The code, believed to be state-sponsored, first made its way into the wild in 2005, security researchers say – and there is evidence that it was wreaking havoc with Iranian facilities even then.
Symantec has discovered that Stuxnet 0.5 predates what was believed to be the original worm launched in 2007. Discovered in July 2010, the virus targeted Siemens industrial software to throw various wrenches into the operations of the Natanz uranium enrichment facility in Iran. The earlier birth date, researchers found, correlates with fluctuations in the plant's production during that earlier time frame.
“To put this evolution in context, we have mapped key dates of Stuxnet development against low-enriched uranium (LEU) production levels at Natanz,” Symantec said in a blog post. “Interesting events are dips in feed or production amounts and lower levels of production given the same or greater feed amounts (gaps between the two lines).”
The discovery also changes the DNA of the worm. When Symantec first disclosed details about how Stuxnet affected the programmable logic controllers (PLCs) used for uranium enrichment in Natanz, it documented two attack strategies.
“We also noted that the one targeting 417 PLC devices was disabled,” the company said in a follow-up blog post. The earlier version, however, contains the fully operational 417 PLC device attack code.
“After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges,” researchers explained. “The attack essentially closes the valves causing disruption to the flow and possibly destruction of the centrifuges and related systems.”
Symantec added, “In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally. It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.”
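The snapshot-and-replay behaviour Symantec describes leaves a statistical fingerprint: real process telemetry carries sensor jitter, whereas replayed or held values repeat verbatim. The following is an added illustration, written from the plant operator's side and not code from Symantec or from the worm, of two simple checks a historian or monitoring system can run over a stream of readings. It assumes a hypothetical telemetry stream of (pressure, flow) tuples; the sample data is constructed here and does not model the S7-417 PLC or any real Natanz values.

```python
"""Spot replayed or frozen process telemetry (added example, constructed data)."""
from typing import Dict, List, Sequence, Tuple

Reading = Tuple[float, float]  # one hypothetical sample: (pressure, flow)

# Constructed "normal" operation: values drift slightly from sample to sample,
# as real sensor data does.
NORMAL: List[Reading] = [
    (5.01, 2.30), (5.03, 2.28), (4.98, 2.31),
    (5.02, 2.29), (5.00, 2.32), (4.99, 2.30),
]
FRESH: List[Reading] = [(5.04, 2.27), (4.97, 2.33)]

# Constructed replay scenario: the recorded NORMAL run is played back verbatim
# after two genuine samples, which is what operators would see during a replay.
REPLAYED_STREAM: List[Reading] = NORMAL + FRESH + NORMAL

# Constructed "held value" scenario: the reported reading simply stops changing.
FROZEN_STREAM: List[Reading] = NORMAL + [(5.00, 2.30)] * 5


def find_replayed_windows(samples: Sequence[Reading], window: int) -> List[Tuple[int, int]]:
    """Return (earlier_start, later_start) pairs where `window` consecutive
    readings reappear exactly, non-overlapping, later in the stream.

    Exact repetition of a whole run of readings is vanishingly unlikely in
    genuine jittery telemetry, so each pair is a candidate replay.
    """
    first_seen: Dict[Tuple[Reading, ...], int] = {}
    hits: List[Tuple[int, int]] = []
    for i in range(len(samples) - window + 1):
        key = tuple(samples[i:i + window])
        if key in first_seen and i >= first_seen[key] + window:
            hits.append((first_seen[key], i))
        else:
            first_seen.setdefault(key, i)
    return hits


def find_frozen_windows(samples: Sequence[Reading], window: int) -> List[int]:
    """Return start indices of runs of `window` identical readings.

    A sensor that reports the same value to full precision for several
    consecutive samples has usually stopped being a live measurement.
    """
    return [
        i for i in range(len(samples) - window + 1)
        if len(set(samples[i:i + window])) == 1
    ]


if __name__ == "__main__":
    # Usage over the constructed streams; a real deployment would feed
    # historian data and compare against an independent physical sensor.
    print("replay candidates:", find_replayed_windows(REPLAYED_STREAM, window=4))
    print("frozen candidates:", find_frozen_windows(FROZEN_STREAM, window=4))
```

Both checks are deliberately cheap so they can run on a historian rather than on the PLC itself; the point is that telemetry which the controller presents as normal can still be cross-checked for the absence of natural variation, independently of whatever the compromised device reports.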
Stuxnet is responsible for taking thousands of systems offline in the Iranian nuclear program. The authors of the malcode are widely thought to be the Israeli and US governments. And it appears to still be active. On Christmas Day last year, reports emerged that Iran had successfully repelled a new Stuxnet attack, this time primarily aimed at an electricity utility in the southern province of Hormozgan.
“A power plant and other industries in southern Iran have been targeted by the Stuxnet computer worm,” reported the BBC. “Accounts of the attacks in the official press did not specify who was responsible, when they were carried out or how they were thwarted. But they strongly suggested that the attacks had originated in the United States and Israel, which have been engaged in a shadowy struggle of computer sabotage with Iran.”