First Stuxnet victims were five Iranian industrial automation companies

To reach the uranium enrichment plant at Natanz, Stuxnet's creators likely targeted Iranian companies tied to it, researchers said

For the first time since Stuxnet was discovered in 2010, researchers have publicly named the worm's original victims: five Iranian companies involved in industrial automation.

Stuxnet is considered to be the first known cyberweapon. It is believed to have been created by the U.S. and Israel in order to attack and slow down Iran's nuclear program.

The worm, which has both espionage and sabotage functionality, is estimated to have destroyed up to 1,000 uranium enrichment centrifuges at a nuclear plant near the city of Natanz in Iran. It eventually spread out of control and infected hundreds of thousands of systems worldwide, leading to its discovery in June 2010.

Security researchers from Kaspersky Lab and Symantec reported Tuesday that while the nuclear facility at Natanz might have been the ultimate target of Stuxnet's creators, the initial victims were five Iranian companies with likely ties to the country's nuclear program. Their reports coincided with the release of "Countdown to Zero Day", a book about Stuxnet by journalist Kim Zetter, that is partially based on interviews with researchers who investigated the threat.

Every time Stuxnet runs on a newly infected computer it records information about that computer inside its own executable: the computer's name, its IP address and the workgroup or domain it belongs to. Because each new infection appends to the same embedded log, any given sample carries a trail of digital breadcrumbs back through every host it passed through, in order.

"Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz," Symantec researcher Liam O Murchu said in a blog post. "In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work. This technical proof shows that Stuxnet did not escape from Natanz to infect outside companies but instead spread into Natanz."
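The reasoning above (the first record in a sample's log is the host it started from, and samples that share a prefix share a lineage) can be turned into a small analysis routine. The following is an added example written for this article; it is not code from the original page nor from the Symantec or Kaspersky research it quotes. The record layout it uses (a length field, a Windows FILETIME and three NUL-terminated strings) is an assumption made for the illustration and is not Stuxnet's actual on-disk format, and all host names, domains, addresses and timestamps are constructed.

```python
"""Reconstruct a worm's propagation trail from an embedded breadcrumb log.

Added example for this article; it is not code from the original page nor
from the Symantec/Kaspersky research it quotes.  The record layout (length,
FILETIME, three NUL-terminated strings) is an assumption made for the
illustration and is NOT Stuxnet's real on-disk format.  Host names, domains,
addresses and times below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows FILETIME epoch


def to_filetime(dt):
    """Time since 1601 in 100 ns units, computed with exact integers."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def encode_record(host, domain, ip, when):
    """One breadcrumb: u32 body length | u64 FILETIME | host\\0domain\\0ip\\0."""
    body = struct.pack("<Q", to_filetime(when))
    body += b"\0".join(s.encode() for s in (host, domain, ip)) + b"\0"
    return struct.pack("<I", len(body)) + body


def append_breadcrumb(sample, host, domain, ip, when):
    """What the worm does on every new host: append a record to its own body."""
    return sample + encode_record(host, domain, ip, when)


def parse_trail(sample):
    """Walk the appended records and return them oldest-first as dicts."""
    trail, off = [], 0
    while off < len(sample):
        (length,) = struct.unpack_from("<I", sample, off)
        body = sample[off + 4: off + 4 + length]
        if len(body) != length or length < 9:
            raise ValueError("truncated or malformed record at offset %d" % off)
        (ft,) = struct.unpack_from("<Q", body)
        host, domain, ip, _ = body[8:].split(b"\0", 3)
        trail.append({"host": host.decode(), "domain": domain.decode(),
                      "ip": ip.decode(), "time": from_filetime(ft)})
        off += 4 + length
    return trail


def origin(sample):
    """The first record: the host this sample sat on before any hop."""
    return parse_trail(sample)[0]


def is_monotonic(sample):
    """The worm only ever appends, so timestamps must not run backwards;
    a violation points at clock skew or a tampered sample."""
    times = [r["time"] for r in parse_trail(sample)]
    return all(a <= b for a, b in zip(times, times[1:]))


def entry_points(samples, target_domain):
    """Where each sample first crossed into target_domain, as
    (domain it came from, host it came from, host it landed on).
    Samples that never reached the domain are ignored."""
    points = set()
    for trail in map(parse_trail, samples.values()):
        for prev, cur in zip(trail, trail[1:]):
            if cur["domain"] == target_domain and prev["domain"] != target_domain:
                points.add((prev["domain"], prev["host"], cur["host"]))
                break
    return points


def spread_into(samples, target_domain):
    """O Murchu's inference as a check: True when every sample that reached
    target_domain began its trail somewhere else, i.e. the worm moved into
    the site rather than escaping from it."""
    reached = [s for s in samples.values()
               if any(r["domain"] == target_domain for r in parse_trail(s))]
    return bool(reached) and all(
        origin(s)["domain"] != target_domain for s in reached)


def build_samples():
    """Three constructed samples sharing a common two-hop prefix."""
    t0 = datetime(2009, 6, 23, 4, 40, tzinfo=timezone.utc)
    common = append_breadcrumb(b"", "ENG-WS01", "VENDORA", "192.168.10.21", t0)
    common = append_breadcrumb(common, "ENG-FS02", "VENDORA", "192.168.10.5",
                               t0 + timedelta(hours=3))
    a = append_breadcrumb(common, "PLC-PROG7", "PLANT-X", "10.20.3.14",
                          t0 + timedelta(days=12))
    b = append_breadcrumb(a, "HMI-LINE2", "PLANT-X", "10.20.3.40",
                          t0 + timedelta(days=13))
    c = append_breadcrumb(common, "LAPTOP-9", "VENDORB", "172.16.4.9",
                          t0 + timedelta(days=20))
    return {"sample_a": a, "sample_b": b, "sample_c": c}


if __name__ == "__main__":
    samples = build_samples()
    for name, blob in samples.items():
        hops = " -> ".join(f'{r["host"]}@{r["domain"]}' for r in parse_trail(blob))
        print(f"{name}: {hops}")
    print("entry points into PLANT-X:", entry_points(samples, "PLANT-X"))
    print("spread into PLANT-X:", spread_into(samples, "PLANT-X"))
```

Run stand-alone, the script prints each constructed sample's hop list, the single crossing point into the PLANT-X domain (both samples that reached it came through the same vendor file server), and `True` for `spread_into`, because no sample's first record lies inside PLANT-X. The `is_monotonic` check is the sanity test an analyst would run before trusting a trail: an append-only log whose timestamps go backwards has either seen badly skewed clocks or been edited.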

The Kaspersky Lab researchers reached the same conclusion and they even named the companies they believe might have served as "patient zero."

The 2009 version of Stuxnet, dubbed Stuxnet.a, was compiled on June 22, 2009, based on a compilation timestamp found in the collected samples. A day later it infected a computer that, according to the Kaspersky researchers, belonged to a company called Foolad Technic Engineering Co., based in Isfahan, Iran.

This company creates automated systems for Iranian industrial facilities and is directly involved with industrial control systems, the Kaspersky researchers said. "Clearly, the company has data, drawings and plans for many of Iran's largest industrial enterprises on its network. It should be kept in mind that, in addition to affecting motors, Stuxnet included espionage functionality and collected information on STEP 7 projects found on infected systems."

On July 7, 2009, Stuxnet infected computers at another Iranian company, Neda Industrial Group, which according to the Iran Watch website had been placed on a sanctions list by the U.S. Department of Justice for illegally manufacturing and exporting commodities with potential military applications.

On the same day, Stuxnet infected computers on a domain name called CGJ. The Kaspersky researchers are confident that those systems belonged to Control-Gostar Jahed, another Iranian company operating in industrial automation.

Another Iranian industrial automation vendor infected in 2009 with Stuxnet.a was Behpajooh Co. Elec & Comp. Engineering. This company was infected again in 2010 with Stuxnet.b and is considered patient zero for the 2010 Stuxnet global epidemic, the Kaspersky researchers said.

"On April 24, 2010 Stuxnet spread from the corporate network of Behpajooh to another network, which had the domain name MSCCO," the researchers said. "A search for all possible options led us to the conclusion that the most likely victim is Mobarakeh Steel Company (MSC), Iran's largest steel maker and one of the largest industrial complexes operating in Iran, which is located not far from Isfahan, where the two victims mentioned above -- Behpajooh and Foolad Technic -- are based."

"Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months," the Kaspersky researchers said.

Another company infected in 2010 with Stuxnet.b was Kalaye Electric Co., identified from a domain name, KALA, recorded in malware samples. This was the ideal target for Stuxnet, because Kalaye Electric is the main manufacturer of Iran's IR-1 uranium enrichment centrifuges.

"Thus, it appears quite reasonable that this organization of all others was chosen as the first link in the infection chain intended to bring the worm to its ultimate target," the Kaspersky researchers said. "It is in fact surprising that this organization was not among the targets of the 2009 attacks."

The attackers behind Stuxnet had one problem to solve -- how to infect computers in a facility like the one at Natanz that had no direct Internet connections, the Kaspersky researchers said. "The targeting of certain 'high profile' companies was the solution and it was probably successful."

Lucian Constantin

IDG News Service