Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.
Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.
The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.
The new forensic work narrows the range of targets and deciphers the worm’s plan of attack. Computer analysts say Stuxnet does its damage by making quick changes in the rotational speed of motors, shifting them rapidly up and down.
Changing the speed “sabotages the normal operation of the industrial control process,” Eric Chien, a researcher at the computer security company Symantec, wrote in a blog post.
Those fluctuations, nuclear analysts said in response to the report, are a recipe for disaster among the thousands of centrifuges spinning in Iran to enrich uranium, which can fuel reactors or bombs. Rapid changes can cause them to blow apart. Reports issued by international inspectors reveal that Iran has experienced many problems keeping its centrifuges running, with hundreds removed from active service since summer 2009.
“We don’t see direct confirmation” that the attack was meant to slow Iran’s nuclear work, David Albright, president of the Institute for Science and International Security, a private group in Washington that tracks nuclear proliferation, said in an interview Thursday. “But it sure is a plausible interpretation of the available facts.”
Intelligence officials have said they believe that a series of covert programs are responsible for at least some of that decline. So when Iran reported earlier this year that it was battling the Stuxnet worm, many experts immediately suspected that it was a state-sponsored cyberattack.
Until last week, analysts had said only that Stuxnet was designed to infect certain kinds of Siemens equipment used in a wide variety of industrial sites around the world. But a study released Friday by Mr. Chien, Nicolas Falliere and Liam O. Murchu at Symantec, concluded that the program’s real target was to take over frequency converters, a type of power supply that changes its output frequency to control the speed of a motor. The worm’s code was found to attack converters made by two companies, Fararo Paya in Iran and Vacon in Finland. A separate study conducted by the Department of Homeland Security confirmed that finding, a senior government official said in an interview on Thursday.
Then, on Wednesday, Mr. Albright and a colleague, Andrea Stricker, released a report saying that when the worm ramped up the frequency of the electrical current supplying the centrifuges, they would spin faster and faster. The worm eventually makes the current hit 1,410 Hertz, or cycles per second — just enough, they reported, to send the centrifuges flying apart.
In a spooky flourish, Mr. Albright said in the interview, the worm ends the attack with a command to restore the current to the perfect operating frequency for the centrifuges — which, by that time, would presumably be destroyed.
“It’s striking how close it is to the standard value,” he said.
The computer analysis, his Wednesday report concluded, “makes a legitimate case that Stuxnet could indeed disrupt or destroy” Iranian centrifuge plants.
The latest evidence does not prove Iran was the target, and there have been no confirmed reports of industrial damage linked to Stuxnet. Converters are used to control a number of different machines, including lathes, saws and turbines, and they can be found in gas pipelines and chemical plants. But converters are also essential for nuclear centrifuges.
On Wednesday, the chief of the Department of Homeland Security’s cybersecurity center in Virginia, Sean McGurk, told a Senate committee that the worm was a “game changer” because of the skill with which it was composed and the care with which it was geared toward attacking specific types of equipment.
Meanwhile, the search for other clues in the Stuxnet program continues — and so do the theories about its origins.
Ralph Langner, a German expert in industrial control systems who has examined the program and who was the first to suggest that the Stuxnet worm may have been aimed at Iran, noted in late September that a file inside the code was named “Myrtus.” That could be read as an allusion to Esther, and he and others speculated it was a reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.
Writing on his Web site last week, Mr. Langner noted that a number of the data modules inside the program contained the date “Sept. 24, 2001,” clearly long before the program was actually written. He wrote that he believed the date was a message from the authors of the program, but did not know what it might mean.
Last month, researchers at Symantec also speculated that a string of numbers found in the program — 19790509 — while seeming random, might actually be significant. They speculated that it might refer to May 9, 1979, the day that Jewish-Iranian businessman Habib Elghanian was executed in Iran after being convicted of spying for Israel.
Interpreting what the clues might mean is a fascinating exercise for computer experts and conspiracy theorists, but it could also be a way to mislead investigators.
Indeed, according to one investigator, the creation date of the data modules might instead suggest that the original attack code in Stuxnet was written long before the program was actually distributed. According to Tom Parker, a computer security specialist at Securicon LLC, a security consulting firm based in Washington, the Stuxnet payload appeared to have been written by a team of highly skilled programmers, while the “dropper” program that delivered the program reflected an amateur level of expertise. He said the fact that Stuxnet was detected and had spread widely in a number of countries was an indicator that it was a failed operation.
“The end target is going to be able to know they were the target, and the attacker won’t be able to use this technique again,” he said.