11/11/2014 04:45 PM

Stuxnet 'Patient Zero' Attack Targets Revealed

Researchers name five Iranian industrial control systems companies attacked in 2009-2010, and they question whether USB sticks were really the method of infection.

Research released today challenges some earlier analysis of the Stuxnet attacks of 2009 and 2010.

The Stuxnet malware was considered a harbinger of a new era of state-sponsored attacks on control systems, after it infected the Natanz uranium enrichment complex in Iran and later spread through the Internet to other organizations. Some earlier assessments said that a coding error in Stuxnet caused it to be leaked from Natanz. Newer theories state that Stuxnet leaked after infecting five "patients zero" -- all companies in the Iranian industrial control system supply chain -- in order to reach Natanz.

Today, Symantec and Kaspersky Lab released the identities of these patients zero and more information, based on analysis of more than 2,000 Stuxnet files. The reports were published in conjunction with the release of Countdown to Zero Day, a new book written by Kim Zetter and based in part on interviews with Kaspersky and Symantec researchers.

As Kaspersky explained in a Securelist blog today:

    For Stuxnet to be effective and penetrate the highly guarded installations where Iran was developing its nuclear program, the attackers had a tough dilemma to solve: how to sneak the malicious code into a place with no direct internet connections? The targeting of certain "high profile" companies was the solution and it was probably successful.

Researchers were able to track backward to these companies -- the "patients zero" -- because the attackers rather helpfully left "bread crumbs" in each Stuxnet sample. As Symantec's Liam O Murchu writes in a blog post today:

    Every time Stuxnet executes, it records some information about the computer it is executing on and stores that within the executable file itself, creating a new unique executable in the process. As a result, every unique executable contains an embedded and ordered list showing the computers it has previously infected.

The bread crumbs led back to five organizations, all in the Iranian industrial control systems arena, including several that are on the US government's sanctions lists:

1. Foolad Technic Engineering Company
This company headquartered in Isfahan creates automated systems for Iranian industrial facilities. Examining the attack on Foolad and the timestamp of the Stuxnet code, Kaspersky researchers concluded that the systems could not have been infected via a USB stick containing the malware. From Kaspersky:

    The Stuxnet 2009 version (we will refer to it as Stuxnet.a) was created on June 22, 2009. This information is present in the worm's body -- in the form of the main module's compilation date. Just a few hours after that, the worm infected its first computer. Such a short time interval between creating the file and infecting the first computer almost completely rules out infection via USB drive -- the USB stick simply can't have passed from the worm's authors to the organization under attack in such a short time.

2. Behpajooh
Also based in Isfahan, Behpajooh develops industrial automation systems. In 2006, the company was implicated as the recipient of banned weapons technology smuggled into the country, including pressure sensors used to trigger explosives. According to Kaspersky, "This organization's infection in the course of the second attack (in March 2010) led to the widest distribution of Stuxnet -- first in Iran, then across the globe."

3. Neda Industrial Group
Neda provides industrial automation services for power plants and the oil, gas, and petrochemical sector. It was placed on the sanctions list by the US Department of Justice, which charged it with illegal export of US-manufactured commodities with military applications to "prohibited entities" and to Iran.

4. Control-Gostar Jahed Company
The Iranian industrial automation company has ties to Iranian businesses in the oil production, metallurgy, and energy supply sectors.

5. Kala Electric (a.k.a. Kalaye Electric)
The attack on Kala was launched from three computers on the same day. According to Kaspersky:

    This is in fact an ideal target for an attack, given Stuxnet's main objective (which is to render uranium enrichment centrifuges inoperable), available information on Iran's nuclear program, and the logic of the worm's propagation.

    Of all other companies, Kala Electric is named as the main manufacturer of the Iranian uranium enrichment centrifuges.

Kala has been labeled as an "entity of concern" by government agencies in the US, the United Kingdom, and Japan because of its potential to divert items to programs related to the development of weapons of mass destruction.

The researchers do not pose any new theories about the perpetrators of the attacks, though experts have pointed to a joint effort between the United States and Israel.
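The two analysis techniques quoted above, Symantec's embedded ordered list of previously infected hosts and Kaspersky's comparison of the compile date with the first infection time, can be combined into a small forensic script. This is an added example and not code from Symantec, Kaspersky or the article; the record format, host names, timestamps and the one-day transit threshold are all constructed assumptions, since the page does not describe Stuxnet's actual on-disk layout.

```python
from datetime import datetime, timedelta

# Constructed sample records (hypothetical format, not Stuxnet's real layout).
# Each sample carries the compile time of the main module and the ordered list
# of (hostname, timestamp) entries the worm appended on each execution,
# oldest first.
COMPILE_TIME = datetime(2009, 6, 22, 0, 0)
SAMPLES = {
    "sample-A": [("FOOLAD-PC1", datetime(2009, 6, 22, 5, 30)),
                 ("FOOLAD-PC7", datetime(2009, 6, 23, 9, 0))],
    "sample-B": [("FOOLAD-PC1", datetime(2009, 6, 22, 5, 30)),
                 ("FOOLAD-PC7", datetime(2009, 6, 23, 9, 0)),
                 ("BEHPAJOOH-WS3", datetime(2009, 7, 7, 11, 15))],
    "sample-C": [("KALA-ENG2", datetime(2009, 7, 15, 8, 0))],
}


def infection_edges(samples):
    """Turn each sample's ordered host list into parent->child edges:
    consecutive entries mean the earlier host infected the later one."""
    edges = set()
    for chain in samples.values():
        for (parent, _), (child, _) in zip(chain, chain[1:]):
            edges.add((parent, child))
    return edges


def patient_zeros(samples):
    """Hosts that open a chain and never appear as a child in any sample:
    the earliest reachable point of each infection lineage."""
    children = {child for _, child in infection_edges(samples)}
    firsts = {chain[0][0]: chain[0][1] for chain in samples.values() if chain}
    return {host: t for host, t in firsts.items() if host not in children}


def usb_plausible(compile_time, first_infection, min_transit=timedelta(days=1)):
    """Kaspersky's argument: a USB stick needs physical transit time from the
    authors to the target, so a gap of only hours argues against that vector.
    min_transit is an assumed threshold, not a value from the page."""
    return first_infection - compile_time >= min_transit


def assess(samples, compile_time):
    """For each patient zero: hours elapsed since compilation and whether a
    USB hand-off is plausible under the assumed transit threshold."""
    return {host: ((t - compile_time).total_seconds() / 3600,
                   usb_plausible(compile_time, t))
            for host, t in patient_zeros(samples).items()}


if __name__ == "__main__":
    for host, (hours, usb) in assess(SAMPLES, COMPILE_TIME).items():
        print(f"{host}: {hours:.1f} h after compile, USB plausible: {usb}")
```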

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Christian Bryant,
User Rank: Ninja
11/13/2014 | 6:51:44 PM
Insider Espionage?
If we are to take the information at face value, we need to think about how worms like Stuxnet are implemented.  If the computer at Foolad Technic Engineering Company was infected just hours after the worm's creation, then yes, the idea of infection via USB isn't as likely, unless the worm was either written there onsite (which could have even been done on the first computer infected) or it was downloaded by an insider who was in communication with the Stuxnet authors and was waiting for it to be completed before downloading it.  There is great significance in the short time frame between creation of Stuxnet and infection of the first computer.  We could be looking at insider espionage, and investigation of who was working at Foolad during that timeframe will likely lead to identification of the original perpetrators.  I'm no political scientist, but after reading all the original articles linked from the Wikipedia page on Stuxnet, and newer ones since, one wonders if we aren't actually looking at self-sabotage (whether or not the actual writers of the code were based in Iran – it could have been made to order).  

I recall reading that several facts of the attack would make self-sabotage out of the question, the argument being that if the Iranians at the plants were going to sabotage themselves, they wouldn't create such a complex worm to do it.  Expense, intelligence involved, sheer hours to develop the work and the fact all the exploits it used were exposed and can't necessarily be used again; all point to external players.  Additionally, highly-guarded authentic private keys from two large companies were compromised and used to digitally-sign the worm, making the software "authentic", and the fact that four (at least) zero-day exploits were used to spread this worm - hardcore.  But I'd argue that we've seen more sophistication in the Middle East that we'd previously given credit for, even if it was gained through working with outsiders.  Remember, these plants are staffed with sharp engineers and whatever the reason for it, there could easily have been a motive for someone in one of the organizations listed, Foolad standing out, to kick off Stuxnet.         
Marilyn Cohodas,
User Rank: Strategist
11/12/2014 | 8:47:01 AM
Re: stuxnet
Yes, I definitely want to put the book on my reading list...
Bprince,
User Rank: Ninja
11/12/2014 | 8:17:01 AM
stuxnet
The malware was a game changer in so many ways. Looking forward to reading this when I get a chance.
RyanSepe,
User Rank: Ninja
11/12/2014 | 7:46:39 AM
Re: Stuxnet
Agreed, it truly is fascinating and terrifying at the same time. Has this attack evolved since its original inception or has it remained pretty close to a constant?
Thomas Claburn,
User Rank: Ninja
11/11/2014 | 5:25:18 PM
Stuxnet
I find the Stuxnet endlessly fascinating. I look forward to reading Kim Zetter's account.