This morning I wrote a long and - I hope - carefully-considered piece for Security Week on Stuxnet and whether it constitutes a nation state attack on Iran. [Update, 26th September: I hear that article will be available today or tomorrow.]

Actually, I was asked on Friday for a quotable quote or two on the topic, but I guess I wasn't forceful, or controversial, or sensationalist, or ungeek enough to rate any column inches. So I'm going to give you a sneak preview (sorry, Mike) in the light of all the speculation today on whether Stuxnet is an attack by Israel on Iran.

So here's a sad admission. I don't know who is responsible for Stuxnet. I can see that it might be a nation state (I more or less said that here) but as far as I'm concerned it's speculation. Nor have I seen anything that proves (or even strongly suggests) to me that there is any Israeli involvement. In fact, I'm going to do something that security commentators aren't supposed to do and say I don't know, either way. Someone, somewhere, does, of course, but they probably don't work in the media.

Is Iran anybody's target? Well, I'm fully aware that there are a lot of Stuxnet detections in Iran. We noted that publicly back in July, and the report we've just put out includes some percentage distribution statistics over the period July-September if you want the full list (they're in the Security Week article, too). But I only need the top 3 to make my point.

Country      Share of Stuxnet detections (July-September)
Iran         52,2%
Indonesia    17,4%
India        11,3%

Yup. That's a lot of infections in Iran. But that isn't proof of a targeted attack. Technically, it's proof of an untargeted attack that uses several vectors to spread malware. As I seem to keep saying, self-replicating malware (worms and viruses) isn't usually the best way to deliver a targeted attack.

Now I'm going to contradict myself.

Stuxnet is targeted. Obviously. It's targeting a control system so specific that we're not sure yet which one it is. (Maybe someone will pull that rabbit out of the hat at the Virus Bulletin conference next week, but so far I haven't seen its fluffy white tail or cute bunny ears...) But that's the (main) payload.

Most of the machines on which it's been reported aren't the target. They're just a transmission vector, and that's as true in Iran as it is in Germany (which is where Siemens have said, reportedly, most of the 14-15 processing plants actually affected by the payload are located). You may see proof of targeting in the fact that the percentage of infected machines is far, far higher in Iran than in Germany. I don't. Distribution is influenced by many factors, and targeting may or may not be one of them. So as far as I'm concerned, it's supposition. It may be correct, but I'd like to see some evidence, please. Preferably before there's some real and bloody conflict between any of the supposed players in this game of spooks and ladders.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow 
