Cyber War Goes Heavy Metal

New computer attack detected on Iran nuclear facility

July 26, 2012

Computer systems at Iran’s nuclear facilities were attacked recently by a new worm that forced some workstations to randomly play the heavy metal rock song Thunderstruck, U.S. officials said.

The computer attack followed several U.S.- and Israeli-origin virtual strikes on Iran’s illicit nuclear program that involved the insertion of malicious software into Iranian industrial control networks. Those attacks were carried out under the code names Stuxnet and Flame.

The latest attack took place about a week ago and was discovered after an Iranian scientist revealed it in emails sent to a Finnish computer security expert asking for assistance in countering the malicious software attack.

The senior security specialist at the Finnish computer security company F-Secure, Mikko Hypponen, wrote on a blog post that he received several emails beginning July 21 from the Atomic Energy Organization of Iran, which is in charge of Iran’s nuclear program.

The Iranian scientist stated that the nuclear program was "compromised" from an attack by a new worm or hacker software called Metasploit.

The attack penetrated the Iranian virtual private network and shut down the computer control networks at the Natanz nuclear facility as well as a second plant called Fordo near Qom. Both sites have been linked by U.S. intelligence agencies to Iran’s covert nuclear program.

Additionally, the computer attack shut down the Siemens software used to control industrial facilities.

Officials believe the software also caused several workstations to randomly play the song by the heavy metal group AC/DC in the middle of the night at a high volume.

The music element of the hack prompted one security specialist to note that it was similar to a characteristic of the Stuxnet worm that hit Iran which contained a coded copy of the Israeli national anthem Hatikvah that supposedly played using the variable drive frequency motors of uranium enrichment centrifuges that were destroyed by the computer attack.

U.S. officials suspect that Hypponen may be working covertly with the Iranians on computer security and may have been called on in the past to help mitigate computer attacks.

In the blog post, Hypponen quoted the Iranian scientist as saying, "Our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom."

The Iranian said the country’s cyber experts "believe a hacker tool Metasploit was used."

"The hackers had access to our VPN," the scientist stated. "The automation network and Siemens hardware were attacked and shut down."

"There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing 'Thunderstruck' by AC/DC."

The new virus is the latest in the covert war against Iran’s nuclear program that has been under way for the past several years and involves cyber attacks and the assassination of Iranian nuclear scientists.

Intelligence analysts said "Thunderstruck"’s title and lyrics indicate a psychological warfare element, in that it is meant to be taunting and is symbolic of the impact of the virus on Iran’s nuclear program. The AC/DC album also includes other songs that computer warfare specialists may have intended to highlight the conflict. Other song titles on the 1990 album "The Razors Edge" include the title cut, "Fire Your Guns," "Are You Ready," and "Got You By The Balls."

On Wednesday, an Iranian official appeared to confirm the recent cyber attack. The official was quoted in state-controlled media as threatening a counterattack against the United States for cyber attacks on Iran.

"If the vain American cyber attacks against our country do not end, they will receive a decisive response," the IRNA news agency quoted an official described as being from the "cyber base."

On Monday, an official from Iran’s National Security and Foreign Policy Commission, Seyed Hossein Naqavi was quoted in Iranian press reports as saying a recent cyber attack on Iranian facilities had been thwarted.

Published under: Iran , Middle East