Once machines in five partner networks had been infected, Stuxnet found its way into Iran’s Natanz enrichment plant, where it forced the automated control equipment to run uranium enrichment centrifuges at speeds that would damage them, according to a blog post by Alex Gostev, Chief Security Expert at Kaspersky Lab.
The centrifuges are needed to enrich uranium to weapons grade, something the U.S. wanted to block, and the U.S. is considered a potential creator of Stuxnet.
The five targeted partners were three makers of automated systems for industrial use (Foolad Technic Engineering Co., Behpajooh Co. Elec & Comp. Engineering and Control-Gostar Jahed Co.), a steel company (Mobarakeh Steel Company), a company that made products for potential military use (Neda Industrial Group), and the main manufacturer of the centrifuges (Kalaye Electric Co.).
These companies and the manner in which they were attacked give some insight into the thought process that went into ultimately compromising the Siemens gear that controlled the centrifuges.
Two of the attacked companies, Neda and Gostar, were likely used just for intelligence gathering since they were infected with a Stuxnet variant that never left the companies.
Neda was attacked only in 2009 while some of the other sites were also hit in 2010. The company’s usefulness might have been to provide information about Siemens Step7 software that is used to give instructions to its programmable logic controllers – the devices directing the behaviour of the centrifuges, Gostev said. “[T]he capability of stealing information about Step 7 projects from infected systems was of special interest to the creators of Stuxnet,” he wrote.
Foolad, though, was hit twice in June 2009 and April 2010. “This persistence on the part of the Stuxnet creators may indicate that they regarded Foolad Technic Engineering Co. not only as one of the shortest paths to the worm’s final target, but as an exceptionally interesting object for collecting data on Iran’s industry,” Gostev said.
While it’s widely believed that Stuxnet spread via infected USB sticks, in at least one case it seems that some other method was used. One Stuxnet version was created on 22nd June 2009 and infected a Foolad computer at 4:40 a.m. the next day, too soon for it to have been introduced via USB stick, Gostev writes. He suggested that a particular Microsoft vulnerability on the attacked machine might instead have been exploited.
That flaw, MS08-067 (CVE-2008-4250), is a remotely exploitable vulnerability in the Windows Server service that needs neither a USB stick nor any user interaction. Once exploited, it allowed the attackers to create, read and delete files, download new malware versions and install them, and send the malware on to infect other machines.
Kaspersky was able to deduce the five companies victimised by Stuxnet because the malware logged the names and addresses of the machines it infected, and those machine names contained clues that pointed to the companies. For example, the name APPLSERVER NEDA was logged for a machine infected on 7th July 2009, which likely meant it was an application server within Neda Industrial Group.
Coincidentally, one of the compromised machines at Foolad was named KASPERSKY ISIE. “When we first saw the computer’s name, we were very much surprised,” Gostev said. “The name could mean that the initial infection affected some server named after our anti-malware solution installed on the machine.”
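The two pieces of analysis described above, attributing logged machine names to organisations and checking how quickly a build reached its first victim, can be reproduced on a small scale. The following is an added example written for this article; it is not Kaspersky's code and does not reproduce Stuxnet's real log format. The record structure, the 24-hour threshold, the `ENG-WS12` host and all timestamps except the ones quoted in the article are assumptions.

```python
"""Added example (not Kaspersky's code): attribute infection-log records to
organisations by name tokens and measure build-to-first-infection timing."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Name tokens for the five victims named in the article.
ORG_TOKENS = {
    "NEDA": "Neda Industrial Group",
    "FOOLAD": "Foolad Technic Engineering Co.",
    "BEHPAJOOH": "Behpajooh Co. Elec & Comp. Engineering",
    "GOSTAR": "Control-Gostar Jahed Co.",
    "MOBARAKEH": "Mobarakeh Steel Company",
    "KALAYE": "Kalaye Electric Co.",
}


@dataclass(frozen=True)
class InfectionRecord:
    """One entry from a sample's infection history (assumed layout)."""
    hostname: str          # machine name as recorded by the sample
    domain: str            # Windows domain or DNS suffix, may be empty
    infected_at: datetime  # time the sample recorded the infection


def _tokens(*fields):
    """Split host and domain names on spaces, dashes, underscores and dots."""
    out = []
    for field in fields:
        out.extend(t for t in re.split(r"[\s\-_.]+", field.upper()) if t)
    return out


def attribute_host(hostname, domain=""):
    """Return the organisation whose token appears in the names, else None."""
    for tok in _tokens(hostname, domain):
        if tok in ORG_TOKENS:
            return ORG_TOKENS[tok]
    return None


def group_by_org(records):
    """Map each organisation (or 'UNATTRIBUTED') to the hostnames seen."""
    groups = {}
    for rec in records:
        org = attribute_host(rec.hostname, rec.domain) or "UNATTRIBUTED"
        groups.setdefault(org, []).append(rec.hostname)
    return groups


def build_to_first_infection(build_time, records):
    """Time between the sample's build and its earliest logged infection."""
    return min(r.infected_at for r in records) - build_time


def too_fast_for_usb(delta, threshold=timedelta(hours=24)):
    """Assumed heuristic: an infection this soon after the build is unlikely
    to have arrived by hand-carried USB stick, so look for a network vector."""
    return delta < threshold


# Constructed sample log. Only "APPLSERVER NEDA" (7 July 2009) and the
# 23 June 2009 04:40 Foolad infection come from the article; the hostname
# ENG-WS12, the foolad.local domain, the times of day and the date on the
# KASPERSKY ISIE record are placeholders.
SAMPLE_LOG = [
    InfectionRecord("ENG-WS12", "foolad.local", datetime(2009, 6, 23, 4, 40)),
    InfectionRecord("APPLSERVER NEDA", "", datetime(2009, 7, 7, 0, 0)),
    InfectionRecord("KASPERSKY ISIE", "", datetime(2010, 4, 15, 0, 0)),
]

# The article gives only the build date; the time of day is assumed.
BUILD_TIME = datetime(2009, 6, 22, 12, 0)


if __name__ == "__main__":
    for org, hosts in group_by_org(SAMPLE_LOG).items():
        print(f"{org}: {hosts}")
    delta = build_to_first_infection(BUILD_TIME, SAMPLE_LOG)
    print(f"build to first infection: {delta}, too fast for USB: "
          f"{too_fast_for_usb(delta)}")
```

Note that `KASPERSKY ISIE` lands in the `UNATTRIBUTED` bucket: a host named after a security product carries no organisation token, so it can only be tied to Foolad through other records in the same infection chain, which is the corroboration the article's analysts would have needed.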