Did Stuxnet strike Iran again?

“A power plant and other industries in southern Iran have been targeted by the Stuxnet computer worm,” reported the BBC on December 25th. “Accounts of the attacks in the official press did not specify who was responsible, when they were carried out or how they were thwarted. But they strongly suggested that the attacks had originated in the United States and Israel, which have been engaged in a shadowy struggle of computer sabotage with Iran,” said the New York Times.

The Fars news agency was more specific: “The cyber attack, originated from the US city of Dallas via switches in Malaysia and Vietnam, had targeted the information center of the Culture Ministry's Headquarters for Supporting and Protecting Works of Art and Culture. The attack was repelled by the headquarters' experts.”

Now, it is claimed, it was just a case of ‘lost in translation.’ “At a press conference,” said Ali Akbar Akhavan, head of Iran’s Passive Defense Organization, on Wednesday, “we announced readiness to confront cyber attacks against Hormozgan installations, which was mistakenly reported by the agencies as a cyber attack having been foiled.” According to Computerworld, the ISNA news agency that had released the original story hit back by “publishing MP3 files which it claimed contained Akhavan's initial remarks,” but then also published a further report that “quoted other Iranian officials as saying there had been no attacks on electrical installations in the region.”

Earlier this month it was announced that a new virus, dubbed BatchWiper, had been discovered in the country. Kaspersky Lab described the virus as ‘simple but effective.’ But it may just be a smokescreen, warns Israeli security expert Shmuel Tamar in the Times of Israel. “This is Iran, after all, which is in the cyber-gunsights of many groups and governments,” said Tamar, who works for a major database firm in Jerusalem. “Sometimes ‘simple’ attacks like this are a smokescreen, masking something else going on in a system that is doing a lot more damage.”

The newspaper points out that it was the earlier Wiper malware that drew attention to the original Stuxnet attack. “It was a very similar trojan, called Wiper, that drew attention to a file that was added to Iranian computers that were eventually found to be suffering from Stuxnet. Although analysts thought that Wiper was also a simple virus, it turned out to be much more, and its connection to Stuxnet is still being analyzed.”

If Tamar is right, then the current confused reports of a new ‘Stuxnet’ attack may be more than just coincidence.
