Iran Nuclear Worker

Iran's civil defense chief, Gholam Reza Jalali, said yesterday the country had been attacked by another computer virus called Stars. If correct, it will be the second cyber attack in less than a year.

According to Jalali via RTT news, the virus specifically targeted Iran's governmental institutions and may have been cloaked as innocuous-looking, official files.

Jalali said the virus could have been "mistaken for executive files of governmental organizations." However, he refused to speculate on identities of likely suspects.

Iran's Bushehr nuclear power plant was struck by the Stuxnet worm in September 2010. Due to the nature of the attack, President Mahmoud Ahmadinejad claimed the virus was created by the United States and Israel.

No evidence of the worm's origin was discovered.

Iran Alleges Espionage Over Internet Worm

Senior government official says foreign governments are launching malware dubbed Stars at the country's nuclear facilities.

A senior official in Iran has alleged that foreign governments have been targeting the country's nuclear facilities using an Internet-borne worm, dubbed Stars.

Brigadier general Gholam Reza Jalali, Iran's head of civil defense, on Monday told the Iranian Mehr news agency that the country has detected a new worm that targets government systems. "The damage is very low in the first phase," said Jalali. "The executable files may sometimes be confused with official state documents."

He also warned that although the Stars malware had been discovered--he didn't specify how--researchers still didn't understand its purpose or how exactly it operates, meaning that it might still unleash some type of attack. Finally, he called for legal sanctions against whoever launched Stars.

According to security experts, Jalali's description of the worm makes it sound as if the attack employs malicious Word, Excel, or PDF files, and that echoes a recent series of targeted attacks that have exploited a vulnerability in Flash. But is a worm that targets a government network anything to write home about? In fact, wouldn't the absence of targeted attacks suggest that government agencies simply weren't spotting attacks that were sure to be underway?

"From my perspective, most governments will be running into and dealing with targeted attacks," said James Lyne, director of technology strategy at Sophos, in an email interview. "Targeted attacks are common today--even for medium-size enterprises."

"In many cases, we see targeted phishing attempts--though the volume is still 'spray and pray,' where an attacker may just be lucky and hit the right system," he said. "The quality of these attacks ranges from basic social engineering or Web threats--low tech can still be very successful--to quite coordinated and clever malicious code."

Of course, any apparent phishing attack against Iran raises the specter of Stuxnet, which apparently targeted five facilities related to an Iranian nuclear enrichment facility to then infect systems at the facility. Beginning in June 2009, the worm spread, ultimately infecting the facility's supervisory control and data acquisition (SCADA) software, which was supplied by Siemens. The malware then adjusted the speeds of the high-frequency converter drives used for enrichment, from very low to very high frequencies, while failing to report this activity via the user interface.

Ultimately, Stuxnet disrupted the refinement process and, according to some reports, disabled the drives. Iran, however, has denied that any equipment was damaged, or its nuclear program disrupted.

Earlier this month, Jalali told the Islamic Republic News Service, Iran's state news agency, that Siemens was partially to blame for Stuxnet. "Siemens should explain why and how it provided the enemies with the information about the codes of the SCADA software (which is used at some of Iran's major industrial sites) and prepared the ground for a cyber attack against us," he said, according to the Tehran Times.

Jalali also said that Iran's investigation traced the origin of the worm to the United States and Israel, and identified transmissions back to those countries from PCs infected by Stuxnet. On a similar note, earlier this year, a New York Times story quoted unnamed officials who said that Stuxnet was a joint American and Israeli creation.

Jalali also called for legal action against the companies and countries that launched Stuxnet. "The attacking countries should be held legally responsible for the cyber attack," he said. "If we were not ready to tackle the crisis and their attack was successful, the attack could have created tragic incidents at the country's industrial sites and refineries."

Stuxnet 2? Iran Under Attack From New Computer Virus

Iranian computers are again being targeted by a computer virus in what the country's commander of civil defense described Monday as a "cyber war," according to Reuters.

"Fortunately, our young experts have been able to discover this virus and the Stars virus is now in the laboratory for more investigations," Gholamreza Jalali was quoted as saying. The civil defense commander did not detail the targets of the attack.

"The particular characteristics of the Stars virus have been discovered," Jalali said. "The virus is congruous and harmonious with the [computer] system and in the initial phase it does minor damage and might be mistaken for some executive files of government organizations."

Last year, Iranian nuclear facilities were apparently the main target of the Stuxnet computer worm—a Windows-specific computer threat that spies on and reprograms industrial control systems—which infected tens of thousands of IP addresses in the country.

Jalali said that the mutating Stuxnet worm still put Iranian systems at risk, though Iranian officials have claimed to have neutralized the threat.

Stuxnet was first discovered at the Bushehr nuclear reactor last August when Iran began loading fuel into its first such facility. Iranian officials have claimed that Israel and the U.S. were behind the Stuxnet worm.

A recent report from McAfee and the Center for Strategic and International Studies (CSIS) warned that sophisticated computer threats like Stuxnet that target critical infrastructure would only increase in the future.

Computer Worm Wreaking Havoc on Iran's Nuclear Capabilities

An internal report by a special intelligence unit in Iran has concluded that the Stuxnet malware computer virus that has infected Iran’s nuclear facilities is so dangerous it could shut down the entire national power grid.

The report, written by the Iranian Passive Defense Organization, chaired by Revolutionary Guards Gen. Gholam-Reza Jalali, states that Stuxnet has so thoroughly infected the operating systems at the Bushehr power plant that work on the plant must be halted indefinitely.

If the Bushehr power plant were to go on line, “the internal directives programmed into the structure of the virus can actually bring the generators and electrical power grid of the country to a sudden halt, creating a ‘heart attack type of work stoppage,’” the report states.

The report was obtained by the “Green Liaison news group,” Iranian journalists affiliated with presidential candidate Mir Hussein Mousavi, and was translated into English by Reza Kahlili, a former Revolutionary Guards officer who spied on behalf of the CIA for over a decade while inside Iran.

The report claims that Stuxnet “has automatic updating capabilities in order to track and pirate information,” and that it “can destroy system hardware step-by-step.”

Gen. Jalali has held two press conferences in recent weeks where he has given tantalizing glimpses into the conclusions of his top-secret task force to analyze and defuse the Stuxnet computer worm.

At one, he blamed Israel for collaborating in developing the worm and claimed that his experts had traced “reports” sent by the worm back to Texas.

“Enemies have attacked industrial infrastructure and undermined industrial production through cyberattacks. This was a hostile action against our country,” Jalali said. “If it had not been confronted in time, much material damage and human loss could have been inflicted.”

Jalali also lashed out at Siemens, the German firm that sold Iran the Supervisory Control and Data Acquisition (SCADA) process controllers used to run the Bushehr power plant, the Natanz uranium enrichment plant, and other industrial facilities in Iran.

"Our executive officials should legally follow up the case of Siemens SCADA software, which prepared the ground for the Stuxnet virus," he said.

"The Siemens company must be held accountable and explain how and why it provided the enemies with the information about the codes of SCADA software and paved the way for a cyberattack against us," he said.

Siemens has said it was blindsided by Stuxnet, and began publishing its own research and tools to remove the worm from infected computers last fall.

On Monday, Jalali claimed that his intelligence unit, which merges computer analysts from the intelligence ministry and the Revolutionary Guards intelligence service, had found a new computer virus attacking Iran’s nuclear facilities called “Stars.”

He called “Stars” an “espionage virus,” and said that it copied government files and was difficult to destroy in its early stages.

Kahlili believes that Gen. Jalali’s admission of the damage wrought by Stuxnet is significant, since until now the Iranian authorities have suggested that everything was under control. “This is the first official statement out of Iran that the U.S. and Israel should be blamed for this attack,” Kahlili told Newsmax.

“They held back for a long time in order to solve the problem, but have gone public because they haven’t succeeded in doing so. This shows the extent of the damage to the Bushehr power plant. What Jalali is saying is that they are holding the U.S. and Israel responsible and that Iran will retaliate,” he added.

Ralph Langner, the German computer security expert who first identified the specifics of the malicious code used by Stuxnet, says that the worm contains two “digital warheads” that seek out specific control systems to attack. But its targets are computers driving Iran’s uranium enrichment program, not the control systems at Bushehr, he insists. The larger of the two warheads loads onto S7-415 controllers in Siemens SCADA process control software. While these controllers are found “in power plant turbine control” systems, such as those at Bushehr, Langner now believes the warhead was not programmed to affect those systems.

“Anything that went wrong in Bushehr cannot be attributed to Stuxnet. It may be attributed to other sabotage acts, to stupidity, or whatever,” he told Newsmax in an email.

Because the Iranians reported early on that Stuxnet had infected Bushehr, Langner spent several months investigating what systems Stuxnet might attack at the Russian-built plant, before setting aside that thesis based on his analysis of the worm’s internal code.

“It would certainly be a good idea for Iran to clean up all systems before going operational in Bushehr (and before resuming operations in Natanz) as any further attempts to remove the virus when the plant is running will be much harder or even impossible,” Langner wrote in his blog on Feb. 1. “As long as there is even a single system in the nuclear program still infected with Stuxnet, those centrifuges continue to be at risk.”

Russian experts and officials have been warning for several months that the Bushehr power plant has become too dangerous to operate because of the Stuxnet infection. In February, Russia's envoy to NATO, Dmitry Rogozin, described to reporters an incident he claimed had been witnessed by Russian engineers working at the plant.

The engineers "saw on their screens that the systems were functioning normally, when in fact they were running out of control," he said. This was because Stuxnet was sending out false messages to the control instruments the engineers normally monitored.

The Russian engineers performed additional tests that determined physical malfunctions were occurring at the plant and then removed all nuclear fuel from the reactor. "The virus which is very toxic, very dangerous, could have had very serious implications," Rogozin said.

Iran was forced to shut down its uranium enrichment plant at Natanz last November and removed nearly 1,000 centrifuges because of malfunctions caused by Stuxnet. See "Cyberwar Declared on Iran."

Earlier this month, Iran refueled the Bushehr nuclear power plant and seemed ready to start the reactor, but Jalali’s report has put an indefinite hold on operations there.

The Iranian parliament recently sent a separate report to Supreme Leader Ali Khamenei saying that Bushehr had become so expensive and so many years behind schedule that it would be cheaper and quicker to build a new nuclear power plant and shut the Bushehr site definitively, Kahlili said.
