First Stuxnet victims were five Iranian industrial automation companies

To reach the uranium enrichment plant at Natanz, Stuxnet's creators likely targeted Iranian companies tied to it, researchers said

For the first time since Stuxnet was discovered in 2010, researchers have publicly named the worm's original victims: five Iranian companies involved in industrial automation.

Stuxnet is considered to be the first known cyberweapon. It is believed to have been created by the U.S. and Israel in order to attack and slow down Iran's nuclear program.

The worm, which has both espionage and sabotage functionality, is estimated to have destroyed up to 1,000 uranium enrichment centrifuges at a nuclear plant near the city of Natanz in Iran. It eventually spread out of control and infected hundreds of thousands of systems worldwide, leading to its discovery in June 2010.

Security researchers from Kaspersky Lab and Symantec reported Tuesday that while the nuclear facility at Natanz might have been the ultimate target of Stuxnet's creators, the initial victims were five Iranian companies with likely ties to the country's nuclear program. Their reports coincided with the release of "Countdown to Zero Day", a book about Stuxnet by journalist Kim Zetter, that is partially based on interviews with researchers who investigated the threat.

Every time Stuxnet executes on a computer it saves information about that computer inside its executable file. This information includes the computer's name, its IP address and the workgroup or domain it's part of. When the worm spreads to a new computer it adds information about the new system to its main file as well, creating a trail of digital breadcrumbs.

"Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz," Symantec researcher Liam O Murchu said in a blog post. "In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work. This technical proof shows that Stuxnet did not escape from Natanz to infect outside companies but instead spread into Natanz."

The Kaspersky Lab researchers reached the same conclusion and they even named the companies they believe might have served as "patient zero."

The 2009 version of Stuxnet, dubbed Stuxnet.a, was compiled on June 22, 2009, based on a date found in the collected samples. A day later it infected a computer that, according to the Kaspersky researchers, belonged to a company called Foolad Technic Engineering Co. that's based in Isfahan, Iran.

This company creates automated systems for Iranian industrial facilities and is directly involved with industrial control systems, the Kaspersky researchers said. "Clearly, the company has data, drawings and plans for many of Iran's largest industrial enterprises on its network. It should be kept in mind that, in addition to affecting motors, Stuxnet included espionage functionality and collected information on STEP 7 projects found on infected systems."

On July 7, 2009, Stuxnet infected computers at another Iranian company called Neda Industrial Group, which according to the Iran Watch website, was put on the sanctions list by the U.S. Ministry of Justice for illegally manufacturing and exporting commodities with potential military applications.

On the same day, Stuxnet infected computers on a domain name called CGJ. The Kaspersky researchers are confident that those systems belonged to Control-Gostar Jahed, another Iranian company operating in industrial automation.

Another Iranian industrial automation vendor infected in 2009 with Stuxnet.a was Behpajooh Co. Elec & Comp. Engineering. This company was infected again in 2010 with Stuxnet.b and is considered patient zero for the 2010 Stuxnet global epidemic, the Kaspersky researchers said.

"On April 24, 2010 Stuxnet spread from the corporate network of Behpajooh to another network, which had the domain name MSCCO," the researchers said. "A search for all possible options led us to the conclusion that the most likely the victim is Mobarakeh Steel Company (MSC), Iran's largest steel maker and one of the largest industrial complexes operating in Iran, which is located not far from Isfahan, where the two victims mentioned above -- Behpajooh and Foolad Technic -- are based."

"Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months," the Kaspersky researchers said.

Another company infected in 2010 with Stuxnet.b was Kalaye Electric Co., based on a domain name called KALA that was recorded in malware samples. This was the ideal target for Stuxnet, because it is the main manufacturer of the Iranian uranium enrichment centrifuges IR-1.

"Thus, it appears quite reasonable that this organization of all others was chosen as the first link in the infections chain intended to bring the worm to its ultimate target," the Kaspersky researchers said. "It is in fact surprising that this organization was not among the targets of the 2009 attacks."

The attackers behind Stuxnet had one problem to solve -- how to infect computers in a facility like the one at Natanz that had no direct Internet connections, the Kaspersky researchers said. "The targeting of certain 'high profile' companies was the solution and it was probably successful."

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionsymantecsecurityspywaremalwarekaspersky lab

More about KasperskySymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts