EXCLUSIVE: Iran's nuclear program is still in chaos despite its leaders' adamant claim that they have contained the computer worm that attacked their facilities, cybersecurity experts in the United States and Europe say.
The American and European experts say their security websites, which deal with the computer worm known as Stuxnet, continue to be swamped with traffic from Tehran and other places in the Islamic Republic, an indication that the worm continues to infect the computers at Iran's two nuclear sites.
The Stuxnet worm, named after initials found in its code, is the most sophisticated cyberweapon ever created. Examination of the worm shows it was a cybermissile designed to penetrate advanced security systems. It was equipped with a warhead that targeted and took over the controls of the centrifuge systems at Iran’s uranium processing center in Natanz, and it had a second warhead that targeted the massive turbine at the nuclear reactor in Bashehr.
Stuxnet was designed to take over the control systems and evade detection, and it apparently was very successful. Last week President Mahmoud Ahmadinejad, after months of denials, admitted that the worm had penetrated Iran's nuclear sites, but he said it was detected and controlled.
The second part of that claim, experts say, doesn’t ring true.
Eric Byres, a computer expert who has studied the worm, said his site was hit with a surge in traffic from Iran, meaning that efforts to get the two nuclear plants to function normally have failed. The web traffic, he says, shows Iran still hasn’t come to grips with the complexity of the malware that appears to be still infecting the systems at both Bashehr and Natanz.
“The effort has been stunning," Byres said. "Two years ago American users on my site outnumbered Iranians by 100 to 1. Today we are close to a majority of Iranian users.”
He said that while there may be some individual computer owners from Iran looking for information about the virus, it was unlikely that they were responsible for the vast majority of the inquiries because the worm targeted only the two nuclear sites and did no damage to the thousands of other computers it infiltrated.
At one of the larger American web companies offering advice on how to eliminate the worm, traffic from Iran has swamped that of its largest user: the United States.
“Our traffic from Iran has really spiked,” said a corporate officer who asked that neither he nor his company be named. “Iran now represents 14.9 percent of total traffic, surpassing the United States with a total of 12.1 percent. Given the different population sizes, that is a significant number.”
Perhaps more significantly, traffic from Tehran to the company's site is now double that of New York City.
Ron Southworth, who runs the SCADA (the Supervisory Control and Data Access control system that the worm specifically targeted) list server, said that until two years ago he had clearly identified users from Iran, “but they all unsubscribed at about the same time.” Since the announcement of the Stuxnet malware, he said, he has seen a jump in users, but few openly from Iran. He suspects there is a cat-and-mouse game going on that involves hiding the e-mail addresses, but he said it was clear his site was being searched by a number of users who have gone to a great deal of effort to hide their country of origin.
Byres said there are a growing number of impostors signing on to Stuxnet security sites.
“I had one guy sign up who I knew and called him. He said it wasn’t his account. In another case a guy saying he was Israeli tried to sign up. He wasn’t.”
The implication, he says, is that such a massive effort is a sign of a coordinated effort.
Ralph Langner, the German expert who was among the first to study and raise alarms about Stuxnet, said he was not surprised by the development.
“The Iranians don’t have the depth of knowledge to handle the worm or understand its complexity,” he said, raising the possibility that they may never succeed in eliminating it.
“Here is their problem. They should throw out every personal computer involved with the nuclear program and start over, but they can’t do that. Moreover, they are completely dependent on outside companies for the construction and maintenance of their nuclear facilities. They should throw out their computers as well. But they can’t,“ he explained. “They will just continually re-infect themselves.”
“With the best of expertise and equipment it would take another year for the plants to function normally again because it is so hard to get the worm out. It even hides in the back-up systems. But they can’t do it,” he said.
And Iran’s anti-worm effort may have had another setback. In Tehran, men on motorcycles attacked two leading nuclear scientists on their way to work. Using magnetic bombs, the motorcyclists pulled alongside their cars and attached the devices.
One scientist was wounded and the other killed. Confirmed reports say that the murdered scientist was in charge of dealing with the Stuxnet virus at the nuclear plants.