Stuxnet’s First Five Victims Provided Path to Natanz

Researchers at Kaspersky Lab published a report identifying by name the first five victims of Stuxnet.

Stuxnet’s first five victims were a carefully crafted list of targets that ultimately provided the attackers with the road map they needed to get inside a uranium enrichment plant in Natanz, Iran and disrupt the country’s nuclear program.

Cobbled together from clues left behind by the infamous malware since it was detected in mid-2010, researchers at Kaspersky Lab’s Global Research & Analyst Team have identified five organizations inside Iran they believe are the attack’s first victims.

“We collected Stuxnet files for two years. After analyzing more than 2,000 of these files, we were able to identify the organizations that were the first victims of the worm’s different variants in 2009 and 2010,” Kaspersky researchers wrote in a report released today.

This is not the first effort to uncover Stuxnet’s first targets; researchers at Symantec pinned down that Stuxnet was distributed from five organizations based on data collected which showed that Stuxnet saves its victims’ system name, Windows domain and IP address in an internal log.

Additional data studied by Kaspersky Lab led it to identify the first five, a mix of industrial control systems suppliers, engineering firms, and a centrifuge maker—all likely with partner ties to Natanz, including two placed on a sanctions list by the United States Department of Justice.

“For Stuxnet to be effective and penetrate the highly guarded installations where Iran was developing its nuclear program, the attackers had a tough dilemma to solve: how to sneak the malicious code into a place with no direct internet connections?” the Kaspersky Lab report says. “The targeting of certain ‘high profile’ companies was the solution and it was probably successful.”

As has now been determined, Stuxnet was not contained to its target companies; the malware leaked out and spread within months of the first infections to organizations worldwide.

Analysis of code found on systems inside the first victim, Foolad Technic Engineering Co. in Isfahan, Iran, indicate Stuxnet’s appetite for Siemens Step 7 projects in addition to affecting the operation of centrifuge motors. The malware found at Foolad was compiled June 22, 2009 and had infected its first computer within hours, ruling out the possibility it was carried out via USB stick, Kaspersky researcher wrote.

Foolad, which was attacked again in April 2010 by the third version of Stuxnet, builds automation systems for Iranian industrial companies, in particular in the steel and power industries. It also has strong ties to industrial control systems operators.

“Clearly, the company has data, drawings and plans for many of Iran’s largest industrial enterprises on its network. It should be kept in mind that, in addition to affecting motors, Stuxnet included espionage functionality and collected information on STEP 7 projects found on infected systems.

“The persistence on the part of the Stuxnet creators may indicate that they regarded Foolad not only as one of the shortest paths to the worm’s final target,” Kaspersky researchers wrote, “but as an exceptionally interesting object for collecting data on Iran’s industry.”

Behpajooh Co. Elec & Comp. Engineering, another industrial automation company in Isfahan, is also suspected to be among the first five victims. It too was attacked multiple times—once in 2009 and twice more in 2010 by all three Stuxnet variants. Kaspersky researchers call Bahpajooh “Patient Zero,” leading to the widest distribution of Stuxnet.

The company was implicated in a U.S. investigation of a Dubai firm smuggling bomb components into Iran. Its connection to Iran’s largest steel maker Mobarakeh Steel Company is of more significance, Kaspersky researchers said. The company was infected shortly after Behpajooh and could be the answer as to why Stuxnet burst out of containment.

“Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months,” Kaspersky researchers wrote, who added that by July 2010, Stuxnet had already infected computers in Russia and Belarus.

The third of the first five victims, Neda Industrial Group, was infected on July 7, 2009. The organization is on a U.S. Justice Department sanctions list after being charged with illegally exporting materials that could be used in military applications. Neda is a branch organization of Nedaye Micron Electronics Company in Tehran and Neda Overseas Electronics LLC in Dubai, which are industrial automation service providers for power plants, cement and oil gas petroleum industries. Neda was attacked only once and Stuxnet never left the organization according to infection logs.

“However, to leave the organization may have not been its purpose in this case,” the researchers wrote. “As noted earlier, the capability of stealing information about STEP 7 projects from infected systems was of special interest to the creators of Stuxnet.”

On the same date as the Neda infection, Control-Gostar Jahed, another Iranian industrial automation company, was attacked. It was attacked only once, the researchers said, adding that it had the smallest propagation line.

Clues toward the final victim were found in Stuxnet files logging an attack that started May 11, 2010 on three computers named KALASERVER, ANTIVIRUSPC, and NAMADSERVER. Kaspersky researchers deduced that the final victim is likely Kala Electric, Iran’s principal manufacturer of uranium enrichment centrifuges; it’s at Kala Electric where the centrifuges are developed and tested.

“Thus, it appears quite reasonable that this organization of all others was chosen as the first link in the infections chain intended to bring the worm to its ultimate target,” Kaspersky researchers wrote. “It is in fact surprising that this organization was not among the targets of the 2009 attacks.”

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.