First Stuxnet victims were five Iranian industrial automation companies

To reach the uranium enrichment plant at Natanz, Stuxnet's creators likely targeted Iranian companies tied to it, researchers said

For the first time since Stuxnet was discovered in 2010, researchers have publicly named the worm's original victims: five Iranian companies involved in industrial automation.

Stuxnet is considered to be the first known cyberweapon. It is believed to have been created by the U.S. and Israel in order to attack and slow down Iran's nuclear program.

The worm, which has both espionage and sabotage functionality, is estimated to have destroyed up to 1,000 uranium enrichment centrifuges at a nuclear plant near the city of Natanz in Iran. It eventually spread out of control and infected hundreds of thousands of systems worldwide, leading to its discovery in June 2010.

Security researchers from Kaspersky Lab and Symantec reported Tuesday that while the nuclear facility at Natanz might have been the ultimate target of Stuxnet's creators, the initial victims were five Iranian companies with likely ties to the country's nuclear program. Their reports coincided with the release of "Countdown to Zero Day", a book about Stuxnet by journalist Kim Zetter, that is partially based on interviews with researchers who investigated the threat.

Every time Stuxnet executes on a computer it saves information about that computer inside its executable file. This information includes the computer's name, its IP address and the workgroup or domain it's part of. When the worm spreads to a new computer it adds information about the new system to its main file as well, creating a trail of digital breadcrumbs.

"Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz," Symantec researcher Liam O Murchu said in a blog post. "In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work. This technical proof shows that Stuxnet did not escape from Natanz to infect outside companies but instead spread into Natanz."
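The trail analysis described above can be sketched as follows. This is an added example, not code from Symantec, Kaspersky Lab or the article; the in-memory record layout, host names, IP addresses and the VENDOR-A, VENDOR-B and PLANT-X domains are constructed for illustration, and the worm's actual log format is not reproduced here.

```python
from collections import defaultdict

# Constructed sample data. Each trail is ordered oldest hop first; each hop is
# (computer name, IP address, workgroup/domain), the fields the article lists.
A1 = ("ENG-PC1", "10.0.0.5", "VENDOR-A")
A2 = ("LAB-2", "10.0.0.8", "VENDOR-A")
B1 = ("DEV-9", "172.16.4.2", "VENDOR-B")
X1 = ("HMI-07", "10.1.2.9", "PLANT-X")
X2 = ("OPS-3", "10.1.2.40", "PLANT-X")
X3 = ("SCADA-1", "10.1.3.3", "PLANT-X")
SAMPLES = {
    "sample-1": [A1, X1],
    "sample-2": [A1, X1, X2],
    "sample-3": [A1, A2],
    "sample-4": [B1, X3],
}

def build_tree(samples):
    """Merge all trails into one propagation graph: (roots, parent -> children)."""
    roots, children = set(), defaultdict(set)
    for trail in samples.values():
        if not trail:
            continue  # a sample with an empty log contributes nothing
        roots.add(trail[0])
        for parent, child in zip(trail, trail[1:]):
            children[parent].add(child)
    return roots, children

def downstream(root, children):
    """Every host reachable from root; the seen-set tolerates shared hops and loops."""
    seen, stack = {root}, [root]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen - {root}

def domain_crossings(children):
    """Hops where the infection moved from one workgroup/domain into another."""
    return sorted({(p[2], c[2]) for p, kids in children.items()
                   for c in kids if p[2] != c[2]})

def origins_of(samples, domain):
    """First-hop domains of every sample whose trail ever touched `domain`."""
    return {t[0][2] for t in samples.values()
            if t and any(hop[2] == domain for hop in t)}

if __name__ == "__main__":
    roots, children = build_tree(SAMPLES)
    print("root domains:", sorted({r[2] for r in roots}))
    print("crossings:", domain_crossings(children))
```

In the constructed data no trail starts inside PLANT-X, which is the shape of evidence the researchers describe: every path into the facility begins at an outside organization.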

The Kaspersky Lab researchers reached the same conclusion and they even named the companies they believe might have served as "patient zero."

The 2009 version of Stuxnet, dubbed Stuxnet.a, was compiled on June 22, 2009, based on a date found in the collected samples. A day later it infected a computer that, according to the Kaspersky researchers, belonged to a company called Foolad Technic Engineering Co. that's based in Isfahan, Iran.

This company creates automated systems for Iranian industrial facilities and is directly involved with industrial control systems, the Kaspersky researchers said. "Clearly, the company has data, drawings and plans for many of Iran's largest industrial enterprises on its network. It should be kept in mind that, in addition to affecting motors, Stuxnet included espionage functionality and collected information on STEP 7 projects found on infected systems."

On July 7, 2009, Stuxnet infected computers at another Iranian company called Neda Industrial Group, which, according to the Iran Watch website, was put on the sanctions list by the U.S. Ministry of Justice for illegally manufacturing and exporting commodities with potential military applications.

On the same day, Stuxnet infected computers on a domain named CGJ. The Kaspersky researchers are confident that those systems belonged to Control-Gostar Jahed, another Iranian company operating in industrial automation.

Another Iranian industrial automation vendor infected in 2009 with Stuxnet.a was Behpajooh Co. Elec & Comp. Engineering. This company was infected again in 2010 with Stuxnet.b and is considered patient zero for the 2010 Stuxnet global epidemic, the Kaspersky researchers said.

"On April 24, 2010 Stuxnet spread from the corporate network of Behpajooh to another network, which had the domain name MSCCO," the researchers said. "A search for all possible options led us to the conclusion that the most likely victim is Mobarakeh Steel Company (MSC), Iran's largest steel maker and one of the largest industrial complexes operating in Iran, which is located not far from Isfahan, where the two victims mentioned above -- Behpajooh and Foolad Technic -- are based."

"Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months," the Kaspersky researchers said.

Another company infected in 2010 with Stuxnet.b was Kalaye Electric Co., based on a domain name called KALA that was recorded in malware samples. This was the ideal target for Stuxnet, because it is the main manufacturer of the Iranian uranium enrichment centrifuges IR-1.

"Thus, it appears quite reasonable that this organization of all others was chosen as the first link in the infections chain intended to bring the worm to its ultimate target," the Kaspersky researchers said. "It is in fact surprising that this organization was not among the targets of the 2009 attacks."

The attackers behind Stuxnet had one problem to solve -- how to infect computers in a facility like the one at Natanz that had no direct Internet connections, the Kaspersky researchers said. "The targeting of certain 'high profile' companies was the solution and it was probably successful."

Lucian Constantin

IDG News Service