Stuxnet Still Present in Some Organizations: Researchers

The notorious Stuxnet malware is still actively running on some computers and while the threat cannot be controlled by the original attackers, its presence demonstrates the weak security posture of these organizations.

Stuxnet, reportedly developed by the United States and Israel, is a worm designed to target industrial systems. The malware became known as the world’s first cyber weapon after it caused serious damage at Iranian nuclear facilities.

Now, five years after it was first discovered, Stuxnet infections still exist, according to Czech Republic-based security firm Kleissner & Associates, which operates the botnet monitoring system Virus Tracker.

In a paper published last week, titled “Internet Attacks Against Nuclear Power Plants,” the company provided some Stuxnet-related statistics from Virus Tracker. Kleissner & Associates has the ability to monitor Stuxnet infections because it has acquired two of the command and control (C&C) domains used by the worm and pointed them to Virus Tracker sinkhole servers.

According to Kleissner, there were at least 153 unique machines infected with Stuxnet in 2013 and 2014. Nearly half of these infections were traced back to Iran, but some infected devices had also been spotted in India, Indonesia, Saudi Arabia, Kazakhstan and China. Experts determined that six of the infected computers had SCADA development software installed.

While these statistics are from 2013 and 2014, even today there are a few organizations that have failed to remove Stuxnet from their systems. Peter Kleissner, founder and CEO of Kleissner & Associates, told SecurityWeek that Virus Tracker shows more than 200 Stuxnet infection records in 2015.

India accounts for roughly 45 percent of infection records, followed by Iran with 33 percent, and Indonesia with 10 percent. Kleissner has pointed out that the number of infection records doesn’t indicate the number of unique infected devices because the same infection can generate multiple records.

Stuxnet infections

Kleissner noted that while the malware is still actively running in the background on these machines, it cannot be controlled by the original attackers because the C&C domains are owned by the security company. However, this shows that some organizations are not doing a good job when it comes to cleaning up malware.

The statistics presented by the security firm are meant to show that there is a risk of Stuxnet-like operations and that nuclear plants might not be difficult to breach.

“It is inevitable that existing malware infections lower the overall security of the particular machines and the entire networks and therefore make it easier (or possible at all) for anyone else to intrude the system,” reads Kleissner & Associates’ research paper. “Just as Kleissner & Associates’ C&C domain control enables us to control any remaining Stuxnet infected machines, any capable intelligence service (or individual with the knowledge and skills) could seize control and potentially cause considerable damage leveraging the remaining infections.”

According to the security firm, many nuclear facilities host administrative systems infected with common malware. Attackers can leverage access to these administrative systems to mount attacks on industrial control systems.

Virus Tracker shows malware infections at IP ranges that appear to belong to nuclear facilities, but the researchers cannot determine whether the infected device is a worker’s laptop, a device on a guest Wi-Fi network, or a machine controlling the nuclear power plant itself. Even so, Kleissner pointed out that any malware connecting from the facility to external C&C servers is a concern regardless of which device it runs on.
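Two points in the article deserve a concrete illustration: Kleissner’s caveat that sinkhole “infection records” are not the same as unique infected machines, and the observation that any outbound connection from a facility to a sinkholed C&C domain is itself a finding worth acting on. The script below is an added example written for this page; it is not code from SecurityWeek or from Kleissner & Associates’ Virus Tracker. The log format, the field layout, the IP addresses and the domain names (`sinkholed-c2.example` and friends) are all constructed placeholders and are not Stuxnet’s real C&C domains.

```python
"""
Added example (not from the article or Virus Tracker): reduce sinkhole hits to
unique hosts per country, and flag internal hosts that resolve a sinkholed
C&C domain in an organization's own egress DNS log.
All log lines, IPs and domains below are constructed for this example.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Set

# Constructed sinkhole log, one hit per line: "timestamp src_ip country domain".
# Three hits from 203.0.113.10 are one infection generating multiple records.
SINKHOLE_LOG = """\
2015-03-01T08:00:12Z 203.0.113.10 IN sinkholed-c2.example
2015-03-01T08:30:40Z 203.0.113.10 IN sinkholed-c2.example
2015-03-01T09:02:03Z 203.0.113.10 IN sinkholed-c2.example
2015-03-01T09:15:27Z 198.51.100.7 IR sinkholed-c2.example
2015-03-01T10:11:09Z 198.51.100.7 IR sinkholed-c2.example
2015-03-02T01:45:55Z 192.0.2.44 ID sinkholed-c2.example
2015-03-02T02:05:18Z 203.0.113.88 IN sinkholed-c2.example
"""

# Constructed egress DNS log from a facility: "timestamp client_ip qname".
EGRESS_DNS_LOG = """\
2015-03-01T08:00:10Z 10.20.30.5 sinkholed-c2.example
2015-03-01T08:00:11Z 10.20.30.9 www.example.org
2015-03-01T08:30:39Z 10.20.30.5 SINKHOLED-C2.example.
2015-03-01T08:41:02Z 10.20.31.77 other-sinkholed-c2.example
"""

# Placeholder list of domains known to be sinkholed (hypothetical values).
SINKHOLED_DOMAINS: Set[str] = {"sinkholed-c2.example", "other-sinkholed-c2.example"}


class Hit(NamedTuple):
    ts: str
    src_ip: str
    country: str
    domain: str


def parse_sinkhole_log(text: str) -> List[Hit]:
    """Parse the constructed four-field format; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            hits.append(Hit(*parts))
    return hits


def records_by_country(hits: List[Hit]) -> Counter:
    """Raw record count: every beacon is counted, so repeat hits inflate it."""
    return Counter(h.country for h in hits)


def unique_hosts_by_country(hits: List[Hit]) -> Counter:
    """Collapse repeat hits from the same source IP into one host.
    Caveat: NAT hides multiple hosts behind one IP and dynamic addressing
    can make one host look like several, so this is an estimate either way."""
    seen = {(h.src_ip, h.country) for h in hits}
    return Counter(country for _, country in seen)


def shares(counts: Counter) -> Dict[str, float]:
    """Percentage share per country, rounded to one decimal."""
    total = sum(counts.values())
    return {c: round(100.0 * n / total, 1) for c, n in counts.items()} if total else {}


def summarize(text: str) -> Dict[str, Dict]:
    """Side-by-side view of record counts versus unique-host counts."""
    hits = parse_sinkhole_log(text)
    recs = records_by_country(hits)
    hosts = unique_hosts_by_country(hits)
    return {
        "records": dict(recs),
        "unique_hosts": dict(hosts),
        "record_share": shares(recs),
        "host_share": shares(hosts),
    }


def _normalize(qname: str) -> str:
    return qname.lower().rstrip(".")


def find_beaconing_hosts(dns_log: str, sinkholed: Set[str]) -> List[str]:
    """Defender-side check: which internal clients queried a sinkholed domain?
    Matching is case-insensitive and ignores a trailing dot on the qname."""
    flagged = set()
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) == 3 and _normalize(parts[2]) in sinkholed:
            flagged.add(parts[1])
    return sorted(flagged)


if __name__ == "__main__":
    print(summarize(SINKHOLE_LOG))
    print("hosts to investigate:", find_beaconing_hosts(EGRESS_DNS_LOG, SINKHOLED_DOMAINS))
```

On the constructed data the raw records show India at 57.1 percent of seven records, but only two of four unique hosts (50 percent), which is exactly the distortion Kleissner warns about. The egress check is deliberately simple: a single query to a known sinkholed domain is enough to put a host on the clean-up list, since the malware behind it is still running whether or not anyone currently controls the domain.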

Kleissner told SecurityWeek that the company has identified Conficker B and Ramdo infections on IP addresses that appear to belong to an energy provider in the United States. Other examples include Conficker and Sality infections on IP addresses apparently associated with atomic energy research organizations in China and Korea.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
