Iran Creating Counter to Stuxnet

Tuesday, September 13, 2011 @ 04:09 PM gHale

By Richard Sale and Gregory Hale
Iran is now working on a counter to the Stuxnet worm that hit its nuclear enrichment facility and caused serious damage over the past few years, said a former CIA official and current Middle East security consultant close to the situation.

Additionally, while the worm still exists in Iran’s nuclear system, cyber experts have found a way to bypass it, said the source who spoke on the condition of anonymity.

Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The worm used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.


The worm used at least four zero-day exploits; its Microsoft Windows driver modules were signed with genuine code-signing certificates stolen from legitimate companies; it contained about 4,000 functions; and it used advanced anti-analysis techniques to make reverse engineering difficult.

A separate source from the Defense Intelligence Agency (DIA) confirmed Stuxnet was a U.S.-Israel program attacking Siemens’ hardware. An additional senior official at DIA said Stuxnet could now be considered a potential weapon of mass destruction (WMD). Both DIA officials requested anonymity.

Whether the Iranians are working on a counter to strike the various governments they believe were involved, or are planning a similar attack on industrial control systems, is unknown at this time, the sources said.

The goal of Stuxnet was to hit Iran’s uranium enrichment facility at Natanz, 160 miles south of Tehran. That plan worked: the worm made its way through the Siemens system and manipulated the arrays of centrifuges that do the enriching until they destroyed themselves.

The attack hurt Iran’s nuclear program, which Israel and the United States say is to produce nuclear weapons. Tehran denies that.

While the political issues continue to volley back and forth, one of the key lessons from the attack is that if someone remains focused and dedicated to getting into your system, an intrusion will happen. It is then a matter of how well a manufacturer can defend that system.

Stuxnet was pure sabotage, security experts have said.

As mentioned, Stuxnet infected systems by exploiting vulnerabilities in Microsoft Windows. Delivered to a computer through, among other things, a USB drive, shared network files, or SQL databases, Stuxnet targeted Siemens SIMATIC WinCC and PCS 7 control systems.

If that software was present, Stuxnet checked for a particular configuration of industrial equipment and only then launched a payload designed to make the programmable logic controllers (PLCs) behave erratically while reporting normal operation to the operators of the system.

Among the zero-day vulnerabilities, it exploited a flaw in how Windows handles shortcut (.LNK) files to infect computers from USB drives, with no need for AutoRun. It then used a hardcoded default password in the Siemens management software to compromise the machine before taking over the specialized industrial-control computers, which run a proprietary operating system from Siemens.

The worm also hijacked the facility’s monitoring system to falsely show the machines were functioning normally, preventing officials from catching on to what was really happening.
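The "report normal while misbehaving" trick described above is worth seeing in code, because it also shows what an operator can do about it. The following Python model is an added example, not code from the article or from Siemens: it drives a toy rotor speed out of range while the operator screen replays a recording of the earlier, healthy readings, and then applies two checks that a plant could run independently of the HMI. The nominal speed, tolerance, ramp and the sensor stream itself are constructed assumptions.

```python
"""Added illustration (not code from the article or from Siemens): a toy
model of a monitoring path that replays recorded "normal" readings while the
real process is driven out of range, plus two checks that expose the trick.
All names, numbers and the sensor stream below are constructed assumptions."""
import random

NOMINAL_RPM = 1000.0    # assumed nominal rotor speed for the toy process
TOLERANCE_RPM = 50.0    # assumed alarm threshold for the cross-check


def actual_speeds(steps, sabotage_after, overspeed=1.4):
    """Constructed ground truth: jitter of +/-3 rpm around the nominal
    speed, then a 20-sample ramp to `overspeed` times nominal once the
    sabotage payload starts at index `sabotage_after`."""
    rng = random.Random(7)   # fixed seed keeps the sample stream reproducible
    out = []
    for t in range(steps):
        jitter = rng.uniform(-3.0, 3.0)
        if t < sabotage_after:
            out.append(NOMINAL_RPM + jitter)
        else:
            ramp = min(1.0, (t - sabotage_after) / 20.0)
            out.append(NOMINAL_RPM * (1.0 + (overspeed - 1.0) * ramp) + jitter)
    return out


def record_and_replay(actual, record_len):
    """What the operator screen shows when the monitoring path is compromised:
    the first `record_len` genuine samples are passed through and recorded;
    every later sample is the recording played back in a loop, regardless of
    what the process is really doing."""
    recorded = list(actual[:record_len])
    return [recorded[i % record_len] for i in range(len(actual))]


def first_discrepancy(reported, independent, tolerance=TOLERANCE_RPM):
    """Check 1: compare the HMI's view with a measurement that does not pass
    through the same software (here the ground truth stands in for, say, a
    separately wired tachometer or a drive-power meter). Returns the index of
    the first sample that disagrees by more than `tolerance`, or None."""
    for i, (shown, measured) in enumerate(zip(reported, independent)):
        if abs(shown - measured) > tolerance:
            return i
    return None


def find_replay_period(series, min_period=2):
    """Check 2: a noisy physical signal never repeats sample-for-sample, so an
    exact repetition of the most recent window is a strong sign of replay.
    Returns the shortest period p for which the last p samples equal the p
    samples before them, or None if no such repetition exists."""
    n = len(series)
    for p in range(min_period, n // 2 + 1):
        if series[-p:] == series[-2 * p:-p]:
            return p
    return None


if __name__ == "__main__":
    truth = actual_speeds(steps=200, sabotage_after=80)
    screen = record_and_replay(truth, record_len=60)
    print("screen vs independent sensor first disagree at index",
          first_discrepancy(screen, truth))      # 83
    print("exact repetition period in the screen feed:",
          find_replay_period(screen))            # 60
    print("exact repetition period in the real signal:",
          find_replay_period(truth))             # None
```

The first check is the one that matters in practice: it only works if the independent measurement really is independent, that is, wired and logged through hardware and software the compromised Windows hosts cannot touch. The second check is a cheap heuristic for spotting a replay from the HMI data alone; it assumes the sensor path carries analog noise, so on a heavily quantized integer signal it should be applied over a longer window and combined with the first check rather than used on its own.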

From an industrial control system standpoint, Stuxnet showed just how complex and interconnected a typical control system is. Potential pathways exist right from the outside world, through the Enterprise Control Network and down to the process controllers.

Because of this complexity, Stuxnet had many possible pathways to get to its target process.

In one attack vector, an infected USB storage drive could have first compromised one of the Support Stations and gained direct entry to the Perimeter or Process Control networks. (Support Stations connecting via the Back-Firewall have a trusted connection to the Process Control Network, whereas Support Stations connecting via the Front-Firewall typically only get access to the semi-trusted Perimeter Network.) Alternatively, a PLC programming laptop, used and infected at another site, might have been plugged directly into the Control Network and used to program the target PLCs. In either case, the worm would have completely circumvented many of the security controls proposed in Siemens’ Security Concept documents.

While the worm remains persistent and the Iranians are finding it difficult to eradicate, cyber experts there have found a way to bypass it, one source said.

The end result of the Stuxnet attack, though, as reported in an August dispatch, is that Iran is still replacing thousands of expensive damaged centrifuges.

One report by the news organization DEBKAfile had Iran replacing an estimated 5,000 centrifuges to remove the threat.

Iran may have had 8,700 centrifuges in operation at the Natanz facility when Stuxnet hit sometime in 2009. International Atomic Energy Agency officials said up to 25 percent of those centrifuges were inoperable as of January 2010.

The Institute for Science and International Security released a report in February that said the damage to Iran’s uranium enrichment program was limited. Sources told DEBKAfile the opposite; one source said Iran’s nuclear operations will never return to “normal operation.”

Having followed the worm’s path, security experts believe Stuxnet was built to target and then disable Iran’s nuclear enrichment facilities.

When asked directly in a CNBC documentary that aired May 26 whether the United States was involved with creating Stuxnet, Deputy Defense Secretary William Lynn declined to deny or confirm the charge. “And this is not something that we’re going to be able to answer at this point,” Lynn said.

While it was not the first attack against an industrial control system, the sophistication and power of the attack mean manufacturing automation companies, not to mention countries around the world, need to beef up their cyber security capabilities.

While Stuxnet specifically targeted the Siemens industrial process control computers used in nuclear centrifuge operations, other industrial process automation and control systems are open to attack. That means network operators have to assess their threat exposure and decide how to mitigate it.

Richard Sale was United Press International’s intelligence correspondent for 10 years and wrote for the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.

Gregory Hale is the editor and founder of
