http://www.washingtonpost.com/wp-dyn/content/article/2010/09/27/AR2010092706229.html

Iran struggling to contain 'foreign-made' 'Stuxnet' computer virus

By Thomas Erdbrink and Ellen Nakashima

September 27, 2010

TEHRAN - Iran suspects that a foreign organization or nation designed "Stuxnet," a quickly mutating computer worm that has been infiltrating industrial computer systems in the Islamic republic, a high-ranking official said Monday.

"We had anticipated that we could root out the virus within one to two months," Hamid Alipour, deputy head of Iran's Information Technology Co., a part of the ministry of communication and information technology, told the Islamic Republic News Agency. "But the virus is not stable, and since we started the cleanup process three new versions of it have been spreading," he said.

No one has claimed responsibility for the worm and no entity or country has been definitively identified as its source.

It is the first known case of malware designed to sabotage an industrial control system. "We've never seen anything like this before," said Liam O'Murchu, a researcher with the security firm Symantec. "It's very dangerous."

International computer security experts say Stuxnet was designed to target control systems produced by Siemens, a German equipment manufacturer. Siemens products are widely used in Iranian electricity plants, communication systems and in the country's first nuclear power plant, near the city of Bushehr, set to start production in October.

Once inside the target system, the worm is capable of reprogramming the software that controls critical functions. Researchers still do not know what type of system it had in its sights or what type of sabotage was intended.

The worm was discovered in June, and researchers found about 45,000 infected computers in various countries, including Indonesia and India. But the vast majority were in Iran, leading analysts to conclude that a system in Iran was the likely target.

Iranian officials said Saturday that they had been hit by "electronic warfare" and acknowledged that the worm had infected more than 30,000 computers, including personal computers owned by employees of the nuclear power plant near Bushehr.

But although the officials said over the weekend that the facility itself was not in danger and that the virus was under control, Monday's remarks suggest otherwise.

Because of the worm's reach and complexity and the huge investment required to write the code, Alipour said he thinks the virus was designed by a foreign organization or country. "The writer has had access to industrial information which is not available to IT experts," he said, stressing that an ordinary group of hackers could not have designed the virus.

An Iranian computer expert said the nuclear power plant must also be infected if employees' personal computers were hit by Stuxnet. "This could either be done by Israel, intending to steal nuclear secrets or disrupt power plants, or by India, which has the biggest private programming capacity worldwide," said the expert, speaking on the condition of anonymity because of the sensitivity of the subject.

A low-level cyberwar between Iran and the West intensified after President Mahmoud Ahmadinejad's disputed election victory last year. Several groups of Iranian hackers, some of them alleged to have ties to the intelligence ministry, have been attacking opposition Web sites. In December, they temporarily disrupted the Twitter network, which they accuse of assisting the grass-roots opposition movement.

Hacker groups such as the Iranian Cyber Army and Ashiyaneh have been saying they disrupted thousands of Western sites in the past year. In return, hundreds of Iranian Web sites have also been under attack.

Tehran-based engineers specializing in repairing personal computers said they had not noticed any upsurge in demand for repairs because of the virus. Computers are widely used in Iranian society, with the Internet playing an important role in distributing opposition news that is censored by state media outlets.

Alipour said the worm had become active about a year ago. "It is different from any other virus," he said. "Stuxnet is extremely dangerous, and serious measures should be taken to clean it up."

erdbrinkt@washpost.com nakashimae@washpost.com

Nakashima reported from Washington.