RSA 2013: Stuxnet Attacks On Iran May Have Been Active In 2005

Stuxnet is older than previously thought and had a different attack vector than the finished product, Symantec reveals

Symantec today claimed to have found the oldest sample of the super-sophisticated malware Stuxnet, which eventually disrupted Iranian nuclear activities, and it may have first been pushed out as early as 2005.

Calling it Stuxnet 0.5, Francis deSouza, the security giant’s president of products and services, took to the stage this morning at RSA 2013 to announce the findings. The malware was believed to have been built on the ‘Flamer’ platform, used to create the Flame surveillance software, which also targeted Iranian systems. Both Flame and Stuxnet were believed to have been the work of the US and Israeli governments.

Stuxnet attack flow

“Analysis of this code reveals the latest discovery to be version 0.5 and that it was in operation between 2007 and 2009 with indications that it, or even earlier variants of it, were in operation as early as 2005,” a blog post from Symantec read. “Until now Stuxnet was believed to be a project developed by people with access to Flamer components and not necessarily the whole Flamer platform source code.

“As with version 1.x, Stuxnet 0.5 is a complicated and sophisticated piece of malware requiring a similar level of skill and effort to produce.”

Yet Stuxnet 0.5 used an entirely different attack mechanism to its successors, which managed to make centrifuges used for uranium enrichment spin out of control. The eventual aim of version 0.5 was to close valves that fed uranium hexafluoride gas into the centrifuges, damaging them and the uranium enrichment system as a whole. It did some incredibly smart stuff before delivering the payload, however.

“The code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally,” Symantec noted. “It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.”
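One way a defender could look for the record-and-replay behaviour Symantec describes, as an added example that is not from the article or from Symantec: the function below flags any run of samples that exactly repeats an earlier run. It assumes readings from a noisy analog sensor collected independently of the operator display, where an exact repeat of several consecutive samples is unlikely; the function name, window size and sample values are constructed for illustration.

```python
def find_replayed_windows(readings, window=5):
    """Return (first_start, repeat_start) index pairs where `window`
    consecutive samples exactly repeat an earlier, non-overlapping run."""
    seen = {}   # window contents -> index where they were first observed
    hits = []
    for i in range(len(readings) - window + 1):
        key = tuple(readings[i:i + window])
        if len(set(key)) == 1:
            # A constant signal repeats trivially; treat it as a separate
            # condition (stuck sensor) rather than evidence of replay.
            continue
        first = seen.get(key)
        if first is None:
            seen[key] = i
        elif i - first >= window:
            hits.append((first, i))
    return hits


# Constructed sample data: pressure readings with ordinary jitter.
LIVE = [101.2, 101.5, 100.9, 101.1, 101.4, 101.0, 100.8, 101.3, 101.6, 100.7]

# Constructed sample data: the same feed, followed by a verbatim copy of
# samples 1..7 standing in for recorded values played back later.
REPLAYED = LIVE + LIVE[1:8]

if __name__ == "__main__":
    print("live feed:    ", find_replayed_windows(LIVE))
    print("replayed feed:", find_replayed_windows(REPLAYED))
```

Each hit pairs the index where a run was first seen with the index where it reappears, which gives an analyst the point at which the feed stopped reflecting the process.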

The old version of Stuxnet was also able to analyse the systems it was sitting on, profiling all the relevant devices it sought to disrupt.

It remains unclear whether the attempts to close off valves were successful before the strategy was shifted. There remain a number of dormant infections, the majority of which reside in Iran.

Below is Symantec’s infographic on the development of Stuxnet 0.5:

Stuxnet attack strategy