Iran was prime target of SCADA worm

The Stuxnet worm affecting SCADA systems may have been spreading since as early as January

Computers in Iran have been hardest hit by a dangerous computer worm that tries to steal information from industrial control systems.

According to data compiled by Symantec, nearly 60 percent of all systems infected by the worm are located in Iran. Indonesia and India have also been hard-hit by the malicious software, known as Stuxnet.

Looking at the dates on digital signatures generated by the worm, the malicious software may have been in circulation since as long ago as January, said Elias Levy, senior technical director with Symantec Security Response.

Stuxnet was discovered last month by VirusBlokAda, a Belarus-based antivirus company that said it found the software on a system belonging to an Iranian customer. The worm seeks out Siemens SCADA (supervisory control and data acquisition) management systems, used in large manufacturing and utility plants, and tries to upload industrial secrets to the Internet.

Symantec isn't sure why Iran and the other countries are reporting so many infections. "The most we can say is whoever developed these particular threats was targeting companies in those geographic areas," Levy said.

The U.S. has a long-running trade embargo against Iran. "Although Iran is probably one of the countries that has the worst infections of this, they are also probably a place where they don't have much AV right now," Levy said.

Siemens wouldn't say how many customers it has in Iran, but the company now says that two German companies have been infected by the virus. A free virus scanner posted by Siemens earlier this week has been downloaded 1,500 times, a company spokesman said.

Earlier this year, Siemens said it planned to wind down its Iranian business -- a 290-employee unit that netted €438 million (US$562.9 million) in 2008, according to the Wall Street Journal. Critics say the company's trade there has helped feed Iran's nuclear development effort.

Symantec compiled its data by working with the industry and redirecting traffic aimed at the worm's command and control servers to its own computers. Over a three-day period this week, computers located at 14,000 IP addresses tried to connect with the command and control servers, indicating that a very small number of PCs worldwide have been hit by the worm. The actual number of infected machines is probably in the 15,000 to 20,000 range, because many companies place several systems behind one IP address, according to Symantec's Levy.

Because Symantec can see the IP address used by machines that try to connect with the command and control servers, it can tell which companies have been infected. "Not surprisingly, infected machines include a variety of organizations that would use SCADA software and systems, which is clearly the target of the attackers," the company said in its blog post Thursday.

Stuxnet spreads via USB devices. When an infected USB stick is viewed on a Windows machine, the code looks for a Siemens system and copies itself to any other USB devices it can find.

A temporary workaround for the Windows bug that allows Stuxnet to spread can be found here.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags symantecsecurityManufacturingenergyindustry verticalsmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?