Did the Stuxnet cyberweapon infect the International Space Station?
Almost certainly not, but that hasn't stopped a lot of media outlets from saying so in bold headlines.
"The American-made Stuxnet virus has infected the International SpaceStation," said ExtremeTech. "Stuxnet, America's Nuclear Plant-Attacking Virus, Has Apparently Infected the International Space Station," trumpeted Vice. "Stuxnet, gone rogue, hit Russian nuke plant, space station," asserted the Times of Israel.
All three cited a speech that Eugene Kaspersky, head of Russian anti-virus firm Kaspersky Lab, gave to the Australian Press Club in Canberra last week.
But Kaspersky never said Stuxnet had infected the International Space Station. Rather, he offered two separate and unrelated anecdotes.
The first was one about non-specific malware being carried onboard the space station by astronauts. The other was about Stuxnet infecting a Russian nuclear-facility network. (Kaspersky offered no specifics for either claim.)
Viruses in space
"The space guys, from time to time, are coming with USBs, which are infected," Kaspersky said, according to The Atlantic. "I'm not kidding. I was talking to Russian space guys and they said, 'Yeah, from time to time, there are [computer] viruses on the space station.'"
This is at least partly true. In 2008, a Windows worm designed to steal online-game log-in credentials was found on laptops aboard the space station.
The space news site SpaceRef quoted NASA as saying, "Virus was never a threat to any of the computers used for cmd and cntl [command and control] and no adverse effect on ISS Ops [operations]."
It's not clear how the malware got on the laptops, but the BBC quoted NASA as saying "it was not the first time computer viruses had traveled into space."
Since then, most, if not all, of the laptops used by astronauts aboard the space station have been switched to the open-source Linux operating system, which many of the station's built-in systems already ran. Linux has far fewer malware issues than Windows.
Stuxnet and the nukes
Regarding Stuxnet infecting the Russian nuclear network, Kaspersky made that claim during a long response to an audience question about governmental attitudes toward industrial-control system vulnerabilities.
"Departments which are responsible for offense, they see it as opportunity. They don't understand that in cyberspace, everything you do is a boomerang. It will get back to you," Kaspersky said.
"Stuxnet — which was, well, I don't know, but, if you believe American media, it was developed by American and Israel secret services— Stuxnet, against Iran, to damage Iranian nuclear power program," he continued.
"How many computers, how many enterprises, were hit by Stuxnet in United States? Do you know? I don't know, but many. Last year, for example, Chevron, they [admitted] that they were badly infected by Stuxnet," Kaspersky said.
"A friend of mine," Kaspersky said, "work in Russian nuclear-power plant, once during this Stuxnet time, sent a message that the nuclear-plant network, which is disconnected from the Internet … sent a message that their internal network is badly infected by Stuxnet.
"So, unfortunately, these people who are responsible for offensive technologies," he concluded, "they recognize cyberweapons as an opportunity."
The truth about Stuxnet
It's quite possible that Stuxnet did infect an internal network at a Russian nuclear plant. The Stuxnet worm was designed to infect Windows computers controlling Siemens System 7 programmable logic controllers at nuclear facilities.
However, it's unlikely that Stuxnet did any damage at the Russian plant. The worm was precisely calibrated to attack one specific facility: Iran's Natanz uranium-processing plant.
At Natanz, Stuxnet activated its payload, hijacked Natanz's computer system, destroyed crucial equipment and set back Iran's nuclear program by months, if not years.
Kaspersky's sensational-sounding comments, combined with reporters hungry for news about evil hackers and cyberwar, yet not well-versed on the background details, meant that many media outlets got what Kaspersky said flat-out wrong.
At least one of them eventually got it right.
"This article originally said the ISS was infected with Stuxnet," The Atlantic said in a correction. "Upon further review of Kaspersky's statements, that's not the case. We're sorry for the confusion."