Attackers behind the Stuxnet computer worm focused on targeting five organizations in Iran that they believed would get them to their final target in that country, according to a new report from security researchers.
The five organizations, believed to be the first that were infected with the worm, were targeted in five separate attacks over a number of months in 2009 and 2010, before Stuxnet was discovered in June 2010 and publicly exposed. Stuxnet spread from these organizations into other organizations on its way to its final target, which is believed to have been a nuclear enrichment facility or facilities in Iran.
“These five organizations were infected, and from those five computers Stuxnet spread out — not just to computers in those organizations, but to other computers as well,” says Liam O Murchu, director of operations for Symantec Security Response. “It all started with those five original domains.”
The new information comes in an updated report from researchers at Symantec, a computer security firm that has provided some of the leading analysis of the worm since it was discovered.
According to the report, Stuxnet’s first attack against the five organizations occurred in June 2009, followed by a second attack in July 2009. Eight months passed before subsequent attacks were launched in March, April and May 2010. The final attack was just one month before the code was discovered in June 2010 by VirusBlokAda, a security firm in Belarus, which said it had found the malware on computers of unspecified clients in Iran.
Symantec didn’t identify the names of the five organizations that were targeted; the company said only that all five “have a presence in Iran” and are involved in industrial processes. One of the organizations (what Symantec refers to as Domain B) was targeted with the worm in three of the five attacks. Of the remaining organizations, three of them were hit once, and the last organization was targeted twice.
Symantec has so far been able to count a constellation of 12,000 infections in the five organizations and outside organizations to which the malware spread. The most successful attack occurred in March 2010, when 69 percent of these infections occurred. The March attack targeted only Domain B, and then spread.
Domain A was targeted twice (Jun 2009 and Apr 2010). The same computer appears to have been infected each time.
Domain B was targeted three times (Jun 2009, Mar 2010, and May 2010).
Domain C was targeted one time (Jul 2009).
Domain D was targeted one time (Jul 2009).
Domain E appears to have been targeted one time (May 2010), but had three initial infections. (I.e., the same initially infected USB key was inserted into three different computers.)
O Murchu acknowledges that there could have been earlier attacks that occurred before June 2009, but no one has found evidence of this yet.
Symantec found that the shortest time between when the malware was compiled in one case — that is, turned from source code into a working piece of software — and the subsequent attack using the code occurred was just 12 hours. This occurred in the June 2009 attack.
“This tells us that the attackers more than likely knew who they wanted to infect before they completed the code,” O Murchu says. “They knew in advance who they wanted to target and how they were going to get it there.”
Stuxnet was not designed to spread via the internet but via an infected USB stick or another targeted method within a local network. So the short timeframe between compilation and the launch of the June 2009 attack also suggests that the attackers had immediate access to the computer they attacked — either working with an insider or using an unwitting insider to introduce the infection.
“It could be they sent it to someone who put it on a USB key, or it could have been delivered via spear-phishing,” O Murchu says. “What we do see is that the exploits in Stuxnet are all LAN-based, so it is not going to spread wildly on the internet. From that, we can assume the attackers wanted to deliver Stuxnet to an organization that was very close to whatever the final destination for Stuxnet was.”
Symantec, working with other security firms, has so far been able to collect and examine 3,280 unique samples of the code. Stuxnet has infected more than 100,000 computers in Iran, Europe and the United States, but it’s designed to only deliver its malicious payload when it finds itself on the final system or systems it’s targeting.
On systems that are not targeted, the worm just sits and finds ways to spread to other computers in search of its target. To date, three variants of Stuxnet have been found (dating to June 2009, March 2010 and April 2010). Symantec believes a fourth variant likely exists, but researchers have not found it yet.
One of the organizations, Domain B, was targeted each time the attackers released a new version of Stuxnet.
“So it looks like they felt that if they got in there, Stuxnet would spread to the [system] they really wanted to attack,” O Murchu says.
After the worm was discovered in June 2010, Symantec researchers worked on reverse-engineering the code to determine what it was designed to do. Two months later, the company stunned the security community when it revealed that Stuxnet was designed to attack Programmable Logic Controllers (PLCs), something that until then was considered a theoretical attack but had never been proven done. PLCs are components that work with SCADA systems (supervisory control and data acquisition systems) that control critical infrastructure systems and manufacturing facilities.
Shortly after Symantec released this information last August, German researcher Ralph Langner disclosed that Stuxnet was not attacking just any PLC; it was targeted to sabotage a specific facility or facilities. Speculation focused on Iran’s nuclear enrichment plant at Natanz as the likely target. Iran has acknowledged that malicious software struck computers at Natanz and affected centrifuges at the plant, but has not provided any details beyond this.