Stuxnet Older than We Think

Wednesday, February 27, 2013 @ 11:02 AM gHale


A form of the Stuxnet worm used to cripple Iran’s nuclear program was in existence two years longer than first believed.

In addition, there is evidence the military-grade malware’s origins date back to 2005, and possibly earlier, a new report from Symantec said.

Members of the Symantec Security Response team found an earlier version of the highly sophisticated malcode, called “Stuxnet 0.5.” Experts previously thought the earliest version dated back to 2007. Stuxnet itself was discovered in July 2010; the virus was designed to surreptitiously disrupt the Natanz uranium enrichment facility in Iran.


First reports had Stuxnet getting its attack green light in the waning moments of George W. Bush’s presidency in 2009. At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Barack Obama accelerated the program, said former senior intelligence officials, one of whom worked for the National Intelligence office.

Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The worm used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.

Widely considered among the most complicated coding in the malware world, Stuxnet homed in on computers running the Siemens software at 14 known industrial sites. The malware shut off valves that supplied uranium hexafluoride gas into centrifuges, damaging the enrichment system by letting pressure build until the gas solidified.

“In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally,” the Symantec researchers said. “It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.”
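As an added illustration from the defender's side (this is not code from the article or from Symantec's analysis), the snapshot-and-replay behaviour described above leaves a trace that a historian-side check can look for: genuine process readings carry noise and should essentially never repeat an earlier stretch exactly. The telemetry below is constructed sample data, and `find_replays` is a hypothetical helper that flags windows of readings which exactly repeat an earlier window.

```python
# Added example, not from the article: flag stretches of process telemetry
# that exactly repeat an earlier stretch, the signature of replayed
# "normal" values being fed to operators. Sample data is constructed.

def find_replays(readings, window=5):
    """Return (replay_start, replay_end, source_start) spans where
    readings[replay_start:replay_end] exactly repeats the readings that
    begin at source_start. Overlapping self-matches are ignored."""
    first_seen = {}   # window contents -> index where first observed
    spans = []
    for i in range(len(readings) - window + 1):
        key = tuple(readings[i:i + window])
        src = first_seen.get(key)
        if src is not None and i - src >= window:
            # Extend the open span if this window continues the same replay
            # (adjacent in the stream and adjacent in the source).
            if spans and spans[-1][1] == i + window - 1 \
                    and spans[-1][2] + (i - spans[-1][0]) == src:
                spans[-1] = (spans[-1][0], i + window, spans[-1][2])
            else:
                spans.append((i, i + window, src))
        else:
            first_seen.setdefault(key, i)
    return spans

# Constructed sample: noisy pressure readings, then a stretch copied from
# earlier in the same feed (indices 2..7) replayed at index 14, then more
# genuine readings.
NORMAL = [101.3, 101.7, 100.9, 101.1, 101.6, 101.4, 100.8,
          101.2, 101.5, 101.0, 101.3, 101.8, 101.1, 100.7]
TAIL = [101.4, 100.9, 101.2]
TELEMETRY = NORMAL + NORMAL[2:8] + TAIL

if __name__ == "__main__":
    for start, end, src in find_replays(TELEMETRY):
        print(f"readings {start}..{end - 1} replay readings {src}..{src + end - start - 1}")
```

The window length trades sensitivity against false positives: a short window on a slow, quantised signal can match by chance, so size it to the noise of the actual sensor.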

In analyzing the oldest known version of Stuxnet, researchers found the worm was in development as early as November 2005 and released in the wild two years later. Its programming called for it to stop communicating with its command-and-control servers on Jan. 11, 2009 and to stop spreading via infected USB keys on July 4 of the same year. Even so, a number of dormant infections were detected last year around the world, almost half in Iran and 21 percent in the United States.

Later versions became far more aggressive in propagating and exploiting vulnerabilities. Its developers also appear to have had access to the Flamer source code, whereas the later versions were built on the Tilded platform.

“The existence of unrecovered versions of Stuxnet, both before version 0.5 and especially between versions 0.5 and 1.001, is likely,” according to a Symantec blog post.

As ISSSource reported back in October 2011, Stuxnet was a comprehensive U.S.-Israeli program designed to disrupt Iran’s nuclear technology. This joint program first surfaced in 2009 and worked in concert with an earlier U.S. effort that consistently sabotaged Iran’s purchasing network abroad.

The groundwork for the attack plan began much earlier, though. In 2007, Idaho National Laboratory (INL) inked a development contract with Siemens, the purpose of which was to help Siemens study its own computer weaknesses, the sources said. Quite a few suppliers have these types of pacts with INL to test platforms to find and resolve weaknesses.
