CYBEREYE

Stuxnet story is high-profile but still out of reach

After six months of analysis, the celebrity worm remains a mystery

One of the most popular geek games in 2010 has been speculating about Stuxnet, that wonderfully complex worm that apparently was created with a specific target in mind. We still don’t know what the target was or if it has been hit, but that doesn’t stop speculation.

The most common theory, based on the worm’s functionality and its pattern of infection, is that Stuxnet is intended to halt Iran's uranium enrichment efforts with an eye toward disrupting that country’s alleged nuclear weapons program. The most likely developer, based on the assumed target and the worm’s sophistication, would be a government opposed to Iran’s nuclear aspirations. The United States and/or Israel come to mind.

All of this makes a good story, which is none the worse for being plausible. And it raises the question: Did it work? We know that Stuxnet is most prevalent in Iran, and Iranian President Mahmoud Ahmadinejad has admitted that the nuclear program has been infected. So, did the worm damage or destroy the centrifuges used to enrich uranium by interfering with their speed, as it apparently was designed to do? That’s among the many things we still don’t know.




There have been reports that Stuxnet did, indeed, work. The Jerusalem Post reported earlier this month that Stuxnet had set the Iranian program back two years, apparently not because of damage to the hardware but because the software infections are requiring the shutdown, cleaning and possibly replacement of a lot of the program’s computers. That is mere speculation, however, based on what is known about the persistence of this particular malware and what is assumed about the sophistication of Iran’s cybersecurity.

That speculation followed an earlier Associated Press report that Iran had shut down its nuclear enrichment program. AP's article was based on a leaked report from the United Nations' International Atomic Energy Agency that did not specify the seriousness or the reason for the apparent shutdown. Of course, there was speculation that the cause was Stuxnet.

But when asked about the impact of Stuxnet, IAEA Director General Yukiya Amano said during a Nov. 9 interview with the Council on Foreign Relations that inspectors had not found irregularities that would point to a malware infection.

“The pace is not always the same,” he said. “But I [have not received a] report from our inspectors that [the] pace has slowed down or things are different.”

That does not mean that everything is going well for Iran's nuclear program. Tehran reportedly has taken hundreds of centrifuges off-line in the past 18 months, feeding speculation that the program was hampered by technical issues. But we don’t know what those issues are, and if they extend back 18 months, at least some of them predate Stuxnet.

Of course, none of that means that Stuxnet has not succeeded in smashing critical centrifuges, scoring a great military victory for somebody without a shot being fired. That would make Stuxnet a successful bit of sabotage, if not the first real crossover to cyber war. But it might also be an experiment gone wrong or just another piece of malware being circulated for future use that happens to be more complex than most.

The public might never know for sure. It’s a pretty safe bet that if Stuxnet was developed by a government and specifically targeted Iranian facilities, its creators know whether or not it worked. It apparently required considerable knowledge of Iranian plants to specifically target the equipment believed to be installed there, so the creators probably have the intelligence capabilities to determine its success.

For the rest of us, Stuxnet provides an object lesson about the threats and capabilities of malware when combined with diplomacy and politics. Perhaps hacking is too important to be left to the generals.
