Researchers on Tuesday said they have proof the Stuxnet worm used to cripple Iran’s nuclear program has been in the wild two years longer than first believed. There’s also now evidence the military-grade malware’s origins date back to 2005, and possibly earlier.
According to an 18-page report, members of the Symantec Security Response team found an earlier version of the highly sophisticated malcode called “Stuxnet 0.5.” Until today, the earliest version dated back to 2007. Discovered in July 2010, the virus was developed to surreptitiously disrupt the Natanz uranium enrichment facility in Iran.
Widely considered among the most complicated coding in the malware world, Stuxnet honed in on computers running Siemens software at 14 known industrial sites. The malware shut off valves that supplied uranium hexafluoride gas into centrifuges, thereby damaging a uranium enrichment system by letting pressure build until the gas solidified.
“In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally,” according to Symantec researchers. “It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.”
In analyzing the oldest known version of Stuxnet, researchers found the worm was in development as early as November 2005 and released in the wild two years later. It was programmed to stop communicating with its command-and-control servers on Jan. 11, 2009 and stop spreading via infected USB keys on July 4 of the same year. But a number of dormant infections were detected last year around the world, almost half in Iran and 21 percent in the United States.
Later versions became far more aggressive in propogating and exploiting vulnerabilities. It also appears to be originally developed by people with access to Flamer source code, unlike later versions built on the Tilded platform.
“The existence of unrecovered versions of Stuxnet, both before version 0.5 and especially between versions 0.5 and 1.001, are likely,” according to a blog post.
The researchers have not been able to determine who was behind the complex cyber weapon tied to espionage and warfare. Fingers last summer pointed to the United States and Israel, which have been highly critical of Iran’s nuclear program.