Want CNET to notify you of price drops and the latest stories?

Stuxnet expert: Other sites were hit but Natanz was true target

Researcher responding to Symantec report speculates that Kalaye Electric in Iran was infected.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read
Symantec's report includes a graphical representation of Stuxnet infections linked to organizations in Iran.
Symantec's report includes a graphical representation of Stuxnet infections linked to organizations in Iran. Symantec

Stuxnet may have hit different organizations, but its main target was still the Natanz nuclear enrichment plant in Iran, an expert who has analyzed the code said today.

Ralph Langner, who has been analyzing the code used in the complicated Stuxnet worm that used a Windows hole to target industrial control systems used in gas pipelines and power plants last year and possibly earlier, said the initial distribution of Stuxnet was limited to a few key installations.

"My bet is that one of the infected sites is Kalaye Electric," he wrote in an e-mail to CNET. "Again, we don't have evidence for this, but this is how we would launch the attack - infecting a handful of key contractors with access to Natanz."

Langner was responding to a report (PDF)released late last week by Symantec that said five different organizations in Iran were targeted by a variant of Stuxnet, several of them more than once, dating back to June 2009.

"We have a total of 3,280 unique samples representing approximately 12,000 infections," the Symantec researchers write in a blog post about the report. "While this is only a percentage of all known infections, we were able to learn some interesting aspects of how Stuxnet spread and where it was targeted."

The Symantec researchers, who have made other important discoveries in the quest to de-code Stuxnet, don't name the organizations they suspect as targets. As of September 2010, they had estimated there were more than 100,000 infected hosts, nearly 60 percent of them in Iran.

"Unfortunately Symantec doesn't tell the geographic location of the targeted organizations," Langner said. "My theory is that not all may be in Iran since chances are that at least one significant contractor is a foreign organization (this is something we are researching presently)."

Langner said he and partners have been able to match data structures from one of the parts of the multi-pronged Stuxnet attack code with the centrifuge cascade structures in Natanz.

"The significance of this is that it is now 100 percent clear that Stuxnet is about Natanz, and Natanz only," he said. "Further evidence (that matches with the recent discoveries of Symantec) suggests that Stuxnet was designed as a long-term attack with the intention not only to destroy centrifuges but also to lower the output of enriched uranium."

Langner, based in Germany, offers more technical details of Stuxnet on his blog.