Security researchers have revealed five Iranian organizations which they say were the primary targets of the infamous Stuxnet campaign, including one described as the “patient zero” of the 2010 global epidemic.
The updates from Symantec and Kaspersky Lab come after the publication of a new book, Countdown to Zero Day, which is said to include new information about the notorious malware attack on Iran’s nuclear program.
They claim for the first time that Stuxnet’s 2009 and 2010 variants were initially targeted at five firms — contractors at the Natanz plant involved mainly in industrial automation. This would seem to indicate that its final target was indeed a uranium enrichment facility at Natanz.
The researchers were able to work out the identities of the initial targets of the 2009 and 2010 Stuxnet versions because of a quirk of the worm, as Kaspersky Lab explained:
“When infecting a new computer, Stuxnet saves information about the infected system's name, Windows domain and IP address. This information is stored in the worm's internal log and is augmented with new data when the next victim is infected. As a result, information on the path travelled by the worm can be found inside Stuxnet samples and used to establish from which computer the infection began to spread.”
The five Iranian organizations in question were industrial automation systems manufacturer Foolad Technic Engineering; SCADA/PLC firm Behpajooh; Neda Industrial Group; Control-Gostar Jahed Company; and Kala Electric — which is said to manufacture Iran’s uranium enrichment centrifuges.
From June 2009 to May 2010, three organizations were targeted once, one was targeted twice, and another was targeted three times. They suffered 12,000 infections over the period from 3,280 Stuxnet samples, according to Symantec.
Kaspersky Lab said it was an attack on Behpajooh in March 2010 that led to Stuxnet “leaking” into the wild after it infected other organizations in Iran and then elsewhere around the world — ultimately leading to its public discovery.
It is thought that, due to a programming error, Stuxnet managed to spread from Behpajooh to the corporate network of Iran’s largest steelmaker, the Mobarakeh Steel Company.
“Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months,” Kaspersky Lab wrote.
“For example, the analysis of logs shows that by July 2010 this branch of the infection reached computers in Russian and Belarusian companies.”