LONDON (Reuters) – A computer virus that attacks a widely used industrial system appears aimed mostly at Iran and its sophistication suggests a state may have been involved in creating it, Western cyber security companies said on Friday.
Kevin Hogan, Senior Director of Security Response at Symantec, told Reuters 60 percent of the computers worldwide infected by the so-called Stuxnet worm were in Iran, indicating industrial plants in that country were the target.
European digital security company Kaspersky Labs said the attack could only be conducted "with nation-state support."
"Stuxnet is a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world," it said in a statement about the virus which attacks Siemens AG's widely used industrial control systems.
The companies' remarks are the latest in a series of specialist comment stirring speculation that Iran's first nuclear power station, at Bushehr, may have been targeted in a state-backed attempt at sabotage or espionage.
"It's pretty clear that based on the infection behavior that installations in Iran are being targeted," Hogan said of the virus.
"The numbers (of infections in Iran) are off the charts," he said, adding Symantec had located the IP addresses of the computers infected and traced the geographic spread of the malicious code.
At a cyber watch center run by the U.S. Department of Homeland Security outside Washington, a U.S. government official declined to be drawn out on reports that Bushehr was the main target.
"It's very hard to understand what the code was developed for," Sean McGurk, who runs the National Cybersecurity and Communications Integration Center, told reporters. He said it was capable of taking over physical systems when a certain combination of Siemens software and hardware are present.
"We're not looking right now to try to attribute where it came from," McGurk said. "What we're focusing on is how to mitigate and prevent the spread."
He displayed a blue rubber-clad swivel-style USB thumb drive that he said contained the malicious code. "Once it's in the operating system it no longer requires this to move around," he said. "It looks for a particular combination of a software code, or an application, and a hardware platform.
"If it finds it, then it starts manipulating some of the settings" of devices known as programmable logic controllers. Such devices are used, for instance, to move robot arms that build cars, open elevator doors and control HVAC systems.
McGurk said Siemens systems were used by companies doing everything from pharmaceutical and chemical manufacturing to water purification and power.
Diplomats and security sources say Western governments and Israel view sabotage as one way of slowing Iran's nuclear program, which the West suspects is aimed at making nuclear weapons but Tehran insists is for peaceful energy purposes.
Hogan said the virus' targets could be a major complex such as an oil refinery, a sewage plant, a factory or water works.
"We cannot rule out the possibility (of a state being behind it). Largely based on the resources, organization and in-depth knowledge across several fields ... it would have to be a state or a non-state actor with access to those kinds of (state) systems."
Siemens was involved in the original design of the Bushehr reactor in the 1970s, when West Germany and France agreed to build the nuclear power station for the former Shah of Iran before he was overthrown by the 1979 Islamic revolution.
Siemens, the world's number one maker of industrial automation control systems, says it has not supplied Iran with any industrial control systems usable for nuclear facilities.
However, experts say such industrial control systems can be bought on the open market.
Western countries have been critical of Russia's involvement in completing the long-mothballed Bushehr plant. Moscow says it is purely civilian and cannot be used for any weapons program.
Israel, which is assumed to have the Middle East's only atomic arsenal, has hinted it could attack Iranian facilities if international diplomacy fails to curb Tehran's nuclear designs.
Israel has also developed a powerful cyberwar capacity. Major-General Amos Yadlin, chief of military intelligence, last year said Israeli armed forces had the means to provide network security and launch cyber attacks of their own.
Construction of two pressurized water nuclear reactors at Bushehr began in 1974 with the help of Siemens and French scientists. The plant started up finally last month after Iran received nuclear fuel for Bushehr from Russia.
Stuxnet is a "Trojan worm" -- malicious computer software, or malware, that disguises itself as a safe application -- which spreads from USB "thumb drive" memory devices, exploiting a vulnerability in Microsoft Corp's Windows operating system that has since been resolved.
The malware attacks software programs that run Supervisory Control and Data Acquisition, or SCADA, systems. Such systems are used to monitor automated plants -- from food and chemical facilities to power generators.
Siemens, Microsoft and security experts who have studied the worm have yet to determine who created it.
In Washington, Vice Admiral Bernard McCullough, the head of the U.S. Navy's Fleet Cyber Command, told Reuters on Thursday after testifying about cyber operations before a House of Representatives Armed Services subcommittee, that the worm "has some capabilities we haven't seen before."
In a blog posting last week, German cyber expert Ralph Langner said Bushehr may have been the target, with the attack exploiting the plant's used of unlicensed Windows software.
"This is sabotage. ... The attack involves heavy insider knowledge," he said. "It seems that the resources needed to stage this attack point to a nation state."
Fred Burton, a former U.S. counterterrorism agent and vice president of risk consultancy Stratfor, said he suspects covert action on the part of a nation state intelligence service in an effort to disrupt Iranian military or nuclear efforts.
"Disinformation causes disruption and internal witchhunts lacing the seed of doubt as to who could have done this. The internal Security blowback will cause chaos. Brilliant if true."
(Additional reporting by Jens Hack in Munich, Jim Wolf in Washington and Peter Apps in London)
(Editing by Paul Taylor, Peter Graff and Todd Eastham)