Stuxnet: Zero victims


The identity of the companies targeted by the first known cyber-weapon

The Stuxnet cyber-sabotage operation stays one of the vital favorite dialogue subjects of protection researchers in all places. Considered the first recognized cyber-weapon, Stuxnet designated the Iranian nuclear application making use of a refined and well designed mechanism.

We are particularly interested by the booklet which includes new and beforehand undisclosed information about Stuxnet. Probably the most understanding is absolutely founded on interviews performed by Kim Zetter with participants of Kaspersky Lab’s global study and evaluation crew. To counterpoint the e-book release, we’ve made up our minds to also submit new technical expertise about some earlier unknown elements of the Stuxnet assault.

Although Stuxnet was once found out greater than four years ago, and has been studied in detail with the newsletter of many study papers. Nonetheless, is still now not recognized for detailed what object was once at first detailed by means of the worm. It is most likely that Stuxnet used to be supposed to affect the motors that drive uranium enrichment centrifuges. But the place were these centrifuges placed – in the Natanz plant or, possibly, in Fordow? Or every other situation?

The story of the earliest identified variant of the worm – “Stuxnet 0.5” – is outside the scope of this post; we’re going to center of attention on the satisfactory recognized variations created in 2009 and 2010. (the differences between them are discussed in our 2012 newsletter – back to Stuxnet

In February 2011, Symantec published a brand new variation of its W32.Stuxnet file file. After examining more than three,000 records of the worm, Symantec founded that Stuxnet was distributed by way of five corporations, some of which were attacked twice – in 2009 and 2010.

Screenshot from the Symantec record

The Symantec authorities were able extract this know-how due to a curious feature of the worm. When infecting a new laptop, Stuxnet saves know-how concerning the infected system’s title, home windows area and IP handle. This expertise is stored within the worm’s internal log and is augmented with new knowledge when the next victim is infected. For this reason, knowledge on the path travelled via the worm can be determined inside Stuxnet samples and used to establish from which computer the contamination commenced to unfold.

example of information discovered in a Stuxnet file

at the same time Symantec didn’t divulge the names of the businesses in its report, this understanding is fundamental for a correct working out of how the worm used to be allotted.

We accrued Stuxnet records for 2 years. After analyzing more than 2,000 of those documents, we have been able to determine the organizations that had been the first victims of the worm’s different variations in 2009 and 2010. Maybe an evaluation of their pastime can explain why they grew to be “sufferers zero” (the customary, or zero, victims).

“domain A”

The Stuxnet 2009 variation (we will be able to refer to it as Stuxnet.A) used to be created on June 22, 2009. This know-how is gift in the worm’s body – within the type of the essential module’s compilation date. Only a few hours after that, the worm infected its first pc. This type of quick time interval between growing the file and infecting the first pc practically fully rules out contamination through USB force – the USB stick with no trouble cannot have passed from the worm’s authors to the group underneath attack in this sort of quick time.

The infected desktop had the name “KASPERSKY” and it was a part of the “ISIE” domain.


when we first noticed the computer’s name, we were very much surprised. The title might imply that the initial contamination affected some server named after our anti-malware solution hooked up on it. Nevertheless, the title of the local domain, ISIE, provided us with slightly bit of expertise that could help to verify the institution’s real identify.

Assuming that the victim used to be placed in Iran, we conjectured that it could be the Iranian Society of business Engineers (ISIE) or an group affiliated with it, the Iranian institute of commercial Engineering (IIIE). But could it had been every other ISIE placed in some situation rather than Iran? Due to the fact that our anti-malware answer had been used on the contaminated pc, we regarded the possibility that ISIE would even be a Russian enterprise.

It took us a long time to set up what institution it fairly was, however eventually we succeeded in opting for it with a excessive degree of certainty.

It is known as Foolad Technic Engineering Co (FIECO). It’s an Iranian corporation with headquarters in Isfahan. The organization creates automated systems for Iranian industrial facilities (quite often these producing steel and vigor) and has over 300 staff.

Screenshot from the manufacturer’s internet site

The enterprise is straight concerned with industrial manipulate techniques.

– imposing bench scale and pilot scale projects, similar to knowledge

communication between percentexisting in a plant and a far flung factor
by way of web, by defining home page on a CP (conversation Processor)
card linked to a S7 CPU.
– enforcing one-of-a-kind network constructions, similar to, As interface, profibus
DP, Ethernet, MPI, profibus PA In digital and light verbal exchange channels.
Clearly, the company has knowledge, drawings and plans for many of Iran’s greatest industrial enterprises on its community. It should be stored in mind that, additionally to affecting motors, Stuxnet incorporated espionage performance and picked up information on STEP 7 tasks found on infected systems.

In 2010, that same organization used to be attacked once more – this time using the 1/3 version of Stuxnet, created on April 14, 2010. On April 26, the same computer as in 2009 – “KASPERSKY.ISIE” – was once infected again.


This persistence on the part of the Stuxnet creators may indicate that they regarded Foolad Technic Engineering Co. Now not simplest as some of the shortest paths to the worm’s ultimate target, but as an above all intriguing object for gathering data on Iran’s industry.

“domain B”

yet another organization was attacked multiple times – as soon as in 2009 and twice in 2010. Pretty much, each of the three Stuxnet variants was used to infect this goal. In this case, the attackers had been even more  power than in the case of Foolad Technical Engineering Co.

It should be noted that it used to be this victim that was the patient zero of the 2010 world epidemic. This group’s illness in the path of the 2nd assault (in March 2010) led to the widest distribution of Stuxnet – first in Iran, then across the globe. Curiously, when that identical group was once contaminated in June 2009 and in may 2010, the worm rarely spread at all. We share our ideas on the factors for that below.

Take probably the most trendy variant – Stuxnet 2010 (a.Okay.A. Stuxnet.B). It used to be compiled on March 1, 2010. The first illness took situation three weeks later – on March 23.


in addition to the computer’s title and the area title, Stuxnet has recorded the computing device’s IP number. The fact that the handle transformed on March 29, could indicate, albeit not directly, that it was a computer which related to the organization’s neighborhood community as soon as in a even as.

However what company is it? The domain name –”behpajooh” – instantly gives us the answer: Behpajooh Co. Elec & Comp. Engineering.

Like Foolad Technic, this manufacturer is located in Isfahan and it additionally develops industrial automation methods. Certainly, we’re also dealing with SCADA/percentgurus right here.

Screenshot from the corporation’s website

at the same time gathering know-how about Behpajooh Co, we discovered yet another curious thing – a 2006 article published in a Dubai (UAE) newspaper known as Khaleej times.


in line with the article, a Dubai company used to be accused of smuggling bomb components into Iran. The Iranian recipient of the cargo was additionally named – it was a detailed “Bejpajooh Inc” from Isfahan.


So why did Stuxnet unfold most actively for this reason of the March 2010 Behpajooh infection? We suppose the reply lies in the second institution within the chain of infections that began from Behpajooh.


because the screenshot above indicates, on April 24, 2010 Stuxnet spread from the corporate network of Behpajooh to one other community, which had the domain name MSCCO. A seek for all possible options led us to the conclusion that the certainly the victim is Mobarakeh steel organization (MSC), Iran’s greatest steel maker and some of the largest industrial complexes working in Iran, which is placed now not a ways from Isfahan, the place the two victims stated above – Behpajooh and Foolad Technic – are headquartered.

Stuxnet infecting the commercial complicated, which is naturally connected to dozens of alternative firms in Iran and makes use of an massive number of computers in its construction amenities, triggered a chain response, resulting within the worm spreading across hundreds and hundreds of techniques in two or three months. For example, the evaluation of logs suggests that via July 2010 this department of the infection reached computers in Russian and Belarusian businesses.

“domain С”

On July 7, 2009, Stuxnet 2009 hit yet one more goal. With it, it was designed to start the path to its ultimate meant mission. The sufferer laptop was once named “applserver” (application server?), placed in the domain NEDA.


on this case, it was once beautiful handy to identify the victim group. Beyond any doubt, it used to be the Neda Industrial crew, an group that used to be placed on the sanctions record by the U.S. Ministry of Justice, and charged with the illegal export of prohibited entities into Iran with expertise military functions. This enterprise’s complete dossier is to be had on the Iran Watch web page.


When monitoring the chain of Stuxnet propagation, one of the most workforce’s department corporations raises designated interest: “Allegedly the controlling entity of Nedaye Micron digital enterprise in Tehran, Iran and Neda overseas Electronics LLC in Dubai, UAE; presents offerings in industrial automation for power vegetation, the cement industry, and the oil, gasoline and petrochemical sector; situated in the mid Eighties below the title NEDA pc merchandise incorporated as a absolutely personal joint inventory manufacturer”.

Neda was once attacked most effective as soon as, in July 2009, and Stuxnet on no account left that organization, consistent with the illness logs to be had to us. Nevertheless, to leave the group will have now not been its motive on this case. As noted earlier, the ability of stealing knowledge about STEP 7 tasks from infected programs used to be of distinct interest to the creators of Stuxnet.

“domain D”

The fourth sufferer in 2009 was once contaminated on July 7, the identical day when Neda was once compromised. Curiously, the contamination started with the server, if we decide with the aid of the laptop identify – SRV1 in area CGJ, just like it did in the Neda case.


So, what is CGJ? We spent fairly some time combing through search engines and social networks, and we’re just about positive that is control-Gostar Jahed company, one more Iranian corporation operating in industrial automation.


manage Gostar Jahed (CGJ) (private Joint stock, due to the fact that 1383) centered with the aim of localization of industrial automation science, and employing the technical understanding and execution vigor of 30 full-time personnel in the Tehran office and more than 50 workshop personnel, has completed a excessive potential in delivering engineering and technical services.

The companys primary focal point over the years has been on the next domains:
– Design, procurement, construction, programming and commissioning of manage systems (DCS, PLC, ESD, F&G)
– Design, manufacture and installation of low voltage constant and sliding panels (utilizing the merchandise of CUBIC Denmark)
– Upgrading hardware, software and optimization of industrial automation techniques
– Consulting offerings and common and particular design of electrical and instrumentation techniques
– set up of electrical and control systems
in contrast to Neda workforce, control-Gostar Jahed manufacturer isn’t on the sanctions record. It was commonly chosen as a target when you consider that of its impressive cooperation ties with the biggest Iranian companies in oil production, metallurgy and power supplies.

This organization was attacked most effective as soon as in 2009. That infection did not go away the goal’s company network and makes up the smallest a part of all recognized Stuxnet propagation traces.

“domain E”

The fifth and the last “sufferer Zero” sufferer stands out when judged with the aid of the numbers of originally contaminated methods. Unlike in all above cases, the assault in this case started from three desktops without delay, on the identical day (may just eleven, 2010), however at one of a kind instances.

Know-how from three distinct Stuxnet files

KALASERVER, ANTIVIRUSPC, NAMADSERVER: judging by way of the names, there have been at least two servers involved on this case too.

Such an sample of illness makes us practically confident that e mail used to be now not used because the most important illness vector. The possibilities are very small that the illness began from a user receiving an e-mail containing an attachment with an take advantage of.

So what’s Kala? There are two most verisimilar answers to this, and we do not know which is the proper one. Each are about companies littered with sanctions and instantly related to Iran’s nuclear software.

Well, one possibility could be Kala Naft. A dossier for this manufacturer is available on the Iran Watch website.

Nevertheless, Kala electric (a.K.A. Kalaye electrical Co.) looks like essentially the most probable victim. That is correctly an excellent goal for an attack, given Stuxnet’s fundamental function (which is to render uranium enrichment centrifuges inoperable), to be had understanding on Iran’s nuclear software, and the common sense of the worm’s propagation.

Of all different firms, Kala electric is known as as the foremost company of the Iranian uranium enrichment centrifuges, IR-1.

The manufacturer does now not have an internet-website, however there is fairly some expertise available about its movements: that is among the key buildings within the entire Iranian nuclear program.


additionally, particularly special expertise is to be had on the ISIS (Institute for Science and global security) website at www.Isisnucleariran.Org.

Centered on Iran’s revised assertion about this web page, in the beginning, Kalaye electric used to be a exclusive manufacturer that used to be purchased with the aid of the Atomic vigor organization of Iran (AEOI). The title “Kalaye electric” approach “electric goods,” implying that Iran kept the fashioned name to support disguise the actual intent of the power.

Iran declared that Kalaye electrical became the essential IR-1 centrifuge development and trying out web site after such work was once moved in 1995 from the Tehran Nuclear study center. The IAEA has said that between 1997 and 2002, Iran assembled and demonstrated IR-1 centrifuges at Kalaye
considering the fact that moving many centrifuge research and development pursuits to the Pilot gas Enrichment Plant (PFEP) at Natanz, Kalaye electric has remained an foremost centrifuge research and progress web page.
Satellite pictures of Kala electrical operation amenities are also available; these are viewed to be the web site where the centrifuges had been developed and confirmed.


for that reason, it appears really reasonable that this organization of all others was chosen as the first link in the infections chain meant to deliver the worm to its perfect target. It’s actually shocking that this institution used to be not among the ambitions of the 2009 assaults.


Stuxnet stays one of the vital intriguing portions of malware ever created. Within the digital world, one might say it’s the cyber similar of the atomic assaults on Nagasaki and Hiroshima from 1945.

For Stuxnet to be effective and penetrate the enormously guarded installations the place Iran was establishing its nuclear application, the attackers had a hard trouble to clear up: tips on how to sneak the malicious code into a place with out a direct internet connections? The targeting of unique “high profile” organizations used to be the solution and it was more commonly positive.


sadly, due to detailed errors or design flaws, Stuxnet started infecting different organizations and propagate over the internet. The attackers misplaced control of the worm, which contaminated 1000’s of 1000’s of computer systems additionally to its distinct pursuits.

Of direction, one of the vital largest closing questions is – were there another malware like Stuxnet, or used to be it one-of-a-sort test? The longer term will inform for definite.

Leave a reply