Stuxnet Patient Zero: First Victims of the Infamous Worm Revealed

More than four years have passed since the discovery of one of the most Kaspersky_Lab_infographics_stuxnet5victims_finalsophisticated and dangerous malicious program– the Stuxnet worm, considered to be the first cyber-weapon– but many mysteries still swirl around the story. One major question is: what were the exact goals of the whole Stuxnet operation?Now, after analyzing more than 2,000 Stuxnet files collected over atwo–year period, Kaspersky Lab researchers can identify the first victims of the worm.

Initially security researchers had no doubt that the whole attack hadatargeted nature. The code of the Stuxnet worm looked professional and exclusive;there was evidence that extremely expensive zero-day vulnerabilities were used.However, it wasn’t yet known what kind of organizations wereattacked first and how the malware ultimately made it right through to the uranium enrichment centrifuges in the particular top secret facilities.

This new analysis sheds light on these questions. All fiveof the organizations thatwere initially attacked are working in the ICS areain Iran,developing ICS or supplying materials and parts. The organizationattacked fifth is the most intriguing because, among other products for industrial automation, it produces uranium enrichment centrifuges.This is precisely the kind of equipment thatis believed to be the main target of Stuxnet.

Apparently, the attackers expectedthat these organizations would exchange data with theirclients – such as uranium enrichment facilities– and this would make it possible to getthe malware inside these targetfacilities. The outcome suggests that the plan was indeed successful.
“Analyzing the professional activities of the first organizations to fall victim to Stuxnet gives us a better understanding of how the whole operation was planned. At the end of the day this is an example of a supply-chain attack vector, where the malware is delivered to the target organization indirectly via networks of partners that the target organization may work with,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab.

Kaspersky Lab experts made another interesting discovery: the Stuxnet worm did not only spread via infected USB memory sticks plugged into PCs. That was the initial theory, and it explained how the malware could sneak into a place with no direct Internet connection. However,data gathered while analyzing the very first attack showed that the first worm’s sample (Stuxnet.a) was compiled just hours before it appeared on aPC in the first attacked organization. Thistight timetable makes it hard to imagine that an attacker compiled the sample, put it on a USB memory stickand delivered it to the target organization in just a fewhours.It is reasonable to assume that in this particular casethe people behind Stuxnet used other techniques instead of a USB infection.

The latesttechnical information about some previously unknown aspects of the Stuxnet attack can be readina blog post on Securelist and in anew book – “Countdown to Zero Day” – by journalist Kim Zetter. The book includes previously undisclosed information about Stuxnet; some of this information is based on the interviews with members of the Kaspersky Lab Global Research and Analysis Team.