Woburn, MA – November 11, 2014 –Kaspersky Lab today announced that after analyzing more than 2,000 Stuxnet files collected over a two-year period, it can identify the first victims of the Stuxnet worm. After Stuxnet was discovered over four years ago as one of the most sophisticated and dangerous malicious programs, Kaspersky Lab researchers can now provide insight intothe question: what were the goals of the Stuxnet operation?
Initially security researchers had no doubt that the whole attack had a targeted nature. The code of the Stuxnet worm looked professional and exclusive; there was evidence that extremely expensive zero-day vulnerabilities were used. However, it wasn’t yet known what kind of organizations were attacked first and how the malware ultimately made it right through to the uranium enrichment centrifuges in the particular top secret facilities.
Kaspersky Lab analysis sheds light on these questions. All five of the organizations that were initially attacked are working in the ICS area in Iran, developing ICS or supplying materials and parts. One of the more intriguing organizations was the one attacked fifth, since among other products for industrial automation, it produces uranium enrichment centrifuges. This is precisely the kind of equipment that is believed to be the main target of Stuxnet.
Apparently, the attackers expected that these organizations would exchange data with their clients – such as uranium enrichment facilities – and this would make it possible to get the malware inside these target facilities. The outcome suggests that the plan was indeed successful.
“Analyzing the professional activities of the first organizations to fall victim to Stuxnet gives us a better understanding of how the whole operation was planned. At the end of the day this is an example of a supply-chain attack vector, where the malware is delivered to the target organization indirectly via networks of partners that the target organization may work with,” said Alexander Gostev, chief security expert, Kaspersky Lab.
Kaspersky Lab experts made another interesting discovery: the Stuxnet worm did not only spread via infected USB memory sticks plugged into PCs. That was the initial theory, and it explained how the malware could sneak into a place with no direct Internet connection. However, data gathered while analyzing the very first attack showed that the first worm’s sample (Stuxnet.a) was compiled just hours before it appeared on a PC in the first attacked organization. This tight timetable makes it hard to imagine that an attacker compiled the sample, put it on a USB memory stick and delivered it to the target organization in just a few hours. It is reasonable to assume that in this particular case the people behind Stuxnet used other techniques instead of a USB infection.
The latest technical information about some previously unknown aspects of the Stuxnet attack can be read on Securelist and journalist Kim Zetter’s new book, “Countdown to Zero Day.” The book includes previously undisclosed information about Stuxnet; some of this information is based on the interviews with members of the Kaspersky Lab Global Research and Analysis Team.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2013. The rating was published in the IDC report "Worldwide Endpoint Security 2014–2018 Forecast and 2013 Vendor Shares (IDC #250210, August 2014). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2013.
Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter
Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter