Monday, September 27, 2010

Stuxnet Update: Iran Confirms Infections

Via -

The head of the Bushehr nuclear plant has confirmed that Stuxnet did infect the plant in southern Iran, but that staff personal computers were primarily affected. An IT security team is reported to be in place checking computers and removing the malware. Mahmoud Jafari told the Iranian IRNA news agency, "We have not had any problems with the computer system which have affected work in the plant itself."

A day earlier, an IT expert at the Ministry for Industries and Mines had stated that thousands of computers in industrial facilities in Iran were infected by the malware. According to experts at the Iranian Mehr agency, a total of 30,000 computers are affected. Many of the control systems used in Iranian industrial plants are manufactured by the German company Siemens.


In recent days, there have been repeated reports that the Stuxnet malware is specifically targeted at the Iranian nuclear programme, although this remains unconfirmed. The Tehran-based ISNA agency has reported that the Iranian nuclear authorities are looking for ways to remove the trojan. Other Iranian media sources report that a number of ministries have formed a joint working group to fight the virus.


Stuxnet Infection of Step 7 Projects

Our research has also uncovered another method of propagation that impacts Step7 project folders, causing one to unknowingly become infected when opening an infected project folder that may have originated from a third party.


Stuxnet monitors Step7 projects (.S7P files) being worked on by hooking CreateFile-like APIs of specific DLLs within the s7tgtopx.exe process (the Simatic manager). Any project encountered by the threat in this way may be infected. Analysis additionally shows that projects inside Zip archives may also be infected through the same method.
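Because the excerpt above says a project is infected at the moment it is opened in the Simatic Manager, and that projects packed in zip archives are reachable the same way, the practical first step on a site is to know which Step 7 projects exist before anyone opens them. The script below is an added example written for this post, not Symantec's code or the original blog's; it assumes only what the excerpt states (the project file extension .S7P) and inventories projects on disk and inside zip archives without extracting or opening them. The directory layout it builds is a constructed sample.

```python
"""Inventory Siemens Step 7 projects on a disk or share, including projects
packed inside zip archives, so each one can be checked before it is opened
in the Simatic Manager.

Added example, not code from Symantec or from the original post. It assumes
only the .S7P project-file extension named in the excerpt; the sample tree
built by build_sample_tree() is constructed for the demonstration.
"""
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

PROJECT_EXT = ".s7p"   # Simatic Manager project file (from the excerpt)
ARCHIVE_EXT = ".zip"   # archives are listed, never extracted


@dataclass(frozen=True)
class Step7Project:
    path: str              # on-disk .s7p file, or the zip that holds one
    member: Optional[str]  # entry name inside the zip; None for on-disk projects

    @property
    def in_archive(self) -> bool:
        return self.member is not None


def _is_project(name: str) -> bool:
    return name.lower().endswith(PROJECT_EXT)


def _projects_in_zip(zip_path: str) -> List[Step7Project]:
    """List .s7p entries of a zip by reading its central directory only.

    A corrupt or non-zip file is reported as holding no projects instead of
    raising, so one bad archive does not abort a sweep of a whole share.
    """
    try:
        with zipfile.ZipFile(zip_path) as zf:
            return [Step7Project(zip_path, n) for n in zf.namelist() if _is_project(n)]
    except zipfile.BadZipFile:
        return []


def find_projects(root: str) -> List[Step7Project]:
    """Walk `root` and return every Step 7 project on disk or inside a zip."""
    found: List[Step7Project] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if _is_project(name):
                found.append(Step7Project(full, None))
            elif name.lower().endswith(ARCHIVE_EXT):
                found.extend(_projects_in_zip(full))
    return sorted(found, key=lambda p: (p.path, p.member or ""))


def build_sample_tree(base: str) -> None:
    """Constructed sample: one project on disk, one inside a vendor-supplied
    zip, one zip with no project, and an unrelated text file."""
    os.makedirs(os.path.join(base, "Plant"), exist_ok=True)
    with open(os.path.join(base, "Plant", "Plant.s7p"), "w") as f:
        f.write("")
    with zipfile.ZipFile(os.path.join(base, "vendor_delivery.zip"), "w") as zf:
        zf.writestr("Line3/Line3.s7p", "")
        zf.writestr("Line3/readme.txt", "constructed sample")
    with zipfile.ZipFile(os.path.join(base, "photos.zip"), "w") as zf:
        zf.writestr("site.jpg", "")
    with open(os.path.join(base, "notes.txt"), "w") as f:
        f.write("constructed sample")


def scan_sample() -> List[Step7Project]:
    """Build the constructed sample tree in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="step7_scan_")
    build_sample_tree(base)
    return find_projects(base)


if __name__ == "__main__":
    for p in scan_sample():
        where = f"inside archive {p.path} as {p.member}" if p.in_archive else p.path
        print("Step 7 project:", where)
```

Run it against the root of an engineering share (replace `scan_sample()` with `find_projects(r"\\share\projects")`) to get the list of projects, and treat any project that arrived as a zip from a third party as the case the excerpt warns about: inspect it on an isolated machine before opening it in the Simatic Manager.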


NYTimes - A Silent Attack, But Not a Subtle One

One big question is why its creators let the software spread widely, giving up many of its secrets in the process.

One possibility is that they simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise.

While much has been made in the news media of the sophistication of Stuxnet, it is likely that there have been many other attacks of similar or even greater sophistication by intelligence agencies from many countries in the past. What sets this one apart is that it became highly visible.

Security specialists contrast Stuxnet with an intrusion discovered in the Greek cellphone network in March 2005. It also displayed a level of skill that only the intelligence agency of some foreign power would have.
