Stuxnet reached its target via the networks of trusted business partners

Early versions of the malware seemed dedicated to intelligence gathering, later versions to attacking

Stuxnet, the powerful malware that wormed its way in and hobbled Iran’s uranium enrichment efforts, infiltrated the secure networks of the nuclear program via trusted partners, newly public information reveals.

Once machines in five partner networks had been infected, Stuxnet found its way into Iran’s Natanz refining plant, where it forced automated control machines to run uranium enrichment centrifuges at speeds that would damage them, according to a blog written by Alex Gostev, Chief Security Expert at Kaspersky Lab.


The centrifuges are necessary to create weapons-grade uranium, something the U.S. and Israel wanted to block, and both countries are considered the most likely creators of Stuxnet.

The five targeted partners were three makers of automated systems for industrial use (Foolad Technic Engineering Co., Behpajooh Co. Elec & Comp. Engineering and Control-Gostar Jahed Co.), a steel company (Mobarakeh Steel Company), a company that made products for potential military use (Neda Industrial Group), and the main manufacturer of the centrifuges (Kalaye Electric Co.).

These companies and the manner in which they were attacked give some insight into the thought process that went into ultimately compromising the Siemens gear that controlled the centrifuges.

Two of the attacked companies, Neda and Gostar, were likely used just for intelligence gathering since they were infected with a Stuxnet variant that never left the companies.

Neda was attacked only in 2009 while some of the other sites were also hit in 2010. The company’s usefulness might have been to provide information about Siemens Step7 software that is used to give instructions to its programmable logic controllers – the devices directing the behavior of the centrifuges, Gostev says. “[T]he capability of stealing information about Step 7 projects from infected systems was of special interest to the creators of Stuxnet,” he writes.

Foolad, though, was hit twice, in June 2009 and April 2010. “This persistence on the part of the Stuxnet creators may indicate that they regarded Foolad Technic Engineering Co. not only as one of the shortest paths to the worm's final target, but as an exceptionally interesting object for collecting data on Iran's industry,” Gostev writes.

While it’s widely believed that Stuxnet spread via infected USB sticks, in at least one case it seems that some other method was used. One Stuxnet version was created June 22, 2009 and infected a Foolad computer at 4:40 a.m. the next day, too soon for it to have been introduced via USB stick, Gostev writes. He said in an email interview that perhaps a particular Microsoft vulnerability on the attacked machine might have been exploited.

Known as MS08-067 or CVE-2008-4250, the vulnerability, once exploited, allows the attackers to create, read and delete files, download malware versions and install them, and to send the malware on to infect other machines.

Kaspersky was able to deduce the five companies victimized by Stuxnet because the malware logs the names and addresses of the machines it infects, and the machine names included clues that led to the company names. For example, the name APPLSERVER NEDA was logged for a machine infected July 7, 2009, which likely meant it was an application server within Neda Industrial Group.

Coincidentally, one of the compromised machines at Foolad was named KASPERSKY ISIE. “When we first saw the computer's name, we were very much surprised,” says Kaspersky’s Gostev. “The name could mean that the initial infection affected some server named after our anti-malware solution installed on the machine.”


Copyright © 2014 IDG Communications, Inc.
