Research released today challenges some earlier analysis of the Stuxnet attacks of 2009 and 2010.
The Stuxnet malware was considered a harbinger of a new era of state-sponsored attacks on control systems, after it infected the Natanz uranium enrichment complex in Iran and later spread through the Internet other organizations. Some earlier assessments said that a coding error in Stuxnet caused it to be leaked from Natanz. Newer theories state that Stuxnet leaked after infecting five "patients zero" -- all companies in the Iranian industrial control system supply chain -- in order to reach Natanz.
Today, Symantec and Kaspersky Lab released the identities of these patients zero and more information, based on analysis of more than 2,000 Stuxnet files. The reports were published in conjunction with the release of Countdown to Zero Day, a new book written by Kim Zetter and based in part on interviews with Kaspersky and Symantec researchers.
As Kaspersky explained in a Securelist blog today:
- For Stuxnet to be effective and penetrate the highly guarded installations where Iran was developing its nuclear program, the attackers had a tough dilemma to solve: how to sneak the malicious code into a place with no direct internet connections? The targeting of certain "high profile" companies was the solution and it was probably successful.
Researchers were able to track backward to these companies -- the "patients zero" -- because the attackers' rather helpfully left "bread crumbs" in each Stuxnet sample. As Symantec's Liam O Murchu writes in a blog post today:
- Every time Stuxnet executes, it records some information about the computer it is executing on and stores that within the executable file itself, creating a new unique executable in the process. As a result, every unique executable contains an embedded and ordered list showing the computers it has previously infected.
The bread crumbs led back to five organizations, all in the Iranian industrial control systems arena, including several that are on the US government's sanctions lists:
1. Foolad Technic Engineering Company
This company headquartered in Isfahan creates automated systems for Iranian industrial facilities. Examining the attack on Foolad and the timestamp of the Stuxnet code, Kaspersky researchers concluded that the systems could not have been infected via a USB stick containing the malware. From Kaspersky:
- The Stuxnet 2009 version (we will refer to it as Stuxnet.a) was created on June 22, 2009. This information is present in the worm's body -- in the form of the main module's compilation date. Just a few hours after that, the worm infected its first computer. Such a short time interval between creating the file and infecting the first computer almost completely rules out infection via USB drive -- the USB stick simply can't have passed from the worm's authors to the organization under attack in such a short time.
Also based in Isfahan, Behpajoo develops industrial automation systems. In 2006, the company was implicated as the recipient of banned weapons technology smuggled into the country, including pressure sensors used to trigger explosives. According to Kaspersky, "This organization's infection in the course of the second attack (in March 2010) led to the widest distribution of Stuxnet -- first in Iran, then across the globe."
3. Neda Industrial Group
Neda provides industrial automation services for power plants and the oil, gas, and petrochemical sector. It was placed on the sanctions list by the US Department of Justice, which charged it with illegal export of US-manufactured commodities with military applications to "prohibited entities" and to Iran.
4. Control-Gostar Jahed Company
The Iranian industrial automation company has ties to Iranian businesses in the oil production, metallurgy, and energy supply sectors.
5. Kala Electric (a.k.a. Kalaye Electric)
The attack on Kala was launched from three computers on the same day. According to Kaspersky.
- This is in fact an ideal target for an attack, given Stuxnet's main objective (which is to render uranium enrichment centrifuges inoperable), available information on Iran's nuclear program, and the logic of worm's propagation.
Of all other companies, Kala Electric is named as the main manufacturer of the Iranian uranium enrichment centrifuges.
Kala has been labeled as an "entity of concern" by government agencies in the US, the United Kingdom, and Japan because of its potential to divert items to programs related to the development of weapons of mass destruction.
The researchers do not pose any new theories about the perpetrators of the attacks, though experts have pointed to a joint effort between the United States and Israel.