The Stuxnet attacks focused on five locations in Iran, says a report released last week by Symantec, one of the world's largest computer security software companies and one that has been leading much of the research on the worm.
Between June 2009 and May 2010, Stuxnet struck in three waves, hitting at least one of the five organizations every single time in what is presumed to be an effort to target the nuclear enrichment facilities of Iran.
“These five organizations were infected, and from those five computers Stuxnet spread out—not to just computers in those organizations, but to other computers as well,” said Liam O Murchu, manager of operations for Symantec Security Response. “It all started with those five original domains.”
At least 12,000 infections can be traced back to these five organizations, but Symantec researchers would not identify the five sites. O Murchu noted only that all are “involved in industrial processing.”
“We know the exact configuration of the system [Stuxnet developers] were looking for,” O Murchu said. “We know they were looking for a certain number of frequency converters. And each of those frequency converters controls a certain number of motors. And those numbers fit in with what you expect to see in a uranium enrichment facility.”
Stuxnet was carefully designed to do no harm unless and until it found that enrichment facility. In other words, while Stuxnet produced 12,000 infections, it did not harm all those sites; it merely used them as carriers, like Typhoid Mary.
Because of high security, it is probable that a potential target like the Natanz facility, where Iran is enriching uranium, does not have Internet access. To infect such a site, attackers could go through a third party, such as these five original organizations, which are likely to share information, and thus the worm, with Natanz. Stuxnet was designed to spread through USB sticks or flash drives, which allow the malware to be carried from one machine to another.
Symantec said only 12 hours passed between the time the first Stuxnet version was completed (a time that could be determined from records within Stuxnet) and the time Stuxnet invaded its initial target in June 2009. Therefore, Stuxnet's designers probably had immediate access to an Iranian insider who, intentionally or unknowingly, introduced Stuxnet through an email or a contaminated USB drive.
“This tells us that the attackers more than likely knew who they wanted to infect before they completed the code,” O Murchu said. “They knew in advance who they wanted to target and how they were going to get it there.”
Once there, Stuxnet spread via USB ports, not the Internet, until it reached its final target. When it found particular control systems made by the German company Siemens, it disrupted the system, mainly a uranium centrifuge array, while sending false data to the monitoring system so that overseers thought their system was functioning normally.
International inspectors found in late 2009 that Natanz had stopped using 1,000 gas centrifuges, making it probable that Stuxnet disabled a major portion of the complex.
Researchers have been able to record the movement of Stuxnet because, unlike most other worms, it records the location and type of computer each time it infects, thus allowing its creators to monitor its success at reaching the target.
Symantec and other security firms working on the project have collected and analyzed 3,280 unique samples of the code, which has infected more than 100,000 computers across the world. At least three versions of the program have been found, released over the 10 months before Stuxnet was discovered.
This week, the “hacktivist” group Anonymous, known for disabling the websites of governments and multinational corporations it feels threaten freedom of speech, claimed to have access to Stuxnet after hacking into the emails of the US security company HBGary. The group has not said whether it will use the malware, which would be a new tactic for the collective, but did say last week that it planned to support the green opposition movement in Iran by attacking government websites.
Experts say there is little to fear from Anonymous's claims, since using Stuxnet requires the original source code, or blueprint, to take advantage of its capabilities. Anonymous has obtained only the “decompiled” version of the worm, which would not allow for an attack, says senior threat researcher Snorre Fagerland of the Norwegian Internet security firm Norman.
“The trouble with this is that you lose almost all context to its abilities,” Fagerland said. “The original source code would contain all the text information about why it’s built this way – that’s gold if you want to use it. If you decompile it, you lose all of that,” he said.