Stuxnet reached its target via the networks of trusted business partners

Stuxnet, the powerful malware that wormed its way in and hobbled Iran's uranium enrichment efforts, infiltrated the secure networks of the nuclear program via trusted partners, newly public information reveals.

Once machines in five partner networks had been infected, Stuxnet found its way into Iran's Natanz refining plant, where it forced automated control machines to run uranium enrichment centrifuges at speeds that would damage them, according to a blog written by Alex Gostev, Chief Security Expert at Kaspersky Lab.

The centrifuges are necessary to create weapons-grade uranium, something the U.S. and Israel wanted to block, and both countries are considered the most likely creators of Stuxnet.

The five targeted partners were three makers of automated systems for industrial use (Foolad Technic Engineering Co., Behpajooh Co. Elec & Comp. Engineering and Control-Gostar Jahed Co.), a steel company (Mobarakeh Steel Company), a company that made products for potential military use (Neda Industrial Group), and the main manufacturer of the centrifuges (Kalaye Electric Co.).

These companies and the manner in which they were attacked give some insight into the thought process that went into ultimately compromising the Siemens gear that controlled the centrifuges.

Two of the attacked companies, Neda and Gostar, were likely used just for intelligence gathering since they were infected with a Stuxnet variant that never left the companies.

Neda was attacked only in 2009, while some of the other sites were also hit in 2010. The company's usefulness might have been to provide information about Siemens Step7 software, which is used to give instructions to its programmable logic controllers, the devices directing the behavior of the centrifuges, Gostev says. "[T]he capability of stealing information about Step 7 projects from infected systems was of special interest to the creators of Stuxnet," he writes.

Foolad, though, was hit twice in June 2009 and April 2010. "This persistence on the part of the Stuxnet creators may indicate that they regarded Foolad Technic Engineering Co. not only as one of the shortest paths to the worm's final target, but as an exceptionally interesting object for collecting data on Iran's industry," Gostev writes.

While it's widely believed that Stuxnet spread via infected USB sticks, in at least one case it seems that some other method was used. One Stuxnet version was created June 22, 2009 and infected a Foolad computer at 4:40 a.m. the next day, too soon for it to have been introduced via USB stick, Gostev writes. He said in an email interview that the machine might instead have been compromised through exploitation of a particular Microsoft vulnerability.

That vulnerability, known as MS08-067 or CVE-2008-4250, once exploited allows attackers to create, read and delete files, download and install malware versions, and send the malware on to infect other machines.

Kaspersky was able to deduce the five companies victimized by Stuxnet because the malware logs the names and addresses of the machines it infects, and those names included clues that pointed to the companies. For example, the name APPLSERVER NEDA was logged for a machine infected July 7, 2009, which likely meant it was an application server within Neda Industrial Group.

Coincidentally, one of the compromised machines at Foolad was named KASPERSKY ISIE. "When we first saw the computer's name, we were very much surprised," says Kaspersky's Gostev. "The name could mean that the initial infection affected some server named after our anti-malware solution installed on the machine."
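As an added illustration of the two analytical steps described above (this is not code from the article or from Kaspersky), the following Python script parses a constructed infection trail of the kind the article says Stuxnet kept, groups hosts by the organization their names hint at, and flags infections that follow the build timestamp too closely for a hand-carried USB stick to be a plausible delivery route. The record layout, the sample rows, the IP addresses, the build time of day and the 24-hour transit threshold are all assumptions; only the host names and dates quoted in the article are taken from it.

```python
"""Attribution from a worm's own infection trail (constructed example).

Two questions an analyst asks of such a trail:
  1. Which organization does each infected host belong to?  Host and
     domain names often carry the answer (APPLSERVER NEDA -> Neda).
  2. Was a host infected too soon after the sample was built for the
     malware to have travelled there on physical media?
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class InfectionRecord:
    infected_at: datetime
    hostname: str
    domain: str
    ip: str


# Constructed trail: timestamp,hostname,domain,ip (not Stuxnet's real format).
SAMPLE_TRAIL = """\
# infected_at,hostname,domain,ip
2009-06-23T04:40:00Z,FOOLAD-ENG01,FOOLAD,10.0.1.5
2009-06-25T09:15:00Z,KASPERSKY ISIE,FOOLAD,10.0.1.9
2009-07-07T12:00:00Z,APPLSERVER NEDA,NEDA,10.0.2.10
2010-04-15T07:30:00Z,WS-0042,FOOLAD,10.0.1.22
"""

# The article gives only the build date (June 22, 2009); the hour is assumed.
BUILD_TIME = datetime(2009, 6, 22, 20, 0, tzinfo=timezone.utc)

# Name fragments that identify an organization (from the article's victim list).
ORG_HINTS = {
    "NEDA": "Neda Industrial Group",
    "FOOLAD": "Foolad Technic Engineering Co.",
}


def parse_trail(text: str) -> list[InfectionRecord]:
    """Parse the constructed CSV layout into records, oldest infection first."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, hostname, domain, ip = (f.strip() for f in line.split(",", 3))
        infected_at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        records.append(InfectionRecord(infected_at, hostname, domain, ip))
    return sorted(records, key=lambda r: r.infected_at)


def _tokens(name: str) -> set[str]:
    """Split a host or domain name into upper-case alphanumeric tokens."""
    return set(re.split(r"[^A-Z0-9]+", name.upper())) - {""}


def infer_organizations(
    records: list[InfectionRecord], hints: dict[str, str] = ORG_HINTS
) -> dict[str, list[str]]:
    """Group host names by the organization their name or domain hints at."""
    by_org: dict[str, list[str]] = defaultdict(list)
    for rec in records:
        tokens = _tokens(rec.hostname) | _tokens(rec.domain)
        matches = [org for key, org in hints.items() if key in tokens]
        by_org[matches[0] if matches else "unattributed"].append(rec.hostname)
    return dict(by_org)


def too_fast_for_physical_delivery(
    records: list[InfectionRecord],
    build_time: datetime,
    min_transit: timedelta = timedelta(hours=24),  # assumed analyst threshold
) -> list[str]:
    """Hosts infected less than min_transit after the build timestamp.

    A negative gap (infection before the build) also lands here; in a real
    case that points at clock skew or a mis-parsed timestamp, not at magic.
    """
    return [r.hostname for r in records if r.infected_at - build_time < min_transit]


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    for org, hosts in infer_organizations(trail).items():
        print(f"{org}: {', '.join(hosts)}")
    print("Too fast for USB delivery:", too_fast_for_physical_delivery(trail, BUILD_TIME))
```

Run as a script it prints the hosts grouped by inferred organization and a single flagged host, FOOLAD-ENG01, whose infection falls only hours after the assumed build time. In practice the hint table would be built from the victim's asset inventory rather than hard-coded, and the transit threshold should be justified per case rather than fixed at a day.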

Stories by Tim Greene