Stuxnet: Are Israel and Iran waging cyber war?


Iran has arrested ‘spies’ after its nuclear facilities were targeted by a computer worm

BY David Cairns LAST UPDATED AT 14:50 ON Mon 4 Oct 2010

Iran has arrested several "nuclear spies" after its nuclear facilities were targeted with a virulent computer worm by foreign intelligence agencies, says intelligence minister, Heidar Moslehi.

Moslehi claimed that the Stuxnet worm had been designed "to undermine Iran's nuclear activities" but said it had been "thwarted" without causing any damage to the country's fledgling nuclear programme.

Is Stuxnet a battle in the first real cyber-war, or is Iran just paranoid?

What is Stuxnet?
Stuxnet, named by computer experts for two keywords found in its code, is one of the most sophisticated worms ever created – and the first which targets the computers used to control power plant systems. It is thought to have been created between June 2009 and February 2010, but remained undetected until June 2010. It was revealed last week that Stuxnet had infected Iran's nascent Bushehr nuclear plant, the country's first such facility. It is thought to have made its way there via the laptops of Russian contractors.

Is Stuxnet a virus?
No – a computer worm is not a virus. Viruses are parasitic: they attach themselves to an existing piece of software, and are designed to alter files on an infected computer – usually maliciously. Worms exist in their own right, reproducing themselves and travelling via the internet. They often do not alter files on an infected computer; and they can be designed to give remote control of systems to their programmer. Both worms and viruses are classed as 'malware' – malicious software.

What does Stuxnet do?
The worm spreads itself initially through infected USB sticks. Once inside a network, it can spread between computers without the need of a physical carrier. It then looks for - and attacks - software made by Siemens which is used to control and monitor industrial processes. It can then reprogram these systems and disguise the changes it has made. The Siemens systems control the actual physical movement of industrial components: so Stuxnet could be used to cause a nuclear facility to malfunction.

Why does Iran feel it has been targeted?
While Stuxnet has been detected in many countries, researchers at security software giant Symantec say that, in July this year, 60 per cent of all infections were on Iranian computers. Around 60,000 systems in Iran are thought to be carrying the worm. While Iran's intelligence minister said yesterday that Stuxnet had not affected his country's nuclear programme, other observers are not so sure: it has been noted that the plant's launch date has been put back several months to early 2011. Coded references to biblical events in the software also hint at its origins and target.

Why do analysts suspect a government is behind the worm?
Most worms are aimed at creating financial reward, or causing maximum damage. But Stuxnet has no monetisation and is very specifically targeted. Because of its sheer complexity, innovation and virulence, many malware experts are sure the worm must have been created with the support of a government. Stuxnet has been called "groundbreaking", "amazing" and "the best malware ever". One analyst told Wired magazine the worm must have taken many man-months or even years to write, and must be the product of a huge team with tremendous resources.

Stuxnet contains four 'zero-day' attacks on Windows – which means it exploits four different vulnerabilities in the Windows operating system, all of which were previously unknown to Microsoft. Zero-day vulnerabilities are few and far between: as soon as Microsoft finds out about such a hole, they start to plug it. 

So it would be unheard of for ordinary hackers to use more than one such vulnerability in one piece of software – let alone four. Further, Stuxnet must have been tested out on Siemens's highly-specialised software before it was launched. All these factors suggest organisation beyond the means of casual cyber-vandals.

Why has suspicion fallen on Israel?
Israel is an obvious suspect for a cyber-attack on Iran, but there are more concrete reasons to suspect its involvement. Stuxnet contains the word "guava" and the number "19790509". The guava plant is a member of the myrtle family, and the Hebrew word for myrtle – Hadassah – was the original name of Old Testament queen Esther. Esther saved the Jews in Persia, now Iran, from a plot to massacre them. The number may be a reference to the date May 9, 1979, on which a Persian Jew was executed in Iran.

Is this really the first cyber war?
The first computer 'virus' predates the internet, striking the US military's Arpanet in the early 1970s. In 1988, the first worm – the Morris worm – disrupted around 10 per cent of computers on the internet. But experts are sure Stuxnet is a government-backed attack directed specifically at another country – the first open-and-shut example of that happening. One European security software firm called Stuxnet a "working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race".