Experts: Computer attacks on industrial facilities created by well-funded group or nation

By Lolita C. Baldor, AP
Sunday, September 26, 2010

Computer attacks linked to wealthy group or nation

WASHINGTON — A cyber worm burrowing into computers linked to Iran’s nuclear program has yet to trigger any signs of major damage, but it was likely spawned either by a government or a well-funded private group, according to a new analysis.

The malicious Stuxnet computer code was apparently constructed by a small team of as many as five to 10 highly educated and well-funded hackers, said an official with the web security firm Symantec Corp. Government experts and outside analysts say they haven’t been able to determine who developed the malware or why.

Stuxnet, which is attacking industrial facilities around the world, was designed to go after several “high-value targets,” said Liam O Murchu, manager of security response operations at Symantec. But both O Murchu and U.S. government experts say there’s no proof it was specifically developed to target nuclear plants in Iran, despite recent speculation from some researchers.

A number of governments with sophisticated computer skills would have the ability to create such a code. They include China, Russia, Israel, Britain, Germany and the United States. But O Murchu said no clues have been found within the code to point to a country of origin.

The Stuxnet worm infected the personal computers of staff working at Iran’s first nuclear power station just weeks before the facility is to go online, the official Iranian news agency reported Sunday.

The project manager at the Bushehr nuclear plant, Mahmoud Jafari, said a team is trying to remove the malware from several affected computers, though it “has not caused any damage to major systems of the plant,” the IRNA news agency reported.

It was the first clear sign that the malicious computer code, dubbed Stuxnet, which has spread to many industries in Iran, has affected equipment linked to the country’s controversial nuclear program. The U.S. has been pressing international partners to threaten stiff financial sanctions against Tehran if it goes ahead with its nuclear program.

Symantec’s analysis of the Stuxnet code, O Murchu said, shows that nearly 60 percent of the computers infected are in Iran. An additional 18 percent are in Indonesia. Less than 2 percent are in the U.S.

“This would not be easy for a normal group to put together,” said O Murchu. He said “it was either a well-funded private entity” or it “was a government agency or state sponsored project” created by people familiar with industrial control systems.

The malware has infected as many as 45,000 computer systems around the world. Siemens AG, the company that designed the system targeted by the worm, said Stuxnet has infected 15 of the industrial control plants it was apparently intended to infiltrate. It’s not clear what sites were infected, but they could include water filtration, oil delivery, electrical and nuclear plants.

Alexander Machowetz, a spokesman for Siemens’ corporate industry business, said Monday that the company is “not involved in Iran’s nuclear program either directly or indirectly” and that Siemens ended all business relations with civilian companies in Iran in January.

The software is available and is bought and sold by resellers, so it could be in use at the plant in Iran.

Machowetz also said that the worm has been cleaned off all 15 of the infected plants, and none of those infections adversely affected the industrial systems.

U.S. officials said last month that Stuxnet was the first malicious computer code specifically created to take over systems that control the inner workings of industrial plants.

The Energy Department has warned that a successful attack against critical control systems “may result in catastrophic physical or property damage and loss.”

German security researcher Ralph Langner told a computer conference in Maryland this month that his theory is that Stuxnet was created to go after the nuclear program in Iran. He acknowledged, though, that the idea is “completely speculative.”

O Murchu said there are a number of other possibilities for targets, including oil pipelines. He said Symantec soon will release details of its study in the hope that industrial companies or experts will recognize the specific system configuration being targeted by the code and know what type of plant uses it.

Machowetz said none of the 15 infected plants had the system configuration the worm was seeking, so they have not been able to tell yet exactly what the worm is designed to do.

Experts in Germany discovered the worm, and German officials transmitted the malware to the U.S. through a secure network. The two computer servers controlling the malware were in Malaysia and Denmark, O Murchu said, but both were shut down after they were discovered by computer security experts earlier this summer.

Unlike a virus, which is created to attack computer code, a worm is designed to take over systems, such as those that open doors or turn physical processes on or off.

AP Broadcast Correspondent Sagar Meghani and AP writer Nasser Karimi in Tehran, Iran, contributed to this report.
