How the Stuxnet Worm Formed Its Attacks—and Who Might Have It Now

By Andrew Moseman | February 15, 2011 1:57 pm

Stuxnet seems to become scarier every time you hear about it. The sophisticated piece of malware came to the world’s attention in September; shortly thereafter we heard that it was perfectly designed to attack nuclear centrifuges, and in fact had disrupted some nuclear research in Iran. Now comes more news about how it works, and who might be using it next.

The security group Symantec has been trying to analyze and understand the waves of Stuxnet attacks against Iran, and now its researchers have found the base of the attacks, according to Symantec’s Orla Cox.

The new research, which analysed 12,000 infections collected by various anti-virus firms, shows that the worm targeted five “industrial processing” organisations in Iran. “These were the seeds of all other infections,” said Ms Cox. The firm was able to identify the targets because Stuxnet collected information about each computer it infected, including its name, location and a time stamp of when it was compromised. [BBC News]

Though Symantec isn’t naming the five targets in Iran, another security expert studying Stuxnet’s code, Ralph Langner, told CNET the likely target of the whole attack was the Natanz nuclear enrichment plant.

“My bet is that one of the infected sites is Kalaye Electric,” he wrote… “Again, we don’t have evidence for this, but this is how we would launch the attack – infecting a handful of key contractors with access to Natanz.” [CNET]

The news turning heads today, though, is that Anonymous, the “hacktivist” group in the news recently for coordinated attacks on behalf of WikiLeaks and Egyptian protesters, claims to have a version of Stuxnet.

“It would be possible [for Anonymous to use Stuxnet in an attack],” Cox said. “But it would require a lot of work, it’s certainly not trivial. “The impressive thing about Stuxnet is the knowledge its creators had about their target. So even if you have got access to it you need to understand the target – that requires a lot of research.” [The Guardian]

In addition, The Guardian quotes other security experts as saying Anonymous doesn’t have the key pieces of coding needed to launch an attack like last year’s on Iran. But that doesn’t mean the group couldn’t cause some mayhem.

“There is the real potential that others will build on what is being released,” Michael Gregg, chief operating officer of cybersecurity firm Superior Solutions, [said]. Gregg was quick to clarify that the group hasn’t released the Stuxnet worm itself, but rather a decrypted version of it HBGary had been studying — which could act almost like a building block for cybercrooks. [Fox News]

Related Content:
80beats: Iran’s Nuclear Program: Scientists Attacked, Documents Wiki-Leaked
80beats: Internet Intrigue: China Reroutes the Web, Stuxnet Is Even Scarier
80beats: Iran Close to Completing Its First Nuclear Reactor. Should We Worry?
80beats: Super-Sophisticated Computer Virus Apparently Targeted Iran’s Power Plants

Image: iStockphoto

  • TerryS.

    C’mon, haven’t we run this “news” into the ground. I’m so sick of hearing statements such as “only a nation state would have the capabilities to produce it” and “the entirety of the Stuxnet code has not yet been understood.” Security experts like Symantec and Kaspersky (and Siemens) have had at least six months to figure this out. Is it written in some unknown language or use some until-now unknown technology. Of course not! It’s just journalistic hype.

    The Guardian article this blog references has sensational statements such as “reportedly developed as a joint Israeli-US cyber attack” and “The worm, reportedly tested at Israel’s nuclear development centre at Dimona…” Huh? Reportedly? Reportedly from where? Oh, they’re not facts, just sensational jornalism.


  • Esther Haman

    If we could use such things as Stuxnet then we could permanently stop the Russia, China and any other nation from operating their nuclear facilities. Now why people are trying to promote this fictitious idea that this tool ” Stuxnet” is used and working in Iran?! This is just another Zionist propaganda and feel good jargon that is spreading Mis-information about Iran and her nuclear program. Total B.S.

    Get Real.

  • Mr Z

    TerryS is right… We don’t need to worry about stuxnet and what people will do with it. We should be worrying about the author(s) and others like them who have written other well targeted viruses. Consider stuxnet a Sputnik moment. What comes after it will not be as sloppy as stuxnet and may in fact already be in the wild with stuxnet as the cover.

  • Iain

    Oh Esther you are so naive it hurts.
    Iran has enough oil to generate a few hundred million megawatts forever. Yet they want to develop nuclear power to export more oil! BUT nuclear power costs more than fossil fuel power.
    Maybe you should have a good dump and clear your brain!

    PS How many terror orginizations has Iran funded over the years?

  • nick

    @TerryS: the code Symantec et al. have been studying is the decompiled binary code. If you know anything about programming, you’ll know that reverse engineering decompiled binaries is very very tough to do – moreso when you don’t have access to or much knowledge about the type of equipment that binary is supposed to be running on. Pretty sure anti-virus companies don’t have nuclear centrifuges lying around to test out the code on…

    pretty sure, anyway…

  • TerryS.

    Brad: I have used disassemblers since the 80’s to understand and modify code delivered only in executable form. While Symantek, Kaspersky, et al might not have access to, as you say, nuclear centrifuges (in actuality the virus is written for the Siemens Supervisory Control And Data Acquisition PLC’s, not the equipment it controls), I’m sure Siemens has been working closely with one or more of these companies to figure this out, as the virus also has a substantial Windows component. I understand that these AV companies might not understand the PLC section of the code, but Siemens sure does.

    The Guardian article also mentions that Anonymous has a decompiled version of the virus “rather than the original source code”. Of course they don’t have the original source code.

    Maybe it’s just that no one can read assembly language any more :-)

  • TerryS.

    Sorry…my previous post was to Nick. Where I got Brad I have no idea. Must be too early in the morning…

  • Anonymous

    U mad?

  • Doug


    You are severely mistaken in your assumptions. Iran does not have nearly enough oil refineries to meet half of its countries gasoline and fuel demands. Iran has to sell it’s oil on the market and then buy back the refined gasoline and fuel oils. It then uses those fuel oils as part of it’s electrical grid. It makes tremendous sense to get off oil as soon as they can and get onto nuclear from an economic perspective.

    From a nation state perspective, Iran would be extremely naive not to develop nuclear weapons as soon as it can. Its the major Shia led nation in the Arab world. There is Iraq but that is still under US control for now. There already is one Sunni nation with nukes, Pakistan and then there is Israel as well with Nukes. Now look at the sanctions placed on Iran as well. Now look at what happened to Iraq, a country with Oil and no WMD’s. As oil gets more scarce and your country happens to not get along with the US, I do not blame Iran working on nuclear weapons. Lastly, Shia and Sunni they don’t mix, think of the South vs the North in the US civil war except make it about 100x’s worse in the hate and both sides have legitimate disagreements in their own faiths logical reasoning. An infidel is one thing (US) however a heretic (someone who doesn’t believe exactly what the beards tell them to believe) is someone who has to be exterminated to keep the faith pure.

    I am an American citizen and if the tables were turned, and the US was in Iran’s position, I’d be highly advocating the US develop nuclear weapons to protect us from Sharia law and nation change to an Islam theocracy.

  • Joseph

    There’s a much more compelling story behind the Anonymous vs. HBGary hacking debacle. Is Discover covering it?

    Briefly, Anonymous leaked all of HBGary Federal’s emails, and journalists started to pour through them. They discovered — by chance — corporate plots to attack and destroy Wikileaks, journalists such as Glenn Greenwald, ThinkProgress, unions and others.

  • Ayatollah Ali Khamenei


  • Barry Johnstone.

    It doesn’t WHAT way one turns it, it always comes back to religion. That’s what really effs things up for EVERYBODY!

  • Musouka
  • Hurry

    This information will be useful to a greater extent. I am sure it gives some more idea on the feel.

  • Hulk

    Yes, detailed as in more deep.

  • Dennis Fistler

    Hi people, this might not be the best place to ask this, but I need to find a skilled electrician in Tucson and I don’t know who is good and who isn’t… I have heard this local electrician is good. They’re based out of located in Tucson, not too far from my place I can’t find many reviews on them — Holy Ground Electric, 9420 E Golf Links Rd #252, Tucson, AZ 85730, (520) 971-6710


Discover's Newsletter

Sign up to get the latest science news delivered weekly right to your inbox!


80beats is DISCOVER's news aggregator, weaving together the choicest tidbits from the best articles covering the day's most compelling topics.

See More

Collapse bottom bar