Eric Byres was shocked. Sitting in his office in Vancouver, Canada a few weeks
ago, he began sifting through some of the requests submitted via the Internet to
gain access to blocked-off parts of the website of his company, Tofino Security,
which provides computer security solutions for large industries.
the requests caught his eye. It was the name of a person he knew from one of the
large industries Tofino works with.
Byres called his acquaintance to find
out why he was signing up on the site again if he already had an account. The
friend was shocked and said that someone else must have been impersonating him.
That set off an alarm which sent Byres to examine the lists of new requests he
had received in recent months. What he found was astounding.
our attention was that last year we maybe had one or two people from Iran trying
to access the secure areas on our site,” Byres said. “Iran was never on the map
for us and all of a sudden we are now getting massive numbers of people going to
our website and people who we can identify as being from Iran.”
said that some people openly identified themselves as Iranian when asking for
permission to log onto his website, while others were impersonating employees of
industries that he frequently works with.
“There are a large number of
people trying to access the secure areas directly from Iran and other people who
are putting together fake identities,” he said. “We are talking about hundreds.
It could be people who are curious about what is going on, but we are such a
specialized site that it would only make sense that these are people who are
involved in control systems.”
BUT WHY visit Tofino’s website to begin
with? The answer is called Stuxnet, sometimes referred to as a worm, a virus or
malware and suspected of having caused serious damage to Iran’s nuclear
facilities, particularly its Natanz uranium enrichment plant.
security experts have called Stuxnet a “weapon,” claiming the damage it has
caused has been as effective as a military strike, possibly setting back the
Iranian nuclear program. One of them, Ralph Langner from Hamburg, was one of the
first people to study Stuxnet’s code, which he has described as being as
sophisticated as that written for cruise missiles.
Without access to Iran, however, it is
difficult to validate the claims, although that might have been what outgoing
Mossad chief Meir Dagan tried to do in early January when he told reporters that
Iran would not be capable of producing a nuclear weapon until 2015, a slight
pushback on earlier estimates which had it reaching that stage in the next year
The US is also reportedly working on adjusting its assessments on
Iran’s nuclear program and will shortly issue an updated National Intelligence
Other experts are more wary of Stuxnet’s impact, claiming that
even if it caused damage it has likely been repaired.
WHATEVER THE case,
Stuxnet is a sign that a new era of warfare has arrived – the era of the cyber
“Fighting in the cyber dimension is as significant as the
introduction of fighting in the aerial dimension in the early 20th century,”
former head of Military Intelligence Maj.-Gen. (res.) Amos Yadlin said in a
policy speech last year. “Preserving the lead in this field is especially
important, given the dizzying pace of change...
Like unmanned aircraft,
it’s a use of force that can strike without regard for distance or duration, and
without endangering fighters’ lives.”
He was not exaggerating. He said
that it was a field that Israel had a lot to benefit from as a small country
with limited military capabilities. Through cyber warfare, Yadlin said, even
small countries could do things once reserved for superpowers.
was first discovered by a computer security company in Belarus, but it only made
global headlines after the Iranian media announced that the country had been the
target of a coordinated cyber attack. In December, President Mahmoud Ahmadinejad
admitted that Stuxnet had infected the Natanz facility, but downplayed the
extent of the damage.
“They succeeded in creating problems for a limited
number of our centrifuges with the software they had installed in electronic
parts. But the problem has been resolved,” he said.
That might not be so
accurate. Byres, who has done some work for Israeli companies, says that the
continued Iranian interest in his company’s website is likely an indication that
the malware is still raging throughout Natanz’s computers and control systems.
“Otherwise, why would they be looking so closely at my site,” he
FOR THE West, it is extremely difficult to measure the extent of
the damage Stuxnet caused. In September, the cyber security firm Symantec
determined that more than 30,000 computer systems had been infected.
few days later, however, Iran put up a firewall to stop information on its
computer systems from reaching the outside world.
It has yet to be
But what Symantec was able to determine is that Stuxnet was
designed to target systems that have a frequency converter, a type of device
that controls the speed of a motor, like in a centrifuge.
code modifies programmable logic controllers in the frequency converter drives
used to control the motors. It changes the frequencies, first to higher than
1400 Hz and then down to 2 Hz – speeding it up and then nearly halting it –
before setting it at just over 1000 Hz. Iran usually runs its motors at 1,007
cycles per second to prevent damage, while Stuxnet seemed to increase the motor
speed to 1,064 cycles per second, a small increase but enough, according to
experts, to cause damage.
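The passage above describes the attack as a sequence of drive-frequency changes: a jump well above the normal operating speed, a drop to almost standstill, and then a small but damaging offset above the usual 1,007 Hz. The defensive lesson is that a plant which monitors the frequency it actually commands against its approved band would see all three. The following is an added example, not code from the article or from any vendor named in it; it takes a constructed list of frequency readings (mirroring the figures quoted above, not real plant data), assumes a hypothetical tolerance of 10 Hz around the 1,007 Hz nominal, and groups consecutive out-of-band readings into excursions with a rough severity label.

```python
"""Flag out-of-band frequency-converter readings in PLC telemetry.

Added example, not from the article. The nominal 1,007 Hz figure comes from
the text; the 10 Hz tolerance, the severity thresholds and the sample
readings are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

NOMINAL_HZ = 1007.0   # operating frequency quoted in the article
TOLERANCE_HZ = 10.0   # assumed plant tolerance band (not from the article)


@dataclass(frozen=True)
class Excursion:
    """A run of consecutive readings on one side of the approved band."""
    start: int       # index of the first out-of-band reading
    end: int         # index of the last out-of-band reading (inclusive)
    side: str        # "high" (above band) or "low" (below band)
    min_hz: float
    max_hz: float

    def severity(self, nominal: float = NOMINAL_HZ) -> str:
        # Illustrative buckets: a gross overspeed, a near-halt, or a small
        # drift that is still outside the band the plant approved.
        if self.max_hz >= nominal * 1.2:
            return "overspeed"
        if self.min_hz <= nominal * 0.2:
            return "near-halt"
        return "drift"


def in_band(hz: float, nominal: float = NOMINAL_HZ, tol: float = TOLERANCE_HZ) -> bool:
    """True when a reading lies within nominal +/- tol."""
    return abs(hz - nominal) <= tol


def find_excursions(readings: Sequence[float], nominal: float = NOMINAL_HZ,
                    tol: float = TOLERANCE_HZ) -> List[Excursion]:
    """Group consecutive out-of-band readings, splitting when the side changes."""
    excursions: List[Excursion] = []
    cur: Optional[list] = None  # [start, end, side, min_hz, max_hz]
    for i, hz in enumerate(readings):
        if in_band(hz, nominal, tol):
            if cur is not None:
                excursions.append(Excursion(*cur))
                cur = None
            continue
        side = "high" if hz > nominal else "low"
        if cur is None or cur[2] != side:
            if cur is not None:
                excursions.append(Excursion(*cur))
            cur = [i, i, side, hz, hz]
        else:
            cur[1] = i
            cur[3] = min(cur[3], hz)
            cur[4] = max(cur[4], hz)
    if cur is not None:
        excursions.append(Excursion(*cur))
    return excursions


def summarize(readings: Sequence[float]) -> List[str]:
    """One human-readable line per excursion, for an operator display or log."""
    return [
        f"{e.severity()}: readings {e.start}-{e.end} ({e.min_hz:g}-{e.max_hz:g} Hz)"
        for e in find_excursions(readings)
    ]


# Constructed sample: steady at nominal, a spike to 1410 Hz, a drop to 2 Hz,
# a return to nominal, then a small sustained offset at 1064 Hz.
SAMPLE_READINGS = [1007, 1007, 1007, 1410, 1410, 2, 2, 1007, 1007, 1064, 1064, 1064, 1007]

if __name__ == "__main__":
    for line in summarize(SAMPLE_READINGS):
        print(line)
```

The point of the side-aware grouping is that the 1,064 Hz phase is only about 5% above nominal; a monitor that only alarms on gross values would catch the 1,410 Hz and 2 Hz phases and miss the subtle one, whereas a tight band around the approved setpoint reports all three as separate events.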
“If you start changing the speed, there are
vibrations and they become so severe that it can break the motor,” said David
Albright, a Washington-based expert on nuclear proliferation who studied
Stuxnet. “If it is true that it is attacking the IR-1, then it is changing the
speed to attack the motor.”
During his investigation, Albright discovered
that early last year, 1,000 centrifuges, a 10th of those at Natanz, were
The fact that only 1,000 were damaged could
mean that Stuxnet – if it caused the breakage – was meant to be subtle and work
slowly by causing small amounts of damage without leading the Iranians to
suspect that something foreign had infiltrated their computer
BUT THE question remains – how did Stuxnet infiltrate the
centrifuges to begin with? According to an analysis of Stuxnet, its creators
took advantage of specially crafted shortcut files placed on USB drives to
automatically execute malware as soon as the file is read by an operating
In simpler terms, once a disk-on-key with the malware was
connected to one of the computers on the Natanz network, it was automatically
downloaded and began spreading. Another unique feature was the inclusion of a
rootkit, software designed to hide the presence of the worm. This part of the
worm was called WinNT/Stuxnet.A.
The second phase of the worm,
WinNT/Stuxnet.B, injects encrypted files into the infected computer’s memory.
Each file has a different purpose – some are meant to be used to spread to other
computers and some are drivers, meant to take over control of the centrifuge’s
Whoever wrote the code made sure to cover his tracks. Instead of
forging a digital certificate, the creators allegedly stole the
certificate – essentially a piece of software’s calling card – of a Taiwan-based
computer chip company. How it was stolen is unclear but the company is not
suspected of involvement.
In addition, the complexity of the worm has led
experts to conclude that there were at least five or six writers working on the
code simultaneously, overseen by quality control and project management teams,
likely reaching a crew of several dozen over a period of several years. One
foreign analyst claimed that the code was of the quality of the type of software
you would find in cruise missiles.
According to Langner, the German
computer expert, all the attacker had to do was infect the computer of an
outside contractor who works at Natanz. “You don’t have to get the infected
drive into Natanz; all you need to do is make sure that someone who has access
to the facility has his or her computer infected and then connects to the
server,” he said.
Some news reports have referred to possible hints left
behind in Stuxnet’s 15,000-line code. One possible clue was the use of the word
“Myrtus” as the name of one of the files, a possible reference to Hadassah, the
birth name of Queen Esther, who is buried in Persia. Another supposed clue
was the number 19790509 which also appears in the code and might refer to May 9,
1979, the day a prominent Persian Jew was executed in Teheran.
chances that these are real clues are low, according to Byres. While there is a
tradition in the software industry of leaving calling cards behind inside codes,
in cases like Stuxnet, it would make more sense to throw in a red herring to
divert attention away from the real creator.
NO ONE has taken
responsibility for the attack but fingers have been pointed mostly at Israel.
Langner said that in his opinion at least two countries – possibly Israel and the
US – were behind Stuxnet.
While everyone in Israel’s top political and
defense echelons believe that Iran’s nuclear program needs to be stopped, many
are concerned about retaliation, including Dagan. If Stuxnet can spare Israel
that war, there is no question it is worth it.
There are a limited number
of agencies that could have been involved in writing such a program. The first
is Military Intelligence’s Unit 8200, the equivalent of the US National Security
Agency, which is responsible for signal intelligence, eavesdropping on the enemy
and code decryption and was entrusted in 2009 with the IDF’s offensive cyber
Another possibility is the Mossad, which also has strong
technological capabilities but is slightly inferior to Unit 8200, the largest
unit within the IDF.
The Mossad has received a major boost in its budget
in recent years to help it acquire the resources needed to effectively combat
Iran’s nuclear program. Its focus is reportedly on covert operations such as
acts of sabotage and assassinations similar to the type that killed a top
scientist in Teheran in November, which was attributed to the Mossad, and cyber
The Iranian announcement that a network of Mossad spies had been
caught in Teheran this week – whether the story is true or not – is an
indication of how nervous the ayatollahs are.