By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
10alert.com10alert.com
  • Threats
    • WordPress ThreatsDanger
    Threats
    A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include…
    Show More
    Top News
    GPS trackers: Cyberpoaching paradise
    8 months ago
    What is Zero-Day Exploit?
    8 months ago
    How to Get Rid of a Virus on Phone? | Android and iPhone
    8 months ago
    Latest News
    Safeguards against firmware signed with stolen MSI keys
    1 day ago
    WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
    1 day ago
    Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
    6 days ago
    Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign
    1 week ago
  • Fix
    Fix
    Troubleshooting guide you need when errors, bugs or technical glitches might ruin your digital experience.
    Show More
    Top News
    What’s included in the ‘Battle of Shadow and Light’ update for Halo 5: Guardians
    8 months ago
    How to fix printer spooler problems on Windows 10
    8 months ago
    How to fix error 0x80004005 starting VirtualBox VM on Windows 10
    8 months ago
    Latest News
    How automatically delete unused files from my Downloads folder?
    4 months ago
    Now you can speed up any video in your browser
    4 months ago
    How to restore access to a file after EFS or view it on another computer?
    4 months ago
    18 Proven Tips to Speed Up Your WordPress Site and Improve SEO | 2023 Guide
    5 months ago
  • How To
    How ToShow More
    What is two-factor authentication | Kaspersky official blog
    2 days ago
    Acer refreshes Windows 11 PCs for work and play: Swift Edge 16 and Predator Triton 16
    4 days ago
    NVIDIA GeForce RTX 4080 New Mercury Editions of Razer Blade 16 and Blade 18 now available
    4 days ago
    How Oxy uses hooks for maximum extensibility
    How Oxy uses hooks for maximum extensibility
    5 days ago
    The personal threat landscape: securing yourself smartly
    5 days ago
  • News
    News
    This category of resources includes the latest technology news and updates, covering a wide range of topics and innovations in the tech industry. From new…
    Show More
    Top News
    The dream of a designer and web developer
    7 months ago
    Google Drive Public File Search
    8 months ago
    Chrome Tab Preview
    8 months ago
    Latest News
    How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
    2 days ago
    How to enable Taskbar End Task option to close apps on Windows 11
    2 days ago
    How to check USB4 devices specs from Settings on Windows 11
    2 days ago
    How to enable new header UI for File Explorer on Windows 11
    1 week ago
  • Glossary
  • My Bookmarks
Reading: Stuxnet: industrial systems’ isolation alone will no longer do
Share
Notification Show More
Aa
Aa
10alert.com10alert.com
  • Threats
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
  • Threats
    • WordPress ThreatsDanger
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
Follow US
ThreatsWordpress Threats

Stuxnet: industrial systems’ isolation alone will no longer do

Vitus White
Last updated: 13 October
Vitus White 8 months ago
Share
8 Min Read

The story of the Stuxnet worm made a lot of headlines a year ago and gave information security folks chills. Who created it, and why, is still a mystery. However, rumor has it that American and Israeli Intelligence wanted to use it to sabotage the Iranian nuclear program. The story is very feasible as malware indeed made the uranium enrichment centrifuges inoperable, throwing the Iranian nuclear program years behind.

Contents
First victims or ‘victims zero’Domain ADomain BDomains C, D and EEpilogue

Stuxnet creators succeeded in attacking disconnected protected machines and executing massive-scale subversion. Then the worm, as seen by many specialists, lost control and started to actively distribute itself, without any visible damage to home and corporate PCs, as it initially targeted industrial systems of a specified type.

First victims or ‘victims zero’

Kim Zetter, an American journalist, published her book, Countdown to Zero Day, on November 11. Therefore, we have taken this opportunity to publish a few lesser-known facts about Stuxnet taken from the book, to a wider audience. We won’t dwell too long on the early days of the worm, but rather, we would like to focus on its iterations, which triggered an abundance of compromising cases in 2009-2010.

It was easy to reproduce the event that took place thanks to one of the malware’s interesting attributes: it keeps a history of the compromised machines, including name, domain name and IP-address, in its body. Since this data is constantly updated, we could track down the origins.

Symantec, which published “W32.Stuxnet Dossier” back in February 2011, was able to identify that the distribution started with five organizations (with two of them, in fact, being attacked twice – in 2009 and 2010), by then undisclosed. To identify them, we worked for about two years, analyzing about 2,000 files.

#Stuxnet Zero Victims
The identity of the companies targeted by the first known cyber-weapon https://t.co/W8PVyGp7b3 pic.twitter.com/BWDkVqWPLq

— Dmitry Bestuzhev (@dimitribest) November 11, 2014

Domain A

The first notable iteration of Stuxnet 2009 (referred to as Stuxnet.a) was created on June 22, 2009. In several hours’ time following compilation, the malware infected an “ISIE”-hosted PC. It is unlikely that culprits used a detachable storage device, as it is highly improbable that it could be delivered inside the facility in such a short timeframe.

It was easy to reproduce the event that took place thanks to one of the malware’s interesting attributes: it keeps a history of the compromised machines, including name, domain name and IP-address, in its body.

We were unable to officially identify the compromised organization having scarce data like this. However, we were highly positive that it was Foolad Technic Engineering Co (FIECO) — an Iranian producer of automation systems for heavy industrial companies.

Besides the ability to affect the rotors of the centrifuge, Stuxnet featured a spyware module, and FIECO was a good target for its creators. It is likely that they considered the company to be a sort of shortcut to their final target and an interesting object through which to mine data on the Iranian nuclear industry – in 2010 the computer was attacked again by the third iteration of Stuxnet.

Domain B

The next ‘patient’ was attacked three times: in June 2009, as well as in March and May of 2010. It was the second attack that triggered the global Stuxnet 2010 (a.k.a. Stuxnet.b) epidemic. The “behpajooh” domain allowed us to immediately identify the victim: Behpajooh Co. Elec & Comp. Engineering. It was also involved in industry automation and was linked to many companies.

great_stuxnet_09In 2006, the Khaleej Times reported, that a Dubai-based newspaper wrote that one of the domestic entities was involved in the illegal shipping of nuclear bomb components to Iran, naming “Bejpajooh INC”, based in Isfakhana, as an intended recipient.

On April 24, 2010, Stuxnet travelled from the Behpajooh to the MSCCO domain. The most likely candidate was the major Iran-based metallurgy facility, Mobarakeh Steel Company (MSC). It employed a very large number of PCs and was connected to many companies around the world. With such connections in its arsenal, Stuxnet was able to start a global epidemic: by the summer of 2010, the worm reached companies in Russia and Belarus.

Domains C, D and E

On July 7, 2009, Stuxnet infected the “applserver” PC in the NEDA domain. In this case, we encountered no problem with identifying the victim: Neda Industrial Group. As of 2008, the company was included in the US Ministry of Justice and was charged with the illegal export of prohibited substances to Iran.

One more organization in the “CGJ” domain was infected along with Neda. Having spent some time on the analysis, we found out that it was once again an organization dealing with industry automation, based in Iran – Control-Gostar Jahed Company. This is where the malware distribution stopped, despite the company’s considerably wide portfolio and significant reach.

The last ‘patient zero’ was responsible for a large number of compromised machines: on May 11, 2010 Stuxnet ended up in three computers in the “KALA” domain. It was likely Kala Electric, a.k.a. Kalaye Electric Co. The company was considered a major developer of IR-1 uranium enrichment centrifuges and one of the key pillars of the Iranian uranium program. It seems strange that it had not been attacked before that.

Epilogue

For such a sophisticated damage vector (it is not easy to make uranium enrichment centrifuges inoperable), Stuxnet was distributed pretty primitively. Moreover, there was a moment when it simply got off-task; otherwise, it would be problematic to try to explain the scale of the epidemic that drove the worm so far from its original targets.

With all of the drawbacks in mind, the malware turned out to be pretty productive: its creators succeeded in executing the world’s largest act of cyber-subversion, and introducing a new era of cyber weapons.

Before #Stuxnet, no one thought about proactively securing industrial facilities

Tweet

Before Stuxnet, no one thought about proactively securing industrial facilities: it was widely accepted that isolating facilities from the global networks alone, was an effective approach. By successfully attacking disconnected machines, the creators of the worm introduced a new era of information security. The importance of Stuxnet can be compared solely to the so-called Great Worm or Morris Worm, created back in 1988.


Source: kaspersky.com

Translate this article

TAGGED: Malware, Security, Social engineering, SQL injection, Threats
Vitus White October 13, 2022 October 7, 2022
Share this Article
Facebook Twitter Reddit Telegram Email Copy Link Print

STAY CONECTED

24.8k Followers Like
253.9k Followers Follow
33.7k Subscribers Subscribe
124.8k Members Follow

LAST 10 ALERT

Safeguards against firmware signed with stolen MSI keys
Threats 1 day ago
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Wordpress Threats 1 day ago
How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
News 2 days ago
How to enable Taskbar End Task option to close apps on Windows 11
News 2 days ago
How to check USB4 devices specs from Settings on Windows 11
News 2 days ago

Recent Posts

  • Safeguards against firmware signed with stolen MSI keys
  • WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
  • How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
  • How to enable Taskbar End Task option to close apps on Windows 11
  • How to check USB4 devices specs from Settings on Windows 11

You Might Also Like

Threats

Safeguards against firmware signed with stolen MSI keys

1 day ago
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Wordpress Threats

WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin

1 day ago
News

How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11

2 days ago
How To

What is two-factor authentication | Kaspersky official blog

2 days ago
Show More

Related stories

How to Use Cloudflare to Secure Your WordPress Site
How To Starting Chrome from the command line
How to fix error 0x80070057 in Chrome?
Windows 10 How To Disable Slide to Shutdown
Windows search not working (FIX)
How to watch movies and TV series for free on Kinopoisk?
Previous Next

10 New Stories

What is two-factor authentication | Kaspersky official blog
Acer refreshes Windows 11 PCs for work and play: Swift Edge 16 and Predator Triton 16
NVIDIA GeForce RTX 4080 New Mercury Editions of Razer Blade 16 and Blade 18 now available
How Oxy uses hooks for maximum extensibility
The personal threat landscape: securing yourself smartly
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
Previous Next
Hot News
Safeguards against firmware signed with stolen MSI keys
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
How to enable Taskbar End Task option to close apps on Windows 11
How to check USB4 devices specs from Settings on Windows 11
10alert.com10alert.com
Follow US

© 10 Alert Network. All Rights Reserved.

  • Privacy Policy
  • Contact
  • Customize Interests
  • My Bookmarks
  • Glossary
Go to mobile version
adbanner
AdBlock Detected
Our site is an advertising supported site. Please whitelist to support our site.
Okay, I'll Whitelist
Welcome Back!

Sign in to your account

Lost your password?