Stuxnet was attacking Iran's nuke program a year earlier than thought

The Stuxnet worm was at work sabotaging a uranium plant in Iran a year earlier than previously thought and before a U.S. covert program to disrupt the facility was officially authorized by former President George W. Bush, according to a report on a previously unknown version of the worm.

The early version of the worm - Stuxnet 0.5 - was found in the wild in November 2007 and stopped infecting July 4, 2009, according to a new Symantec blog post. Bush authorized the U.S. to use covert activities to target Iran's uranium works at Natanz in January 2009, just before he left office.

[BACKGROUND: Stuxnet a 'destabilizing and dangerous' course of action, security expert Bruce Schneier says]

[MORE: U.S. and Israel unleashed Stuxnet, says New York Times]

Previously the worm, whose existence came to public attention in June 2010, was thought to have been at work since 2008. That turns out to have been a later version, Stuxnet 1.001, which attacked the centrifuges used to enrich uranium for Iran's nuclear program.

Like the previously known version, the earlier one used sophisticated means to disrupt Siemens-made equipment used to enrich uranium.

The worm would find Siemens programmable logic controllers (PLCs) used to manipulate the valves that fed uranium hexafluoride gas into the centrifuges used to enrich it. Closed at the right time, the valves would disrupt the flow of gas and possibly damage the centrifuges, the Symantec report says.

But first it would monitor the normal system state of the machinery so that after the worm closed the valves, it could simulate readouts that would mask the effects of the attack. "It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle," the blog post says. So even if the operator figured out something was wrong, there was nothing that could be done about it.

Stuxnet carefully probed potential target Siemens machines to make sure they were actually in the Natanz facility, the blog post says, and the criteria it used indicate that whoever wrote the worm had detailed intelligence about the configuration of the centrifuges at the site.

Thousands of centrifuges were arranged in groups called cascades that were identified by a code. The logic used by Stuxnet to parse these strings sought particular cascade modules, seeking those labeled between A21 and A28 and expecting to find a maximum of 18 cascades per module with each cascade consisting of 164 centrifuges grouped into 15 stages. That exactly matches the known configuration at Natanz.


This process is called fingerprinting. "During fingerprinting, Stuxnet keeps a counter for each device that matches the expected configuration," the blog post says. "Once the counter surpasses a particular threshold, Stuxnet considers the system that is being fingerprinted to match the target system configuration and will inject the attack PLC code. Stuxnet also determines which six cascades out of the possible 18 are the highest value targets and saves this information along with device addresses and configuration information[.]"
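To make the fingerprinting criteria concrete, here is a short Python model, added for this article and not code from Symantec or from the worm itself, that checks a plant inventory against them. The criteria (cascade modules labelled A21 to A28, at most 18 cascades per module, 164 centrifuges per cascade in 15 stages) come from Symantec's description; the inventory structure, the per-module counting and the threshold value are constructed for the example, since the post does not give Stuxnet's actual threshold or its symbol format.

```python
# Added example, not Symantec's or Stuxnet's code. The inventory format,
# the per-module counting and the threshold default are constructed; only
# the match criteria themselves come from the article.
import re
from dataclasses import dataclass, field

MODULE_LABEL = re.compile(r"^A2[1-8]$")   # cascade modules A21 .. A28
MAX_CASCADES_PER_MODULE = 18
CENTRIFUGES_PER_CASCADE = 164
STAGES_PER_CASCADE = 15


@dataclass
class Cascade:
    centrifuges: int
    stages: int


@dataclass
class Module:
    label: str
    cascades: list = field(default_factory=list)


def module_matches(module: Module) -> bool:
    """A module counts as a match only if every criterion in the text holds."""
    if not MODULE_LABEL.match(module.label):
        return False
    if not 0 < len(module.cascades) <= MAX_CASCADES_PER_MODULE:
        return False
    return all(c.centrifuges == CENTRIFUGES_PER_CASCADE
               and c.stages == STAGES_PER_CASCADE for c in module.cascades)


def fingerprint(modules, threshold: int = 4) -> dict:
    """Counter-and-threshold logic as Symantec describes it: count matching
    modules and arm the attack only once the count surpasses the threshold.
    threshold=4 is a placeholder; the article does not give the real value."""
    counter = sum(module_matches(m) for m in modules)
    return {"matched": counter, "inject_attack": counter > threshold}


def natanz_like_inventory() -> list:
    """Constructed sample laid out like the configuration the article describes."""
    return [Module(f"A2{i}", [Cascade(164, 15) for _ in range(18)])
            for i in range(1, 7)]


def generic_plant_inventory() -> list:
    """Constructed sample: wrong labels, too many cascades, wrong stage count."""
    return [Module("B11", [Cascade(120, 12) for _ in range(10)]),
            Module("A22", [Cascade(164, 15) for _ in range(20)]),
            Module("A23", [Cascade(164, 14) for _ in range(18)])]
```

Run against the two constructed inventories, the first reports six matching modules and arms the attack while the second matches nothing, which is the point of the fingerprint: a plant that merely runs the same Siemens PLCs is not enough.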

The worm also had a state table that laid out how attacks would unfold. This is how Symantec describes it:

"State 0 - Wait: Perform system identification and wait for the enrichment process to reach steady-state before attacking (approximately 30 days).

"State 1 - Record: Take peripheral snapshots and build fake input blocks for replaying later.

"State 2 - Attack centrifuge valves: Begin replaying fake input signals. Close valves on most centrifuges with the exception of the initial feed stage valves.

"State 3 - Secondary pressure reading: Open valves in the final stage of a single cascade to obtain a low pressure reading.

"State 4 - Wait for pressure change: Wait for desired pressure change or time limit. This can take up to two hours.

"State 5 - Attack auxiliary valves: Open all auxiliary valves except valves believed to be near the first feed stage (stage 10). Wait for three minutes in this state.

"State 6 - Wait for attack completion: Wait for six minutes whilst preventing any state changes.

"State 7 - Finish: Reset and return to state zero."

If this workflow is carried out, Stuxnet expects pressure in the enrichment system to increase to five times normal, the blog post says, which could damage the system and cause the uranium hexafluoride gas to revert to a solid. Symantec says it is unclear how successful these attacks were, since it was only looking at the code intended to carry them out, not data on what was actually carried out.
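The state table, together with the record-and-replay masking described earlier, can be modelled as a small simulation. The following Python is added here for illustration and is not Symantec's or the worm's code; the toy pressure model, the durations (in simulated ticks rather than days and hours), the cut-off used for "desired pressure change" and the operator's attempt to reopen the valves are all constructed assumptions. What it shows is the effect the article describes: the real pressure climbs toward five times normal while the operator's readout stays flat, and the operator's write is ignored.

```python
# Added example, not Symantec's or Stuxnet's code. Constructed assumptions:
# the toy pressure dynamics, the tick durations, the 0.8 * TARGET cut-off and
# the operator's write attempt. The state order, the five-times-normal goal
# and the replay/blocking behaviour follow the article's description.
from dataclasses import dataclass, field
from enum import IntEnum


class State(IntEnum):
    WAIT = 0            # ~30 days in reality
    RECORD = 1
    ATTACK_VALVES = 2
    SECONDARY_READ = 3
    WAIT_PRESSURE = 4   # up to 2 hours in reality
    ATTACK_AUX = 5      # 3 minutes
    WAIT_COMPLETE = 6   # 6 minutes
    FINISH = 7


DURATION = {State.WAIT: 5, State.RECORD: 3, State.WAIT_PRESSURE: 20,
            State.ATTACK_AUX: 3, State.WAIT_COMPLETE: 6}   # simulated ticks
NORMAL_PRESSURE = 1.0
TARGET_PRESSURE = 5.0 * NORMAL_PRESSURE   # article: five times normal


@dataclass
class Plant:
    """Toy cascade: pressure drifts to normal with feed valves open, to TARGET when closed."""
    valves_open: bool = True
    pressure: float = NORMAL_PRESSURE

    def step(self) -> None:
        goal = NORMAL_PRESSURE if self.valves_open else TARGET_PRESSURE
        self.pressure += 0.2 * (goal - self.pressure)


@dataclass
class Implant:
    """Sits between the PLC's real I/O and the operator's HMI."""
    state: State = State.WAIT
    ticks_in_state: int = 0
    attacking: bool = False
    snapshots: list = field(default_factory=list)
    secondary_reading: float = 0.0

    def hmi_reading(self, plant: Plant) -> float:
        # During an attack the operator sees replayed snapshots, not live inputs.
        if self.attacking and self.snapshots:
            return self.snapshots[self.ticks_in_state % len(self.snapshots)]
        return plant.pressure

    def operator_sets_valves(self, plant: Plant, open_valves: bool) -> bool:
        if self.attacking:          # operator writes are dropped during the cycle
            return False
        plant.valves_open = open_valves
        return True

    def tick(self, plant: Plant) -> None:
        self.ticks_in_state += 1
        s = nxt = self.state
        if s is State.WAIT and self.ticks_in_state >= DURATION[s]:
            nxt = State.RECORD
        elif s is State.RECORD:
            self.snapshots.append(plant.pressure)        # build fake inputs
            if self.ticks_in_state >= DURATION[s]:
                nxt = State.ATTACK_VALVES
        elif s is State.ATTACK_VALVES:
            self.attacking = True                        # start replaying
            plant.valves_open = False                    # close most valves
            nxt = State.SECONDARY_READ
        elif s is State.SECONDARY_READ:
            self.secondary_reading = plant.pressure      # low-pressure reference
            nxt = State.WAIT_PRESSURE
        elif s is State.WAIT_PRESSURE and (plant.pressure >= 0.8 * TARGET_PRESSURE
                                           or self.ticks_in_state >= DURATION[s]):
            nxt = State.ATTACK_AUX
        elif s is State.ATTACK_AUX and self.ticks_in_state >= DURATION[s]:
            nxt = State.WAIT_COMPLETE
        elif s is State.WAIT_COMPLETE and self.ticks_in_state >= DURATION[s]:
            nxt = State.FINISH
        elif s is State.FINISH:                          # reset, back to state 0
            self.attacking, plant.valves_open = False, True
            self.snapshots.clear()
            nxt = State.WAIT
        if nxt is not s:
            self.state, self.ticks_in_state = nxt, 0


def run_attack_cycle(ticks: int = 30, operator_write_tick: int = 12) -> dict:
    """Report what the plant really did versus what the operator's HMI showed.
    The operator tries to reopen the valves at operator_write_tick."""
    plant, implant = Plant(), Implant()
    states, real, seen = [], [], []
    write_accepted = None
    for t in range(ticks):
        implant.tick(plant)
        plant.step()
        if t == operator_write_tick:
            write_accepted = implant.operator_sets_valves(plant, open_valves=True)
        states.append(int(implant.state))
        real.append(plant.pressure)
        if implant.attacking:
            seen.append(implant.hmi_reading(plant))
    return {"states": states,
            "max_real_pressure": max(real),
            "max_hmi_reading_during_attack": max(seen, default=None),
            "operator_write_accepted": write_accepted}
```

With the defaults, `run_attack_cycle()` walks through all eight states once within 30 ticks: the real pressure peaks near 4.9 times normal, every reading the operator sees during the attack is the recorded 1.0, and the valve write at tick 12 is rejected. The same write issued before the attack starts (for example at tick 2) is accepted, which is why the waiting and recording phases are invisible to the operator.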

Stuxnet 0.5 had four command and control servers located in the U.S., Canada, France and Thailand, and all their IP addresses are either unavailable or registered to an unrelated party, according to a separate Symantec blog.

The command and control was rudimentary, enabling just downloads of new code and the ability to update itself. It seems intended to be deployed in closed networks and to receive updates from other machines on the same network that are newly infected with the worm via USB sticks. "Stuxnet 0.5 uses Windows mailslots for peer-to-peer communication. Mailslots allow a process to pass a message to another process on a remote computer," the blog post says.

The homepage for the command and control servers was for an entity called Media Suffix, whose motto was "Deliver What the Mind Can Dream".

(Tim Greene covers Microsoft for Network World and writes the Mostly Microsoft blog. Follow him on Twitter at @Tim_Greene.)
