The first victims of the notorious Stuxnet worm have been revealed

More than four years have passed since the discovery of the Stuxnet worm, one of the most sophisticated and dangerous pieces of malware, which is considered to have been the first digital weapon. However, several mysteries still surround this story. One important question is what exactly the targets of the overall Stuxnet operation were. Now, after analyzing more than 2,000 Stuxnet files collected over a two-year period, Kaspersky Lab researchers can identify the first victims of the worm.

Initially, the researchers had no doubt that the attack as a whole was targeted. The Stuxnet worm code looked professional and proprietary. There was evidence that extremely expensive zero-day vulnerabilities had been used. However, it was not yet known what kind of organizations were attacked first, or how the malicious software ultimately accomplished its goal of reaching the uranium enrichment centrifuges at specific, secret facilities.

The new analysis sheds light on these questions. All five organizations initially attacked work in the ICS (industrial control systems) field in Iran, either developing ICS or supplying materials and parts for them. The fifth organization attacked is of the greatest interest because, besides industrial automation products, it produces centrifuges for uranium enrichment. Such equipment is considered to have been the main objective of Stuxnet.

Evidently, the attackers expected these organizations to exchange data with their customers, such as uranium enrichment facilities, which would allow the malicious software to reach the target sites. The result shows that their plan was indeed successful.

"Analyzing the business activities of the first organizations that fell victim to Stuxnet allows us to better understand how the campaign as a whole was designed. This is an example of an attack vector against a supply chain, where malware is transmitted to target organizations indirectly, through the organization's partner networks," said Alexander Gostev, Chief Security Expert at Kaspersky Lab.

However, Kaspersky Lab experts made another interesting discovery. Stuxnet was not only spread through "infected" USB sticks plugged into PCs. This was the original theory and explained how malware could sneak into a location without a direct Internet connection. However, data gathered during the analysis of the first attack showed that the first worm sample (Stuxnet.a) had been created just hours before it appeared on a PC in the first organization attacked. Given this tight timeline, it's hard to imagine that an attacker assembled the sample, put it on a USB stick, and transferred it to the target organization within a few hours. It is reasonable to assume that in this case, those behind Stuxnet used different techniques, beyond USB infection.

The latest technical information about some aspects of the Stuxnet attack is available at Securelist, as well as in the new book "Countdown to Zero Day" by journalist Kim Zetter. The book contains previously unknown information about Stuxnet. Some of this information is based on interviews with members of the Worldwide Research and Analysis Group of Kaspersky Lab.

iGuRu.gr The Best Technology Site in Greece

Written by Dimitris
