Back in Hack: Computer Researcher Stumped By AC/DC Virus at Iranian Nuclear Facilities
Finnish computer security researcher Mikko Hypponen seemed a bit overwhelmed when we reached him on his cell phone at London's Heathrow airport this morning.
"My phone is ringing off the hook for this stupid email," he said. The "stupid email" is the one he received from an Iranian atomic scientist this weekend claiming Iranian nuclear facilities have been hit by a cyber attack which blasts AC/DC's "Thunderstruck" at full volume at night.
"I am writing to inform you that our nuclear program has once again been compromised and attacked by a new worm," began the email, which Hypponen received Sunday morning and posted to his blog yesterday. But unlike the infamous Stuxnet, this new worm didn't secretly sabotage their hardware. "There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing 'Thunderstruck' by AC/DC."
Given that cyber espionage is hotter than ever, the attention the email garnered is no real surprise. The most recent frenzy came last month with the discovery of Flame, a massive, sophisticated spyware program developed by the U.S. and Israel that infected Iranian computers and could surreptitiously activate microphones and cameras, and record keystrokes. Did this scientist's email prove the U.S. government's newest cyberwarfare tool comes programmed with a sense of humor?
But Hypponen says the real importance of the email, which he confirmed came from inside the Atomic Energy Organization of Iran, is far from certain.
"I'm not buying his story as it is," Hypponen said. "I can't confirm any of this."
For one thing it's strange that it was sent by someone claiming to be a nuclear scientist, instead of a fellow computer security researcher. Hypponen has received emails from Iranian computer experts looking to publicize their discoveries before: In June, an analyst from Iran's Computer Emergency Response Team emailed him to tell him they'd discovered Flame spying on their networks.
In this case, though, the scientist said he was simply relaying information that was sent to his team by other "cyber experts." To try to confirm the scientist's outlandish claims, Hypponen replied to the email asking for a sample of the worm for his lab, F-Secure, to analyze. But no such luck.
"He emailed back that he's unlikely to be able to send a sample because he's not a computer security expert," Hypponen said.
Unable to examine a sample of the supposed worm, and having only hearsay to rely on about its effects, Hypponen remains skeptical of the email—especially the automated AC/DC claim. "It does sound really weird," he said. "If there was an attack, why would the attacker announce themselves by playing 'Thunderstruck'?"
The email also said the attacker used a free hacker tool called Metasploit. Hypponen said this would be "completely different than what we've seen with" Flame or Stuxnet, which were both the products of expensive government programs.
This leaves a wide range of possibilities. The email could be a hoax or disinformation campaign by the Iranian Atomic Energy Organization, though, as Hypponen pointed out, it's hard to see what they would gain by promoting a fake attack on their systems. Or maybe it's a gossipy nuclear scientist who dished to a computer security researcher without knowing what he's really talking about. Of course, it's possible some new worm really is assaulting Iranian nuclear scientists with midnight barrages of "Thunderstruck," possibly unleashed by a rogue hacker using Metasploit.
Since he posted the email to his blog with the scientist's permission, Hypponen hasn't received any more emails.
"He wants to get the word out so I published what he wanted to get out. That's all we really know."