Stuxnet: Cyber Attack on Iranian Nuclear Reactors?

In a July presentation for members of the computer media, Roel Schouwenberg, a senior anti-virus researcher for Kaspersky Lab, laid out details about the Stuxnet worm. This worm exploits an unusual number of different security weak spots and it seems in particular to attack SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems are used to manage large facilities such as oil rigs, factories, and nuclear reactors. Schouwenberg noted that SCADA computers often run older operating systems without security protection or regular updates.

The presentation included a map of the worm's prevalence. Most of the world's countries displayed a peaceful green, meaning low prevalence, but Iran and Indonesia glowed a bright, warning red. Schouwenberg observed that the worm is so polished and complex it must have required a lot of resources, suggesting it was created by a nation-state.

More recently Ralph Langner, a security researcher and expert in SCADA systems, performed a forensic analysis of the worm in action. He concluded that the worm's purpose is sabotage and suggested that the sabotage may have already taken place at Iran's Bushehr reactor. Given the nature of the attack and the multiple vulnerabilities it exploits, Langner concluded it must have been released by a nation-state.

Stu Sjouwerman, a consultant with Sunbelt Software, raised the stakes, stating in the company's newsletter that the worm must have been created by the United States or Israel to attack Iran's nuclear infrastructure. "Governments have cyberwar capability and this is the equivalent of artillery," said Sjouwerman. "It looks like Iran is completely pwned."

Malware experts at Symantec and F-Secure, among others, have confirmed many facts about Stuxnet. The worm is vastly more prevalent in Iran than in the rest of the world, with additional "hot spots" in Pakistan and Indonesia. It definitely targets SCADA systems. It hides from view using rootkit techniques. And it exploits an unprecedented number of vulnerabilities to reach its target systems.

The world's news agencies are taking note. A ComputerWorld reporter called it "the best malware ever." BBC News on Thursday reported as fact that the Stuxnet worm "targeted high-value Iranian assets."

Is this the first salvo of a cyber war against Iran? Is the attack already over? Certainly once the Stuxnet worm is fully analyzed its effectiveness will be diminished. Symantec researcher Liam O'Murchu won't draw firm conclusions yet but O'Murchu and researchers from Kaspersky Lab plan presentations on Stuxnet at the Virus Bulletin 2010 conference in Vancouver next week.

About Our Expert

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio