Story

Irishman who deciphered the cyber-virus attack on Iran

LIAM Ó MURCHÚ is a 33-year-old, baby-faced Irishman from Athy, Co Kildare, with smiley eyes and a dimple in his chin. It was to save money for snowboarding in Andorra and Chile that Ó Murchú, who holds a degree in computer engineering from UCD, took a job blocking spam email in Dublin in the early 2000s.

The Dublin company was bought by Symantec, a world leader in information security and storage. After five years at Symantec’s Blanchardstown operation, Ó Murchú was promoted to head analysis for North America at the firm’s headquarters in Silicon Valley.

He became the cyber sleuth who deciphered the Stuxnet virus that sabotaged the Iranian nuclear programme.

Ó Murchú first became aware of Stuxnet in June 2010, when a Belarus company working in Iran alerted other computer security professionals of its existence. It is common courtesy among such firms to share virus samples, though each develops its own protection.

“I decided this was something very significant, that we were going to do a 100 per cent full analysis of it,” Ó Murchú said. “As far as I know, we are the only people who’ve done the complete analysis on Stuxnet.”

Most viruses take a half hour, perhaps a day, at most a week or two, to decipher. Stuxnet was tens of thousands of lines of very professionally written code. It took Ó Murchú and fellow engineers Eric Chien and Nicolas Falliere six months to break Stuxnet. Their teams worked in round-the-clock shifts, with Tokyo taking over from Silicon Valley, and Dublin picking up where Tokyo left off.

The virus commanded infected computers to connect to websites in Denmark and Malaysia. By monitoring that traffic, Symantec realised that 70 per cent of Stuxnet infections were in Iran.

Yet Stuxnet did not harm the carrier computers. In a “eureka” moment, Symantec discovered that it was designed to target a Siemens S7-300 programmable logic controller, which controls factory equipment.

“That was quite a revelation,” Ó Murchú recalled. “It showed us we were on the right path, that the threat was looking for a very, very specific configuration of equipment.” A CBS 60 Minutes documentary in which Ó Murchú appeared this month, and an earlier investigation by the New York Times, concluded that Israel and the US designed Stuxnet to sabotage Iran’s nuclear programme.

In this 21st-century form of germ warfare, “the attackers couldn’t deliver directly into the uranium enrichment plant at Natanz,” Ó Murchú said. “They blasted it out there and hoped that one of the infectors would make it to the target.” He is only interested in analysing the threat. “I don’t look at the political side of it.” he said. Yet in the interview with Steve Kroft of CBS, he admitted that he had never before worked on such a politically charged analysis.

If he died by suicide, Ó Murchú joked to colleagues, he wanted them to know he wasn’t suicidal. “These were the sort of thoughts that were occurring to us: we may be followed, or people may be interested in the information that we have and may not want us to disperse it.”

Not only was Stuxnet the first virus designed to target a specific piece of machinery, “this is the first time we have ever seen a virus that changes something physical – that changes how equipment works in the real world,” Ó Murchú said.

Stuxnet caused centrifuges in the plant at Natanz to spin so fast they broke down. So the Iranians would not realise what was happening, the virus first recorded normal traffic coming to the Siemens box. “Then, when it started to cause malicious activity on the network, it relayed the normal traffic it had recorded earlier to the operators’ screens,” Ó Murchú explained.

“Stuxnet was changing how the machinery was working, and the operators never saw that.” US and Israeli experts estimate that, by destroying 1,000 or more centrifuges, the attack has set the Iranian programme back several years. President Mahmoud Ahmadinejad has acknowledged a cyber attack by “enemies of the state” and admitted it caused “minor problems”.

Stuxnet was preprogrammed to stop working in 2012. In November 2011,the Symantec team identified a new virus called Duqu – already present in Iran, Sudan and all over Europe – which is based on Stuxnet’s code. Duqu steals information from firms that manufacture industrial control systems. The information “would be useful to anyone who wants to slow down the uranium enrichment process in Iran,” Ó Murchú said. “We see it as an extension of the Stuxnet programme. It’s clear the motivation is the same.”

The Stuxnet attack “has given people a blueprint of how to [carry out] this type of operation,” Ó Murchú said. Like other computer security experts, he fears the authors of Stuxnet may have opened up a whole new front in cyber warfare – one that may eventually be used to harm the US and Europe.