New Stuxnet whodunit: Malware existed two years earlier than anyone knew

Symantec researchers report uncovering an earlier version of the computer virus -- one from 2005. The virus was later found to have inflicted damage on Iran's nuclear enrichment program.

Charles Cooper Former Executive Editor / News
Charles Cooper was an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.
Iran's president, Mahmoud Ahmadinejad (center), visits the Natanz uranium enrichment facilities. Getty Images

Cybersecurity professionals -- especially in Iran -- woke up today to the latest twist in the history of cyberwarfare when researchers at Symantec said they discovered a version of the Stuxnet computer virus which predates by two years the cyber weapon that was used to sabotage Iran's main nuclear enrichment facilities.

The U.S. and Israel are widely believed to be behind Stuxnet, though neither country has claimed authorship publicly. (The New York Times reported that President George W. Bush initiated the attacks, a program which has continued in the Obama administration.) Stuxnet first came to public light for the role it played in a 2007 attack against Iran's uranium enrichment facility. But in an 18-page report released today, Symantec said it had found a string of code it called "Stuxnet 0.5," which dates back to 2005.

"There isn't any really new evidence of who the people behind this attack were, but these were not just a bunch of hacktivists or someone with a vendetta," said Eric Chien, technical director of Symantec's Security Response Team.

Whoever the author -- or authors -- are, Symantec paid them a compliment for creating "a complicated and sophisticated piece of malware requiring a similar level of skill and effort to produce" with Stuxnet 0.5, which Symantec termed "the missing link." When Stuxnet was discovered in July 2010, it was recognized as one of the most sophisticated pieces of malware ever written. What's more, it proved that malicious programs could successfully wreak havoc on critical national infrastructure.

The virus targeted computers running Siemens software used in industrial control systems. All told, it infected software in at least 14 industrial sites in Iran and is thought to be the first known malware that targeted the controls at industrial facilities.

Symantec said that Stuxnet became more aggressive in subsequent incarnations. The original attack code was used to sabotage valves important to the uranium enrichment process with the intent of damaging the centrifuges and the system as a whole, according to Symantec. But the virus didn't go after the uranium enrichment centrifuges directly. Instead, it was created to shut off the valves that supplied uranium hexafluoride gas to the centrifuges. That, in turn, inflicted damage on the centrifuges and the uranium enrichment system as pressure in the system built up to five times the normal operating pressure, causing gas in the centrifuges to turn solid. Later versions released in 2009 and 2010 were deployed in attacks on the Natanz facility.

It's unclear how effective Stuxnet 0.5 was or what level of success it achieved. Chien noted that the code in the 2005 version was complete and did not resemble a beta copy that escaped into the wild. He suggested, however, that the later evolution of Stuxnet indicated that the authors adjusted their attack strategy in order to inflict wider damage. "It appears that it didn't work according to their liking so they got more aggressive. The results didn't work to their liking or didn't fill all their strategic goals. So they changed (Stuxnet) in the 1.x version."