Stuxnet virus targets and spread revealed
Published: 15th Feb 2011 13:51:40
A powerful internet worm repeatedly targeted five industrial facilities in Iran over 10 months, ongoing analysis by security researchers shows.
Stuxnet, which came to light in 2010, was the first-known virus specifically designed to target real-world infrastructure, such as power stations.
Security firm Symantec has now revealed how waves of new variants were launched at Iranian industrial facilities.
Some versions struck their targets within 12 hours of being written.
"We are trying to do some epidemiology," Orla Cox of Symantec told BBC News. "We are trying to understand how and why it spread."
The worm first grabbed headlines late last year after initial analysis showed that the sophisticated piece of malware had likely been written by a "nation state" to target Iran's nuclear programme, including the uranium enrichment centrifuges at the Natanz facility.
Russia's Nato ambassador recently said the virus "could lead to a new Chernobyl," referring to the 1986 nuclear accident.
Although speculation surrounds which countries may have been involved in its creation, the origins of the worm still remain a mystery.
One organisation was attacked three times, another was targeted twice”
Iranian officials have admitted that the worm infected staff computers. However, they have repeatedly denied that the virus caused any major delays to its nuclear power programme, although its uranium enrichment programme is known to have suffered setbacks.
The new research, which analysed 12,000 infections collected by various anti-virus firms, shows that the worm targeted five "industrial processing" organisations in Iran.
"These were the seeds of all other infections," said Ms Cox.
The firm was able to identify the targets because Stuxnet collected information about each computer it infected, including its name, location and a time stamp of when it was compromised.
This allowed the researchers to track the spread of the virus.
Symantec declined to name the five organisations and would not confirm whether they had links to the country's nuclear programme.
However, Ms Cox, said that previous research confirmed that the worm could disrupt the centrifuges used to enrich uranium.
The five organisations were targeted repeatedly between June 2009 and April 2010, she said.
"One organisation was attacked three times, another was targeted twice," she said.
These waves of attacks used at least three different variants of the worm.
"We believe there was also a fourth one but we haven't seen it yet," she said.
Analysis of the different strains and the time it took between the code being written and it making its first infection suggested that the virus writers had "infiltrated" targeted organisations, she said.
The researchers drew this conclusion because Stuxnet targeted industrial systems not usually connected to the internet for security reasons.
Instead, it infects Windows machines via USB keys - commonly used to move files around and usually plugged into a computer manually.
The virus therefore had to be seeded on to the organisation's internal networks by someone, either deliberately or accidentally.
The virus could have been spread between the organisations by contractors that worked for more than one of them, she said.
"We see threads to contractors used by these companies," she said. "We can see links between them."
Once on a corporate network, the worm is designed to seek out a specific configuration of industrial control software made by Siemens.
The code can then reprogram so-called PLC (programmable logic control) software to give attached industrial machinery new instructions.
Previous analysis suggests that it targeted PLCs operating at frequencies between 807 and 1210Hz, a range that includes those used to control uranium enrichment centrifuges.
Subverting PLCs requires detailed knowledge and, although security researchers had raised concerns about exploits in the past, had not been seen before Stuxnet.
Ms Cox said the firm's analysis revealed incomplete code in Stuxnet that looked like it was intended to target another type of PLC.
"The fact that it is incomplete could tell us that [the virus writers] were successful in what they had done," she said.
The novelty of the virus, combined with attack mechanisms that targeted several previously unknown and unpatched vulnerabilities in Windows, have led many to describe Stuxnet as "one of the most sophisticated pieces of malware ever".
However, research by Tom Parker from security firm Securicon says that elements of it were "not that advanced at all".
"I've compared this less advanced code to other malware and it does not score very highly," he said last year.
Ms Cox agrees that elements of the code and some of the techniques it uses are relatively simple. But, she says, that misses the bigger picture.
"If you look at the sum of its parts, then it is certainly very sophisticated," she said.
Harvard CitationBBC News, 2011. Stuxnet virus targets and spread revealed. [Online] (Updated 15 Feb 2011)
Available at: http://www.glasgowwired.co.uk/news.php/130800-Stuxnet-virus-targets-and-spread-revealed [Accessed 20th June 2013]
At 05:01:25 in OtherThe "father of industrial design" is being honoured in the Teesside town where he aimed to set up an art industry colony....
At 04:58:12 in OtherWebcams should be covered when not in use because hackers could be using them to spy on people, a charity advises....
At 00:01:54 in OtherA new website will be launched later to help businesses in Glasgow benefit from major events taking place in the city....
At 14:22:05 in OtherPrices for multiple-journey tickets on Glasgow's Subway system have had to be revised to cope with the introduction of new smartcard te...
At 13:42:22 in OtherThe leader of the Scottish Conservatives was refused alcohol at a Bruce Springsteen concert - because the barman did not believe she was ove...
At 13:25:07 in OtherA sheriff has described controversial legislation aimed at tackling bigotry at football matches as "confusing"....
At 13:17:48 in OtherA long lost music cabinet designed by Charles Rennie Mackintosh is coming back to Glasgow....
At 12:03:25 in OtherA man is being treated for slash wounds to his face, chest and abdomen after a fight at a flat in Inverclyde....
At 11:15:33 in OtherPolice are treating an attack on a woman who was stabbed in the neck in Glasgow as attempted murder....
At 00:03:47 in OtherRecommendations have been drawn up to improve support for people who have previously gone missing....
News In Other Categories
With the doors to its brand new £1million training centre officially open, one of the UK's leading apprentice training providers, Bristol ba...
The triple-Tony award winning actor Frank Langella is to play King Lear for the Chichester Festival Theatre. ...
A school librarian has discovered that a poem widely attributed to William Blake, including in school reading lists, was not really written ...
UK retail sales recorded a larger-than-expected rise last month, helped by a strong increase in food sales....
A successful "drop test" has been conducted on Europe's experimental re-entry vehicle, the IXV....
The International Criminal Court (ICC) has pushed back the trial of Kenyan President Uhuru Kenyatta to 12 November....