“It was most likely developed by a Western power, and they most likely provided it to a secondary power which completed the effort,” he told
The malicious software, first detected in June last year, was almost certainly designed to make damaging, surreptitious adjustments to the centrifuges used at Natanz, Iran’s uranium enrichment site. While he downplayed its impact, the Iranian President Mahmoud Ahmadinejad has confirmed Stuxnet set back his nuclear ambitions.
Separate investigations by US nuclear experts have discovered that Stuxnet worked by increasing the speed of uranium centrifuges to breaking point for short periods. At the same time it shut off safety monitoring systems, hoodwinking operators that all was normal.
Mr Parker found that this part of the attack must have been conceived by “some very talented individuals”, and the other by a less talented, or more rushed, group of developers.
The element written by the first group, which was activated after Stuxnet reached its target and is known as the “payload”, is very complex, well designed and effective, according to Mr Parker’s analysis. He believes this is evidence of the involvment of a major Western power or powers – potentially including Britain – because they have both the scarce cyber expertise, and access to the tightly-regulated nuclear equipment necessary to test the virus.
In contrast, the way Stuxnet was distributed and its “command and control” features, which allow it to be remotely altered, include many errors and are poorly protected from surveillance.
“It’s a bit like spending billions on a space shuttle and then launching it using the remote control from a £15 toy car,” said Mr Parker.
His criticisms of Stuxnet’s distribution mechanism, presented this week at the Black Hat computer security conference in Washington DC, are supported by other experts, including Nate Lawson, a computer encryption consultant.
“Either the authors did not care if the payload was discovered by the general public, they weren’t aware of these techniques, or they had other limitations, such as time,” said Mr Lawson.
However, the apparently cheap wrapping of an expensive package points to Israel as the distributing power, said Mr Parker.
Each of the two stages of the Stuxnet operation demanded different resources to succeed. Stuxnet’s distributors may not have had the elite software engineering abilities of those responsible for the payload, but according to President Ahmadinejad, they hit their target.