On July 7, 2009, Stuxnet infected computers at another Iranian company called Neda Industrial Group, which according to the Iran Watch website, was put on the sanctions list by the U.S. Ministry of Justice for illegally manufacturing and exporting commodities with potential military applications.
On the same day, Stuxnet infected computers on a domain name called CGJ. The Kaspersky researchers are confident that those systems belonged to Control-Gostar Jahed, another Iranian company operating in industrial automation.
Another Iranian industrial automation vendor infected in 2009 with Stuxnet.a was Behpajooh Co. Elec & Comp. Engineering. This company was infected again in 2010 with Stuxnet.b and is considered patient zero for the 2010 Stuxnet global epidemic, the Kaspersky researchers said.
"On April 24, 2010 Stuxnet spread from the corporate network of Behpajooh to another network, which had the domain name MSCCO," the researchers said. "A search for all possible options led us to the conclusion that the most likely the victim is Mobarakeh Steel Company (MSC), Iran's largest steel maker and one of the largest industrial complexes operating in Iran, which is located not far from Isfahan, where the two victims mentioned above -- Behpajooh and Foolad Technic -- are based."
"Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months," the Kaspersky researchers said.
Another company infected in 2010 with Stuxnet.b was Kalaye Electric Co., based on a domain name called KALA that was recorded in malware samples. This was the ideal target for Stuxnet, because it is the main manufacturer of the Iranian uranium enrichment centrifuges IR-1.
"Thus, it appears quite reasonable that this organization of all others was chosen as the first link in the infections chain intended to bring the worm to its ultimate target," the Kaspersky researchers said. "It is in fact surprising that this organization was not among the targets of the 2009 attacks."
The attackers behind Stuxnet had one problem to solve -- how to infect computers in a facility like the one at Natanz that had no direct Internet connections, the Kaspersky researchers said. "The targeting of certain 'high profile' companies was the solution and it was probably successful."
Sign up for Computerworld eNewsletters.