Iran admits Stuxnet worm infected PCs at nuclear reactor

But denies that 'groundbreaking' malware infiltrated control systems or caused major damage

Although some computers at Iran's Bushehr nuclear reactor were infected by the Stuxnet worm, none of the facility's crucial control systems were affected, Iranian officials claimed Sunday.

The news followed Saturday's admission by Iran that Stuxnet had infected at least 30,000 computers in the country. The worm, which researchers have dubbed the most sophisticated malware ever, targets Windows PCs that manage large-scale industrial-control systems in manufacturing and utility companies.


Those control systems, called SCADA, for "supervisory control and data acquisition," manage and monitor machinery in power plants, factories, pipelines and military installations.

"The studies show that few PCs of Bushehr nuclear power plant workers are infected with the virus," Mahmoud Jafari, the facility's project manager, told Iran's state-run Islamic Republic News Agency on Sunday.

Jafari denied that the worm had caused major damage to SCADA systems, or that Stuxnet had delayed the reactor's completion.

Bushehr is slated to go online in the next few months. In late August, workers began loading the reactor with nuclear fuel.

Stuxnet has attracted as much attention for its presumed target as for its technical expertise. Shortly after a Belarus antivirus firm reported finding the worm, U.S.-based security company Symantec noted that Iran was hit hardest, with approximately 60% of all infections traced to that country's computers.

Since then, experts have amassed evidence that Stuxnet has been attacking industrial control systems since at least January 2010, while others have speculated that the worm was developed by a state-sponsored team of programmers and designed to cripple the Bushehr reactor.

The reactor, located in southwestern Iran near the Persian Gulf, has been one of the flash points of tension between Iran and the West, including the U.S., which believes that spent fuel from the reactor could be reprocessed elsewhere in the country to produce weapons-grade plutonium for use in nuclear warheads.

Liam O Murchu, manager of operations with Symantec's security response team, and one of the researchers who has been analyzing Stuxnet since it popped into public view, said there was not enough evidence to conclude that the worm was aimed at Bushehr.

"I've also seen reports [from Iranian officials] that the Bushehr reactor doesn't use Siemens software," said O Murchu, referring to the German electronics giant's control program that Stuxnet specifically targets. "So if it doesn't use Siemens software, the Windows machines may have been infected but not the SCADA software."

At the same time, O Murchu said that in plants that do use Siemens SCADA software, the likelihood of Stuxnet spreading from an infected Windows computer to the facility's industrial control systems was "quite high."

"Stuxnet can spread using several vectors," O Murchu said. "It's quite likely that it would be able to crawl the network and infect the Siemens software."

Later Sunday, a different Iranian official also denied that Stuxnet had caused any problems at Bushehr. About four hours after quoting Jafari, the Islamic Republic News Agency published another story, citing Asghar Zarean, deputy head of the country's Atomic Energy Organization in charge of safety and security, who reiterated that Stuxnet had not impacted the plant's control systems.

Zarean claimed that "no penetration by the virus had been observed" in the agency's nuclear facilities. He also said that precautions had been taken to stymie Stuxnet from further infection.

Stuxnet, called "groundbreaking" by another researcher actively analyzing the worm, used multiple unpatched, or "zero-day," vulnerabilities in Windows, relied on stolen digital certificates to disguise the malware, hid its code by using a rootkit, and reprogrammed PLC (programmable logic controller) software to give new instructions to the machinery that software managed.

Microsoft has patched two of the four vulnerabilities exploited by Stuxnet, and has promised to fix the remaining flaws at some unspecified future date.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed.


Copyright © 2010 IDG Communications, Inc.
