Stuxnet Malware Aimed at Iran Hit Five Sites


The Stuxnet software worm repeatedly sought to infect five industrial facilities in Iran over a 10-month period, a new report says, in what could be a clue into how it might have infected the Iranian uranium enrichment complex at Natanz.

The report, released Friday by Symantec, a computer security software firm, said there were three waves of attacks. Liam O Murchu, a security researcher at the firm, said his team was able to chart the path of the infection because of an unusual feature of the malware: Stuxnet recorded information on the location and type of each computer it infected.

Such information would allow the authors of Stuxnet to determine if they had successfully reached their intended target. By taking samples of Stuxnet they had collected from various computers, the researchers were able to build a model of the spread of the infection. They determined that 12,000 infections could be traced back to just five initial infection points.

Between June 2009 and May 2010, the program took aim at specific organizations in Iran on three occasions, Symantec research noted in an update of a research report the company published last year.

The Symantec team said it had collected five Internet domains that were linked to industrial organizations within Iran. They said because of the company’s privacy policies, they would not disclose the domain names.

“All of the domains are involved in industrial processing,” Mr. O Murchu said in an interview.

It is likely that a classified site like Natanz is not connected directly to the Internet. Therefore, an attacker might try to infect industrial organizations that would be likely to share information, and the malware, with Natanz.

At least three and possibly four versions of the program were probably written, and the researchers discovered that the first version had been completed just 12 hours before the first successful infection in June 2009. The researchers speculated that the first step in the infection was either an infected e-mail sent to an intended victim or a hand-held USB device that carried the attack code.

When international inspectors visited Natanz in late 2009, they found that almost 1,000 gas centrifuges had been taken offline, leading to speculation that the attack may have disabled part of the complex.

In April 2010, the attackers again tried to distribute the program. This time they found a new vulnerability in Windows-based computers to be infected with a USB device and most likely successfully inserted the program that way at an unknown location inside Iran.

The Symantec researchers also said they had determined that the malware program carried two different attack modules aimed at different centrifuge arrays, but that one of them had been disabled.

Stuxnet first infected Windows-based industrial control computers while it hunted for particular types of equipment made by the Siemens Corporation. It was programmed to then damage a uranium centrifuge array by repeatedly speeding it up, while at the same time hiding its attack from the control computers by sending false information to displays that monitored the system.

The New York Times reported in January that Israel had built an elaborate test facility at a classified nuclear weapons site that contained a replica array of the Iranian uranium enrichment plant. Such a test site would have been necessary for the design of the attack software.

“We know the exact configuration of the system they were looking for,” Mr. O Murchu said. “We know they were looking for a certain number of frequency converters. And each of those frequency converters controls a certain number of motors. And those numbers fit in with what you expect to see in an uranium enrichment facility.”

February 13, 2011 | 2 Comments »

Subscribe to Israpundit Daily Digest

Leave a Reply

2 Comments / 2 Comments

  1. Well,Iran made a fatal mistake by engaging its self into nuclear activities instead of developing its citizens.Iran will live to regret this.Bisides that, i predict that however much Iran hates Israel they will never prevail against that God chosen nation.Their war is too spiritual and their God is with them.They will always triumph over their enemies as long as the Almighty God reigns on his Zion throne.No one will ever destroy the Israelite nation.I bet my Soul on this with no regrets at all.

  2. Any team of programmers ingenious enough to dream up such a piece of malware, and backed by the secret services of a modern state, could almost certainly destroy an enemy air force, naval vessels at sea, electric power grid, orbiting space hardware, or just about anything else controlled by computers. But the most interesting piece of evidence from the Symantec investigation is that Stuxnet recorded information on the location and type of each computer it infected. Such information can be used as feedback to someone monitoring progress of the malware in getting its job done, and that feedback can later be used for other strategic purposes.

    Very interesting.

    I note that cell phones receiving calls, which when answered by a live human voice, can transmit a signal that causes the phone to blow up and destroy the side of the head against which the cell phone is placed.

    But my all-time favorite was the umbrella tip with the poisoned needle tip thin enough that its intended recipient could hardly feel it being inserted in his or her back.

    I wonder how many old-time Tcheka/GB dirty tricks specialists from Moscow now work for Mossad.

    Empires large and small striking back. With ingenuity, focus and panache. The future shall mark the age of the talented saboteur as well as that of the all but invisible assassin and the bandits who rob banks they never even set foot into. (John Dillinger and Willie Sutton would truly be amazed.)

    Arnold Harris
    Mount Horeb WI