The world’s most complex malware ever created, the Stuxnet virus which was designed and enforced by the U.S. and Israel against Iran a few years ago, may have ended up infecting the International Space Station according to leading security analyst Eugene Kaspersky head of  IT security at Kaspersky Labs. The virus was designed to only attack specific software and specific hardware in a specific  uranium enrichment plant at Natanz, Iran. Stuxnet, however, isn’t at all specific on the targets it infects – basically it’s all over the world.

It’s been long thought that only a country or organization with vasts amounts of resources could develop a virus of Stuxnet’s complexity. Last year, the Obama administration stepped out and confirmed that indeed the virus was made as a joint-operation with Israel against Iran, to nobody’s surprise frankly. A leftover from the Bush administration, Stuxnet operations were accelerated during Obama’s presidency and eventually launched against Iran.

Without getting into too many details, here’s the short story: the enrichment facility depended on a series of centrifuges, which were controlled by Siemens micro-controllers. These chips governed how fast these centrifuges would spin or if they would spin at all. Stuxnet was designed to infiltrate the facility through unconventional means (spread out across the whole internet, infect millions of computers, eventually an Iranian employee would bring in an infected flash memory drive from home to work and thus compromise the whole network. Elaborate, I know), make the centrifuges randomly vary in the speed at which they rotated and in turn burn out their bearings. All of this was done of course while the monitoring software showed everything was in order.

A cumbersome worm

The Iranians had no idea what hit them, they actually blamed their in-country suppliers and the whole operation delayed uranium enrichment months and months. A perfect modern espionage attack, but was it worth it? Well, the Iranians were no saints. The local government had signed  the Non-Proliferation Treaty in which they had agreed that they would not try to develop a bomb. Guess what highly enriched uranium is good for? Nuclear bombs.

Overall, however, it was a pretty stupid move by the US. Stuxnet has infected millions if not billions of devices in the world,  including Russian nuclear plants as indicated by Kaspersky in this video at the 27 minute mark. Probably, other high end, vital infrastructure facilities are also infected by the virus all over the world and beyond apparently. In the same video, Kaspersky hints that he has information that suggests the International Space Station is also infected with Stuxnet. He credits his sources as “Russian space guys” – not quite solid, I know, but Kaspersky is a figure in the digital security world, I expect him not to flaunt ideas without a minimum of evidence backing them up.

Yes, the virus remains dormant, like a latent gene waiting to be turned on and mutate its host organism. The bad part is that the virus is open source – it’s source code has been exhaustively studied and is freely available on the web. Any hacker can study it, manipulate it and make his own Stuxnet.  However, the virus’ worst damage lies not in a few shattered centrifuges in an Iranian enrichment facility – it’s the proof of concept that’s terrifying. Imagine, for instance, having the entire US east coast or the whole country for that matter, why not, blacked out by a virus that fries electrical transmissions stations. Yes, it’s possible; most of these plants are fully automatized. The great powers all have cyber and counter-cyber warfare units well in place for obvious reasons. The wars of the future, at the flick of a button.