Stuxnet industrial worm was written over a year ago

The first confirmed attacks were in January 2010, Symantec says

A sophisticated worm designed to steal industrial secrets has been around for much longer than previously thought, according to security experts investigating the malicious software.

Called Stuxnet, the worm was unknown until mid-July, when it was identified by investigators with VirusBlockAda, a security vendor based in Minsk, Belarus. The worm is notable not only for its technical sophistication, but also for the fact that it targets the industrial control system computers designed to run factories and power plants.

Now researchers at Symantec say that they've identified an early version of the worm that was created in June 2009, and that the malicious software was then made much more sophisticated in the early part of 2010.

This earlier version of Stuxnet acts in the same way as its current incarnation -- it tries to connect with Siemens SCADA (supervisory control and data acquisition) management systems and steal data -- but it does not use some of the newer worm's more remarkable techniques to evade antivirus detection and install itself on Windows systems. Those features were probably added a few months before the latest worm was first detected, said Roel Schouwenberg, a researcher with antivirus vendor Kaspersky Lab. "This is without any doubt the most sophisticated targeted attack we have seen so far," he said.

After Stuxnet was created, its authors added new software that allowed it to spread among USB devices with virtually no intervention by the victim. And they also somehow managed to get their hands on encryption keys belonging to chip companies Realtek and JMicron and digitally sign the malware, so that antivirus scanners would have a harder time detecting it.

Realtek and JMicron both have offices in the Hsinchu Science Park in Hsinchu, Taiwan, and Schouwenberg believes that someone may have stolen the keys by physically accessing computers at the two companies.

Security experts say these targeted attacks have been ongoing for years now, but they only recently started gaining mainstream attention, after Google disclosed that it had been targeted by an attack known as Aurora.

Both Aurora and Stuxnet leverage unpatched "zero-day" flaws in Microsoft products. But Stuxnet is more technically remarkable than the Google attack, Schouwenberg said. "Aurora had a zero-day, but it was a zero-day against IE6," he said. "Here you have a vulnerability which is effective against every version of Windows since Windows 2000."

On Monday, Microsoft rushed out an early patch for the Windows vulnerability that Stuxnet uses to spread from system to system. Microsoft released the update just as the Stuxnet attack code started to be used in more virulent attacks.

Although Stuxnet could have been used by a counterfeiter to steal industrial secrets -- factory data on how to make golf clubs, for example -- Schouwenberg suspects a nation state was behind the attacks.

To date, Siemens says four of its customers have been infected with the worm. But all those attacks have affected engineering systems, rather than anything on the factory floor.

Although the first version of the worm was written in June 2009, it's unclear if that version was used in a real-world attack. Schouwenberg believes the first attack could have been as early as July 2009. The first confirmed attack that Symantec knows about dates from January 2010, said Vincent Weafer, Symantec's vice president of security technology and response.

Most infected systems are in Iran, he added, although India, Indonesia and Pakistan are also being hit. This in itself is highly unusual, Weaver said. "It is the first time in 20 years I can remember Iran showing up so heavily."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags wormsecurityStuxnetmalware

More about GoogleIDGKasperskyKasperskyMicronMicrosoftSiemensSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert McMillan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts