Fake soccer websites used to mislead Iran during cyber-attack on its nuclear program

Two fake soccer websites helped the creators of the Stuxnet computer virus, which last year attacked computers used in Iran’s nuclear program, mislead authorities as they launched their assault as part of a covert campaign involving assassinations of nuclear scientists and mysterious blasts at Iranian nuclear and military facilities.

Source: KrebsOnSecurity.com

The creators used the websites, www.mypremierfutbol.com and www.todaysfutbol.com, as fronts to communicate with Stuxnet-infected Iranian computers in a bid to make Iranian authorities believe that related traffic originated with soccer fans, according to a Reuters news agency story.

The story discloses details of how Stuxnet was developed and deployed based on research conducted by cyber warfare expert John Bumgarner, a retired U.S. Army special-operations veteran and former intelligence officer, who is chief technology officer of the US Cyber Consequences Unit, a non-profit group that studies the impact of cyber threats.

The Stuxnet virus created havoc in computers that control Iranian centrifuges designed to enrich uranium in the Islamic republic’s underground Natanz nuclear facility and is believed to have set the program back by several months. It reportedly affected 1,000 of Iran’s estimated 8,000 centrifuges.

In a second cyber war incident, Iran said last month that it had discovered traces of the Duqu virus on which Stuxnet was based but had developed software to stop it before it created damage. Security software company Symantec Corp said in October that it had noticed a virus with code similar to that of Stuxnet. Unlike Stuxnet, which is designed to take out control systems, Duqu is intended to collect data in advance of a cyber-attack.

Stuxnet is widely believed to have been developed by Israel and the United States as part of a covert effort to prevent Iran from acquiring the capability to build nuclear weapons. An enhanced upgraded version of the virus is reported to be close to completion.

It is difficult to see the virus attack on the Iranian computers independently of the assassination of at least three key Iranian nuclear scientists in the past two years as well as a series of explosions in Iran.

A blast last month at the Bid Ganeh Revolutionary Guards base 48 kilometers west of Tehran killed 17 people, including General Hassan Tehrani Moghaddam, a key figure in the Islamic republic’s missile development program. Iran’s assertion that the explosion was an accident has widely been greeted with scepticism. Iranian officials acknowledged that the explosion happened as scientists were working on weapons that could be used in an attack on Israel.

Iranian officials, however, denied that a second blast in Isfahan days after the Bid Ganeh incident involved a nuclear facility in the city where raw uranium is believed to be converted to uranium hexafluoride, the gas used in centrifuges in the initial phase of the process to enrich yellow cake.

The officials initially said the blast was related to a military exercise but later denied that any explosion had occurred. At least two more unconfirmed explosions are reported to have happened at facilities that host Iranian Shahab-3 medium-range missiles capable of carrying nuclear warheads.

Two Iranian nuclear scientists, Fereydoon Abbasi-Davan and Majid Shahriari, were targeted in bombings in Tehran late last year in separate attacks. Mr. Abbasi-Davan survived the attack and was subsequently appointed as head of Iran’s Atomic Energy Organization while Mr. Shahriari was killed. The modus operandi in both attacks was the same: a motorcyclist attached a bomb to the vehicles in which they were travelling.

In related incidents, nuclear scientist Darioush Rezaie was killed by gunmen in Tehran in July of last year while Massoud Ali Mohammadi died in a bombing in the Iranian capital in January 2010. In August, a Tehran court sentenced Majid Jamali Fashi to death on charges of having been involved in the murder of Mr. Mohammadi on behalf of Israel’s Mossad intelligence agency.

The incidents are believed to be part of a covert campaign designed to complement ever tougher sanctions imposed on Iran and make a military strike against Iranian nuclear targets less likely.

Cyber warfare expert Mr. Bumgarner told Reuters that the fake soccer websites were part of a far larger effort to create a smoke screen behind which the Stuxnet virus attack could be launched undetected. Mr. Bumgarner said that an earlier virus, Conficker, which infected millions of computers in 2008 and was still dormant in many of those computers across the globe, enabled the creators of Stuxnet to launch another attack with an improved version of the virus whenever they were ready.

While such an attack is likely, it is less likely to employ soccer as a deception.

About The Author:
James M. Dorsey is a senior fellow at the S. Rajaratnam School of International Studies at Nanyang Technological University in Singapore and the author of the blog, The Turbulent World of Middle East Soccer.