Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Stuxnet Still Present in Some Organizations: Researchers

The notorious Stuxnet malware is still actively running on some computers and while the threat cannot be controlled by the original attackers, its presence demonstrates the weak security posture of these organizations.

The notorious Stuxnet malware is still actively running on some computers and while the threat cannot be controlled by the original attackers, its presence demonstrates the weak security posture of these organizations.

Stuxnet, reportedly developed by the United States and Israel, is a worm designed to target industrial systems. The malware became known as the world’s first cyber weapon after it caused serious damage at Iranian nuclear facilities.

Now, five years after it was first discovered, Stuxnet infections still exist, according to Czech Republic-based security firm Kleissner & Associates, which operates the botnet monitoring system Virus Tracker.

In a paper published last week, titled “Internet Attacks Against Nuclear Power Plants,” the company provided some Stuxnet-related statistics from Virus Tracker. Kleissner & Associates has the ability to monitor Stuxnet infections because it has acquired two of the command and control (C&C) domains used by the worm and pointed them to Virus Tracker sinkhole servers.

According to Kleissner, there were at least 153 unique machines infected with Stuxnet in 2013 and 2014. Nearly half of these infections were traced back to Iran, but some infected devices had also been spotted in India, Indonesia, Saudi Arabia, Kazakhstan and China. Experts determined that six of the infected computers had SCADA development software installed.

While these statistics are from 2013 and 2014, even today there are a few organizations that have failed to remove Stuxnet from their systems. Peter Kleissner, founder and CEO of Kleissner & Associates, told SecurityWeek that Virus Tracker shows more than 200 Stuxnet infection records in 2015.

India accounts for roughly 45 percent of infection records, followed by Iran with 33 percent, and Indonesia with 10 percent. Kleissner has pointed out that the number of infection records doesn’t indicate the number of unique infected devices because the same infection can generate multiple records.

Stuxnet infections

Kleissner noted that while the malware is still actively running in the background on these machines, it cannot be controlled by the original attackers because the C&C domains are owned by the security company. However, this shows that some organizations are not doing a good job when it comes to cleaning up malware.

The statistics presented by the security firm are meant to show that there is a risk of Stuxnet-like operations and that nuclear plants might not be difficult to breach.

“It is inevitable that existing malware infections lower the overall security of the particular machines and the entire networks and therefore make it easier (or possible at all) for anyone else to intrude the system,” reads Kleissner & Associates’ researcher paper. “Just as Kleissner & Associates’ C&C domain control enables us to control any remaining Stuxnet infected machines, any capable intelligence service (or individual with the knowledge and skills) could seize control and potentially cause considerable damage leveraging the remaining infections.”

According to the security firm, many nuclear facilities host administrative systems infected with common malware. Attackers can leverage access to these administrative systems to mount attacks on industrial control systems.

Virus Tracker shows malware infections at IP ranges that appear to belong to nuclear facilities, but experts cannot determine if the infected device is a worker’s laptop, a guest Wi-Fi, or a machine controlling the entire nuclear power plant. On the other hand, Kleissner has pointed out that any malware connecting from the facility to external C&C servers can be problematic.

Kleissner told SecurityWeek that they have identified Conficker B and Ramdo infections on IP addresses that appear to belong to an energy provider in the United States. Other examples include Conficker and Sality infections on IP addresses apparently associated with atomic energy research organizations in China and Korea.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.