A computer worm that has infected industrial computers around the world may be part of a campaign targeting nuclear installations in Iran, computer-security researchers say.

The highest concentration of affected systems — almost 60 percent — is in that country, according to data from Symantec Corp., the computer-security software maker. The worm’s sophisticated programming and ability to hide itself suggest it may have been built by a government-sponsored organization in a country such as the United States or Israel, said Frank Rieger, technology chief at GSMK, a maker of encrypted mobile phones.

He estimated that building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months.

“All the details so far to me scream that this was created by a nation-state,” Rieger said. Iran’s nuclear facilities may have been targets, said Rieger and Richard Falkenrath, principal at the Chertoff Group, a Washington-based security advisory firm.

Iran, which has the world’s second-largest oil reserves, is under United Nations sanctions because it has refused to curtail uranium enrichment and the development of ballistic missiles that might carry a weapon. The country started a 1,000-megawatt nuclear-power reactor near the city of Bushehr in August.

“It is theoretically possible that the U.S. government did this,” Falkenrath said Friday in an interview with Bloomberg Television. “But in my judgment, that’s a very remote possibility. It’s more likely that Israel did it.”


The U.S. Department of Homeland Security, which is studying the worm, hasn’t identified its origins.

The worm initially infects computers running several editions of Microsoft Corp.’s Windows, including older versions such as Windows 2000, and recent ones such as Windows 7, using one of four vulnerabilities known only to the worm’s creators, said Liam O Murchu, manager of North American security-response operations for Mountain View, California-based Symantec.

“It hides in Windows and then tries to spread itself to other computers running Windows,” O Murchu said. An infected computer shows no ill effects and the worm ensures that no software crashes.

As it spreads, the worm searches for connections to a device known as a programmable logic controller, which helps link Windows computers and computerized industrial-control systems, converting commands sent from the Windows machine into a format the industrial machines can understand. The worm targets industrial software made by Munich-based Siemens AG, researchers said.

Once an industrial machine is infected, the worm lies dormant until certain conditions in the machine are met, O Murchu said. For example, when the temperature of a certain component gets hot, the worm might prevent a cooling system from functioning. What conditions the worm waits for are unclear, he said.

Symantec estimated in July that 14,000 individual computers connected to the Internet worldwide had shown signs of infection by the so-called Stuxnet worm. The highest concentration — 59 percent — was in Iran; 18 percent were in Indonesia, 8 percent in India and less than 2 percent in the United States.

 
