The International Space Station as seen from the U.S. space shuttle Endeavour following undocking on May 29, 2011.
Did the Stuxnet cyberweapon infect the International Space Station?
Almost certainly not, but that hasn't stopped a lot of media outlets from saying so in bold headlines.
"The American-made Stuxnet virus has infected the International Space Station," said ExtremeTech. "Stuxnet, America's Nuclear Plant-Attacking Virus, Has Apparently Infected the International Space Station," trumpeted Vice. "Stuxnet, gone rogue, hit Russian nuke plant, space station," asserted the Times of Israel.
All three cited a speech that Eugene Kaspersky, head of Russian anti-virus firm Kaspersky Lab, gave to the Australian Press Club in Canberra last week.
But Kaspersky never said Stuxnet had infected the International Space Station (ISS). Rather, he offered two separate and unrelated anecdotes.
The first was one about non-specific malware being carried onboard the ISS by astronauts. The other was about Stuxnet infecting a Russian nuclear-facility network. (Kaspersky offered no proof for either allegation.)
Viruses in spaaaaaaace
"The scientists, from time to time, they are coming to the space [station] with USBs which are infected," Kaspersky said in the speech, which is available in its entirety on YouTube. "I'm not kidding. I was talking to Russian space guys. They said, 'Yes, from time to time, there are virus epidemics in the space station.'"
This is at least partly true. In 2008, a Windows worm designed to steal online-game login credentials was found on laptops aboard the ISS.
The space news site SpaceRef quoted NASA as saying, "Virus was never a threat to any of the computers used for cmd and cntl [command and control] and no adverse effect on ISS Ops [operations]."
It's not clear how the malware got on the laptops, but the BBC quoted NASA as saying "it was not the first time computer viruses had travelled into space."
Since then, most, if not all, of the laptops used by astronauts aboard the ISS have been switched to the open-source Linux operating system, which many of the ISS' built-in systems already ran. Linux has far fewer malware issues than Windows.
Regarding Stuxnet infecting the Russian nuclear network, Kaspersky made that allegation during a long response to an audience question about governmental attitudes toward industrial-control system vulnerabilities.
"Departments which are responsible for offense, they see it as opportunity," Kaspersky said. "They don't understand that in cyberspace, everything you do is a boomerang. It will get back to you."
"Stuxnet — which was, well, I don't know, but, if you believe American media, it was developed by American and Israel secret services— Stuxnet, against Iran, to damage Iranian nuclear power program," he continued.
"How many computers, how many enterprises, were hit by Stuxnet in United States? Do you know?" Kaspersky asked. "I don't know, but many. Last year, for example, Chevron, they [admitted] that they were badly infected by Stuxnet."
"A friend of mine," Kaspersky said, "work in Russian nuclear-power plant, once during this Stuxnet time, sent a message that the nuclear-plant network, which is disconnected from the Internet … sent a message that their internal network is badly infected by Stuxnet."
"So, unfortunately, these people who are responsible for offensive technologies," he concluded, "they recognize cyberweapons as an opportunity."
The truth about Stuxnet
It's quite possible that Stuxnet did infect an internal network at a Russian nuclear plant. The Stuxnet worm was designed to infect Windows computers controlling Siemens System 7 programmable logic controllers at nuclear facilities.
However, it's very unlikely that Stuxnet did any damage at the Russian plant. The worm was precisely calibrated to attack one specific facility: Iran's Natanz uranium-processing plant.
At Natanz, Stuxnet activated its payload, hijacked Natanz's computer system, destroyed crucial equipment and set back Iran's nuclear program by months, if not years.
Kaspersky's sensational-sounding comments, combined with reporters hungry for news about evil hackers and cyberwar, yet not well versed on the background details, meant that many media outlets got what Kaspersky said flat-out wrong.
At least one of them eventually got it right.
"This article originally said the ISS was infected with Stuxnet," said the Atlantic in a correction. "Upon further review of Kaspersky's statements, that's not the case. We're sorry for the confusion."