February 26, 2013
Evidence Suggests Stuxnet Goes Back As Far As 2005
Michael Harper for redOrbit.com — Your Universe Online
New evidence suggests the developers behind the powerful trojan worm known as Stuxnet may have begun work on the virus as early as 2005, five years before it was first deployed. Though no one has officially claimed ownership of this trojan, it is widely believed Stuxnet was commissioned by Israel and the U.S. to attack Iran´s nuclear plans.
Security firm Symantec first found these early roots of Stuxnet, dubbed Stuxnet 0.5, and now claim the earliest versions of the trojan could have been used to blow up Iran´s nuclear facilities, as opposed to simply causing them to malfunction.
Symantec´s new report adds further proof the creators of this cyber weapon were sophisticated and likely hired by an outside organization, rather than a band of hackers with a cause of vengeance.
"There isn't any really new evidence of the people behind this attack were but these were not just a bunch or hacktivists or someone with vendetta," explained Eric Chien, technical director for Symantec´s Security Response Team, speaking with Cnet.
The Stuxnet virus was so sophisticated, the Symantec team say it took several months to analyze and understand its threat potential.
Until now, the earliest known version of the virus had been dated back to 2009. Stuxnet 0.5, which Symantec is calling the “Missing Link,” could have been in operation between 2007 and 2009.
When Stuxnet attacked in 2010, it was one of the first known examples of a cyber attack to bring down a physical building. The virus was used to spin up the centrifuges in Iran´s Natanz´s uranium enrichment facility, thus causing it to malfunction.
After reviewing the code of Stuxnet 0.5, the Symantec team has found evidence which suggests this trojan could have been capable of manipulating gas valves. These valves were used to deliver uranium hexafluoride gas to the centrifuges. Forcing these valves closed would have built up such an intense pressure in the system the gas would have turned into a solid mass. This, in turn, could have created an explosion in the system. According to Chien, Stuxnet 0.5 was complete and carrying out this attack. However, later evidence suggests the author(s) of this virus decided to change their mode of attack to inflict even greater damage on the Natanz facility.
"It appears that it didn't work according to their liking so they got more aggressive. The results didn't work to their liking or didn't fill all their strategic goals. So they changed (Stuxnet) in the 1.x version,” said Chien in an interview.
Symantec has also found the earliest versions of Stuxnet were created on the “Flamer” platform, another piece of malicious software used to target Iranian computers. Investigators have even found bits of the Flame malware embedded in the Stuxnet code, suggesting the same author wrote both of these viruses.
"With version 0.5 of Stuxnet, we can say that the developers had access to the exact same code. They were not just using shared components. They were using the exact same code to build the projects. And then, at some point, the development [of Stuxnet and Flame] went in two different directions,” explained Liam O´Murchu, manager of operations for Symantec Security Response, speaking to Ars Technica.