Stuxnet: five companies used as spring-boards

In an updated version of its Stuxnet dossier, Symantec writes that ten initial infections via five consecutive attacks were the starting points for the propagation of the Stuxnet worm. According to the paper, the creators of the worm targeted five specific companies in order to disseminate Stuxnet. Many indicators appear to point towards the conclusion that experts in the US and in Israel jointly developed Stuxnet over a two-year period.

The attacked companies were apparently service providers or other contractors connected with the Natanz uranium enrichment facility. While Symantec didn't provide any further details such as the names or nationalities of the attacked companies, all of the targets reportedly maintain a presence in Iran.

The worm then appears to have been introduced into Natanz via infected laptops or USB drives. There, Stuxnet infected the Siemens control systems and, specialists say, manipulated centrifugal speeds to a degree that caused permanent damage to the motors.

Symantec managed to trace the worm's dissemination pathways and infection figures because Stuxnet itself apparently logs the computers it infects. The logged information contained exact timings and served as the basis for Symantec's analyses. According to the AV vendor, 3,280 unique samples of the worm were responsible for approximately 12,000 infections.

Reportedly, the first attack took place in June 2009, and further attacks followed in July 2009, March 2010, April 2010 and May 2010. Various organisations were targeted repeatedly by the Stuxnet authors, and some computers were successfully infected several times.

The creators of the worm deployed three variants of Stuxnet via targeted attacks, but only the variant deployed in March contained what was a zero-day exploit for the LNK hole in Windows at that time. Using the timestamps in the compiled code, Symantec concluded that the first infection was already successful only 12 hours after the first version of Stuxnet was completed.

The new analyses show that Stuxnet actually contained two sabotage routines to infect and manipulate two separate types of control, but that the second routine was incomplete and disabled. Experts assume that the developers ran out of time.

(djwm)