Iran admits Stuxnet worm infected PCs at nuclear reactor
But denies that 'groundbreaking' malware infiltrated control systems or caused major damage
Computerworld - Although some computers at Iran's Bushehr nuclear reactor were infected by the Stuxnet worm, none of the facility's crucial control systems were affected, Iranian officials claimed Sunday.
The news followed Saturday's admission by Iran that Stuxnet had infected at least 30,000 computers in the country. The worm, which researchers have dubbed the most sophisticated malware ever, targets Windows PCs that manage large-scale industrial-control systems in manufacturing and utility companies.
Those control systems, called SCADA, for "supervisory control and data acquisition," manage and monitor machinery in power plants, factories, pipelines and military installations.
"The studies show that few PCs of Bushehr nuclear power plant workers are infected with the virus," Mahmoud Jafari, the facility's project manager, told Iran's state-run Islamic Republic News Agency on Sunday.
Jafari denied that the worm had caused major damage to SCADA systems or that Stuxnet had delayed the reactor's completion.
Bushehr is slated to go online in the next few months. In late August, workers began loading the reactor with nuclear fuel.
Stuxnet has attracted as much attention for its presumed target as for its technical expertise. Shortly after a Belarus antivirus firm reported finding the worm, U.S.-based security company Symantec noted that Iran was hit hardest, with approximately 60% of all infections traced to that country's computers.
Since then, experts have amassed evidence that Stuxnet has been attacking industrial control systems since at least January 2010, while others have speculated that the worm was developed by a state-sponsored team of programmers and was designed to cripple the Bushehr reactor.
The reactor, located in southwestern Iran near the Persian Gulf, has been one of the flash points of tension between Iran and the West, including the U.S., which believes that spent fuel from the reactor could be reprocessed elsewhere in the country to produce weapons-grade plutonium for use in nuclear warheads.
Liam O Murchu, manager of operations on Symantec's security response team, and one of the researchers who has been analyzing Stuxnet since it popped into public view, said there was not enough evidence to conclude that the worm was aimed at Bushehr.
"I've also seen reports [from Iranian officials] that the Bushehr reactor doesn't use Siemens software," said O Murchu, referring to the German electronics giant's control program that Stuxnet specifically targets. "So if it doesn't use Siemens software, the Windows machines may have been infected but not the SCADA software."
At the same time, O Murchu said that in plants that do use Siemens SCADA software, the likelihood of Stuxnet spreading from an infected Windows computer to the facility's industrial control systems was "quite high."
"Stuxnet can spread using several vectors," O Murchu said. "It's quite likely that it would be able to crawl the network and infect the Siemens software."
Later Sunday a different Iranian official also denied that Stuxnet had caused any problems at Bushehr. About four hours after quoting Jafari, the Islamic Republic News Agency published another story, citing Asghar Zarean, deputy head of Iran's Atomic Energy Organization in charge of safety and security, who reiterated that Stuxnet had not impacted the plant's control systems.
Zarean claimed that "no penetration by the virus had been observed" in the agency's nuclear facilities. He also said that precautions had been taken to stymie Stuxnet from further infection.
Stuxnet, called "groundbreaking" by another researcher actively analyzing the worm, used multiple unpatched, or "zero-day," vulnerabilities in Windows; relied on stolen digital certificates to disguise the malware; hid its code by using a rootkit; and reprogrammed PLC (programmable logic controller) software to give new instructions to the machinery that software managed.
Microsoft has patched two of the four vulnerabilities exploited by Stuxnet and has promised to fix the remaining flaws at some unspecified future date.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.