February 15, 2011

Stuxnet Repeatedly Targeted Iranian Industrial Facilities

Security researchers have found that a powerful Internet worm repeatedly targeted five industrial facilities in Iran over 10 months.

Stuxnet was the first known virus specifically designed to target real-world infrastructure, such as power stations.

Security firm Symantec revealed how waves of new variants were launched at Iranian industrial facilities.

Some versions struck their targets within 12 hours of being written.

"We are trying to do some epidemiology," Orla Cox of Symantec told BBC News. "We are trying to understand how and why it spread."

The worm made the news late last year after an analysis showed that the sophisticated piece of malware had likely been written by a "nation state" to target Iran's nuclear program, including the uranium enrichment centrifuges at the Natanz facility.

Russia's NATO ambassador said the virus "could lead to a new Chernobyl," referring to the 1986 nuclear accident.

The origin of the worm still remains a mystery, although many have speculated which countries may have been involved.

Iranian officials said the worm infected staff computers. However, they denied that the virus caused any major delays to the country's nuclear program.

The new research shows that the worm targeted five "industrial processing" organizations in Iran.

"These were the seeds of all other infections," Cox told BBC.

The firm was able to identify the targets because Stuxnet collected information about each computer it infected.

This helped researchers track the spread of the virus.

Symantec declined to name the five organizations and would not confirm whether they had links to the country's nuclear program.

However, Cox told BBC that previous research confirmed that the worm could disrupt the centrifuges used to enrich uranium.

She said that the five organizations were targeted repeatedly between June 2009 and April 2010.

"One organization was attacked three times, another was targeted twice," she told BBC.

These waves of attacks used at least three different variants of the worm.

"We believe there was also a fourth one but we haven't seen it yet," she told BBC.

She said that an analysis of the different strains, and of the time that elapsed between each version being written and its first infection, suggested the virus writers had "infiltrated" the targeted organizations.

The researchers inferred this because Stuxnet targeted industrial systems that, for security reasons, are not usually connected to the Internet.

It infects Windows machines through USB keys instead.

The virus had to be seeded on the organization's internal networks by someone.

She said that the virus could have been spread between the organizations by contractors.

"We see threads to contractors used by these companies," she told BBC. "We can see links between them."

The worm is designed to seek out a specific configuration of industrial control software made by Siemens once it is on a corporate network.

The code can then reprogram programmable logic controller (PLC) software to give attached industrial machinery new instructions.

Previous studies found that the worm targeted PLCs controlling equipment operating at frequencies between 807 and 1201Hz, a range that includes the drives used to control uranium enrichment centrifuges.

Subverting PLCs requires detailed knowledge and had not been seen before Stuxnet.
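The defensive counterpart of the behaviour described above is to watch the commanded drive frequencies for departures from their normal band. The following added example (not code from the article or from Symantec) scans constructed historian lines and flags setpoints outside the 807-1201Hz range or abrupt step changes; the log format, the drive tags and the 50Hz step threshold are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Normal commanded-frequency band for the drives in question (range cited in the article).
NORMAL_BAND_HZ = (807, 1201)
# Assumption: a single-step change larger than this is abnormal for these drives.
MAX_STEP_HZ = 50

# Constructed sample historian lines: timestamp, drive tag, commanded frequency.
SAMPLE_LOG = """\
2010-03-01T08:00:00 drive=FC-01 setpoint_hz=1064
2010-03-01T08:05:00 drive=FC-02 setpoint_hz=1064
2010-03-01T08:10:00 drive=FC-01 setpoint_hz=1066
2010-03-01T08:15:00 drive=FC-02 setpoint_hz=1350
2010-03-01T08:20:00 drive=FC-01 setpoint_hz=1065
2010-03-01T08:25:00 drive=FC-02 setpoint_hz=40
2010-03-01T08:30:00 drive=FC-03 setpoint_hz=1180
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) drive=(?P<drive>\S+) setpoint_hz=(?P<hz>-?\d+)$")

def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (timestamp, drive, hz) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return (m["ts"], m["drive"], int(m["hz"])) if m else None

def check_setpoint(prev_hz: Optional[int], hz: int) -> List[str]:
    """Reasons this setpoint is suspicious; empty list means it looks normal."""
    reasons = []
    lo, hi = NORMAL_BAND_HZ
    if not lo <= hz <= hi:
        reasons.append(f"setpoint {hz} Hz outside normal band {lo}-{hi} Hz")
    if prev_hz is not None and abs(hz - prev_hz) > MAX_STEP_HZ:
        reasons.append(f"step of {abs(hz - prev_hz)} Hz from previous {prev_hz} Hz")
    return reasons

def scan(log_text: str) -> List[Tuple[str, str, int, List[str]]]:
    """Walk the log per drive and collect (ts, drive, hz, reasons) alerts."""
    last: Dict[str, int] = {}
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or malformed lines
        ts, drive, hz = parsed
        reasons = check_setpoint(last.get(drive), hz)
        if reasons:
            alerts.append((ts, drive, hz, reasons))
        last[drive] = hz
    return alerts

if __name__ == "__main__":
    for ts, drive, hz, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {drive}: {'; '.join(reasons)}")
```

In the sample data only FC-02 trips the check, twice: once when it jumps well above the band and again when it drops to almost zero.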

Cox told BBC that the firm's analysis revealed incomplete code in Stuxnet that looked like it was intended to target another type of PLC.

"The fact that it is incomplete could tell us that [the virus writers] were successful in what they had done," she told BBC.

The novelty of the virus has led many to describe Stuxnet as "one of the most sophisticated pieces of malware ever."

However, Tom Parker, a researcher from security firm Securicon, told BBC that elements of it were "not that advanced at all."

"I've compared this less advanced code to other malware and it does not score very highly," he said last year.

Cox agrees that elements of the code and some of the techniques it uses are relatively simple. However, she said that this view misses the bigger picture.

"If you look at the sum of its parts, then it is certainly very sophisticated," she said.
