Kaspersky has identified the first victims of the infamous Stuxnet worm, which attacked Iran's nuclear development program. More than four years have passed since the discovery of one of the most sophisticated and dangerous malicious programs — the Stuxnet worm.
According to Kaspersky, it is considered the world's first cyberweapon and is designed to target industrial control systems.
There are several mysteries around the story.
But the main question remains: What were the exact goals of the Stuxnet operation? After analysing more than 2,000 Stuxnet files collected over a two-year period, Kaspersky Lab researchers can now identify the first victims of the worm. Initially, security researchers had no doubt that the whole attack had a targeted nature.
The code of the Stuxnet worm looked professional and exclusive, with evidence that extremely expensive zero-day vulnerabilities were used.
However, it wasn't yet known what kinds of organisations were attacked first and how the malware ultimately made it right through to the uranium enrichment centrifuges of top secret facilities.
New analysis sheds light on these questions.
According to Kaspersky, all five of the organisations that were initially attacked operate within the Industrial Control Systems (ICS) area in Iran, developing ICS or supplying materials and parts.
The fifth organisation to be targeted is the most intriguing because, among other products for industrial automation, it produces uranium enrichment centrifuges.
This is precisely the kind of equipment that is believed to be the main target of Stuxnet. It is believed the attackers expected that these organisations would exchange data with their clients — such as uranium enrichment facilities — and this would make it possible to get the malware inside these target facilities.
The outcome suggests that the plan was indeed successful. Kaspersky Lab experts made another interesting discovery, revealing that the Stuxnet worm did not only spread via infected USB memory sticks plugged into PCs.
This factor shaped part of the initial theory, explaining how the malware could sneak into a place with no direct Internet connection. However, data gathered while analysing the very first attack showed that the first worm's sample (Stuxnet.a) was compiled just hours before it appeared on a PC in the first attacked organisation.
This tight timetable makes it hard to imagine that an attacker compiled the sample, put it on a USB memory stick and delivered it to the target organisation in just a few hours.
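The timeline argument above rests on comparing a sample's compile timestamp with the time it was first observed on a victim machine. The following added example (not part of the Kaspersky research or this article) shows how an analyst would pull the TimeDateStamp out of a PE file header and compute that delivery window; the PE bytes and the first-seen time are constructed test data, and the 24-hour threshold is an assumed analyst heuristic.

```python
import struct
from datetime import datetime, timezone

def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a stub PE image (DOS header + PE signature + IMAGE_FILE_HEADER)
    carrying the given TimeDateStamp. Constructed test data, not a real binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # offset of the PE signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + file_header

def pe_compile_time(data: bytes) -> datetime:
    """Return the linker timestamp from the PE header as an aware UTC datetime.
    Note: this field is written by the build tools and is attacker-controlled,
    so it must be corroborated with other evidence before being trusted."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # TimeDateStamp sits 4 bytes past the signature (after Machine and NumberOfSections)
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def delivery_window_hours(data: bytes, first_seen_iso: str) -> float:
    """Hours between compile time and the first sighting on a victim host."""
    first_seen = datetime.fromisoformat(first_seen_iso)
    return (first_seen - pe_compile_time(data)).total_seconds() / 3600

def assess_vector(hours: float, fast_threshold_hours: float = 24.0) -> str:
    """Assumed heuristic: a negative window means the timestamp is forged or a
    clock is wrong; a window under the threshold is too tight for a sample to be
    built, copied to removable media and carried to the victim by hand."""
    if hours < 0:
        return "timestamp unreliable"
    if hours < fast_threshold_hours:
        return "too fast for physical media; suspect network delivery"
    return "consistent with slow propagation"

if __name__ == "__main__":
    sample = build_minimal_pe(1262304000)  # constructed: 2010-01-01T00:00:00Z
    window = delivery_window_hours(sample, "2010-01-01T06:30:00+00:00")
    print(f"{window:.1f} h -> {assess_vector(window)}")
```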
It is reasonable to assume that in this particular case, the people behind Stuxnet used other techniques instead of a USB infection. Kaspersky chief security expert, Alexander Gostev, said analysing the professional activities of the first organisations to fall victim to Stuxnet had given a better understanding of how the whole operation was planned.
"At the end of the day, this is an example of a supply-chain attack vector, where the malware is delivered to the target organisation indirectly via networks of partners that the target organisation may work with."