Fake soccer websites used to mislead Iran during cyber-attack on its nuclear program

Two fake soc­cer web­sites helped the cre­ators of the Stuxnet com­put­er virus that last year attacked com­put­ers used in Iran’s nuclear pro­gram mis­lead author­i­ties as they launched their assault as part of a covert cam­paign involv­ing assas­si­na­tions of nuclear sci­en­tists and mys­te­ri­ous blasts at Iran­ian nuclear and mil­i­tary facil­i­ties.

 -
Source: KrebsOnSecurity.com
Click to enlarge

The cre­ators used the web­sites, www.mypremierfutbol.com and www.todaysfutbol.com, as fronts to com­mu­ni­cate with Stuxnet-infect­ed Iran­ian com­put­ers in a bid to make Iran­ian author­i­ties believe that relat­ed traf­fic orig­i­nat­ed with soc­cer fans, accord­ing to a Reuters news agency sto­ry.

The sto­ry dis­clos­es details of how Stuxnet was devel­oped and deployed based on research con­duct­ed by cyber war­fare expert John Bum­gar­ner, a retired U.S. Army spe­cial-oper­a­tions vet­er­an and for­mer intel­li­gence offi­cer, who is chief tech­nol­o­gy offi­cer of the US Cyber Con­se­quences Unit, a non-prof­it group that stud­ies the impact of cyber threats.

The Stuxnet virus cre­at­ed hav­oc in com­put­ers that con­trol Iran­ian cen­trifuges designed to enrich ura­ni­um in the Islam­ic republic’s under­ground Nan­taz nuclear facil­i­ty and is believed to have set the pro­gram back by sev­er­al months. It report­ed­ly affect­ed 1,000 of Iran’s esti­mat­ed 8,000 cen­trifuges.

In a sec­ond cyber war inci­dent, Iran said last month that it had dis­cov­ered traces of the Duqu virus on which Stuxnet was based but had devel­oped soft­ware to stop it before it cre­at­ed dam­age. Secu­ri­ty soft­ware com­pa­ny Syman­tec Corp said in Octo­ber that it had noticed a virus with a code sim­i­lar to that of Stuxnet. Unlike Stuxnet, which is designed to take out con­trol sys­tems, Duqu is intend­ed to col­lect data in advance of a cyber-attack.

Stuxnet is wide­ly believed to have been devel­oped by Israel and the Unit­ed States as part of a covert effort to pre­vent Iran from acquir­ing the capa­bil­i­ty to build nuclear weapons. An enhanced upgrad­ed ver­sion of the virus is report­ed to be close to com­ple­tion.

It is dif­fi­cult to see the virus attack on the Iran­ian com­put­ers inde­pen­dent of the assas­si­na­tion of at least three key Iran­ian nuclear sci­en­tists in the past two years as well as a series of explo­sions in Iran.

A blast last month at the Bid Ganeh Rev­o­lu­tion­ary Guards base 48 kilo­me­ters west of Tehran killed 17 peo­ple, includ­ing Gen­er­al Has­san Tehrani Moghad­dam, a key fig­ure in the Islam­ic republic’s mis­sile devel­op­ment pro­gram. Iran’s asser­tion that the explo­sion was an acci­dent has wide­ly been greet­ed with scep­ti­cism. Iran­ian offi­cials acknowl­edged that the explo­sion hap­pened as sci­en­tists were work­ing on weapons that could be used in an attack on Israel.

Iran­ian offi­cials how­ev­er denied that a sec­ond blast in Isfa­han days after the Bid Ganeh inci­dent involved a nuclear facil­i­ty in the city where raw ura­ni­um is believed to be con­vert­ed to ura­ni­um hexa­flu­o­ride, the gas used in cen­trifuges in the ini­tial phase of the process to enrich yel­low cake.

The offi­cials ini­tial­ly said the blast was relat­ed to a mil­i­tary exer­cise but lat­er denied that any explo­sion had occurred. At least two more uncon­firmed explo­sions are report­ed to have hap­pened at facil­i­ties that host Iran­ian Shahab‑3 medi­um-range mis­siles capa­ble of car­ry­ing nuclear war­heads.

Two Iran­ian nuclear sci­en­tists, Fer­ey­doon Abbasi-Davan and Majid Shahri­ari, were tar­get­ed in bomb­ings in Tehran late last year in sep­a­rate attacks. Mr. Abbasi-Davan sur­vived the attack and was sub­se­quent­ly appoint­ed as head of Iran’s Atom­ic Ener­gy Orga­ni­za­tion while Mr. Shahri­ari was killed. The modus operan­di in both attacks was the same: a motor­cy­clist who attached a bomb to the vehi­cles that they were trav­el­ling in.

In relat­ed inci­dents, nuclear sci­en­tist Dar­i­oush Rezaie was killed in Tehran by gun­men in Tehran in July of last year while Mas­soud Ali Moham­ma­di died in a bomb­ing in the Iran­ian cap­i­tal in Jan­u­ary 2010. A Tehran court con­vict­ed in August Majid Jamali Fashi to death on charges of hav­ing been involved in the mur­der of Mr. Mohamme­di on behalf of Israel’s Mossad intel­li­gence agency.

The inci­dents are believed to be part of a covert cam­paign designed to com­ple­ment ever tougher sanc­tions imposed on Iran and make a mil­i­tary strike against Iran­ian nuclear tar­gets less like­ly.

Cyber war­fare expert Mr. Bum­gar­ner told Reuters that the fake soc­cer web­sites were part of a far larg­er effort to cre­ate a smoke screen behind which the Stuxnet virus attack could be launched unde­tect­ed. Mr. Bum­gar­ner said that an ear­li­er virus, Con­fick­er, that infect­ed mil­lions of com­put­ers in 2008 and was still dor­mant in many of those com­put­ers across the globe enabled the cre­ators of Stuxnet to launch anoth­er attack with an improved ver­sion of the virus when­ev­er they were ready.

While such an attack is like­ly, it is less like­ly to employ soc­cer as a decep­tion.

About The Author:
James M. Dorsey is a senior fel­low at the S. Rajarat­nam School of Inter­na­tion­al Stud­ies at Nanyang Tech­no­log­i­cal Uni­ver­si­ty in Sin­ga­pore and the author of the blog, The Tur­bu­lent World of Mid­dle East Soc­cer.

Team GlobDef

Team GlobDef

Seit 2001 ist GlobalDefence.net im Internet unterwegs, um mit eigenen Analysen, interessanten Kooperationen und umfassenden Informationen für einen spannenden Überblick der Weltlage zu sorgen. GlobalDefenc.net war dabei die erste deutschsprachige Internetseite, die mit dem Schwerpunkt Sicherheitspolitik außerhalb von Hochschulen oder Instituten aufgetreten ist.

Alle Beiträge ansehen von Team GlobDef →