Stuxnet: Victims Zero

November 18, 2014

The story of the Stuxnet worm made a lot of headlines a year ago and gave information security folks chills. Who created it, and why, is still a mystery. However, rumor has it that American and Israeli Intelligence wanted to use it to sabotage the Iranian nuclear program. The story is very feasible as malware indeed made the uranium enrichment centrifuges inoperable, throwing the Iranian nuclear program years behind.

Stuxnet-First-Victims-of-the-First-Cyberweapon

Stuxnet creators succeeded in attacking disconnected protected machines and executing massive-scale subversion. Then the worm, as seen by many specialists, lost control and started to actively distribute itself, without any visible damage to home and corporate PCs, as it initially targeted industrial systems of a specified type.

First victims or ‘victims zero’

Kim Zetter, an American journalist, published her book, Countdown to Zero Day, on November 11. Therefore, we have taken this opportunity to publish a few lesser-known facts about Stuxnet taken from the book, to a wider audience. We won’t dwell too long on the early days of the worm, but rather, we would like to focus on its iterations, which triggered an abundance of compromising cases in 2009-2010.

It was easy to reproduce the event that took place thanks to one of the malware’s interesting attributes: it keeps a history of the compromised machines, including name, domain name and IP-address, in its body. Since this data is constantly updated, we could track down the origins.

Symantec, which published “W32.Stuxnet Dossier” back in February 2011, was able to identify that the distribution started with five organizations (with two of them, in fact, being attacked twice – in 2009 and 2010), by then undisclosed. To identify them, we worked for about two years, analyzing about 2,000 files.

Domain A

The first notable iteration of Stuxnet 2009 (referred to as Stuxnet.a) was created on June 22, 2009. In several hours’ time following compilation, the malware infected an “ISIE”-hosted PC. It is unlikely that culprits used a detachable storage device, as it is highly improbable that it could be delivered inside the facility in such a short timeframe.

It was easy to reproduce the event that took place thanks to one of the malware’s interesting attributes: it keeps a history of the compromised machines, including name, domain name and IP-address, in its body.

We were unable to officially identify the compromised organization having scarce data like this. However, we were highly positive that it was Foolad Technic Engineering Co (FIECO) — an Iranian producer of automation systems for heavy industrial companies.

Besides the ability to affect the rotors of the centrifuge, Stuxnet featured a spyware module, and FIECO was a good target for its creators. It is likely that they considered the company to be a sort of shortcut to their final target and an interesting object through which to mine data on the Iranian nuclear industry – in 2010 the computer was attacked again by the third iteration of Stuxnet.

Domain B

The next ‘patient’ was attacked three times: in June 2009, as well as in March and May of 2010. It was the second attack that triggered the global Stuxnet 2010 (a.k.a. Stuxnet.b) epidemic. The “behpajooh” domain allowed us to immediately identify the victim: Behpajooh Co. Elec & Comp. Engineering. It was also involved in industry automation and was linked to many companies.

great_stuxnet_09In 2006, the Khaleej Times reported, that a Dubai-based newspaper wrote that one of the domestic entities was involved in the illegal shipping of nuclear bomb components to Iran, naming “Bejpajooh INC”, based in Isfakhana, as an intended recipient.

On April 24, 2010, Stuxnet travelled from the Behpajooh to the MSCCO domain. The most likely candidate was the major Iran-based metallurgy facility, Mobarakeh Steel Company (MSC). It employed a very large number of PCs and was connected to many companies around the world. With such connections in its arsenal, Stuxnet was able to start a global epidemic: by the summer of 2010, the worm reached companies in Russia and Belarus.

Domains C, D and E

On July 7, 2009, Stuxnet infected the “applserver” PC in the NEDA domain. In this case, we encountered no problem with identifying the victim: Neda Industrial Group. As of 2008, the company was included in the US Ministry of Justice and was charged with the illegal export of prohibited substances to Iran.

One more organization in the “CGJ” domain was infected along with Neda. Having spent some time on the analysis, we found out that it was once again an organization dealing with industry automation, based in Iran – Control-Gostar Jahed Company. This is where the malware distribution stopped, despite the company’s considerably wide portfolio and significant reach.

The last ‘patient zero’ was responsible for a large number of compromised machines: on May 11, 2010 Stuxnet ended up in three computers in the “KALA” domain. It was likely Kala Electric, a.k.a. Kalaye Electric Co. The company was considered a major developer of IR-1 uranium enrichment centrifuges and one of the key pillars of the Iranian uranium program. It seems strange that it had not been attacked before that.

Epilogue

For such a sophisticated damage vector (it is not easy to make uranium enrichment centrifuges inoperable), Stuxnet was distributed pretty primitively. Moreover, there was a moment when it simply got off-task; otherwise, it would be problematic to try to explain the scale of the epidemic that drove the worm so far from its original targets.

With all of the drawbacks in mind, the malware turned out to be pretty productive: its creators succeeded in executing the world’s largest act of cyber-subversion, and introducing a new era of cyber weapons.

Before Stuxnet, no one thought about proactively securing industrial facilities: it was widely accepted that isolating facilities from the global networks alone, was an effective approach. By successfully attacking disconnected machines, the creators of the worm introduced a new era of information security. The importance of Stuxnet can be compared solely to the so-called Great Worm or Morris Worm, created back in 1988.