Stuxnet delivered to Iranian nuclear plant on thumb drive

Citing U.S. intelligence sources, ISSSource says an infected memory stick was used to hit the facility with the worm that severely damaged Iran's nuclear program.

By Daniel Terdiman, CNET News (CBS Interactive)

An Iranian double agent working for Israel used a standard thumb drive carrying a deadly payload to infect Iran's Natanz nuclear facility with the highly destructive Stuxnet computer worm, according to a story by ISSSource.

Stuxnet quickly propagated throughout Natanz -- knocking that facility offline and at least temporarily crippling Iran's nuclear program -- once a user did nothing more than click on a Windows icon. The worm was discovered nearly two years ago.

ISSSource's report yesterday was based on sources inside the U.S. intelligence community.

These sources, who requested anonymity because of their close proximity to investigations, said a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. "Iranian double agents would have helped to target the most vulnerable spots in the system," one source said. In October 2010, Iran's intelligence minister, Heydar Moslehi, said an unspecified number of "nuclear spies" were arrested in connection with the Stuxnet virus.

As CNET first reported in August 2010, Stuxnet, as a worm intended to hit critical infrastructure companies, wasn't meant to remove data from Natanz. Rather, it left a back door that was meant to be accessed remotely to allow outsiders to stealthily control the plant.

The Stuxnet worm infected industrial control system companies around the world, particularly in Iran and India but also companies in the U.S. energy industry, Liam O'Murchu, manager of operations for Symantec Security Response, told CNET. He declined to say how many companies may have been infected or to identify any of them.

"This is quite a serious development in the threat landscape," he said. "It's essentially giving an attacker control of the physical system in an industrial control environment."

According to ISSSource's sources, the double agent was likely a member of the Mujahedeen-e-Khalq (MEK), a shadowy organization often engaged by Israel to carry out targeted assassinations of Iranian nationals.

As CNET reported in August 2010:

The Stuxnet worm propagates by exploiting a hole in all versions of Windows in the code that processes shortcut files, ending in ".lnk," according to...[the] Microsoft Malware Protection Center.... Merely browsing to the removable media drive using an application that displays shortcut icons, such as Windows Explorer, will run the malware without the user clicking on the icons. The worm infects USB drives or other removable storage devices that are subsequently connected to the infected machine. Those USB drives then infect other machines much like the common cold is spread by infected people sneezing into their hands and then touching door knobs that others are handling.

The malware includes a rootkit, which is software designed to hide the fact that a computer has been compromised, and other software that sneaks onto computers by using digital certificates signed by two Taiwanese chip manufacturers that are based in the same industrial complex in Taiwan--RealTek and JMicron, according to Chester Wisniewski, senior security advisor at Sophos.... It is unclear how the digital signatures were acquired by the attacker, but experts believe they were stolen and that the companies were not involved.

Once the machine is infected, a Trojan looks to see if the computer it lands on is running Siemens' Simatic WinCC software. The malware then automatically uses a default password that is hard-coded into the software to access the control system's Microsoft SQL database.
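The shortcut-file propagation described above is the kind of thing a defender can triage on a removable drive before anyone browses it. The following Python scanner is an added example, not code from CNET, ISSSource or the researchers quoted here: it parses the Shell Link header and target item list of a .lnk file and flags shortcuts whose target names a loadable module or the Control Panel namespace, which is a heuristic assumed here rather than a signature for the worm; both sample shortcuts are constructed inline.

```python
import struct

# Constructed example: a heuristic triage scanner for Windows shortcut (.lnk) files.
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")     # 00021401-0000-0000-C000-000000000046
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")  # Control Panel shell folder
HAS_LINK_TARGET_IDLIST = 0x1  # LinkFlags bit 0

def parse_idlist(data):
    """Validate the 76-byte ShellLinkHeader and return the LinkTargetIDList items as raw bytes."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    if flags & HAS_LINK_TARGET_IDLIST:
        # IDListSize (2 bytes), then ItemIDs of {size, data}, ended by a 0x0000 terminator
        size = struct.unpack_from("<H", data, 76)[0]
        pos, end = 78, 78 + size
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size < 2:
                break
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return items

def suspicious_shortcut(data):
    """Return the reasons a shortcut deserves review (empty list: nothing flagged).
    Heuristic, an assumption of this example: a target list that names a .dll/.cpl or the
    Control Panel namespace asks Explorer to load code just to draw the icon."""
    reasons = []
    for item in parse_idlist(data):
        if CONTROL_PANEL_CLSID in item:
            reasons.append("target list references the Control Panel namespace")
        # decode at both byte alignments, since the UTF-16 path need not start at an even offset
        text = (item.decode("utf-16-le", "ignore") + item[1:].decode("utf-16-le", "ignore")).lower()
        if ".dll" in text or ".cpl" in text:
            reasons.append("target path names a loadable module")
    return reasons

def build_lnk(items):
    """Build a minimal .lnk (header plus LinkTargetIDList only) for the constructed samples."""
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID + struct.pack("<I", HAS_LINK_TARGET_IDLIST) + bytes(52)
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist

# Constructed samples: an ordinary document shortcut and one that points at a module path.
BENIGN_LNK = build_lnk([b"\x1f" + bytes(16), "C:\\Users\\alice\\notes.txt".encode("utf-16-le")])
SUSPECT_LNK = build_lnk([b"\x1f" + CONTROL_PANEL_CLSID, b"\x00" + "\\\\.\\usb\\payload.dll".encode("utf-16-le")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(name, suspicious_shortcut(blob) or ["nothing flagged"])
```

On a real drive, run `suspicious_shortcut` over every `*.lnk` read in binary mode and quarantine the flagged files for analysis rather than opening the folder in Explorer.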