
SAN FRANCISCO — As in real warfare, even the most carefully aimed weapon in cyberwarfare leaves collateral damage.

The Stuxnet worm was no different.

The fast-spreading malicious computer program — which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear program — was a specifically aimed attack that ended up scattering randomly around the globe.


Computer-security specialists who have examined it say the malware was created by a government and is an example of clandestine cyberwarfare. While there have been suspicions of other government uses of computer worms and viruses in cyberwarfare, Stuxnet — its name was derived from some of the file names/strings in its code — is the first to go after industrial systems. Unlike those other attacks, this bit of malware did not stay invisible.

The program splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment. Computer-security specialists also are puzzled by why it was created to spread so widely.

In plain terms, the worm was able to burrow into some operating systems that included software designed by Siemens AG, by exploiting a vulnerability in several versions of Microsoft Windows.

Unlike a virus, which is created to attack computer code, a worm is designed to take over systems, such as those that open doors or turn physical processes on or off.

The malicious Stuxnet code was designed to go after several “high-value targets,” said Liam O Murchu, manager of security response operations at Symantec. The malware has infected as many as 45,000 systems worldwide. Siemens said it has infected 15 of the industrial control plants it apparently was intended to infiltrate.

It’s not clear what sites were infected, but they could include water filtration, oil-delivery, electrical and nuclear plants.

While it is not clear that Iran was the main target — the infection also has been reported in Indonesia, Pakistan, India and elsewhere — a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer-security monitors.

Global alarm over the computer worm has come many months after the program is suspected of stealthily entering an Iranian nuclear enrichment plant, perhaps carried on a USB memory drive containing the malware.

Computer-security specialists have speculated that once inside the factory and its software that controls equipment, the worm reprogrammed centrifuges made by Siemens to fail in a way that would be virtually undetectable. Whether the program achieved its goal is not known, although Iran has reported trouble with centrifuges at its main uranium-enrichment facility in Natanz.

The Wikileaks website reported in mid-July that it had learned there had been a serious nuclear accident at the plant. But international nuclear inspectors say no evidence of one exists.

The timing is intriguing because a time stamp found in the Stuxnet program says it was created in January, suggesting any digital attack took place long before it was identified and began to attract global attention.

The head of the Bushehr nuclear plant in Iran said Sunday that the worm had affected only the personal computers of staff members, Reuters reported.

One of the pieces of the Stuxnet puzzle is why its creators let the software spread widely, giving up many of its secrets in the process.

One possibility: They simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise.

Given the sophistication of the worm and its aim at specific industrial systems, many experts believe it most probably is the work of a state, rather than independent hackers. The worm can attack computers that are kept disconnected from the Internet, usually to protect them; in those cases, it gets in when an infected USB drive is plugged into a computer. The worm spreads itself within a computer network, and possibly to other networks.

Iranians have reason to suspect they are high on the target list: In the past, they have found evidence of sabotage of imported equipment, notably power supplies to run the centrifuges used to enrich uranium at Natanz. The New York Times reported in 2009 that President George W. Bush had authorized new efforts, including experimental ones, to undermine electrical systems, computer systems and other networks that serve Iran’s nuclear program, according to current and former U.S. officials.

The program is among the most secret in the U.S. government, and it has been accelerated since President Obama took office, according to some U.S. officials.

James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington and one of the country’s leading experts on cyberwar intelligence, said the United States is “one of four or five places that could have done it — the Israelis, the British and the Americans are the prime suspects, then the French and Germans, and you can’t rule out the Russians and the Chinese.”

The fact that the worm is aimed at Siemens equipment is telling: The company’s control systems are used around the world but have been spotted in many Iranian facilities, say officials and experts who have toured them.

At the Homeland Security Department’s National Cybersecurity & Communications Integration Center, a top U.S. cyberofficial on Friday displayed a portable flash drive containing the Stuxnet code and said officials have been studying it in the lab.

Experts at the Energy Department’s Idaho National Laboratory also have been analyzing it.

Experts in Germany discovered the worm, and German officials transmitted the malware to the United States through a secure network. The two computer servers controlling the malware were in Malaysia and Denmark, O Murchu said, but both were shut down after they were discovered by computer-security experts last summer.
