "If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings," he writes. "The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment." He only offers one theory, however: "One possibility is that they simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise."

A couple of points here. One is that Stuxnet does not seem to have had an "impact" on all those systems, for the reason noted in #1 above: it wasn’t aimed at them. Second, it may be that the worm’s designers needed it to spread within Iran to be effective — i.e., from one computer to another within the same facility, or between facilities — but that there was no way to prevent it from propagating further. Finally, there’s some debate among researchers as to whether the virus was programmed to "expire" on a certain date, supposedly in January 2009. In other words, it wasn’t supposed to spread, but somehow it did anyway, possibly through Russian contractors.

6. Why would anyone run a nuclear plant using Windows? I’ve got no answer for this one.