Patterico's Pontifications


Iranian Nuclear Scientists Getting Stux in the Net

Filed under: General — Aaron Worthing @ 2:26 pm

[Guest post by Aaron Worthing; if you have tips, please send them here.]

The last few days we have seen quite a few interesting stories about the Stuxnet virus/malware currently wreaking havoc in Iran’s nuclear program.  First was this very interesting Fox news reportage on the program:

Intelligence agencies, computer security companies and the nuclear industry have been trying to analyze the worm since it was discovered in June by a Belarus-based company that was doing business in Iran. And what they’ve all found, says Sean McGurk, the Homeland Security Department’s acting director of national cyber security and communications integration, is a “game changer.”

The construction of the worm was so advanced, it was “like the arrival of an F-35 into a World War I battlefield,” says Ralph Langner, the computer expert who was the first to sound the alarm about Stuxnet. Others have called it the first “weaponized” computer virus.

Simply put, Stuxnet is an incredibly advanced, undetectable computer worm that took years to construct and was designed to jump from computer to computer until it found the specific, protected control system that it aimed to destroy: Iran’s nuclear enrichment program.

The target was seemingly impenetrable; for security reasons, it lay several stories underground and was not connected to the World Wide Web. And that meant Stuxnet had to act as sort of a computer cruise missile: As it made its passage through a set of unconnected computers, it had to grow and adapt to security measures and other changes until it reached one that could bring it into the nuclear facility.

I mean that passage is so “holy sh-t” I wonder if the correct name for this thing should be “Skynet.”  Of course I urge you to read the whole thing.

But then there was a moment this morning that I liken to the second plane striking the WTC.  Now let me be clear.  I am not about to compare this thing to the evil of the 9-11 attacks, or anything like that.  But like a lot of you, I remember hearing about the first plane striking, and thinking it was an accident, or maybe just one lone crazy pilot.  And then I heard about the second plane and I knew this was an attack, and it had to be more than just one nut.  That was the feeling I had learning the next few facts.

You see, this morning we learn that two of Iran’s nuclear scientists were attacked in car bombs—meaning their cars were blown up.  One died and one is hospitalized.  And then we learn that according to Debka file

Prof. Majid Shahriari, who died when his car was attacked in North Tehran Monday, Nov. 29, headed the team Iran established for combating the Stuxnet virus rampaging through its nuclear and military networks. His wife was injured. The scientist’s death deals a major blow to Iran’s herculean efforts to purge its nuclear and military control systems of the destructive worm since it went on the offensive six months ago. Only this month, Stuxnet shut down nuclear enrichment at Natanz for six days from Nov. 16-22 and curtailed an important air defense exercise.

So the bomber coincidentally killed one of the guys who was trying to stop Skynet Stuxnet.  Now unlike the second plane hitting the WTC, there is room for it to be a coincidence.  For instance, the other target was apparently not half as significant, a political appointee.  But if this was an attempt to thwart efforts to stop Stuxnet, then consider the implications.  This means it is a conspiracy, not just a lone guy with a computer.  So either there is a conspiracy within Iran to do this, perhaps including some of the scientists.  Or perhaps this is an intelligence operation by a foreign power (which doesn’t eliminate the possibility of local involvement as well).

Or maybe this is burning down the Reichstag.  I mean dictators have been known to stage crimes to justify power grabs, especially when there are threats to their power.  You know, like the Nazis burning the Reichstag.  I mean you do have to wonder how it is we are being allowed to learn so much about Iran’s problems.

Oh, and if we are talking about a foreign power, the list is long on who might do this.  Yes, America and Israel are prime suspects.  But then so is every Arabic country, pretty much.  You think Saudi Arabia or Turkey wants to deal with a nuclear Iran?  Of course there are two big pieces of evidence is of so little value I am not even sure it qualifies as evidence.  You see, they have found references to the Old Testament and even Jewish history in the code, leading William Jacobson to rationally wonder if this evidence is so obvious that it might be a false flag.  At the time I was reminded of a scene in the “Pirates of the Caribbean: The Curse of the Black Pearl” when Jack Sparrow runs into two guards while trying to get a look at a ship.  One guard asks what his business is:

Jack: Well, then, I confess, it is my intention to commandeer one of these ships, pick up a crew in Tortuga, raid, pillage, plunder and otherwise pilfer my weasely black guts out!

Murtogg: I said no lies

Mullroy: I think he’s telling the truth

Murtogg: If he were telling the truth, he wouldn’t have told us

Jack : Unless, of course, he knew you wouldn’t believe the truth even if he told it to you.

So be appropriately skeptical, but who knows, really?  I mean if I was the hacker and I happened to be Jewish (I am not), maybe I would say, “President Amadanutjob will probably blame it on the Jooooos no matter what anyway, so frak it, I might as well make it obvious and taunt them.”  Or this could be a really obvious head fake.  Or a Christian with powerful sympathies toward Jews.  Really, who knows?

But we do have good reason to suspect that the hacker is not working alone, now.  Which should increase the psychological damage caused by this virus by tenfold.

For now, I am glad this scary computer virus/malware is doing its thing, really.  But of course if Stuxnet suddenly starts building Terminators, you know to run for your life and find John Connor.  Yes, even if the Termintor looks like this:

As Cracked once said, “Copying humanity’s schematics presents no discernible advantage on the battlefield….  Unless Skynet understands our biggest weakness is b__ers.”

[Posted and authored by Aaron Worthing.]


  1. Aaron, I’m surprised you’ve fallen for an old bit of Communist propaganda. The Nazis didn’t burn the Reichstag. Or at least the preponderance of the evidence is against it. The man who was arrested was very probably guilty, and he was connected to the Communists, though he may have been acting alone.

    Comment by Milhouse (ea66e3) — 11/29/2010 @ 2:36 pm

  2. Of course, a car bomb is a bit on the unsubtle side. You’d expect the Stuxnet folk to hack his car so it drove into a bridge abutment at extreme high speed or some such. Maybe they were hurried? Or the bombers got the wrong car?

    Comment by htom (412a17) — 11/29/2010 @ 2:52 pm

  3. Yes, America and Israel are prime suspects. But then so is every Arabic country, pretty much.

    I disagree.

    The countries in question have motive, but the idea that any of the Arab countries have the technical ability to pull off stuxnet is laughable.

    The US could do it. China could probably do it. Germany and Japan, most likely. Israel, possibly. India, possibly. Anyone else? Not believable.

    Comment by aphrael (e0cdc9) — 11/29/2010 @ 3:00 pm

  4. aphrael – are you serious ?

    In this day and age, the country doesn’t have to have the knowledge/technical ability … The country just has to have enough funds and incentives to persuade the skilled hacker(s) to write the code …

    Every oil-rich middle-eatern country has the funds to persuade the ones they need …

    Comment by Alasdair (e7cb73) — 11/29/2010 @ 3:15 pm

  5. Is it wrong of me to hope that this is a US secret ops program?

    Comment by JD (ab60db) — 11/29/2010 @ 3:16 pm

  6. Alasdair: aside from leaving Russia out, yeah, I’m serious.

    Stuxnet wasn’t the job of skilled hackers.

    Taking off my law student hat and my concerned citizen hat, and putting on my software engineer hat and my geek-with-friends-in-the-hacker-world hat: this doesn’t look or smell like a hacker job; it’s far too careful, elaborate, and formal for that. Hackers don’t create code like this.

    This is hard to get across, but … there’s a certain approach to coding which is common for hackers, a seat-of-the-pants see-what-works mentality which leads to very effective but relatively unstructured code. It’s very different from corporate code, and very different from the code produced by government agencies.

    From everything I’ve read about stuxnet, in just about every venue where it’s been analyzed by anyone with software expertise, it’s not hacker code.

    See, eg,, or, particularly:

    The code is sophisticated, incredibly large, required numerous experts in different fields, and mostly bug-free, which is rare for your average piece of malware. Stuxnet is clearly not average. We estimate the core team was five to ten people and they developed Stuxnet over six months. The development was in all likelihood highly organized and thus this estimate doesn’t include the quality assurance and management resources needed to organize the development as well as a probable host of other resources required, such as people to setup test systems to mirror the target environment and maintain the command and control server.

    Comment by aphrael (e0cdc9) — 11/29/2010 @ 3:24 pm

  7. That explanation IS so ‘holy $h-t’, and I have to wonder if it is part of the op. The Iranians are so paranoid and superstitious and irrational, how great would it be if they expended great amounts of resources trying to clean up a SUPERVIRUS that can jump from unconnected computer to unconnected computer and adapt like the Borg? It would be pretty great. I’m just sayin’…

    Of course, if it was a double-agent Pfc. who downloaded a thumbdrive to royally F over the Iranian government, that would be too unbelievable. That stuff only happens to the U.S.

    Comment by TimesDisliker (a997e5) — 11/29/2010 @ 3:27 pm

  8. JD: I think the betting money is all on the ‘US black op’ spot on the roulette table, myself.

    Comment by aphrael (e0cdc9) — 11/29/2010 @ 3:28 pm

  9. There’s probably a deep cover SF “A” team in Iran running this stuff.

    Comment by SGT Ted (5d10ae) — 11/29/2010 @ 3:35 pm

  10. aphrael – there are the ‘romanticised’ hackers with the ‘hacker culture’ and leet-speak caricature, and there are the Mozarts who compose their code as they go …

    If I was putting this sort of thing together, I would have the test boxes somewhere, and a small, discreet resort with all creature comforts somewhere, and I would invite the ‘Mozarts’ of coding to enjoy a significant challenge … and I would have regular rigorous computer folk involved in the process for QA and such …

    And if my funds/resources were sufficient, I’d have a second group in competition with the first group …

    Think about it … what better way to ‘sanitise’ hacker code than have non-hackers ‘port’ it into more standard less-idiosyncratic code …

    Then again, if it was Mossad, chances are it was home-written … they seem to have cornered the market on hyper-competence at pretty much anything they put their hands to, it would seem …

    Comment by Alasdair (e7cb73) — 11/29/2010 @ 3:43 pm

  11. The US could do it. China could probably do it. Germany and Japan, most likely. Israel, possibly. India, possibly. Anyone else? Not believable. There is one more that is believable: Russia. They are deep in bed with Iran, but the way Iran has been stiffing governments, it is possible that they did something to get on the wrong side of Putin. Both the cyber and bomb capabilities are well within Russian skills and demonstrated actions.

    Comment by docduke (10c150) — 11/29/2010 @ 3:51 pm

  12. The problem with using hackers is that they are pretty much a wild card bunch. It would be very difficult to maintain security during the operation and impossible after. Someone would brag.

    Comment by Huey (339a76) — 11/29/2010 @ 3:54 pm

  13. DocDuke: yeah, I agree. Leaving out Russia was a brainfart on my end.

    Comment by aphrael (e0cdc9) — 11/29/2010 @ 3:57 pm

  14. Alasdair – If you ever do anything like that, can I come watch, and just talk to some of them?

    Comment by JD (ab60db) — 11/29/2010 @ 4:02 pm

  15. The only hackers involved are so-called “white hats” (although the color might be something else, perhaps green?) Two Win 7 zero-day exploits? This implies that Stux-group has more. Microsoft’s either a party to the party, or their security has been penetrated very deeply by someone. My guess is the software equivalent of the Skunk Works, possibly funded by a multi-national organization. No more twenty people, in either two or three coding teams. More people out gathering intel than programmers (and all of those programmers are creative, thinking programmers, not coders coping other people’s code — unless it’s useful to do so, to disguise your style, perhaps.) Every callout (say to Jewish signifiers) is intentional.

    Comment by htom (412a17) — 11/29/2010 @ 4:03 pm

  16. The Russians have for some time been called the best code writers because they were using such crappy machines for so long. It would be a nice plot to give the mullahs the equipment, then make it unworkable. Then, of course, it’s time for the mullahs to pay the Russian mafia. “Nice little uranium enrichment process you’ve got there. It would be a shame if something happened to it after you’d spent $50 billion.”

    The car bomb fits well, too.

    Comment by Mike K (568408) — 11/29/2010 @ 4:35 pm

  17. Israelis.

    Comment by Torquemada (a8a9b2) — 11/29/2010 @ 4:38 pm

  18. Is it too far-fetched to think that an Iranian was complicit, willingly or otherwise?* It’s not like Iran is under attack, or this failure will make the country go under. But it might make Accchhhmadinijad’s regime go under…I’m just sayin’…

    *That’s the premise of “The Increment” by David Ignatius, a great recent espionage novel.

    Comment by TimesDisliker (a997e5) — 11/29/2010 @ 4:56 pm

  19. Can computer worms ride motorcycles?

    Comment by JAY (6bd75d) — 11/29/2010 @ 5:30 pm

  20. Try to think about this ongoing and largely inexplicable cyber attack from the perspective of the security services in this theocratic regime, an attack that for several months has literally been bleeding the heart out of that nation’s most important state-sponsored enterprise . . . the creation of a nuclear capacity.

    Prof. Majid Shahriari was in charge of “the team Iran established for combating the Stuxnet virus rampaging through its nuclear and military networks.”

    And he was failing.

    Just imagine the internal turmoil and finger pointing that must have been going on, especially within the ranks of those Iranian security services!

    Surly, everyone has been a suspect at one point or another, as they have desperately been trying to figure out who had so thoroughly tricked them and succeeded in utterly sabatoging this most important national project!

    They must have concuded it was an inside job.

    And, think for a moment about what kind of people these theocrats are!

    They think it is entirely appropriate to publicly stone a woman to death for the commission of adultery! Committing the innocuous offense of merely leaving their religion . . . apostacy . . . is punishable by death!

    This crime, however, was the highest of the high treasons. And because it is a theocratic regime, they no doubt saw it as an intentional crime against Islam itself.

    Secondly, I presume that the attackers of these two scientists were acting on full authority of the Iranian governing authority. It is impossible for me to believe that such a highly planned and coordinated attack could have take place without official sanction.

    I think they just concluded that these two scientists — one of whom was running the “investigation” — were actually somehow in collusion with the Great Satan, and so they were attacked.

    How could they conclude that? From the WaPo story:

    . . .
    “Shahriari also was known for his involvement in a regional, non-nuclear scientific research project – called Synchrotron-light for Experimental Science and Applications in the Middle East, or SESAME – in which Israel also participated. He is the second Iranian scientist involved in that program to be assassinated in Tehran.

    The SESAME project is based in Jordan, under the auspices of the United Nations. It includes scientists from several Middle Eastern countries. The involvement of both Iran and Israel makes the project unusual, because Israel is not recognized by Iran and has no ties to the Islamic Republic. Palestinian scientists also participate.”
    . . . .

    The idea that the United States or Israel, or that any other foreign power would have risked trying to pull these attacks off right in Tehran is just too much to believe. Why would they need to?

    I think what is really happening is that the governing Iranians are literally caught in a paranoid maelstrom, and are literally turning on one another, tearing themselves to shreds internally.

    Comment by Trochilus (f17e0a) — 11/29/2010 @ 6:28 pm

  21. Stuxnet is obviously a Fox Force Five operation.

    Comment by Jones (72b0ed) — 11/29/2010 @ 6:43 pm

  22. I’d say SD-6, no doubt.

    Comment by narciso (9d0688) — 11/29/2010 @ 7:09 pm

  23. If offered an even-money bet (with an omniscient and honest bettor) either way, I’d say the Iranians did it. If they believed that the two scientists were double agents, then the best thing to do was of course to kill them. Then they’ve got a choice: have the government kill them more or less openly, or just kill them and make it look like an attack against the government. The former scheme does have the advantage of scaring any remaining internal enemies, but it also might make the remaining scientists (and much of the Iranian public, and western liberals) hate the government. The latter scheme gets support and sympathy from all of the above.

    Comment by DWPittelli (2af301) — 11/29/2010 @ 7:14 pm

  24. DWPittelli — 11/29/2010 @ 7:14 pm

    That makes sense. The “latter scheme” sounds to me like a natural choice for the Iranians if they believed that the scientists had somehow turned.

    They would clearly want the advantage of being able to blame an outside enemy. And, they would not want to have to admit that two highly intelligent and widely respected scientists were so vehemently opposed to the government, let alone that they had committed such a “heinous crime” in acting on that opposition.

    Comment by Trochilus (b36a3e) — 11/29/2010 @ 8:40 pm

  25. JD #14 – that is, indeed, one of the problems with such a set-up … the temptation to simply converse with such intelligent folk …

    Of course, I do not have control of such funds in the foreseeable future, so, it remains a gedanken

    Comment by Alasdair (205079) — 11/29/2010 @ 9:31 pm

  26. “…and mostly bug-free…”

    Doesn’t that pretty much eliminate the MS coders?
    Especially when you consider that this bug had to navigate through a hostile environment – undetected – until it finally found a portal into the cave it was searching for?

    Comment by AD-RtR/OS! (402ca9) — 11/29/2010 @ 11:26 pm

  27. This is very obviously a state actor, not a bunch of hackers. It screams “system design” from top to bottom, and hackers are almost universally out to explore one idea at a time. This thing had signed device drivers from compromised certificates, zero day exploits, command and control servers registered in late 2008/early 2009, peer-to-peer updates from other hosts on the network if a more recent version was out in the wild, the whole nine yards.

    Some clever suits who were former t-shirts were behind this one.

    Comment by Ernst Blofeld (31fe5b) — 11/30/2010 @ 12:12 am

  28. Good catch, nothing on Drudge, Iranians must really be pissed, jester in WH and still their forest of centrifuges is petrified.

    Comment by gary gulrud (790d43) — 11/30/2010 @ 3:26 am

  29. DEBKA can be great fun to read, but always have a block of salt handy. DEBKA is thought by some to be a Israeli Intelligence propaganda operation itself.

    Comment by SPQR (26be8b) — 11/30/2010 @ 7:12 am

  30. It’s Mossad, their fingerprints are all over this one, from the virus to the killings. Remember this is the same outfit that warned the US citizen who insisted on building his enormous “gun” that was going to be used to lob huge shells into Israel to either stop his actions immediately or face elimination. You can guess the outcome. They rarely leave a trace of their comings and goings, and almost always finish the job, no matter the cost. My wife asked me a few weeks ago what Entebbe was all about, and we had a good discussion of what the Israelis were capable of and how efficient they were at taking action against their enemies – and also gave the finger to anyone else who disappoved. This administration is so feckless that it seems that either Israel does something about Iran or face their own annihilation.

    Comment by Dmac (498ece) — 11/30/2010 @ 7:53 am

  31. So if you believe DEBKA (offered without comment):

    The attacks occurred at 7.45 a.m. Iranian time, less than 12 hours after the WikiLeaks organization uncovered US diplomatic cables attesting to a proposal by Mossad director Meir Dagan to overthrow the Islamic regime as one of the ways of terminating its nuclear program. He proposed enlisting oppressed Iranian minority groups for the task, like the Baluchis and their liberation movement, Jundallah.

    Comment by Dmac (498ece) — 11/30/2010 @ 8:13 am

  32. “My wife asked me a few weeks ago what Entebbe was all about, and we had a good discussion of what the Israelis were capable of and how efficient they were at taking action against their enemies – and also gave the finger to anyone else who disappoved.”

    Not always. Take a look at, for example, the 1982 war in lebanon.

    Comment by imdw (7b0243) — 11/30/2010 @ 8:31 am

  33. Incorrect – they pulled out of Lebanon once they realized that killing Arafat would have only made him a martyr to the cause, which is exactly why they refrained from eliminating him in future years.

    Comment by Dmac (498ece) — 11/30/2010 @ 10:19 am

  34. From what has been offered so far it seems the possibile plot twists could make a “24″ season look straight-forward.

    From my very limited perspective, developing an extremely advanced cyber attack sounds like potentially the work of a “relatively few” brilliant people who by association have significant technical resources at their disposal. I mean, we’re not talking “Manhatten Project” where manpower is needed on a large scale to build nuclear reactors, purify rare and dangerous elements, test bombs that are obvious for over a hundred miles, etc., correct? There has to be money, but again, money supporting a dozen brilliant computer engineers is not like massive facilities, etc.

    So, other than Dmac’s good points about Mossad having the motive and capability to do this, it seems to me many different private and national entities could be behind this from all kinds of political and personal grudge angles, true?

    I will say this does sound a bit like 9/11 in the following sense: something that most people were not even considering suddenly shows up “out of the blue” and changes the entire paradigm. We have all been wondering if, who, and when will somebody act to prevent Iran getting a bomb by some kind of military attack on their facilities, and instead it is the quiet misdirection of billions of electrons undermining the whole operation.

    The second thing that comes to mind is I hope they are not our enemies too.

    Comment by MD in Philly (cac12c) — 11/30/2010 @ 10:53 am

  35. You have to wonder about even the information that comes out about something like this. This is clearly a huge embarrasment for Iran if true. If such was attempted but intercepted and not working Iran would not want people to know that either.

    So, is the story true? Did they really find something but in fact contained it and are doing disinformation? Is this part of the plot for a “24″ movie?

    Comment by MD in Philly (cac12c) — 11/30/2010 @ 10:57 am

  36. I still suspect China is behind much of the activity against Iran.

    Just as Russia is behind much of the activity creating the impossible problems in Iran.

    China doesn’t want a war there. They don’t want Israel and the USA to invade or bomb facilities or change regimes. Russia could gain influence over resources and pipelines routes if that occurred.

    China’s experienced with computer hacking and it is willing to take these kinds of steps (And the USA is not).

    MD’s point that we don’t really have reliable information about what’s going on is good to keep in mind.

    It’s interesting that this region’s resource richness is such a curse.

    Comment by Dustin (b54cdc) — 11/30/2010 @ 11:11 am

  37. I am inclined to think that everything we can learn from the code itself is … deceptive. Scary to think of blowing two Win7 zero day exploits to cover what you really did, but needs must when the devil drives.

    Comment by htom (412a17) — 11/30/2010 @ 12:02 pm

  38. Think “Murder on the Orient Express.”

    ALL OF

    Comment by Render (2912d6) — 11/30/2010 @ 11:40 pm

  39. Hey Iranians: Stux to be you!

    Comment by George (d57b1d) — 12/1/2010 @ 8:15 am

  40. The part that impresses me is how the virus jumps from unconnected computer to unconnected computer. Is it possible the virus is spread by sandflea?

    Comment by TimesDisliker (086961) — 12/1/2010 @ 9:43 am

  41. 33.Incorrect – they pulled out of Lebanon once they realized that killing Arafat would have only made him a martyr to the cause, which is exactly why they refrained from eliminating him in future years. Comment by Dmac — 11/30/2010 @ 10:19 am

    Correct, that strategy was excellent, it turns out. Better to let Arafat die of AIDS with a legacy of pederasty. Ironically it makes him lesser in the eyes of his people, but greater in the eyes of the Western Left.

    Comment by TimesDisliker (086961) — 12/1/2010 @ 9:49 am

  42. I’ve desired to write something similar to this on my webpage and this has given me an idea. Cheers.

    Comment by metodo de gabriel (6cf9be) — 5/24/2011 @ 7:35 pm

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress.

Page loaded in: 0.3242 secs.