The latest round of Stuxnet revelations hit manic levels in the mainstream media over the weekend, and the unsubstaniated, uninformed, unconscionable wild-eyed speculation I've seen stinks to high heaven. Several so-called reporters should be strung up and goose-marched back to J-School.
What's wrong with the mainstream coverage? Let me count the ways.
First, nobody has any idea if Iran -- much less the Bushehr Nuclear Power Plant -- was the primary target.
Second, nobody knows who put Stuxnet together -- or even if, indeed, it came from one single organization.
Third, calling Stuxnet a "state-sponsored cyber attack" entails a leap of faith spanning several chasms, a handful of continents, and one or two parallel universes.
Let's all take a deep breath and look at what we know, for sure.
Was Iran targeted? Estimates about Stuxnet infections, and the location of infected Windows PCs, run all over the place. Alexander Gostev at Kaspersky puts it this way:
[A]ny estimates about the number of infected machines can only be based on the data which AV companies get from their clients' machines. And such data only comes from those countries where a company actually has clients. So if there aren't any clients, or the antivirus product in question isn't widely used, any estimates have to be regarded as having a serious margin of error.
Since the beginning of July, Kaspersky's Internet-based scanner -- which primarily scans personal, not business, systems -- caught 86,000 infected PCs in India, 34,000 in Indonesia, and 14,000 in Iran. Back in July, when Kaspersky first started scanning for Stuxnet infections, India had 8,600 infected PCs, Indonesia had 5,100, and Iran had 3,100.
Symantec's July 16 report says that 40 percent of the infections seen at that point were in India, 33 percent in Indonesia, and 20 percent in Iran. Shortly after, Symantec started intercepting Internet traffic bound for Stuxnet's "phone home" website, and the numbers shifted. The numbers get a little dicey because Stuxnet doesn't always phone home, and because Symantec was only able to collect unique IP addresses -- it couldn't identify individual PCs. Given those caveats, over a 72-hour period Symantec picked up 8,000 infected "phone home" calls from different IP addresses in Iran, 2,600 from Indonesia, and 1,200 from India.
In August and September, Iran, by most reports, seems to have topped the infection charts. But in the past weeks, according to Kaspersky, Iran has cleaned many infected systems, while India has not -- and Russia and Kazakhstan infections grew steadily. Kaspersky infection numbers right now are way up for Bangladesh, Iraq, and Syria, with Iran's infection rate below those in Russia and Kazakhstan. Still, local news reports in Iran confirm Stuxnet is still active, although the details appear overblown.
Did the infection originate in Iran? Was it preferentially spread around Iranian machines? Are the numbers of infected machines in Iran skewed because of the U.S. government's ongoing ban on doing business there -- making it difficult for an Iran-based PC to be registered with, for example, U.S.-based Symantec, but much easier for Moscow-based Kaspersky?
The bottom line: There's no hard evidence that Iran was (or is) the target. It's impossible to say where (or even when) the infection started. And it's entirely possible that Stuxnet spread far, far beyond its intended original audience -- Iran or otherwise.
Aleksandr Matrosov, Eugene Rodionov, David Harley, and Juraj Malcho, working for ESET antivirus, have published a very detailed analysis of Stuxnet's infection mechanism. We now know that Stuxnet uses four different zero-day infection mechanisms (I talked about one of them in my InfoWorld Tech Watch article "Watch out for this nasty zero-day exploit" in July), and one Windows security hole that was patched in 2008. Two of the zero-days have been patched (MS10-046 and MS10-061). Two have not.
But PC infection is only part of the story. While Stuxnet gets passed from PC to PC, and the eye-popping numbers you see deal with PCs that contain the payload, Stuxnet exists solely to monkey around with a specific type of Siemens SCADA control system. Upper Slobovia could have 100,000 infected PCs, but unless one of them gets connected to a particular model of Siemens process control computer running WinCC/Step 7 software, Slobovians can sleep sound at night: Stuxnet won't do a thing.
And that's where the Iranian angle gets very strange indeed.
Stuxnet has been around a long time. According to Liam O Murchu at Symantec:
The development of the threat dates back to June of 2009 at least. The threat has been under continued development as the authors added additional components, encryption and exploits.
The payload -- the part that singles out a specific type of Siemens SCADA system and messes around with it -- hasn't changed much since June 2009. But the infection method has gone through many twists and turns over the past 15 months. If one specific Siemens SCADA system is the intended target, it took the Stuxnet folks a long, long time to hit it.
Nicolas Falliere at Symantec posted an excellent overview of the Siemens SCADA programming model and how Stuxnet uses it. Worthy of note: The payload only gets planted on Siemens SCADA systems that use specific processors, or PLCs, model numbers S7/417 and S7/315-2.
Siemens hasn't come out with many details, but Computerworld reports confirmation from Siemens that "we detected the virus in the SCADA systems of 14 plants in operation but without any malfunction of process and production and without any damage." Reportedly, "most" of the infected plants are in Germany, with others in the United States, South Korea, and Iran. Given the large number of infected PCs in Iran and a dearth of reported infections in the United States and Europe, to me it seems odd that Siemens found so many infected SCADA systems in Germany.
It also raises the question of how many Siemens S7/315-2 systems are located in Iran. Siemens hasn't released that information. Siemens is under a great deal of pressure to stop doing business (totalling $700 million in 2009) with Iran, but that's another story.
In a revelation that's sure to embarrass the company, Stuxnet uses default Siemens passwords to pwn the SCADA system. But Siemens has warned its customers to not change the default password, for fear of crashing their systems. That's security, eh?
Clearly, Stuxnet is the product of several very sophisticated programmers, who were intimately aware of Windows zero-day security holes, probably (but not certainly) before Microsoft found out about them. It's highly unlikely that the same people who wrote the PC infection routines also wrote the Siemens-specific code. Work on Stuxnet has gone on for more than a year. It isn't a weekend project by a bunch of high schoolers. But beyond that, all we have is speculation.
Is Stuxnet a clandestine effort by some top-secret government group to snoop on, or take over, Iran's showcase nuclear power plant -- one that's been under construction, with several breaks, for the past 35 years? If so, which government or governments? What's to be gained?
Could it, instead, be the effort of a wealthy individual or organization attempting a grand round of corporate espionage, aimed at large production facilities in Europe run by specific Siemens SCADA systems?
Is Siemens involved? I can think of a dozen scenarios where direct involvement by Siemens is quite plausible, regardless of the intended target.
I've heard one quid pro quo conspiracy theory that tickled my American fancy: Iranian intelligence invented Stuxnet and infected Bushehr employees' PCs to bolster resentment toward the West.
Is it possible that Mossad or one of the American TLAs (three-letter agencies) with or without help from Siemens created Stuxnet specifically to spy on or control, the Bushehr reactor? Sure. But it's also possible that Elvis is living in a suburb of Milwaukee -- and I haven't even gotten around to the UFO theories.
You're going to see a lot of Stuxnet technical news coming out of the VirusBulletin 2010 conference this week. Keep an open mind. Realize that the computer malware industry feeds on speculation and fear -- and the journalism industry isn't exactly beyond reproach. Many of the articles you'll see will come from writers who don't know C++ from STEP 7. A healthy dose of skepticism and an advanced BS detector will serve you well.
This article, "Stuxnet worm + Iran + mainstream media = Global nuclear meltdown," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.