The first victims of the notorious Stuxnet worm were unveiled

More than four years have passed since the discovery of the Stuxnet worm, one of the most sophisticated and malicious pieces of malware, which is considered to be the first digital weapon. However, many mysteries still surround this story. An important question is what exactly the goals of the overall Stuxnet operation were. Now, after analyzing more than 2,000 Stuxnet files collected over a two-year period, Kaspersky Lab researchers can identify the first victims of the worm.

Initially, the researchers had no doubt that, as a whole, the attack was targeted. The code of the Stuxnet worm looked professional and exclusive. There was evidence that extremely expensive zero-day vulnerabilities had been used. Nevertheless, it was not yet known what kind of organizations had initially been attacked, or how the malware ultimately managed to achieve its goal, getting through to the uranium enrichment centrifuges in specific, secret facilities.

The new analysis sheds light on these questions. All five of the organizations initially attacked work in the industrial control systems (ICS) field in Iran, either developing ICS or supplying materials and parts for them. The fifth attacked organization is of the greatest interest because, besides industrial automation products, it produces centrifuges for uranium enrichment. Such equipment is considered to be the main objective of Stuxnet.

Obviously, the attackers expected these organizations to exchange data with their customers, such as uranium enrichment facilities, which would allow the malware to enter the target sites. The outcome shows that their plan was indeed successful.

"Analyzing the professional activities of the first organizations to fall victim to Stuxnet gives us a better understanding of how the campaign as a whole was planned. It is an example of an attack vector against a supply chain, where the malware is delivered to the target organizations indirectly, through the networks of the organization's partners," said Gostev, Chief Security Expert at Kaspersky Lab.

However, Kaspersky Lab experts made another interesting discovery. Stuxnet was not only spread through "infected" USB sticks plugged into PCs. This was the original theory, and it explained how the malware could sneak into a location without a direct Internet connection. However, data gathered during the analysis of the first attack showed that the first worm sample (Stuxnet.a) had been created just hours before it appeared on a PC in the first organization attacked. Given this tight timeline, it is hard to imagine that an attacker assembled the sample, put it on a USB stick, and transferred it to the target organization within a few hours. It is reasonable to assume that in this case, those behind Stuxnet used different techniques, beyond USB infection.

The latest technical details on some aspects of the Stuxnet attack are available at Securelist, as well as in the new book "Countdown to Zero Day" by journalist Kim Zetter. The book contains previously unknown information about Stuxnet. Some of this information is based on interviews with members of the Worldwide Research and Analysis Group of Kaspersky Lab.

Written by Dimitris
