“Who unleashed Stuxnet?” – Mikko Hypponen on the origin of the Stuxnet virus


The well-known malware researcher Mikko Hypponen (CRO at F-Secure) speaks on the probable origin and objectives of the notorious Stuxnet virus, outlines mobile malware issues and sheds some light on the mysteries around Conficker worm.

Mikko Hypponen When Stuxnet was originally found in summer of 2010, we didn’t really understand, in the beginning, what we have found. Stuxnet is the only one of its kind. It’s the only malware that actually infects factory automation gear or these PLC1 boxes, which are basically the building blocks that control critical infrastructure and normal infrastructure around us. You go to any factory, any chemical plant, any food producing plant, you’ll find these PLC gear devices, and that’s exactly what Stuxnet infects.

And it is the only one of its kind, and Stuxnet as a whole is far more complicated than anything we’ve seen. Stuxnet was a multimillion dollar project which, we estimate, took more than 10 man-years to complete.

And who built it? I believe Stuxnet was done by U.S. Government. In fact, I believe, when George W. Bush signed a cyber attack program against the Iran nuclear program in 2008, that the end result of that signature was Stuxnet.

Stuxnet was a multimillion dollar project which took more than 10 man-years to complete.

There were questions whether Stuxnet was an ultimate project of that cyber attack program, or it was created as alternative to a physical attack. Well, if your target is to stop a foreign nation from reaching nuclear capability, you have a couple of different options. I mean, you can go to war, but nobody likes to go to war, especially USA, which already has plenty of wars at the moment. Other alternative is you can do a surgical strike and just send a bomber to bomb what you think where the facilities are. And of course, we’ve seen attacks like that before. But they have problems like, you know, you can’t deny that you did it. Everybody will know that you did it because they can tell who bombed you. And you have to know what to bomb.

Nuclear plant of Natanz in Iran
Nuclear plant of Natanz in Iran
Stuxnet will find its target. Stuxnet is just a worm, so it spreads everywhere but it only activates when it finds the right target. It’s very precise on making sure it identifies the right target before it actually starts doing anything. And that means that it will find its way to the real target and will even find an unknown target. So, let’s imagine that we know that Natanz nuclear enrichment facility in Iran was one of the targets. There could have been other targets like clones of Natanz, completely unknown, maybe underground somewhere. But we would assume that the same nuclear researchers will be working in all those facilities, and they would be carrying the worm with them. And you can’t get that kind of deniability and that kind of reach with traditional weapons, but you do with these modern cyber weapons.

Do we have any real evidence that this was the Americans who created Stuxnet? For now we cannot prove it, but if you look at who has the know-how, who has the technology, who has the motive. It’s pretty obvious. Then you combine it with the fact that we know that George Bush started an operation in this realm. So, it’s pretty clear to me. There’s lots of links that people try to find to Israel, and I find it perfectly plausible that it was tested together with Israel. But the fact is we actually don’t know. I believe, it was done by U.S. Government but I cannot prove it. But is there anyone else trying to prove it? Maybe we will find out with the leak of WikiLeaks.

Another issue is smartphone malware. Is it really such a big problem or do the restrictions put on software on Google and Android Marketplace and the App Store for the iTunes limit the damage that malware can do on phones? As to phones, we found the very first smartphone viruses in 2006. Since then, we’ve only found a few hundred of those, which actually is nothing. We find more new PC malware or Windows malware every single day than what we found over the last 5 years on smartphones. And the main reason why we haven’t seen more activity on smartphones is that current smartphones actually are more secure by their security design than our computers. Regardless of what mobile platform you look at, the built-in security features are far superior to what you have in, let’s say, Windows or OS X on your Mac or so.

We find more new PC malware every single day than what we found over the last 5 years on smartphones.

Let’s hope this defense doesn’t come down and that there is no ‘spy vs. spy’ kind of war going on. One thing that clearly affects the amount of activity on mobile side is the fact that if we look at operating systems as a whole, and just try to figure out what’s the most common operating system on the planet, it’s actually Windows XP. Windows XP has over 50% market share of all the computers on this planet. And Windows XP is 11 years old, I mean it’s actually a very easy target. So, now, if you think about this from the point of view of the attacker, which platform are you going to target with your attacks: Windows 7, Android, iOS or Windows XP? Which is the easiest target and the biggest target? I mean, why would you go after anything else as long as you have this huge low-hanging fruit? But the fruit is going away. So, in two or three years the attackers will be moving to other platforms and we expect to see much more activity, especially on Android which is the most open of the common smartphone platforms, and right now seems to have the biggest amount of attacks against it as well.

Conficker worm And one more huge security topic is the Conficker worm. It is one of the biggest mysteries that we’ve seen in the history of malware as a whole. It was a massive botnet, we are talking about more than 10 million infected computers around the world. It used several new tricks we had never seen before. But the biggest mystery was that once this massive botnet was built, the attackers never used it. They only did some very limited trials, showing that they could actually use it for something, but they actually never did do anything with it. And there was a big discussion about what was the original motive, and who was originally behind it. And I did research on this two years ago and I was about to do a talk on this in the ‘Black Hat’ conference in Vegas, but I was asked not to go into too much detail regarding the research. And those restrictions are still in place, and we are still not talking more about that. But there are still different theories about where Conficker came from, and there is still an ongoing research. And Conficker is still out there. There are still more than 1 Million infected computers by Conficker right now.


1PLC (programmable logic controller) is a digital computer used for automation of electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures.


Please enter your comment!
Please enter your name here