Malware Aimed at Iran Hit Five Sites, Report Says

By JOHN MARKOFF

The Stuxnet software worm repeatedly sought to infect five

industrial facilities in Iran over a 10-month period, a new report
says, in what could be a clue into how it might have infected the
Iranian uranium enrichment complex at Natanz.
The report, released Friday by Symantec, a computer security software firm, said there were
three waves of attacks. Liam O Murchu, a security researcher at the firm, said his team was able
to chart the path of the infection because of an unusual feature of the malware: Stuxnet recorded
information on the location and type of each computer it infected.

Such information would allow the authors of Stuxnet to determine if they had successfully
reached their intended target. By taking samples of Stuxnet they had collected from various
computers, the researchers were able to build a model of the spread of the infection. They
determined that 12,000 infections could be traced back to just five initial infection points.

Between June 2009 and May 2010, the program took aim at specific organizations in Iran on
three occasions, Symantec research noted in an update of a research report the company
published last year.

The Symantec team said it had collected five Internet domains that were linked to industrial
organizations within Iran. They said because of the company’s privacy policies, they would not
disclose the domain names.

“All of the domains are involved in industrial processing,” Mr. O Murchu said in an interview.

It is likely that a classified site like Natanz is not connected directly to the Internet. Therefore,
an attacker might try to infect industrial organizations that would be likely to share information,
and the malware, with Natanz.

At least three and possibly four versions of the program were probably written, and the
researchers discovered that the first version had been completed just 12 hours before the first
successful infection in June 2009. The researchers speculated that the first step in the infection
was either an infected e-mail sent to an intended victim or a hand-held USB device that carried
the attack code.

When international inspectors visited Natanz in late 2009, they found that almost 1,000 gas
centrifuges had been taken offline, leading to speculation that the attack may have disabled part
of the complex.

In April 2010, the attackers again tried to distribute the program. This time they found a new
vulnerability in Windows-based computers to be infected with a USB device and most likely
successfully inserted the program that way at an unknown location inside Iran.
The Symantec researchers also said they had determined that the malware program carried two
different attack modules aimed at different centrifuge arrays, but that one of them had been
disabled.

Stuxnet first infected Windows-based industrial control computers while it hunted for particular
types of equipment made by the Siemens Corporation. It was programmed to then damage a
uranium centrifuge array by repeatedly speeding it up, while at the same time hiding its attack
from the control computers by sending false information to displays that monitored the system.

The New York Times reported in January that Israel had built an elaborate test facility at a
classified nuclear weapons site that contained a replica array of the Iranian uranium enrichment
plant. Such a test site would have been necessary for the design of the attack software.

“We know the exact configuration of the system they were looking for,” Mr. O Murchu said. “We
know they were looking for a certain number of frequency converters. And each of those
frequency converters controls a certain number of motors. And those numbers fit in with what
you expect to see in an uranium enrichment facility.”

http://www.nytimes.com/2011/02/13/science/13stuxnet.html?_r=1&scp=1&sq=%20Stuxnet%2
0Software%20Worm%20Hit%205%20In&st=cse