Computer Worm Shuts Down Iranian Centrifuge Plant

The secretary general of the International Atomic Energy Agency stunned Iran watchers on Nov. 23, 2010, when he announced officially that Iran had been forced to shut down its main uranium enrichment plant at Natanz for seven days earlier this month.

The revelation was buried in a footnote of the latest report from the IAEA on Iran’s nuclear program, and was immediately interpreted by computer security analysts and others as an indication that Iran’s uranium enrichment program was the main intended target of the Stuxnet computer worm attack.

The report by IAEA Director General Yukiya Amano revealed that Iran slowed down enrichment operations in the beginning of November then brought them to a total halt by Nov. 16 and kept the entire facility offline for six days.

The effect of the Stuxnet attack was like as “digital warhead,” the CEO of the National Board of Information Security Examiners of the United States, Inc., Michael J. Assante, told a Senate Governmental Affairs hearing last week.

Experts from the virus protection firm Symantec believe that Stuxnet was specifically designed to attack systems at Iran’s Natanz uranium enrichment plant that control the speed at which the enrichment centrifuges spin.

“We speculate that the ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers to operate as the attackers intend them to, most likely out of their specified boundaries, and to hide those changes from the operator of the equipment,” Dean Turner, director of Symantec’s Global Intelligence Network, told a Senate Governmental Affairs committee hearing last week.

The worm causes the centrifuges to speed up beyond their normal tolerance, and then jams on the brakes to bring them to a screeching halt, before returning them to their normal operating speed.

If the centrifuges spin too fast, they can explode. If they survive the first speed-up, then the abrupt braking and subsequent re-acceleration can throw them off balance, also causing them to crash.

If such a crash occurs when the centrifuges are loaded with hot uranium hexafluoride gas, the accident could have catastrophic results.

“Stuxnet sabotages the system,” a white paper by chief Symantec analyst Eric Chien found.

Symantec also found that Stuxnet was designed to attack only frequency converter drives manufactured by two companies: Fararo Paya in Tehran, and Vacon based in Finland. Because these devices are used in uranium enrichment plants, the Nuclear Suppliers Group forbids their export to Iran.

So whoever designed Stuxnet intended it to attack Iran’s nuclear enrichment program, Symantec concluded.

German computer security analyst Ralph Langner believes Stuxnet actually contains two separate digital warheads, each aimed at different targets and possibly even developed by different teams.

Taken together, the two digital bombs “were deployed in combination as an all-out cyberstrike against the Iranian nuclear program,” he said. The first warhead attacked the centrifuge controllers, and “would very likely be able to attack and destroy centrifuge facilities that are unknown to IAEA inspectors and the world.”

The ability to cripple secret nuclear facilities in Iran “was a major strategic aspect in developing warhead one,” he believes.

The second digital warhead was targeted at non-nuclear control systems at the Bushehr nuclear power plant, which was hit by Stuxnet over the summer.

Langner believes Stuxnet was designed to attack the gigantic steam turbine used to generate electric power at Bushehr. “Manipulating this controller by malware as we see it in Stuxnet can destroy the turbine as effectively as an air strike,” Langner says.

Many computer analysts and U.S. policy now worry that Stuxnet could hit the United States as well, with potentially catastrophic results.

“If a cyberattack like this worm were launched on a large transformer on the electric power grid, for example, the impact could cascade, potentially leaving large regions of the United States without electricity, halting our economy, and undermining our national security,” Sen. Susan Collins, the ranking Republican on the Senate Governmental Affairs committee, warned last week.

Stuxnet was first discovered over the summer at the Bushehr power plant, but most analysts now believe it was created at least a year earlier and may have been lying in wait before going operational. The Symantec analysis found that Stuxnet lurked in the background for weeks and even months as it “learned” the system where it was introduced.

By now it has been found in computer systems in China, Indonesia, India, the United States, and elsewhere. “More than 100,000 computers have been infected,” Collins revealed.

Langner argues that the whole world is vulnerable to future Stuxnet-type attacks, because Stuxnet doesn't attack software bugs that can be patched, but "regular product features" that could "take many years" to change.

The worm was most likely introduced into Iran by a technician unwittingly inserting a thumb-drive into a computer system linked to the Bushehr power plant that was carrying the worm. “Someone could have switched the thumb-drive without the technician knowing it,” a senior French official closely monitoring Stuxnet’s impact on Iran’s nuclear weapons program told Newsmax.

It operated deep inside the control systems until it identified the specific command sequences it had been designed to target and modify, creating fake code identical to real code to cover its tracks.

“Stuxnet is a dual menace,” said Sen. Joe Lieberman, chairman of the Senate Homeland Security committee. “First, it has the power to burrow deep into a network and steal secrets. Second, and most frightening, it also has the ability to commandeer industrial operations and make machinery do things — like open or close a valve — undetected by a plant’s operators, because Stuxnet tells the operators that their instructions are being followed. The potential for catastrophic consequences should these critical systems fall under the control of our enemies is obvious.”

While Stuxnet appears to be specifically targeted at Iran’s nuclear weapons program and carries biblical references in its code that seem to indicate an Israeli origin, future copycat attacks “won’t use project names with biblical references . . . but references to the Koran.”