Researchers with Kaspersky Lab say they have identified the first victims of the infamous Stuxnet worm discovered in 2010.
As many would suspect, all five of the organizations are involved in the industrial control system (ICS) industry in Iran and either develop ICS products or supply materials and parts for them. The fifth organization to be attacked produces uranium enrichment centrifuges – the type of equipment believed to be the main target of Stuxnet.
“Analyzing the professional activities of the first organizations to fall victim to Stuxnet gives us a better understanding of how the whole operation was planned,” said Alexander Gostev, chief security expert at Kaspersky Lab, in a statement. “At the end of the day this is an example of a supply-chain attack vector, where the malware is delivered to the target organization indirectly via networks of partners that the target organization may work with.”
The five organizations identified by Kaspersky Lab are: Foolad Technic Engineering Co., Beh Pajooh Co. Elec & Comp. Engineering, Neda Industrial Group, Control-Gostar Jahed Company and Kala Electric (Kalaye Electric Co.). Kaspersky Lab identified the organizations after examining more than 2,000 Stuxnet files collected over a two-year period. The earliest known version of Stuxnet was outside the scope of the research, which focused on the best-known variants created in 2009 and 2010.
Stuxnet’s discovery touched off increased chatter about the security of critical infrastructure. The sophistication of the attack, which exploited multiple zero-day vulnerabilities, almost immediately led to speculation of nation-state involvement, and many have pointed fingers at the United States and Israel. Earlier this year, Kaspersky Lab researchers found that one of the zero-day flaws exploited in the attack, CVE-2010-2568, remained a widely exploited security hole despite having been patched four years ago.
“Stuxnet remains one of the most interesting pieces of malware ever created. In the digital world, one might say it is the cyber equivalent of the atomic attacks on Nagasaki and Hiroshima from 1945,” blogged Kaspersky Lab’s Global Research and Analysis Team (GReAT). “For Stuxnet to be effective and penetrate the highly guarded installations where Iran was developing its nuclear program, the attackers had a tough dilemma to solve: how to sneak the malicious code into a place with no direct internet connections? The targeting of certain ‘high profile’ companies was the solution and it was probably successful.”
“Unfortunately, due to certain errors or design flaws, Stuxnet started infecting other organizations and propagating over the internet,” the researchers continued. “The attackers lost control of the worm, which infected hundreds of thousands of computers in addition to its designated targets. Of course, one of the biggest remaining questions is – were there any other malware like Stuxnet, or was it a one-of-a-kind experiment? The future will tell for sure.”