The Stuxnet malware was not only built to attack Iran’s nuclear program; its assault was also aided by the Conficker worm of 2008, a respected U.S. security researcher has claimed.
According to a Reuters report, John Bumgarner of the independent US Cyber Consequences Unit (US-CCU) has researched a number of connections between the two pieces of malware, concluding that they were part of the same anti-Iran program. Bumgarner believes from analysing Conficker that its activation date – April Fool’s Day 2009 – was chosen because it was the 30th anniversary of Iran being declared an Islamic Republic. In addition, he discovered that the compilation dates for other modules included two days on which Iranian President Mahmoud Ahmadinejad made speeches significant for the country’s nuclear program.
Conficker’s job, then, was to attack Iranian Government computers in advance, probing for weaknesses and compromising machines for the more disruptive payload unleashed by Stuxnet 18 months later.
“Conficker was a door kicker. It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet,” he told Reuters.
With its pointed use of significant dates, Conficker also served as a veiled message to Iran’s leadership from (although Bumgarner does not state this himself) Israel and the U.S.
Without further evidence, Bumgarner’s theory is highly speculative and will remain nothing more than an informed opinion until such evidence is provided. Bumgarner is, however, a respected security expert and former intelligence officer, and so his views will add to the growing pile of theories on the origins of Stuxnet and Conficker.
Conficker was first detected in November 2009, infecting large numbers of PCs; a year after its discovery this had reached at least 7 million, according to the Shadowserver Foundation, although that included subsequent variants adopted by criminals. It has always been seen as being part of a conventional criminal campaign.
It did have one unusual element which might or might not chime with Bumgarner’s theory, depending on how it is interpreted – the malware was set to activate in botnet form on a specific day, 1 April 2009, some time after first being released.
As organizations raced to remove it in advance of this date, the success of the malware started to become apparent, with infections found in the French and UK militaries and in at least one British police force. It is believed to have infected machines in Iran just as easily, although how many is impossible to confirm.
Because Conficker exploited a Windows software flaw, Microsoft offered a $250,000 bounty for information leading to the arrest of its creators. This went unclaimed.
The delayed activation of Conficker looks like an odd tactic for an important piece of malware meant to pave the way for a later attack, Stuxnet. By the time the activation date arrived, competent security teams had removed it, neutralizing its threat.
Bumgarner’s theory seems to be that it had already done its work by then and the 1 April date was deployed as a sort of cyberwar feint.
Connected or not, Stuxnet appeared in June 2010 and is now known to have been hugely successful at invading the industrial control systems used by Iran in its uranium enrichment program.
In recent weeks, a third piece of sophisticated malware, Duqu, has been connected to Stuxnet by some security companies, again on the basis of fairly circumstantial evidence. Iran has admitted being affected by Duqu, although the same is also true of many organizations around the world.