The technology industry is being rattled by a quiet and sophisticated malicious software program that has infiltrated factory computers.
The malware, known as Stuxnet, was discovered in mid-July, at least several months after its creation, by VirusBlokAda, a Belarusian computer security company that was alerted by a customer.
Security experts say Stuxnet attacked the software in specialized industrial control equipment made by Siemens by exploiting a previously unknown hole in the Windows operating system.
The malware marks the first attack on critical industrial infrastructure that sits at the foundation of modern economies.
It also displays an array of novel tactics, like an ability to steal design documents or even sabotage equipment in a factory, that suggest its creators are far more sophisticated than hackers whose work has been seen before. The malware casts a spotlight on several security weaknesses.
Eric Chien, the technical director of Symantec Security Response, a security software maker that has studied Stuxnet, said it appears that the malware was created to attack an Iranian industrial facility. Security experts say that it was likely staged by a government or government-backed group, in light of the significant expertise and resources required to create it. The specific facility that was in Stuxnet’s crosshairs is not known, though speculation has centered on gas and nuclear installations.
Since it was unleashed, Stuxnet has spread to plants around the world. Siemens said it has received 15 reports from affected customers, five of which were located in Germany. All of these sites successfully removed the malicious program, which can be detected and removed by commercial antivirus programs. “Up to now there have been no instances where production operations have been influenced,” the company said in an e-mailed statement. Security researchers initially believed Stuxnet’s primary purpose was espionage because of its ability to steal design documents for industrial control systems. But more in-depth study of the program, which is extremely large and highly complex by malware standards, has revealed that it can also make changes to those systems.
Exactly what Stuxnet might command industrial equipment to do still isn’t known. But malware experts say it could have been designed to trigger such Hollywood-style bedlam as overloaded turbines, exploding pipelines and nuclear centrifuges spinning so fast that they break. “The true end goal of Stuxnet is cyber sabotage. It’s a cyber weapon basically,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky, a security software maker. “But how it exactly manifests in real life, I can’t say.”
Stuxnet’s remarkable sophistication has surprised many security professionals. Its authors had detailed knowledge of Siemens’ software and where its security weaknesses are. They discovered and used four unknown security flaws in Microsoft’s Windows operating system. And they masked their attack with the aid of sensitive intellectual property stolen from two hardware companies, Realtek and JMicron, which are located in the same office park in Taiwan.
“It’s impossible this was created by some teenager in his basement,” Mr. Chien said. “The amount of resources and man hours to put this together,” he said, show “it has to be something that was state originated.”