For the first time since Stuxnet was discovered in 2010, researchers have publicly named the worm’s original victims: five Iranian companies involved in industrial automation.
Stuxnet is considered to be the first known cyberweapon. It is believed to have been created by the U.S. and Israel in order to attack and slow down Iran’s nuclear program.
The worm, which has both espionage and sabotage functionality, is estimated to have destroyed up to 1,000 uranium enrichment centrifuges at a nuclear plant near the city of Natanz in Iran. It eventually spread out of control and infected hundreds of thousands of systems worldwide, leading to its discovery in June 2010.
Security researchers from Kaspersky Lab and Symantec reported Tuesday that while the nuclear facility at Natanz might have been the ultimate target of Stuxnet’s creators, the initial victims were five Iranian companies with likely ties to the country’s nuclear program. Their reports coincided with the release of “Countdown to Zero Day”, a book about Stuxnet by journalist Kim Zetter, which is partially based on interviews with researchers who investigated the threat.
Every time Stuxnet executes on a computer it saves information about that computer inside its executable file. This information includes the computer’s name, its IP address and the workgroup or domain it’s part of. When the worm spreads to a new computer it adds information about the new system to its main file as well, creating a trail of digital breadcrumbs.
“Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz,” Symantec researcher Liam O Murchu said in a blog post. “In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work. This technical proof shows that Stuxnet did not escape from Natanz to infect outside companies but instead spread into Natanz.”
The Kaspersky Lab researchers reached the same conclusion and they even named the companies they believe might have served as “patient zero.”
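The tracing the researchers describe rests on one idea: because each sample carries an ordered list of the hosts it ran on, a set of samples collected from different sites can be merged into a propagation graph whose roots are the candidate "patient zero" machines, and a site that only ever appears at the tail of trails was infected from outside rather than being the source. The following Python is an added illustration of that analysis, not code from the article or from Kaspersky Lab or Symantec. The record format it parses (one `host|ip|domain|seen` line per hop) is an assumption made for the example and is not Stuxnet's real binary layout; the three sample logs, the hostnames, addresses and domains are constructed.

```python
"""Reconstruct infection chains from per-sample breadcrumb trails (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One breadcrumb record: the fields the article says the worm stored about a host."""
    hostname: str
    ip: str
    domain: str
    seen: int  # constructed ordering value for when the record was appended


def parse_trail(text: str) -> list[Hop]:
    """Parse one sample's trail. Format is an assumption of this example:
    one record per line, 'host | ip | domain | seen', '#' starts a comment."""
    hops: list[Hop] = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ip, domain, seen = (field.strip() for field in line.split("|"))
        hops.append(Hop(host, ip, domain, int(seen)))
    return hops


# Constructed sample logs, as if recovered from three samples found at different sites.
SAMPLE_LOGS = {
    "sample-1": """
        ENG-PC-01 | 10.1.0.11 | VENDOR-A | 1
        ENG-PC-04 | 10.1.0.14 | VENDOR-A | 2
        PLC-WS-02 | 10.9.0.22 | PLANT    | 5
    """,
    "sample-2": """
        ENG-PC-01 | 10.1.0.11 | VENDOR-A | 1
        ENG-PC-04 | 10.1.0.14 | VENDOR-A | 2
        OFFICE-17 | 10.9.1.17 | PLANT    | 6
        PLC-WS-09 | 10.9.0.29 | PLANT    | 8
    """,
    "sample-3": """
        ADMIN-PC  | 10.2.0.5  | VENDOR-B | 3
        PLC-WS-02 | 10.9.0.22 | PLANT    | 7
    """,
}
TRAILS = {name: parse_trail(log) for name, log in SAMPLE_LOGS.items()}


def build_graph(trails: dict[str, list[Hop]]) -> dict[str, set[str]]:
    """Directed graph host -> hosts it passed the worm to, from consecutive records."""
    graph: dict[str, set[str]] = defaultdict(set)
    for hops in trails.values():
        for parent, child in zip(hops, hops[1:]):
            graph[parent.hostname].add(child.hostname)
        for hop in hops:
            graph.setdefault(hop.hostname, set())
    return dict(graph)


def origins(trails: dict[str, list[Hop]]) -> set[str]:
    """Hosts that head at least one trail and never appear as a later hop anywhere:
    the candidate 'patient zero' machines."""
    firsts = {hops[0].hostname for hops in trails.values() if hops}
    later = {hop.hostname for hops in trails.values() for hop in hops[1:]}
    return firsts - later


def origin_domains(trails: dict[str, list[Hop]]) -> list[str]:
    """Domains or workgroups in which the collected samples originated."""
    return sorted({hops[0].domain for hops in trails.values() if hops})


def spread_into(trails: dict[str, list[Hop]], domain: str) -> bool:
    """True when every trail that touches `domain` started somewhere else, i.e. the
    worm moved into that site rather than escaping from it."""
    touching = [hops for hops in trails.values() if any(h.domain == domain for h in hops)]
    return bool(touching) and all(hops[0].domain != domain for hops in touching)


def path_to(trails: dict[str, list[Hop]], target: str) -> list[str]:
    """Earliest recorded route by which `target` was reached: the prefix of the trail
    that reached it with the lowest 'seen' value."""
    best: list[Hop] | None = None
    for hops in trails.values():
        for index, hop in enumerate(hops):
            if hop.hostname == target and (best is None or hop.seen < best[-1].seen):
                best = hops[: index + 1]
    return [hop.hostname for hop in best] if best else []


if __name__ == "__main__":
    print("origins:", sorted(origins(TRAILS)), "in", origin_domains(TRAILS))
    print("PLANT was infected from outside:", spread_into(TRAILS, "PLANT"))
    print("route to PLC-WS-02:", " -> ".join(path_to(TRAILS, "PLC-WS-02")))
```

On the constructed data, `origins` returns the two vendor-side machines and `spread_into(TRAILS, "PLANT")` is true, which is the shape of the argument O Murchu makes: no trail starts inside the plant, so the samples spread into it. The same code applied to a domain that heads a trail returns false, which is how one would distinguish a source site from a destination.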
The 2009 version of Stuxnet, dubbed Stuxnet.a, was compiled on June 22, 2009, based on a date found in the collected samples. A day later it infected a computer that, according to the Kaspersky researchers, belonged to a company called Foolad Technic Engineering Co. that’s based in Isfahan, Iran.
This company creates automated systems for Iranian industrial facilities and is directly involved with industrial control systems, the Kaspersky researchers said. “Clearly, the company has data, drawings and plans for many of Iran’s largest industrial enterprises on its network. It should be kept in mind that, in addition to affecting motors, Stuxnet included espionage functionality and collected information on STEP 7 projects found on infected systems.”
On July 7, 2009, Stuxnet infected computers at another Iranian company called Neda Industrial Group, which according to the Iran Watch website, was put on the sanctions list by the U.S. Ministry of Justice for illegally manufacturing and exporting commodities with potential military applications.
On the same day, Stuxnet infected computers on a domain name called CGJ. The Kaspersky researchers are confident that those systems belonged to Control-Gostar Jahed, another Iranian company operating in industrial automation.
Another Iranian industrial automation vendor infected in 2009 with Stuxnet.a was Behpajooh Co. Elec & Comp. Engineering. This company was infected again in 2010 with Stuxnet.b and is considered patient zero for the 2010 Stuxnet global epidemic, the Kaspersky researchers said.
“On April 24, 2010 Stuxnet spread from the corporate network of Behpajooh to another network, which had the domain name MSCCO,” the researchers said. “A search for all possible options led us to the conclusion that the most likely victim is Mobarakeh Steel Company (MSC), Iran’s largest steel maker and one of the largest industrial complexes operating in Iran, which is located not far from Isfahan, where the two victims mentioned above—Behpajooh and Foolad Technic—are based.”
“Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months,” the Kaspersky researchers said.
Another company infected in 2010 with Stuxnet.b was Kalaye Electric Co., based on a domain name called KALA that was recorded in malware samples. This was the ideal target for Stuxnet, because it is the main manufacturer of the Iranian uranium enrichment centrifuges IR-1.
“Thus, it appears quite reasonable that this organization of all others was chosen as the first link in the infection chain intended to bring the worm to its ultimate target,” the Kaspersky researchers said. “It is in fact surprising that this organization was not among the targets of the 2009 attacks.”
The attackers behind Stuxnet had one problem to solve—how to infect computers in a facility like the one at Natanz that had no direct Internet connections, the Kaspersky researchers said. “The targeting of certain ‘high profile’ companies was the solution and it was probably successful.”