Research released today challenges some earlier analysis of the Stuxnet attacks of 2009 and 2010.

The Stuxnet malware was considered a harbinger of a new era of state-sponsored attacks on control systems, after it infected the Natanz uranium enrichment complex in Iran and later spread through the Internet other organizations. Some earlier assessments said that a coding error in Stuxnet caused it to be leaked from Natanz. Newer theories state that Stuxnet leaked after infecting five "patients zero" -- all companies in the Iranian industrial control system supply chain -- in order to reach Natanz.

Today, Symantec and Kaspersky Lab released the identities of these patients zero and more information, based on analysis of more than 2,000 Stuxnet files. The reports were published in conjunction with the release of Countdown to Zero Day, a new book written by Kim Zetter and based in part on interviews with Kaspersky and Symantec researchers.

As Kaspersky explained in a Securelist blog today:

Researchers were able to track backward to these companies -- the "patients zero" -- because the attackers' rather helpfully left "bread crumbs" in each Stuxnet sample. As Symantec's Liam O Murchu writes in a blog post today:

The bread crumbs led back to five organizations, all in the Iranian industrial control systems arena, including several that are on the US government's sanctions lists:

1. Foolad Technic Engineering Company
This company headquartered in Isfahan creates automated systems for Iranian industrial facilities. Examining the attack on Foolad and the timestamp of the Stuxnet code, Kaspersky researchers concluded that the systems could not have been infected via a USB stick containing the malware. From Kaspersky:

2. Behpajooh
Also based in Isfahan, Behpajoo develops industrial automation systems. In 2006, the company was implicated as the recipient of banned weapons technology smuggled into the country, including pressure sensors used to trigger explosives. According to Kaspersky, "This organization's infection in the course of the second attack (in March 2010) led to the widest distribution of Stuxnet -- first in Iran, then across the globe."

3. Neda Industrial Group
Neda provides industrial automation services for power plants and the oil, gas, and petrochemical sector. It was placed on the sanctions list by the US Department of Justice, which charged it with illegal export of US-manufactured commodities with military applications to "prohibited entities" and to Iran.

4. Control-Gostar Jahed Company
The Iranian industrial automation company has ties to Iranian businesses in the oil production, metallurgy, and energy supply sectors.

5. Kala Electric (a.k.a. Kalaye Electric)
The attack on Kala was launched from three computers on the same day. According to Kaspersky.

Kala has been labeled as an "entity of concern" by government agencies in the US, the United Kingdom, and Japan because of its potential to divert items to programs related to the development of weapons of mass destruction.

The researchers do not pose any new theories about the perpetrators of the attacks, though experts have pointed to a joint effort between the United States and Israel.