New York Times
POSTED: 01:30 a.m. HST, Feb 13, 2011
The Stuxnet software worm repeatedly sought to infect five industrial facilities in Iran over a 10-month period, a new report says, in what could be a clue into how it might have infected the Iranian uranium enrichment complex at Natanz.
The report, released Friday by Symantec, a computer security software firm, said there were three waves of attacks. Liam O Murchu, a security researcher at the firm, said his team was able to chart the path of the infection because of an unusual feature of the malware: Stuxnet recorded information on the location and type of each computer it infected.
Such information would allow the authors of Stuxnet to determine if they had successfully reached their intended target. By taking samples of Stuxnet they had collected from various computers, the researchers were able to build a model of the spread of the infection. They determined that 12,000 infections could be traced back to just five initial infection points.
Between June 2009 and May 2010, the program took aim at specific organizations in Iran on three occasions, Symantec research noted in an update of a research report the company published last year.
The Symantec team said it had collected five Internet domains that were linked to industrial organizations within Iran. They said because of the company's privacy policies, they would not disclose the domain names.
"All of the domains are involved in industrial processing," O Murchu said in an interview.
It is likely that a classified site like Natanz is not connected directly to the Internet. Therefore, an attacker might try to infect industrial organizations that would be likely to share information, and the malware, with Natanz.
At least three and possibly four versions of the program were probably written, and the researchers discovered that the first version had been completed just 12 hours before the first successful infection in June 2009. The researchers speculated that the first step in the infection was either an infected e-mail sent to an intended victim or a hand-held USB device that carried the attack code.
When international inspectors visited Natanz in late 2009, they found that almost 1,000 gas centrifuges had been taken offline, leading to speculation that the attack may have disabled part of the complex.
In April 2010, the attackers again tried to distribute the program. This time they found a new vulnerability in Windows-based computers to be infected with a USB device and most likely successfully inserted the program that way at an unknown location inside Iran.
The Symantec researchers also said they had determined that the malware program carried two different attack modules aimed at different centrifuge arrays, but that one of them had been disabled.
Stuxnet first infected Windows-based industrial control computers while it hunted for particular types of equipment made by the Siemens Corporation. It was programmed to then damage a uranium centrifuge array by repeatedly speeding it up, while at the same time hiding its attack from the control computers by sending false information to displays that monitored the system.
The New York Times reported in January that Israel had built an elaborate test facility at a classified nuclear weapons site that contained a replica array of the Iranian uranium enrichment plant. Such a test site would have been necessary for the design of the attack software.
"We know the exact configuration of the system they were looking for," O Murchu said. "We know they were looking for a certain number of frequency converters. And each of those frequency converters controls a certain number of motors. And those numbers fit in with what you expect to see in an uranium enrichment facility."