Stuxnet... Someone kicked Iran's Ass...
  • #31
    Well no, it's not. This is why as stated, I try to keep it simple. But some of these situations just aren't analogous to common things that others might be able to connect with. If you know anything about the subject at all, you'll know that.



    • #32
      Maybe they should show the world they have no fear and recreate the event with a new set of experts
      Don't worry about what you can't change.
      Do the best you can with what you have.
      Be honest, even if it hurts.

      "Socialism is a philosophy of failure, the creed of ignorance, and the gospel of envy; Its inherent virtue is the equal sharing of misery" ... Winston Churchill



      • #33
        Originally posted by exlude
        A bug is not a computer getting confused...
        He sure told you!
        Originally posted by BradM
        But, just like condoms and women's rights, I don't believe in them.
        Originally posted by Leah
        In other news: Brent's meat melts in your mouth.



        • #34
          Hey Justin twitle the pumpkins in your dad's bird baths on each side of the front door are a nice Autumn touch.
          The only difference between a tax man and a taxidermist is that the taxidermist leaves the skin. -- Mark Twain



          • #35
            Still harpin on this whole justin thing I see? Well I'm sure there is a real justin around here somewhere... lol maybe he'll reply to you thinking you're talking to him



            • #36
              Originally posted by StanleyJustinTaliwhacker95
              Well no, it's not. This is why as stated, I try to keep it simple. But some of these situations just aren't analogous to common things that others might be able to connect with. If you know anything about the subject at all, you'll know that.
              You're the only idiot here that thinks "getting its instructions confused" is more easily understood than "computer bug."
              Originally posted by Broncojohnny
              HOORAY ME and FUCK YOU!



              • #37
                Yeah I can read minds man, my bad. I totally forgot that I was psychic. I'll try not to let it happen again.



                • #38
                  Remember the Conficker worm from a few years ago that everyone was freaking out about?



                  Did Conficker PC worm help sabotage Iran's nuke program?
                  The worm served as a 'door kicker' for the Stuxnet virus



                  updated 12/2/2011

                  A cyber warfare expert claims he has linked the Stuxnet computer virus that attacked Iran's nuclear program in 2010 to Conficker, a mysterious "worm" that surfaced in late 2008 and infected millions of PCs.

                  Conficker was used to open back doors into computers in Iran, then infect them with Stuxnet, according to research from John Bumgarner, a retired U.S. Army special-operations veteran and former intelligence officer.

                  "Conficker was a door kicker," said Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a non-profit group that studies the impact of cyber threats. "It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet."

                  While it is widely believed that the United States and Israel were behind Stuxnet, Bumgarner wouldn't comment on whether he believes the Americans and Israelis also unleashed Conficker, one of the most virulent pieces of so-called malware ever detected. He wouldn't name the attackers he believes were behind the two programs, saying the matter was too sensitive to discuss.

                  The White House and the FBI declined to comment.

                  Prime Minister Benjamin Netanyahu's office, which oversees Israel's intelligence agencies, also declined comment.

                  If Bumgarner's findings, which couldn't immediately be independently confirmed, are correct then it shows that the United States and Israel may have a far more sophisticated cyber-warfare program than previously thought. It could also be a warning to countries other than Iran that they might be vulnerable to attacks.

                  His account leaves unresolved several mysteries. These include the severity of the damage that the program inflicted on Iran's uranium enrichment facility, whether other facilities in Iran were targeted and the possibility that there were other as yet unidentified pieces of malware used in the same program.

                  The analysis may be met with skepticism in some quarters because dozens of researchers teamed up in 2009 and spent months studying Conficker, yet nobody concluded that the worm was used to attack Iran. Still, the bulk of that work was concluded long before Stuxnet was even discovered.

                  Bumgarner — who wrote a highly praised analysis of Russia's 2008 cyber assault on Republic of Georgia — says he identified Conficker's link to Stuxnet only after spending more than a year researching the attack on Iran and dissecting hundreds of samples of malicious code.

                  He is well regarded by some in the security community. "He is a smart man," said Tom Kellermann, an advisor to the Obama Administration on cyber security policy and the chief technology officer of a company called AirPatrol.

                  His analysis challenges a common belief that Conficker was built by an Eastern European criminal gang to engage in financial fraud.

                  The worm's latent state had been a mystery for some time. It appears never to have been activated in the computers it infected, and security experts have speculated that the program was abandoned by those who created it because they feared getting caught after Conficker was subjected to intense media scrutiny.

                  If confirmed, Bumgarner's work could deepen understanding of how Stuxnet's commanders ran the cyber operation that last year sabotaged an underground facility at Natanz, where Iranian scientists are enriching uranium using thousands of gas centrifuges.

                  He provided Reuters with his timeline of the attack, which indicates it began earlier than previously thought. He said that it was planned using data stolen with early versions of Duqu, a data stealing tool that experts recently discovered and are still trying to understand. The operation ended earlier-than-planned after the attackers got caught because they were moving too quickly and sloppiness led to errors.

                  Who did it?
                  The view that Stuxnet was built by the United States and Israel was laid out in a January 2011 New York Times report that said it came from a joint program begun around 2004 to undermine Iran's efforts to build a bomb. That article said the program was originally authorized by U.S. President George W. Bush, and then accelerated by his successor, Barack Obama.

                  The first reports that the United States and Israel were behind Stuxnet were greeted skeptically. There are still a handful of prominent cyber security experts, including Jeffrey Carr, the author of the book "Inside Cyber Warfare: Mapping the Cyber Underworld," who dispute the U.S.-Israel idea. He says that circumstantial evidence paints a convincing case that China was behind Stuxnet.

                  According to Bumgarner's account, Stuxnet's operators started doing reconnaissance in 2007, using Duqu, which spied on makers of components used in Iran's nuclear and critical infrastructure facilities.

                  In November 2008, Conficker was let loose and it quickly spread, attacking millions of PCs around the world. Its initial task was to infect a machine and "phone home" with its location. If it was at a strategic facility in Iran, the attackers tagged that PC as a target. The release left millions of untagged machines infected with Conficker around the world, but no damage was done to them.

                  In March 2009, Bumgarner says, the attackers released a new, more powerful version of Conficker that started the next phase of the attack on April 1 by downloading Stuxnet onto the targeted PCs. After it completed that task, Conficker's mission on those machines was complete.

                  Cracking the case
                  It took Bumgarner months to conclude that Conficker was created by the authors of Stuxnet.

                  First, he noticed that the two pieces of malware were both written with unprecedented sophistication, which caused him to suspect they were related. He also found that infection rates for both were far higher in Iran than the United States and that both spread by exploiting the same vulnerability in Windows.

                  He did more digging, comparing date and time stamps on different versions of Conficker and Stuxnet, and found a correlation — key dates related to their development and deployment overlapped. That helped him identify April Fool's Day, April 1, 2009, as the launch date for the attack.

                  Bumgarner believes the attackers picked that date to send a message to Iran's leaders. It marked the 30th anniversary of the declaration of an Islamic republic by Ayatollah Khomeini after a national referendum.

                  He also identified two other signals hidden in the Stuxnet code, based on the dates when key modules were compiled, or translated from programming text into a piece of software that could run on a computer.

                  One coincided with a day when Iranian President Mahmoud Ahmadinejad said his nation would pursue its nuclear program despite international objections, and another with the day that he made a highly controversial appearance at Columbia University in New York.



                  • #39
                    Continued:

                    Futbol fans
                    The operators communicated with Stuxnet-infected computers over the Internet through servers using fake soccer websites that they built as a front for their operation: www.mypremierfutbol.com and www.todaysfutbol.com.

                    If Iranian authorities noticed that traffic, they would be deceived into assuming it was from soccer fans, rather than suspect that something was awry, Bumgarner said.

                    Once Conficker had pulled Stuxnet into computers in Iran there was still one big hurdle, he said. Those infected computers weren't yet in the target - the underground uranium enrichment facility at Natanz.

                    Getting the virus in there was one of the trickiest parts of the operation.

                    Computers controlling the rapidly rotating gas centrifuges were cut off from the Internet. The best way to attack was to put the malware on a device like a USB thumb drive, and then get somebody to connect that drive to the system controlling the centrifuges.

                    Stuxnet was programmed to automatically jump from an infected PC to a USB drive as soon as it was put into a computer. That was the easy part. Getting somebody to be a human "mule" by bringing that USB drive to Natanz and plugging it into the right machine was a logistical nightmare.

                    It was impossible to predict when somebody with an infected USB drive would visit the plant. It could take a week or it might be six months.

                    "It's a painstakingly slow game of chess," said Bumgarner. "They had to keep making moves and countermoves until they reached the centrifuges. Then it was checkmate."

                    That was probably delivered by somebody who regularly visited the facility and had reason to share information electronically - an academic affiliated with an engineering program at one of Iran's universities or a worker at a company that provided technology to the facility, according to Bumgarner. He or she was almost certainly unaware of what was happening, he said.

                    Bumgarner is not sure when Stuxnet first hit Natanz, but suspects that early versions only did limited damage. He believes the attackers grew impatient with the pace at which it was damaging the facility and as a result they performed the cyber equivalent of injecting steroids into Stuxnet, adding modules to make it spread faster and inflict more damage. They deployed an enhanced version in January 2010, and two months later an even more powerful one.

                    Bumgarner believes the juiced-up malware was effective in damaging the centrifuges. But just as steroids have side effects on humans, so the additional modules had a negative impact on the malware: They started causing infected machines to act abnormally.

                    A then-obscure security firm known as VirusBlokAda in Belarus reported that it discovered Stuxnet after a piece of the souped-up virus made a computer in Iran behave erratically. International investigations followed, which eventually uncovered the attacks on Natanz.

                    "It blew their operation wide open," says Bumgarner.

                    Yet its creators may still have other irons in the fire, thanks to Conficker, which lies dormant in millions of PCs around the globe in strategic locations such as Iran, China, Russia, India and Pakistan.

                    "Conficker represents the largest cyber army in the world," Bumgarner said. "These soldiers are just waiting for their next mission."



                    • #40
                      Crazy read.



                      • #41
                        Nerds rule!
                        Originally posted by Broncojohnny
                        HOORAY ME and FUCK YOU!



                        • #42
                          fucking baller ass shit





                          also, for those who want to play hacker.

                          This simulator makes it look like you're actually coding like a real pro. Just start typing, we'll take care of the rest ;)


                          alt x3 = denied
                          caps x3 = granted



                          • #43
                            Originally posted by roliath
                            fucking baller ass shit





                            also, for those who want to play hacker.

                            This simulator makes it look like you're actually coding like a real pro. Just start typing, we'll take care of the rest ;)


                            alt x3 = denied
                            caps x3 = granted
                            wtf is that? I gave up when I saw the goto statement.
                            Originally posted by Broncojohnny
                            HOORAY ME and FUCK YOU!



                            • #44
                              Originally posted by Nash B.
                              wtf is that? I gave up when I saw the goto statement.
                              just spam your keyboard



                              • #45
                                Ready for more?


                                How about confirmation that the US was behind this?



                                This is a NYTimes article adapted from a book that came out last Tuesday.

                                Basically Bush started the cyberwarfare stuff against Iran then Obama ordered it sped up. Then they lost control of part of it.

                                Even after the Stuxnet computer worm became public, President Obama accelerated cyberattacks against Iran that had begun in the Bush administration, temporarily disabling 1,000 centrifuges.



                                Obama Order Sped Up Wave of Cyberattacks Against Iran

                                By DAVID E. SANGER


                                WASHINGTON — From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

                                Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

                                At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.

                                “Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.

                                Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

                                This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.

                                These officials gave differing assessments of how successful the sabotage program was in slowing Iran’s progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

                                Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003, though there is evidence that some remnants of it continue.

                                Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it. Last year, the nation announced that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said that the Iranian military was prepared “to fight our enemies” in “cyberspace and Internet warfare.” But there has been scant evidence that it has begun to strike back.

                                The United States government only recently acknowledged developing cyberweapons, and it has never admitted using them. There have been reports of one-time attacks against personal computers used by members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems, including during the NATO-led air attack on Libya last year. But Olympic Games was of an entirely different type and sophistication.

                                It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of the many groups that have dissected the code, said at a symposium at Stanford University in April. Those forensic investigations into the inner workings of the code, while picking apart how it worked, came to no conclusions about who was responsible.

                                A similar process is now under way to figure out the origins of another cyberweapon called Flame that was recently discovered to have attacked the computers of Iranian officials, sweeping up information from those machines. But the computer code appears to be at least five years old, and American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack.

                                Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.

                                “We discussed the irony, more than once,” one of his aides said. Another said that the administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering.” Yet Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.

                                If Olympic Games failed, he told aides, there would be no time for sanctions and diplomacy with Iran to work. Israel could carry out a conventional military attack, prompting a conflict that could spread throughout the region.

                                A Bush Initiative

                                The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran. At the time, America’s European allies were divided about the cost that imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing another nation’s nuclear ambitions. The Iranians seemed to sense his vulnerability, and, frustrated by negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence had been exposed just three years before.

                                Iran’s president, Mahmoud Ahmadinejad, took reporters on a tour of the plant and described grand ambitions to install upward of 50,000 centrifuges. For a country with only one nuclear power reactor — whose fuel comes from Russia — to say that it needed fuel for its civilian nuclear program seemed dubious to Bush administration officials. They feared that the fuel could be used in another way besides providing power: to create a stockpile that could later be enriched to bomb-grade material if the Iranians made a political decision to do so.

                                Hawks in the Bush administration like Vice President Dick Cheney urged Mr. Bush to consider a military strike against the Iranian nuclear facilities before they could produce fuel suitable for a weapon. Several times, the administration reviewed military options and concluded that they would only further inflame a region already at war, and would have uncertain results.

                                For years the C.I.A. had introduced faulty parts and designs into Iran’s systems — even tinkering with imported power supplies so that they would blow up — but the sabotage had had relatively little effect. General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America’s nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more sophisticated cyberweapon than the United States had designed before.

                                The goal was to gain access to the Natanz plant’s industrial computer controls. That required leaping the electronic moat that cut the Natanz plant off from the Internet — called the air gap, because it physically separates the facility from the outside world. The computer code would invade the specialized computers that command the centrifuges.

                                That's only half the article. There's more about how it worked, help from Israel, etc.

                                Cool shit.
