Stuxnet Splits the Atom

[Quote from the Dutch article revised, as the current Google translation makes a little more sense than the one cited at the time.]

One of my ESET colleagues (thanks, Nienke!) brought to my attention an article (sorry, it's in Dutch) that picks up on the blog by Eric Chien that I mentioned a few days ago, and suggests that "Stuxnet has been developed to bring the quality of enriched uranium down, so that it can no longer be used for the production of atomic bombs." It's an interesting theory, and I'm certainly not going to say it's wrong.

Eric’s blog does indeed suggest that the converter targeted could be used for uranium enrichment, and the fact that one of the two vendors concerned is in Tehran does lend some credibility to the theory that  Iran nuclear facilities were targeted for sabotage. I don’t know, however, how likely it is that the converters can be used for controlling unrelated processes at the speeds cited. As far as I know, no-one has gone so far as to say that that they wouldn’t be found in other types of installation, so it remains a theory. Even if it is confirmed, the targeting of Iranian facilities isn’t proven incontrovertibly.

It is, however,  a theory that could be correct. Iran was an initial hotspot for Stuxnet infections, and there is certainly concern in other parts of the world about Iran's nuclear programme.

By the same logic, since the other vendor is in Finland, you could argue the possibility of an activist group targeting Finnish nuclear facilities. Of course, Finland has no nuclear weapons programme (and is indeed a signatory to the nuclear Non-Proliferation Treaty), so that argument isn't so compelling, though weapons aren't the only use for enriched uranium, and while there's strong popular support for nuclear power in the country, that support is far from unanimous. Actually, I wouldn't be surprised, given some of the wilder speculation that we've seen, if someone noticed that Finland's Radiation and Nuclear Safety Authority has the acronym STUK and tried to suggest a connection with the most commonly used name for the malware. ;-)

But I think the Iran theory does fit the known facts better :), and it looks a lot more convincing now than it did a few weeks ago.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow