Cyberwar, Cyberhysteria

This morning I wrote a long and – I hope – carefully-considered piece for Security Week on Stuxnet and whether it constitutes a nation state attack on Iran. [Update, 26th September: I hear that article will be available today or tomorrow.]

Actually, I was asked on Friday for a quotable quote or two on the topic, but I guess I wasn't forceful, or controversial, or sensationalist, or ungeek enough to rate any column inches. So I'm going to give you a sneak preview (sorry, Mike) in the light of all the speculation today on whether Stuxnet is an attack by Israel on Iran.

So here's a sad admission. I don't know who is responsible for Stuxnet. I can see that it might be a nation state (I more or less said that here) but as far as I'm concerned it's speculation. Nor have I seen anything that proves (or even strongly suggests) to me that there is any Israeli involvement. In fact, I'm going to do something that security commentators aren't supposed to do and say I don't know, either way. Someone, somewhere, does, of course, but they probably don't work in the media.

Is Iran anybody's target? Well, I'm fully aware that there are a lot of Stuxnet detections in Iran. We noted that publicly back in July, and the report we've just put out includes some percentage distribution statistics over the period July-September if you want the full list (they're in the Security Week article, too). But I only need the top 3 to make my point.

Yup. That's a lot of infections in Iran. But that isn't proof of a targeted attack. Technically, it's proof of an untargeted attack that uses several vectors to spread malware. As I seem to keep saying, self-replicating malware (worms and viruses) isn't usually the best way to deliver a targeted attack.

Now I'm going to contradict myself.

Stuxnet is targeted. Obviously. It's targeting a control system so specific that we're not sure yet which one it is. (Maybe someone will pull that rabbit out of the hat at the Virus Bulletin conference next week, but so far I haven't seen its fluffy white tail or cute bunny ears…) But that's the (main) payload.

Most of the machines on which it's been reported aren't the target. They're just a transmission vector, and that's as true in Iran as it is in Germany (which is where Siemens have said, reportedly, most of the 14-15 processing plants actually affected by the payload are located). You may see proof of targeting in the fact that the percentage of infected machines is far, far higher in Iran than in Germany. I don't. Distribution is influenced by many factors, and targeting may or may not be one of them. So as far as I'm concerned, it's supposition. It may be correct, but I'd like to see some evidence, please. Preferably before there's some real and bloody conflict between any of the supposed players in this game of spooks and ladders.

ESET Senior Research Fellow

Author David Harley, ESET

  • Yegor

    The big difference.

    United States

    • David Harley

      Yegor, the figures in the Stuxnet analysis reflect ThreatSense figures from July to late September. Obviously, the July figures were a snapshot much earlier in the infection cycle. I’d expect a spike at that point (and in fact the Iran figures over time show a sharp spike, a fairly sharp decline almost immediately, then a soft decline over the rest of the period).

  • Mauro

    Hi David,
    A question about the paper ESET published on Stuxnet. On page 52 you speak about the Bot Configuration Data. Is the activation and deactivation time after which the worm is active/inactive always the same in every sample you analysed? Can you tell us more about it? When will the worm become inactive?
    Many thanks for the important paper ESET distributed.

    • David Harley

      Hi Mauro.

      This is the answer from Aleksandr Matrosov.

      “Mechanisms of deactivation and infection counter occurred in all our analyzed samples. Time of activation/deactivation can be changed by commands from C&C servers. The deactivation time for one of the samples we have analyzed is the 24th of June, 2012.”

  • Davi Ottenheimer

    I’d wager it could easily be an attack staged by a disgruntled ex-pat/insider rather than an outside or state agent.

    You don’t have to read Persepolis to understand why NAMIR never really ended.

    Support from a state agent is a different story, as operation Ajax demonstrated. The sad irony of Ajax is that Mossadegh played into the hands of the CIA by becoming scared, reactionary and dictatorial. In other words, even if you want to believe that Stuxnet is a conspiracy it is best to remain calm and level-headed about security.

  • Charles Jeter

    Hi Davi,
    Great point, I just answered a similar one in another thread. Yet the hardest part of the disgruntled insider view is figuring out how the forged certificates came into play. That's two commercial burglaries in a fairly well policed section of Taiwan, if physical, or if cyber it's two separate networks compromised in the same physical proximity…

Copyright © 2017 ESET, All Rights Reserved.