Attackers behind the Stuxnet computer worm focused on targeting five organizations in Iran that they believed would get them to their final target in that country, according to a new report from security researchers.
The five organizations, believed to be the first that were infected with the worm, were targeted in five separate attacks over a number of months in 2009 and 2010, before Stuxnet was discovered in June 2010 and publicly exposed. Stuxnet spread from these organizations into other organizations on its way to its final target, which is believed to have been a nuclear enrichment facility or facilities in Iran.
“These five organizations were infected, and from those five computers Stuxnet spread out — not to just computers in those organizations, but to other computes as well,” says Liam O Murchu, manager of operations for Symantec Security Response. “It all started with those five original domains.”
The new information comes in an updated report from researchers at Symantec (.pdf), a computer security firm that has provided some of the leading analysis of the worm since it was discovered.
According to the report, Stuxnet’s first attack against the five organizations occurred in June 2009, followed by a second attack in July 2009. Eight months passed before subsequent attacks were launched in March, April and May 2010. The last attack was just one month before the code was discovered in June 2010 by VirusBlokAda, a security firm in Belarus, which said it had found the malware on computers of unspecified clients in Iran.
Symantec didn’t identify the names of the five organizations that were targeted; the company said only that all five “have a presence in Iran” and are involved in industrial processes. One of the organizations (what Symantec refers to as Domain B) was targeted with the worm in three of the five attacks. Of the remaining organizations, three of them were hit once, and the last organization was targeted twice.
Symantec has so far been able to count a constellation of 12,000 infections in the five organizations and outside organizations to which the malware spread. The most successful attack occurred in March 2010 when 69 percent of these infections occurred. The March attack targeted only Domain B, then spread.
Domain A was targeted twice (Jun 2009 and Apr 2010). The same computer appears to have been infected each time.
Domain B was targeted three times (Jun 2009, Mar 2010, and May 2010).
Domain C was targeted once (Jul 2009).
Domain D was targeted once (Jul 2009).
Domain E appears to have been targeted once (May 2010), but had three initial infections. (I.e., the same initially infected USB key was inserted into three different computers.)
O Murchu acknowledges that there could have been earlier attacks that occurred before June 2009, but no one has found evidence of this yet.
Symantec found that the shortest time between when the malware was compiled in one case — that is turned from source code into a working piece of software — and the subsequent attack using the code occurred, was just 12 hours. This occurred in the June 2009 attack.
“This tells us that the attackers more than likely knew who they wanted to infect before they completed the code,” O Murchu says. “They knew in advance who they wanted to target and how they were going to get it there.”