Swirling speculations about possible culprits behind the Stuxnet worm have mostly focused on Israel or the United States. But a cyber expert says there is another key suspect involved.
In a post on Forbes' The Firewall, cybersecurity expert and author Jeff Carr argues that discussions about the creators of Stuxnet never expanded beyond Israel and Iran, and that the appeal of a U.S. or Israeli cyber attack against Bushehr and Natanz “was just too good to pass up even though there was no hard evidence and very slim circumstantial evidence to support a case for either country.”
The best “proof” presented, Carr writes, was an arcane Hebrew word, Myrtus, and a biblical reference for a date found in the malware that related to Persia, both of which could have been explained in a half-dozen ways without being associated with either Israel or the United States.
In a previously published whitepaper titled “Dragons, Tigers, Pearls, and Yellowcake,” Carr outlined four scenarios linking Stuxnet to China. That paper also provided a reason for the attack, which, Carr said, fit China’s role as Iran’s ally and customer, while opposing Iran’s fuel enrichment plans.
While researching his whitepaper, Carr writes that he uncovered a connection between Vacon, the Finnish manufacturer of one of the two frequency converter drives targeted by Stuxnet, and RealTek, whose digital certificate was stolen and used to sign the worm so it could be loaded onto a Windows host without alerting anyone.
Those familiar with the Stuxnet investigation know the international headquarters for Vacon are located in Finland, but surprisingly, Carr says, Vacon’s manufacturing plant is in China, functioning under the name Vacon Suzhou Drives Co. Ltd.
Vacon, however, is not the only company involved with Stuxnet that has a Chinese connection. According to Carr, the first genuine digital certificate used by Stuxnet developers was from RealTek Semiconductor Corp., a Taiwanese company with a subsidiary in China.
But what motive would China have to attack Iran’s nuclear facilities? According to Carr, Beijing has repeatedly opposed Iran’s goal to develop nuclear weapons capabilities while stating that sanctions against Iran would be counterproductive. China wanted to support its third largest supplier of oil, while simultaneously exploring ways to get Iran to cease its uranium fuel enrichment program, Carr writes.
“What better way to accomplish that goal than by covertly creating a virus that will sabotage Natanz’ centrifuges in a way that simulates mechanical failure while overtly supporting the Iranian government by opposing sanctions pushed by the U.S.,” he asks rhetorically. “It’s both simple and elegant. Even if the worm was discovered before it accomplished its mission, who would blame China, Iran’s strongest ally, when the most obvious culprits would be Israel and the U.S.?”
According to Carr, there is still a significant lack of information on any other facilities that suffered damage, and no good explanations for why there was such massive collateral damage across dozens of countries if only one or two facilities in one nation state were the targets.
“[H]owever, based solely on the known facts, I consider China to be the most likely candidate for Stuxnet’s origin,” Carr concluded.
Nice theory but probably false.
The Chinese may have assisted the overall effort in some ways (we will never know) if they were in on it, but I do not think they actually developed it. Israel’s intentions were clear for some time. Here is an article from July 2009: http://www.ynetnews.com/articles/0,7340,L-3742960,00.html
Perhaps the links to China were deliberate. The intent would be for misdirection, and maybe two birds with one stone. Wreck the systems in Iran but leave bread crumbs back to China in an attempt to sour the relationship.
I would be interested in an analysis of the Stuxnet code by a native Chinese speaker. Perhaps an Easter Egg or three were left behind. Add the circumstantial links from the article and it would almost be a smoking gun.
Just a thought.