It’s a plot straight out of Hollywood: Mysterious hackers create malicious computer code designed to seize control of critical equipment worldwide. It turns out it really happened. In June a computer security firm in Belarus found a sophisticated, aggressive, self-replicating program, or worm, on a client’s computers in Iran. The program was designed to attack and sabotage the control systems used in manufacturing facilities, power grids, pipelines, and nuclear plants.
No one knows where the worm was created or what it was targeting. Researchers know only that it was capable of causing physical damage; for instance, it could make a motor rev too quickly and even blow up. “Using something in the cyberworld to control something in the physical world is something we’ve never seen before,” says Liam O Murchu of the computer security company Symantec. “We’ve never seen any industrial control system being attacked before, and we’ve never seen such an advanced threat that needed so many different skills to come together.”
Since it was first reported in June, the Stuxnet worm—which some call the world’s first “cyberweapon”—has spread to 100,000 machines in more than 155 countries, though most of them are in Iran. Only a few machines in the United States have been infected. The worm spreads via infected USB flash drives and by other means. Once loaded onto a computer, Stuxnet searches for industrial control software made by Siemens, called Simatic WinCC/Step 7. If the Simatic software is not on the machine, the worm looks for vulnerable computers on the network to which it can spread. But if the software is present and the system it controls is configured a certain way, the worm begins its dirty task, intercepting the legitimate commands that control devices such as valves and pressure gauges and substituting potentially destructive ones in their place.
Computer and control system security professionals like Ralph Langner, who is based in Germany, believe the Stuxnet worm was targeting Iran’s Bushehr nuclear power plant, its uranium enrichment facility at Natanz, or both. Iran has acknowledged that personal computers belonging to employees at Bushehr were infected by the worm but has insisted that the computers running the nuclear facility itself were unharmed. Those reports cannot be verified, however, and Langner and other security experts believe that if the worm did hit its target, the victim would most likely never admit as much. The attackers who created and launched the malicious software also remain unknown. Langner and others say the malware’s sophistication points to one or more well-financed nation-states such as Israel or the United States, two countries with both the motive and the ability to conduct the attack. (Neither country has officially commented on the Stuxnet attack.)
Those unknowns hint at the magnitude of the dangers that may follow in Stuxnet’s wake, Langner says. Now that Stuxnet has shown that a targeted piece of software can take command of an industrial control system, and now that the malware has been released on the Internet for other hackers to study, the bar has been lowered for destructive attacks on other control systems—whether at a critical-infrastructure site or an ordinary industrial factory. “The clock is ticking,” Langner says. “We are going to see copycats by the beginning of 2011.”