Symantec's Murchu, like other researchers, says just why Stuxnet spread beyond its targeted Siemens PLC system remains a mystery. "From looking at the code and the way it was written, and the techniques used in it, they didn't want this to spread ... It was to stay local to the company it was trying to infect," he says. "Somehow it did spread. It looks like they wanted to keep it low-key, and maybe it spread" somehow, he says.
Michael Sconzo, principal security consultant with NetWitness, concurs that the attackers letting the worm escape into the wild just doesn't add up. "Why invest all of that time and money buying zero-days and let it get out into the wild," Sconzo says. "If that and you steal a digital certificate, I would think that they would have been careful the worm didn't get out of hand."
Even so, the attack raises the bar for what has been seen thus far in targeted attacks. "Yesterday the world learned that all the stuff covered so far about zero-days, a rootkit, and a botnet wasn't what the [attackers] were trying to do. What they were doing was getting into the actual control software at the deepest level," Cigital's McGraw says.
A German researcher says the attack was likely aimed at an Iranian nuclear power plant. Ralph Langner said in a blog posting that the attack is "sabotage" and required much insider knowledge in order to pull off. "The best way to approach Stuxnet is not to think of it as a piece of malware like Sasser or Zotob, but to think of it as part of an operation -- operation myrtus. Operation myrtus can be broken down into three major stages: Preparation, infiltration, and execution," he wrote.
Researchers agree this was a highly coordinated attack that required various types of skill. "You needed people skilled in different areas to make this work: a person who writes code that affects PLCs is different from a person who infects USB drives. The skills needed to write this code are very different" for each, says Murchu.
It was likely a large project team, with a project manager, some quality assurance, and testing elements as well, he says. "They had to identify what type of hardware, PLCs, and then after that was established, creating the project to fit the target they were trying to attack. You get people who know SCADA and can test on PLCs," he says. "This was either an industrial funded group with deep pockets, or nation-state sponsored. But I am only speculating here."
Meanwhile, although the specific payload of Stuxnet is aimed only at the Siemens S7, experts say the malware model is likely to be reused in some way and emulated in future targeted attacks. "We'll see more of these types of things in the future," says Marc Maiffret, chief technology officer at eEye Digital Security.