Did the Stuxnet cyberweapon infect the International Space Station?
Almost certainly not, but that hasn't stopped a lot of media outlets from saying so in bold headlines.
"The American-made Stuxnet virus has infected the International Space Station," said ExtremeTech. "Stuxnet, America's Nuclear Plant-Attacking Virus, Has Apparently Infected the International Space Station," trumpeted Vice. "Stuxnet, gone rogue, hit Russian nuke plant, space station," asserted the Times of Israel.
All three cited a speech that Eugene Kaspersky, head of Russian anti-virus firm Kaspersky Lab, gave to the Australian Press Club in Canberra last week.
But Kaspersky never said Stuxnet had infected the International Space Station (ISS). Rather, he offered two separate and unrelated anecdotes.
The first was one about non-specific malware being carried onboard the ISS by astronauts. The other was about Stuxnet infecting a Russian nuclear-facility network. (Kaspersky offered no proof for either allegation.)
Viruses in spaaaaaaace
"The space guys, from time to time, are coming with USBs, which are infected," Kaspersky said, according to the Atlantic. "I'm not kidding. I was talking to Russian space guys and they said, 'Yeah, from time to time, there are [computer] viruses on the space station.'"
This is at least partly true. In 2008, a Windows worm designed to steal online-game login credentials was found on laptops aboard the ISS.
It's not clear how the malware got on the laptops, but the BBC quoted NASA as saying "it was not the first time computer viruses had travelled into space."
Since then, most, if not all, of the laptops used by astronauts aboard the ISS have been switched to the open-source Linux operating system, which many of the ISS' built-in systems already ran. Linux has far fewer malware issues than Windows.
Regarding Stuxnet infecting the Russian nuclear network, Kaspersky made that allegation during a long response to an audience question about governmental attitudes toward industrial-control system vulnerabilities.
"Departments which are responsible for offense, they see it as opportunity," Kaspersky said. "They don't understand that in cyberspace, everything you do is a boomerang. It will get back to you."
"Stuxnet — which was, well, I don't know, but, if you believe American media, it was developed by American and Israel secret services— Stuxnet, against Iran, to damage Iranian nuclear power program," he continued.
"How many computers, how many enterprises, were hit by Stuxnet in United States? Do you know?" Kaspersky asked. "I don't know, but many. Last year, for example, Chevron, they [admitted] that they were badly infected by Stuxnet."
"A friend of mine," Kaspersky said, "work in Russian nuclear-power plant, once during this Stuxnet time, sent a message that the nuclear-plant network, which is disconnected from the Internet … sent a message that their internal network is badly infected by Stuxnet."
"So, unfortunately, these people who are responsible for offensive technologies," he concluded, "they recognize cyberweapons as an opportunity."
The truth about Stuxnet
It's quite possible that Stuxnet did infect an internal network at a Russian nuclear plant. The Stuxnet worm was designed to infect Windows computers controlling Siemens System 7 programmable logic controllers at nuclear facilities.
However, it's very unlikely that Stuxnet did any damage at the Russian plant. The worm was precisely calibrated to attack one specific facility: Iran's Natanz uranium-processing plant.
At Natanz, Stuxnet activated its payload, hijacked Natanz's computer system, destroyed crucial equipment and set back Iran's nuclear program by months, if not years.
Kaspersky's sensational-sounding comments, combined with reporters hungry for news about evil hackers and cyberwar, yet not well versed on the background details, meant that many media outlets got what Kaspersky said flat-out wrong.
At least one of them eventually got it right.
"This article originally said the ISS was infected with Stuxnet," said the Atlantic in a correction. "Upon further review of Kaspersky's statements, that's not the case. We're sorry for the confusion."