Two weeks ago, a source associated with Iran's nuclear program confidentially told WikiLeaks of a serious, recent nuclear accident at Natanz. Natanz is the primary location of Iran's nuclear enrichment program. WikiLeaks had reason to believe the source was credible; however, contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation; however, according to Iranian media and the BBC, today the head of Iran's Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.
Specialists have hypothesized that it would take the resources of a nation state to create the software. It uses two stolen digital certificates (legitimate code-signing certificates taken from Realtek and JMicron, not forged signatures) to get its drivers accepted by Windows, and it exploits five different Windows vulnerabilities, four of which were zero-days when the malware was found (at the time of writing Microsoft has patched two). Stuxnet also hides its code with a rootkit on the infected system and exploits a database server password hardcoded into the Siemens WinCC software. It propagates in a number of ways, including through the remotely exploitable Windows holes, peer-to-peer communication between infected hosts, network shares, and USB drives. Stuxnet shows inside knowledge of Siemens WinCC/Step 7 software: it fingerprints a specific industrial control system configuration, uploads an encrypted program, and modifies the code on the Siemens programmable logic controllers (PLCs) that automate industrial processes like pressure valves, water pumps, turbines, and nuclear centrifuges, according to various researchers.
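The defensive counterpart to the PLC modification described above is a code-integrity baseline: hash every program block read back from the controller, store the hashes, and re-read and compare on a schedule. The following Python is an added example written for this page, not code from Symantec, Siemens or any Stuxnet analysis; the block names and byte contents are constructed placeholders, and the injected block "FC900" is illustrative rather than a block Stuxnet actually wrote. One caveat a practitioner needs: Stuxnet's PLC rootkit intercepted the Step 7 communication library on the infected engineering station so that the injected blocks were hidden from the tool reading them, which means the "current" read must come from a separate, known-clean host or the diff will show nothing.

```python
import hashlib
from typing import Dict, List, Mapping

# Constructed "block images": the bytes an engineering tool reads back for each
# PLC program block. These are placeholders, not real Step 7 code.
BASELINE_BLOCKS: Dict[str, bytes] = {
    "OB1": bytes.fromhex("7070010100002a00"),   # main cycle
    "OB35": bytes.fromhex("7070010200100000"),  # cyclic interrupt
    "FC1": bytes.fromhex("7070030100004100"),
    "DB1": bytes.fromhex("70700a0100040000"),
}


def hash_blocks(blocks: Mapping[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every block image, keyed by block name. Store this result
    (not the code itself) as the golden baseline for the controller."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}


def diff_against_baseline(baseline: Mapping[str, str],
                          current: Mapping[str, bytes]) -> Dict[str, List[str]]:
    """Compare freshly read blocks with the stored baseline hashes.

    A tampered controller shows up as modified existing blocks (a call hooked
    into OB1, say), as added blocks the project never contained, or both.
    Removed blocks are reported too, because a rootkit that hides blocks from
    the reading tool produces exactly that symptom.
    """
    current_hashes = hash_blocks(current)
    modified = sorted(n for n in baseline
                      if n in current_hashes and current_hashes[n] != baseline[n])
    added = sorted(n for n in current_hashes if n not in baseline)
    removed = sorted(n for n in baseline if n not in current_hashes)
    return {"modified": modified, "added": added, "removed": removed}


def is_clean(report: Mapping[str, List[str]]) -> bool:
    """True only when nothing was modified, added or removed."""
    return not any(report.values())


def tampered_example() -> Dict[str, bytes]:
    """Constructed 'after' state following the pattern the text describes:
    an existing block is patched to call new code, and a new block appears.
    The block name FC900 and its bytes are illustrative, not Stuxnet's."""
    current = dict(BASELINE_BLOCKS)
    current["OB1"] = BASELINE_BLOCKS["OB1"] + bytes.fromhex("7e0900")  # hypothetical injected call
    current["FC900"] = bytes.fromhex("707003900000dead")                # hypothetical injected block
    return current


if __name__ == "__main__":
    golden = hash_blocks(BASELINE_BLOCKS)
    print("clean read :", diff_against_baseline(golden, BASELINE_BLOCKS))
    print("tampered   :", diff_against_baseline(golden, tampered_example()))
```

Keep the baseline hashes off the engineering workstation (a print-out or a write-once store is enough for a handful of controllers), and regenerate them only through the change-control process that approves a new PLC program; otherwise an attacker who can modify the blocks can also update the baseline.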
Symantec has reverse engineered the Stuxnet code and uncovered some references that could bolster the argument that Israel was behind the malware, all presented in this report (PDF). But it is just as likely that the references are red herrings designed to divert attention away from the actual source. Stuxnet, for instance, will not infect a computer if "19790509" is in a registry key. Symantec noted that this could stand for the May 9, 1979 date of a famous execution of a prominent Iranian Jew in Tehran. But it is also the day a Northwestern University graduate student was injured by a bomb made by the Unabomber. The number could also represent a birthday, some other event, or be completely random. There are also references to two directory names in the code that Symantec said could be Jewish biblical references: "guavas" and "myrtus." "Myrtus" is the Latin word for "myrtle," which was another name for Esther, the Jewish queen who saved her people from death in Persia. But "myrtus" could also stand for "my remote terminal units," referring to a chip-controlled device that interfaces real-world objects to a distributed control system such as those used in critical infrastructure. "Symantec cautions readers on drawing any attribution conclusions," the Symantec report says. "Attackers would have the natural desire to implicate another party."
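The "do not infect" registry check above is a usable indicator in both directions: a host carrying the marker was deliberately inoculated by someone, and a host without it was eligible for infection. The Python below is an added example written for this page, not code from Symantec or any Stuxnet analysis. It parses a registry export in the format `reg export` writes and tests for the marker numerically, because the export shows the DWORD 19790509 as `dword:012dfaad` and a string comparison against "19790509" would miss it. The key path and value name used as defaults are the ones given in Symantec's dossier; this page itself does not name them, so treat them as an assumption to verify against the report. The two `.reg` texts are constructed, not captured from real hosts.

```python
import re
from typing import Dict, Optional, Tuple, Union

RegValue = Union[int, str]
RegMap = Dict[Tuple[str, str], RegValue]

# The constant the text discusses: decimal 19790509, hex 0x012dfaad.
INOCULATION_VALUE = 19790509

# Key path and value name as given in Symantec's dossier (assumption: not
# stated on this page; check the report before relying on them).
INOCULATION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation"
INOCULATION_NAME = "NTVDM TRACE"

# Constructed .reg exports, not captured from real hosts.
INOCULATED_HOST = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation]
"NTVDM TRACE"=dword:012dfaad
"Comment"="set by ops, do not remove"
"""

ORDINARY_HOST = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation]
"NTVDM TRACE"=dword:00000000
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"=(?P<data>.+)$')


def decode_reg_data(data: str) -> RegValue:
    """Decode the two value types this check needs: REG_DWORD, which the
    export writes as 8 hex digits, and REG_SZ with its backslash escapes.
    Other types (hex:, hex(2):, ...) are returned as the raw export text."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg_export(text: str) -> RegMap:
    """Map (key path, value name) to the decoded value. Both parts of the
    key are lower-cased because the Windows registry is case-insensitive."""
    values: RegMap = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            values[(key.lower(), m.group("name").lower())] = decode_reg_data(m.group("data"))
    return values


def is_inoculated(values: RegMap,
                  key: str = INOCULATION_KEY,
                  name: str = INOCULATION_NAME) -> bool:
    """True when the host carries the marker the malware refuses to infect past.
    The comparison is against the decoded DWORD, not the hex text."""
    return values.get((key.lower(), name.lower())) == INOCULATION_VALUE


if __name__ == "__main__":
    for label, export in (("inoculated", INOCULATED_HOST), ("ordinary", ORDINARY_HOST)):
        print(label, "->", is_inoculated(parse_reg_export(export)))
```

Run it over `reg export HKLM\SOFTWARE out.reg` output from each host you are triaging. Absence of the marker says nothing about whether a host is infected; it only tells you the host was not excluded, so pair this with the signed-driver and PLC checks rather than reading it alone.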