For the first time since Stuxnet was discovered in 2010, researchers have publicly named the worm's original victims: five Iranian companies involved in industrial automation.
Stuxnet is considered to be the first known cyberweapon. It is believed to have been created by the U.S. and Israel in order to attack and slow down Iran's nuclear program.
The worm, which has both espionage and sabotage functionality, is estimated to have destroyed up to 1,000 uranium enrichment centrifuges at a nuclear plant near the city of Natanz in Iran. It eventually spread out of control and infected hundreds of thousands of systems worldwide, leading to its discovery in June 2010.
Security researchers from Kaspersky Lab and Symantec reported Tuesday that while the nuclear facility at Natanz might have been the ultimate target of Stuxnet's creators, the initial victims were five Iranian companies with likely ties to the country's nuclear program. Their reports coincided with the release of "Countdown to Zero Day", a book about Stuxnet by journalist Kim Zetter that is partly based on interviews with researchers who investigated the threat.
Every time Stuxnet executes on a computer it saves information about that computer inside its executable file. This information includes the computer's name, its IP address and the workgroup or domain it's part of. When the worm spreads to a new computer it adds information about the new system to its main file as well, creating a trail of digital breadcrumbs.
"Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz," Symantec researcher Liam O Murchu said in a blog post. "In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work. This technical proof shows that Stuxnet did not escape from Natanz to infect outside companies but instead spread into Natanz."
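The trail-reading method the researchers describe, as an added Python example (not Symantec's or Kaspersky's own tooling): the "hostname | ip | domain" record layout, the sample names, hosts and domains below are constructed assumptions, since the article does not give the worm's real on-disk format.

```python
from dataclasses import dataclass
from collections import Counter
from typing import Dict, List

# Constructed breadcrumb trails (assumption: one "hostname | ip | domain" line
# per infected host, oldest hop first). Not real Stuxnet data.
SAMPLE_LOGS = {
    "sample-1": """
        ENG-WS01 | 10.1.2.3     | contractor-a.local
        FILESRV  | 10.1.2.9     | contractor-a.local
        PLC-HMI2 | 192.168.7.15 | plant.local
    """,
    "sample-2": """
        CAD-07   | 10.4.0.21    | contractor-b.local
        PLC-HMI5 | 192.168.7.40 | plant.local
        PLC-HMI6 | 192.168.7.41 | plant.local
    """,
}

@dataclass(frozen=True)
class Breadcrumb:
    hostname: str
    ip: str
    domain: str

def parse_log(text: str) -> List[Breadcrumb]:
    """Turn one sample's embedded trail into an ordered list of hops."""
    hops = []
    for line in text.strip().splitlines():
        hostname, ip, domain = (field.strip() for field in line.split("|"))
        hops.append(Breadcrumb(hostname, ip, domain))
    return hops

def spread_direction(hops: List[Breadcrumb], target_domain: str) -> str:
    """Did this sample spread INTO the target domain, OUT OF it, or never touch it?"""
    if not hops:
        return "unknown"
    if hops[0].domain == target_domain:
        return "out_of"
    return "into" if any(h.domain == target_domain for h in hops) else "never"

def origins(logs: Dict[str, str]) -> Counter:
    """Count which domain each sample's trail starts in (its 'patient zero' network)."""
    return Counter(parse_log(text)[0].domain for text in logs.values())
```

Running `origins(SAMPLE_LOGS)` over a corpus of samples is the aggregate check behind the "every sample originated outside" claim: if no trail starts in the target domain, the worm was carried in rather than leaking out.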
The Kaspersky Lab researchers reached the same conclusion and they even named the companies they believe might have served as "patient zero."
The 2009 version of Stuxnet, dubbed Stuxnet.a, was compiled on June 22, 2009, based on a date found in the collected samples. A day later it infected a computer that, according to the Kaspersky researchers, belonged to a company called Foolad Technic Engineering Co. that's based in Isfahan, Iran.
This company creates automated systems for Iranian industrial facilities and is directly involved with industrial control systems, the Kaspersky researchers said. "Clearly, the company has data, drawings and plans for many of Iran's largest industrial enterprises on its network. It should be kept in mind that, in addition to affecting motors, Stuxnet included espionage functionality and collected information on STEP 7 projects found on infected systems."