Pentagon on computer super-worm that’s been attacking Iran’s nuke program: Er, no comment

Easily the most fascinating story of the past week, but it’s so tech-heavy that I don’t trust myself to even summarize it properly, let alone opine on it. Let’s start slow, with the official American non-response:

The Pentagon is refusing to comment on widespread accusations that it is responsible for coordinating a cyber-attack against Iran’s nuclear facilities. Earlier this month the Iranians acknowledged the “Stuxnet Worm” had invaded software it uses at multiple nuclear production plants.

Pentagon Spokesman Col. David Lapan said Monday the Department of Defense can “neither confirm nor deny” reports that it launched this attack…

It’s also important to note that researchers have determined the worm originated sometime in early 2010. Therefore if it was initiated by the United States it would have been done under the Obama administration.

A fine theory, except that Wired claimed a few days ago that Stuxnet was actually first deployed in January 2009. That’s one of many mysteries here: not only who rolled it out, but how long has it been around and what, precisely, is it up to? Rather than drone at you, let me instead recommend this useful primer about the worm at New Scientist explaining how it works and why it’s blowing the minds of the cybersecurity experts who deal with it. In a nutshell, it’s fantastically sophisticated, exploiting four previously unknown (“zero-day”) vulnerabilities in Microsoft Windows in order to gain entry to a system. It’s also fantastically specific: it spreads across ordinary Windows machines, but its payload is aimed at industrial control systems made by the German electronics company Siemens, whose gear just so happens to run a bunch of Iranian nuclear infrastructure. And it’s potentially fantastically dangerous: unlike most worms, which are used to gather information and spy, Stuxnet is aimed at messing up the timing of heavy industrial machines, which could lead to mechanical breakdowns or even explosions. Wired explains:

Byres agrees and says this is because the malware interjects what’s known as Organizational Block 35 data blocks. OB35 data blocks are used for critical processes that are either moving very fast or are in high-pressure situations. These data blocks take priority over everything else in the processor and run every 100 milliseconds to monitor critical situations that can change quickly and wreak havoc.

“You use this priority for things that are absolutely mission-critical on the machine — things that really are threatening to the life of the people around it or the life of the machine,” Byres says, “like a turbine or a robot or a cyclone — something that’s going very, very fast and will tear itself apart if you don’t respond quickly. Big compressor stations on pipelines, for example, where the compressors are moving at very high RPMs would use OB35.”

A turbine or a robot or a cyclone or … a centrifuge, maybe? The early theory about Stuxnet was that it was aimed at penetrating Iran’s nuclear reactor at Bushehr, but that makes no sense to me. Bushehr, as we’ve explained before, simply isn’t all that important to Iran’s bomb-making abilities. It’s a scary symbol of Iranian nuclear know-how, but as an actual threat, it’s small potatoes. The real threat is the uranium enrichment facility at Natanz; if/when Iran masters the enrichment process completely, the centrifuges there will be churning out the highly enriched uranium (HEU) needed for Hiroshima-type bombs. Which explains why Wired thinks it’s Natanz, not Bushehr, that was the real target in all this.
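The OB35 behaviour Byres describes above, as an added example that is not part of the original post and is neither Siemens code nor Stuxnet’s payload: a toy Python model of a PLC scheduler in which a 100 ms cyclic interrupt block (OB35) preempts the main program cycle (OB1). The scan time, the “rotor” setpoints and the handlers are all constructed for illustration. What it shows is the priority point: OB1 keeps writing the correct value every scan, but whatever the cyclic block writes last before outputs are updated is what reaches the actuator, so a hostile handler in that slot wins intermittently, on exactly the scans where the 100 ms tick lands.

```python
"""Toy model of a Siemens-style PLC scan with a 100 ms cyclic interrupt.

Constructed illustration of the OB35 priority behaviour quoted above. It is
not Siemens firmware and not Stuxnet's code; every number here is made up.
"""

OB35_PERIOD_MS = 100  # cyclic interrupt period, as described in the quote


def run_plc(ob1, ob35, scan_ms, total_ms):
    """Simulate `total_ms` of controller time.

    OB1 runs once per scan of `scan_ms` and writes the process image.
    OB35 is due every OB35_PERIOD_MS and, having higher priority, runs
    before the scan's outputs are written, so its write is the one that
    reaches the actuator on that scan.

    Returns a list of (scan_end_ms, commanded_by_ob1, actuated) tuples.
    """
    image = {"setpoint": 0}
    trace = []
    t = 0
    next_ob35 = OB35_PERIOD_MS
    while t < total_ms:
        ob1(image, t)                      # legitimate control logic
        commanded = image["setpoint"]
        t += scan_ms
        while next_ob35 <= t:              # every OB35 tick due this scan
            ob35(image, next_ob35)         # preempts OB1, writes last
            next_ob35 += OB35_PERIOD_MS
        trace.append((t, commanded, image["setpoint"]))  # outputs updated
    return trace


def main_program(image, t):
    """OB1: hold the rotor at a fixed speed (hypothetical 1000 rpm)."""
    image["setpoint"] = 1000


def safety_monitor(image, t):
    """A benign OB35, the fast guard Byres describes: clamp an overspeed."""
    if image["setpoint"] > 1100:
        image["setpoint"] = 1100


def hijacked_ob35(image, t):
    """A hostile OB35: pushes the drive to a speed OB1 never commanded.

    Purely illustrative of 'last writer wins'; not the real payload.
    """
    image["setpoint"] = 1300


def overridden_scans(trace):
    """Scans where the actuated value differs from what OB1 commanded."""
    return [(t, c, a) for (t, c, a) in trace if a != c]


if __name__ == "__main__":
    good = run_plc(main_program, safety_monitor, scan_ms=30, total_ms=300)
    bad = run_plc(main_program, hijacked_ob35, scan_ms=30, total_ms=300)
    print("benign OB35, overridden scans:", overridden_scans(good))
    print("hijacked OB35, overridden scans:", overridden_scans(bad))
```

With a 30 ms scan over 300 ms the hostile handler fires on the scans ending at 120, 210 and 300 ms and the actuator sees 1300 there, while every other scan still shows OB1’s 1000. The `overridden_scans` check compares commanded against actuated; it only helps if the operator can observe the actuated value through a path the controller itself does not report, which is an assumption of this toy, not something the post establishes about the real attack.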

I recommend reading the full NS and Wired pieces above and then this analysis by Greenroomer J.E. Dyer about why it’s probably not the U.S. or Israel who’s behind this. Granted, according to most experts, Stuxnet is so complex and would have taken so long to create that only a nation or a very well-funded group could have come up with it, but of course there are other nations out there who are interested in what Iran’s doing. Nations like, say, China, which has not only developed a reputation for sophisticated hackery in recent years but which, as Dyer explains, is a better fit on the facts here. While most of the computers infected by Stuxnet are in Iran, not all are: Some are in India and Indonesia, which makes no sense for an America that’s worried about Iranian nukes but could make sense for a China that’s worried about Russia’s energy dealings in those countries. Russia began a brand new partnership with Siemens last year so the Chinese obviously would have good reason to want to target Siemens machines. But if this is a Chinese/Russian game, how come more computers in Russia haven’t been infected? (Or maybe they have and the Russians are keeping it quiet? It was a Belorussian security firm that first detected Stuxnet.) And if the Chinese wanted to use this worm as a weapon against an archenemy, why would they tip their hand by dumping it into relatively unimportant systems in Iran, thus bringing it to global attention, instead of holding it in reserve for a true cyberwar with Russia or the U.S.?

Seriously, though, read the pieces above so that you have the background you need as this develops. Apparently some tech firm is rolling out a paper on Stuxnet later this week so we may soon know whose fingerprints are on it. As for the Pentagon’s official no comment, that’s easy: Why tip our own hand one way or the other when this story obviously has Iran feeling paranoid? If we’re not responsible for it, they don’t need to know that. Let ’em worry.