11/11/2014 04:45 PM

Stuxnet 'Patient Zero' Attack Targets Revealed

Researchers name five Iranian industrial control systems companies attacked in 2009-2010, and they question whether USB sticks were really the method of infection.

Research released today challenges some earlier analysis of the Stuxnet attacks of 2009 and 2010.

The Stuxnet malware was considered a harbinger of a new era of state-sponsored attacks on control systems, after it infected the Natanz uranium enrichment complex in Iran and later spread through the Internet to other organizations. Some earlier assessments said that a coding error in Stuxnet caused it to be leaked from Natanz. Newer theories state that Stuxnet leaked after infecting five "patients zero" -- all companies in the Iranian industrial control system supply chain -- in order to reach Natanz.

Today, Symantec and Kaspersky Lab released the identities of these patients zero and more information, based on analysis of more than 2,000 Stuxnet files. The reports were published in conjunction with the release of Countdown to Zero Day, a new book written by Kim Zetter and based in part on interviews with Kaspersky and Symantec researchers.

As Kaspersky explained in a Securelist blog today:

    For Stuxnet to be effective and penetrate the highly guarded installations where Iran was developing its nuclear program, the attackers had a tough dilemma to solve: how to sneak the malicious code into a place with no direct internet connections? The targeting of certain "high profile" companies was the solution and it was probably successful.

Researchers were able to track backward to these companies -- the "patients zero" -- because the attackers rather helpfully left "bread crumbs" in each Stuxnet sample. As Symantec's Liam O Murchu writes in a blog post today:

    Every time Stuxnet executes, it records some information about the computer it is executing on and stores that within the executable file itself, creating a new unique executable in the process. As a result, every unique executable contains an embedded and ordered list showing the computers it has previously infected.

The bread crumbs led back to five organizations, all in the Iranian industrial control systems arena, including several that are on the US government's sanctions lists:

1. Foolad Technic Engineering Company
This company headquartered in Isfahan creates automated systems for Iranian industrial facilities. Examining the attack on Foolad and the timestamp of the Stuxnet code, Kaspersky researchers concluded that the systems could not have been infected via a USB stick containing the malware. From Kaspersky:

    The Stuxnet 2009 version (we will refer to it as Stuxnet.a) was created on June 22, 2009. This information is present in the worm's body -- in the form of the main module's compilation date. Just a few hours after that, the worm infected its first computer. Such a short time interval between creating the file and infecting the first computer almost completely rules out infection via USB drive -- the USB stick simply can't have passed from the worm's authors to the organization under attack in such a short time.

2. Behpajooh
Also based in Isfahan, Behpajooh develops industrial automation systems. In 2006, the company was implicated as the recipient of banned weapons technology smuggled into the country, including pressure sensors used to trigger explosives. According to Kaspersky, "This organization's infection in the course of the second attack (in March 2010) led to the widest distribution of Stuxnet -- first in Iran, then across the globe."

3. Neda Industrial Group
Neda provides industrial automation services for power plants and the oil, gas, and petrochemical sector. It was placed on the sanctions list by the US Department of Justice, which charged it with illegal export of US-manufactured commodities with military applications to "prohibited entities" and to Iran.

4. Control-Gostar Jahed Company
The Iranian industrial automation company has ties to Iranian businesses in the oil production, metallurgy, and energy supply sectors.

5. Kala Electric (a.k.a. Kalaye Electric)
The attack on Kala was launched from three computers on the same day. According to Kaspersky:

    This is in fact an ideal target for an attack, given Stuxnet's main objective (which is to render uranium enrichment centrifuges inoperable), available information on Iran's nuclear program, and the logic of the worm's propagation.

    Of all other companies, Kala Electric is named as the main manufacturer of the Iranian uranium enrichment centrifuges.

Kala has been labeled as an "entity of concern" by government agencies in the US, the United Kingdom, and Japan because of its potential to divert items to programs related to the development of weapons of mass destruction.
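The two forensic ideas the article leans on are worth seeing in code: Symantec's point that every sample carries an ordered list of the hosts it has passed through, so a set of samples can be merged into a propagation tree whose roots are the candidate patients zero, and Kaspersky's point that the interval between a sample's build timestamp and its first recorded infection constrains how it could have arrived. The script below is an added example written for this page; it is not code from Symantec, Kaspersky, or the Stuxnet samples themselves. The record layout, host names, sample labels and all timestamps (the hours in particular) are constructed for illustration; only the June 2009 date echoes the article.

```python
"""Added example (not from the Symantec or Kaspersky reports): reconstruct an
infection chain from the ordered host records each sample carries, and compute
the build-to-first-infection interval. Every host name, label, time and record
layout here is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class HopRecord:
    host: str           # identifier the sample wrote into itself when it ran (constructed)
    seen_at: datetime   # time that record was written (constructed)


@dataclass(frozen=True)
class Sample:
    label: str                   # placeholder label, not a real file hash
    compiled_at: datetime        # build timestamp carried in the binary (constructed)
    hops: tuple[HopRecord, ...]  # ordered oldest -> newest, as the article describes


def build_propagation_tree(samples):
    """Merge every sample's ordered hop list into one parent map.

    Returns (parent, roots, conflicts):
      parent    -> {child_host: host that infected it}
      roots     -> hosts that never appear as a child (candidate patients zero)
      conflicts -> (host, parent_already_recorded, parent_claimed) where two
                   samples disagree; flagged for the analyst, never overwritten
    """
    parent, hosts, conflicts = {}, set(), []
    for s in samples:
        hosts.update(r.host for r in s.hops)
        for prev, cur in zip(s.hops, s.hops[1:]):
            if cur.host in parent and parent[cur.host] != prev.host:
                conflicts.append((cur.host, parent[cur.host], prev.host))
                continue
            parent[cur.host] = prev.host
    roots = sorted(h for h in hosts if h not in parent)
    return parent, roots, conflicts


def chain_to(parent, host):
    """Walk the parent map back from `host` to its root; returned root-first."""
    chain, seen = [host], {host}
    while parent.get(chain[-1]) is not None:
        nxt = parent[chain[-1]]
        if nxt in seen:  # a cycle means the records are inconsistent; refuse to guess
            raise ValueError(f"cycle in propagation records at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    return chain[::-1]


def hours_between_build_and_first_hop(sample):
    """Hours from the sample's build timestamp to its earliest recorded host."""
    first = min(r.seen_at for r in sample.hops)
    return (first - sample.compiled_at).total_seconds() / 3600


def earliest_root(samples):
    """Root host whose first record is the oldest across all samples."""
    _, roots, _ = build_propagation_tree(samples)
    first_seen = {}
    for s in samples:
        for r in s.hops:
            if r.host in roots:
                first_seen[r.host] = min(first_seen.get(r.host, r.seen_at), r.seen_at)
    return min(first_seen, key=first_seen.get)


# Constructed sample set: four "unique executables", each carrying the hosts it
# passed through. The June 2009 date echoes the article; all hours are invented.
BUILD = datetime(2009, 6, 22, 10, 0)
SAMPLES = (
    Sample("sample-1", BUILD, (HopRecord("host-a", datetime(2009, 6, 22, 13, 0)),
                               HopRecord("host-b", datetime(2009, 6, 23, 9, 0)))),
    Sample("sample-2", BUILD, (HopRecord("host-a", datetime(2009, 6, 22, 13, 0)),
                               HopRecord("host-b", datetime(2009, 6, 23, 9, 0)),
                               HopRecord("host-c", datetime(2009, 6, 25, 11, 0)))),
    Sample("sample-3", BUILD, (HopRecord("host-a", datetime(2009, 6, 22, 13, 0)),
                               HopRecord("host-d", datetime(2009, 6, 24, 8, 0)))),
    Sample("sample-4", BUILD, (HopRecord("host-e", datetime(2009, 7, 1, 10, 0)),
                               HopRecord("host-f", datetime(2009, 7, 2, 10, 0)))),
)

if __name__ == "__main__":
    parent, roots, conflicts = build_propagation_tree(SAMPLES)
    print("candidate patients zero:", roots)
    print("chain to host-c:", " -> ".join(chain_to(parent, "host-c")))
    print("conflicting records:", conflicts)
    for s in SAMPLES:
        print(f"{s.label}: first hop {hours_between_build_and_first_hop(s):.1f} h after build")
    print("earliest root:", earliest_root(SAMPLES))
```

Two design points matter for real analysis. Disagreements between samples about who infected a host are reported as conflicts rather than silently overwritten, because a conflict is itself evidence (a host reinfected from a second source, or a tampered record). And the timing check is deliberately per sample: a short build-to-first-hop interval, as Kaspersky argues for Foolad, is only meaningful when the build timestamp is trusted, so an analyst would corroborate it against other sources before drawing the delivery-method conclusion.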

The researchers do not pose any new theories about the perpetrators of the attacks, though experts have pointed to a joint effort between the United States and Israel.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Christian Bryant, User Rank: Ninja, 11/13/2014 | 6:51:44 PM
Insider Espionage?
If we are to take the information at face value, we need to think about how worms like Stuxnet are implemented. If the computer at Foolad Technic Engineering Company was infected just hours after the worm's creation, then yes, the idea of infection via USB isn't as likely, unless the worm was either written there onsite (which could have even been done on the first computer infected) or it was downloaded by an insider who was in communication with the Stuxnet authors and was waiting for it to be completed before downloading it. There is great significance in the short time frame between creation of Stuxnet and infection of the first computer. We could be looking at insider espionage, and investigation of who was working at Foolad during that timeframe will likely lead to identification of the original perpetrators. I'm no political scientist, but after reading all the original articles linked from the Wikipedia page on Stuxnet, and newer ones since, one wonders if we aren't actually looking at self-sabotage (whether or not the actual writers of the code were based in Iran – it could have been made to order).

I recall reading that several facts of the attack would make self-sabotage out of the question, the argument being that if the Iranians at the plants were going to sabotage themselves, they wouldn't create such a complex worm to do it. Expense, intelligence involved, sheer hours to develop the work and the fact that all the exploits it used were exposed and can't necessarily be used again; all point to external players. Additionally, highly guarded authentic private keys from two large companies were compromised and used to digitally sign the worm, making the software "authentic", and the fact that four (at least) zero-day exploits were used to spread this worm - hardcore. But I'd argue that we've seen more sophistication in the Middle East than we'd previously given credit for, even if it was gained through working with outsiders. Remember, these plants are staffed with sharp engineers and whatever the reason for it, there could easily have been a motive for someone in one of the organizations listed, Foolad standing out, to kick off Stuxnet.
Marilyn Cohodas, User Rank: Strategist, 11/12/2014 | 8:47:01 AM
Re: stuxnet
Yes, I definitely want to put the book on my reading list...
Bprince, User Rank: Ninja, 11/12/2014 | 8:17:01 AM
stuxnet
The malware was a game changer in so many ways. Looking forward to reading this when I get a chance.
RyanSepe, User Rank: Ninja, 11/12/2014 | 7:46:39 AM
Re: Stuxnet
Agreed, it truly is fascinating and terrifying at the same time. Has this attack evolved since its original inception or has it remained pretty close to a constant?
Thomas Claburn, User Rank: Ninja, 11/11/2014 | 5:25:18 PM
Stuxnet
I find Stuxnet endlessly fascinating. I look forward to reading Kim Zetter's account.