Stuxnet: the Never-Ending Story

[Updated 21st January because when going back to check on something I'd said here, I noticed that I'd had a slip of concentration and said something so stupid, I'm not going to tell you what it was. ;-)]

It was to be expected that there'd be a lot of media interest following the New York Times story I previously mentioned here.

And sure enough, I've been able to add several more items to the Stuxnet Information and Resources blog, including commentary from Heise and from John Leyden in The Register.

My colleague Josep Albors gave me three links from the Spanish press as well as quoting me at length in his own blog (also in Spanish).

He says (excuse the free translation) that:

"Stuxnet is still making news half a year after the first reports made its existence public knowledge. Now, a comprehensive article in the New York Times attempts to prove the theory that this advanced malicious code was developed by the governments of Israel and the United States in order to delay Iran's planned production of enriched uranium. The article suggests that the Israeli nuclear complex at Dimona tested this sophisticated malware against centrifuges similar to those employed in Iran, as a check of Stuxnet's effectiveness."

"According to this information, plans to launch a cyber-attack to impede Iran's nuclear progress have their origin in 2008, when George Bush's administration was still in command of the United States."

But, like John Leyden, Josep is a little more sceptical than some of the media. And I think they're right.

The NYT article strikes me as well-researched, well-written and well worth reading, and the involvement of Dimona is more plausible than much of the speculation I've seen. But it is still difficult to separate hard fact from sheer guesswork, which is why I'm more comfortable with what can be determined from the code itself, and that is what ESET researchers have focused on in our own writing on the topic.

The assertion that "Israeli officials grin widely when asked about its effects" and Samore's "sidestepping" of a Stuxnet question are flimsy foundations for treating the attribution as established, though there are other indications that might be more convincing. On the other hand, this "nudge, nudge, wink, wink" hinting at US/Israeli collaboration might actually explain an anomaly I've mentioned before. Stuxnet has the hallmarks of a collaboration between several individuals or groups with specialist expertise, yet its cover was blown by its promiscuous dissemination through the Autorun-like LNK vulnerability. A shortcut that loads code as soon as Windows renders its icon spreads from one removable drive to the next and lands on systems far outside any intended target, so it is a vector that automatically raises its chances of being detected heuristically.

That suggests to me:

  • A team where no-one had specific experience in the malware field (maybe that's understandable in a team put together under the auspices of a government or governments).
  • The malware had already been so effective that staying under the radar wasn't a major concern (the LNK version of Stuxnet was not the first version).
  • Someone intended to send a message to Iran and the rest of the world about the capabilities of certain agencies and states. After all, much has been made of the "clues" in the code. However, I haven't seen conclusive proof that it was the US and/or Israel that orchestrated that message, or planted those clues. If either of those nations is really hinting that it did, that doesn't make it so: misdirection is a standard tool for diplomats and politicians, as well as for spooks.
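To make the "detected heuristically" point above concrete, here is an added example (not ESET's code and not from the original post) of the kind of cheap triage check an AV heuristic or a USB-scanning script can apply to shortcut files. It assumes the MS-SHLLINK layout (0x4C-byte header, the shell link CLSID, LinkFlags bit 0 signalling a LinkTargetIDList), the well-known Control Panel CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D}, and the public description of the LNK vulnerability (CVE-2010-2568) as a control-panel shortcut whose item list names an attacker-supplied DLL. The heuristic itself is mine, the sample shortcut bytes are constructed rather than real artefacts, and the ItemID bodies are simplified stand-ins for real shell items.

```python
import struct
import uuid

# Added example, not code from the original page or from ESET. The rule is a
# triage heuristic: "target list names the Control Panel AND a .dll path".
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")          # shell link
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")  # Control Panel
HAS_LINK_TARGET_ID_LIST = 0x1                                           # LinkFlags bit 0
DLL_UTF16 = ".dll".encode("utf-16-le")


def parse_lnk(data):
    """Return (link_flags, list of ItemID bodies). Raises ValueError if not a LNK."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("missing shell link header")
    flags, = struct.unpack_from("<I", data, 20)
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        off = LNK_HEADER_SIZE
        idlist_size, = struct.unpack_from("<H", data, off)
        off += 2
        end = min(off + idlist_size, len(data))
        while off + 2 <= end:
            item_size, = struct.unpack_from("<H", data, off)
            if item_size == 0:                 # TerminalID closes the list
                break
            if item_size < 2 or off + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[off + 2:off + item_size])
            off += item_size
    return flags, items


def is_suspicious_lnk(data):
    """True if the target list names the Control Panel and a DLL path.
    A genuine shortcut to a .cpl applet can also match: this is triage, not proof."""
    _, items = parse_lnk(data)
    cp = CONTROL_PANEL_CLSID.bytes_le
    names_control_panel = any(cp in item for item in items)
    names_dll = any(DLL_UTF16 in item.lower() for item in items)
    return names_control_panel and names_dll


def build_lnk(items, flags=HAS_LINK_TARGET_ID_LIST):
    """Assemble a minimal shell link: 0x4C-byte header plus a LinkTargetIDList."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return header
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples (hypothetical paths, simplified shell items).
BENIGN_LNK = build_lnk([b"\x31\x00" + r"C:\Users\me\notes.txt".encode("utf-16-le")])
CPL_LNK = build_lnk([
    b"\x1f\x00" + CONTROL_PANEL_CLSID.bytes_le,             # Control Panel root item
    b"\x00\x00" + r"E:\payload.dll".encode("utf-16-le"),     # CPL item naming a DLL
])
NO_IDLIST_LNK = build_lnk([], flags=0)


def scan(files):
    """files: {name: bytes}. Return the names of shortcuts that trip the heuristic."""
    flagged = []
    for name, data in files.items():
        try:
            if is_suspicious_lnk(data):
                flagged.append(name)
        except ValueError:
            pass                                             # not a shell link, skip it
    return flagged


if __name__ == "__main__":
    print(scan({"notes.lnk": BENIGN_LNK, "driver.lnk": CPL_LNK,
                "empty.lnk": NO_IDLIST_LNK, "junk.bin": b"\x00" * 10}))
```

The point of the example is not that this particular rule is what any vendor shipped, but that the shortcut has to be readable by Explorer to work at all, so its structure is exposed to anything that parses it before the icon is rendered. A propagation vector that drops such files on every removable drive it touches hands defenders a sample on every infected stick.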

Author: David Harley, ESET Senior Research Fellow


Copyright © 2017 ESET, All Rights Reserved.