Iran blames Stuxnet worm on western powers

Iran subject to largest-ever cyber-attack. Nigerian Independence Day marred by bombings. Europe steps up terror-alert following US warnings. All this and more in this week's security briefing.
Luke Heighton
5 October 2010


Iran has detained several “spies” in connection with last week’s 'Stuxnet' cyber attack on the country’s industrial computer systems, according to Iranian intelligence minister, Heydar Moslehi. Moslehi did not give details as to where, when and how many arrests had taken place, nor did he reveal whether any of the suspected spies were thought to be foreign nationals.

Iran is believed to have been the first country to be attacked by a computer virus designed to target real world infrastructure. The attack – first discovered in Belarus in June, but which hit the headlines last week – has been attributed to a worm known as “Stuxnet”. International experts studying the worm believe its sophistication points towards state-sponsored development. Speaking to the BBC, Liam O'Murchu of security firm Symantec, who has tracked the worm since it was first detected, said "The fact that we see so many more infections in Iran than anywhere else in the world makes us think this threat was targeted at Iran and that there was something in Iran that was of very, very high value to whomever wrote it".

What sets the worm apart from most of its kind is that it targets systems not usually connected to the internet for security reasons. It is thought the worm enters the network through a conventional USB drive. Once in the operating system, it looks for a particular combination of software code, application or hardware platform, before manipulating the settings on devices known as programmable logic controllers – used in everything from water purification facilities, factory floors and elevator doors, to chemical and pharmaceutical manufacture and the power industry. Stuxnet is thought to have infected nearly 30,000 computers in Iran, primarily those running Siemens operating systems.

There has been speculation, however, that Stuxnet was intended specifically to severely hamper the development of Iran’s Bushehr nuclear power plant and/or the uranium enrichment plant at Natanz. Kevin Hogan, Senior Director of Security Response at Symantec, told Reuters that the numbers of infections in Iran “are off the charts”. It has been estimated that nearly 60% of all infections occurred in Iran, though China, India, Pakistan and Indonesia also appear to have seen relatively high infection rates.

As to where Stuxnet comes from, Sean McGurk, who runs the National Cybersecurity and Communications Integration Center, a cyber watch centre run by the U.S. Department of Homeland Security, told reporters: "We're not looking right now to try to attribute where it came from. What we're focusing on is how to mitigate and prevent the spread." By contrast Moslehi said Iran had discovered the "destructive activities of the arrogant [western powers] in cyberspace", adding that "different ways to confront them have been designed and implemented". He added: "I assure all citizens that the intelligence apparatus currently has complete supervision of cyberspace and will not allow any leak or destruction of our country's nuclear activities."

At least one independent commentator - computer security expert Ralph Langner - is hardly surprised by the attack. Langner argues that while the Stuxnet incident serves to highlight a profound lack of readiness on the part of national governments the world over, at the same time it should reduce the likelihood of such an attack happening again any time soon:

“The attackers behind Stuxnet had and used the element of surprise. Few people besides me had expected such an attack, and therefore defense was non-existent. This has now changed, or at least it should have. Any operator of an installation of strategic value who has not reviewed security policy during the last two weeks is doing the same thing that I said about the Bushehr plant: Begging to be cyber-attacked. The good news with critical infrastructure is, this is a manageable task, as the number of installations is comparatively low and the assets are worth significant investments in appropriately upgraded security.”

Recently both the EU and NATO have been taking steps to protect their members from the increasing threat of cyber attack. Yet Ralph Langner also issues a sobering warning to those who continue to hope better security and stronger international partnerships might lessen the danger:

“Proliferation of cyber weapon technology cannot be controlled. So while governments may sign lengthy treaties addressing the issue, such treaties won't be countersigned by rogue nation states, terrorists, organized crime, and hackers. Yet all of these will be able to possess and use such weapons soon.”

Pakistan drone attack linked to Europe-wide terror alerts

Five Germans of Arab and Pakistani origin and at least three people were killed by a US drone on Monday, following a week in which the US issued a Europe-wide terror alert amidst fears one or more “commando-style” terrorist attacks were imminent. The drone strike occurred in Pakistan’s tribal belt, as part of a rapidly escalating CIA campaign targeting what is thought to be the hub of Al Qaida’s global operations. The drone is understood to have fired two missiles into a house in Mir Ali, North Waziristan, following several days in which a number of German, British and other foreign nationals have been killed in similar strikes in the area.

Much of the intelligence that led to the terror alert is believed to have come from one Ahmad Sidiqi, an Afghan-born German militant who attended the same Hamburg mosque as some of those who took part in the September 11th attacks in 2001. Sidiqi was captured by US forces earlier this summer and went on to name Britain and France as possible targets while under interrogation at Bagram jail outside Kabul, though it is not known for certain whether this would appear to confirm or contradict reports that a Europe-wide wave of attacks was ordered by Osama bin Laden himself. Bin Laden had in September 2009 called for the withdrawal of European forces from Afghanistan in a message with German and English subtitles. The demand was followed by specific threats against Germany aired in German language internet videos.

The US is thought to have told European capitals and EU headquarters in Brussels that Al Qaida was preparing co-ordinated strikes in various European countries, and there have been reports in the US media that the German authorities were made aware of specific threats to Berlin’s Adlon hotel and the central railway station and television tower at Alexanderplatz. These were immediately played down by German authorities. French intelligence services, meanwhile, issued an alarm regarding possible attacks being planned in Europe by Al Qaida in the Islamic Maghreb (AQIM), a group which many EU observers believe is becoming a greater threat than bin Laden. On Friday Sweden also increased its threat level following circulation on Jihadist websites of an audio message purporting to come from bin Laden.

As Bill Roggio and Lisa Lundquist wrote at the time:

“The revelation of this latest terror plot shakes an already edgy Europe, which has recently seen the Eiffel Tower evacuated twice in the past two weeks due to anonymous bomb threats, the arrest in Norway of several operatives planning another attack on the Danish newspaper Jyllands-Posten, and specific threats to the French public transportation systems. At present, the terror alert level in France is high, as it is in England.”

Yet there is some scepticism as to the timing of the warnings. The Guardian cites one “European source” familiar with the intelligence material behind the alarms as saying "The threat was real, obviously, and it's not over. But why it's been put on the market in this way is a different issue." The paper goes on to say that there is speculation the alerts might be intended to shore up western intelligence and security funding at a time of budget cuts; that the US will use the new anxiety to negotiate greater information sharing from European countries; and that it could strengthen the case for staying in Afghanistan at a time when many European governments feel the war is a lost cause.

Arrests made after Abuja bombing

Nigerian authorities say they have arrested nine people linked to last week’s car bombings in the capital, Abuja, during celebrations marking fifty years of independence from Great Britain. Reports as to the human cost of the bombings vary, but it is thought at least twelve people died and 36 people were injured in the two attacks, which are being widely attributed to individuals linked with the rebel Movement for the Emancipation of the Niger Delta (MEND) group.

MEND have claimed official responsibility for the attacks, though Nigeria’s president, Goodluck Jonathan, also expressed the view that foreign terrorist elements had carried out the attacks, using the group’s name as cover. Nevertheless, the spotlight seems to have fallen on one of the group’s leaders, Henry Okah. Okah was arrested in Johannesburg on 2 October and charged with two counts of terrorism by a South African Court. According to Bloomberg, Okah’s charge sheet says he “unlawfully and intentionally caused to be delivered, placed, discharged, and/or detonated an explosive device at Abuja, Nigeria, with the purpose of causing death or serious bodily injury.”

Okah denies committing any unlawful acts, either in South Africa or outside the country, and is believed to be considering challenging his arrest on the grounds that it was “unlawful”. Okah has been remanded in custody and is expected to appear in court on 14 October. On Sunday the BBC also reported that the Nigerian police had named two more Nigerian men - Chima Orlu and Ben Jessy - as suspects in the case, but gave no further details about them. On Monday Nigeria's State Security Service (SSS) announced it had foiled a larger plot to detonate at least a further six car bombs close to key government and security buildings in Abuja’s “three-arm zone” on 29 September.
