Iranian contractor named as Stuxnet 'patient zero'
Hell-worm targeted five companies before plundering Natanz
Malware researchers have named five Iranian companies infected with Stuxnet, identifying one as 'patient zero' from which the worm leaked to the world after causing havoc in the Natanz uranium plant.
Joint research by Kaspersky Lab and Symantec found the organisations, contractors to Natanz, were targeted between June 2009 and March 2010 and suffered 12,000 infections from 3280 Stuxnet samples.
The two companies' latest findings, also published in Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, do not agree with accounts in a New York Times article that Stuxnet was delivered straight to Natanz, from where it escaped into the wild to be picked up by researchers and re-purposed by malware writers.
Researchers were able to glean the new information, published in January and updated with victims' names today, because Stuxnet retained a record of the hosts it infected, creating a new executable for each.
"Stuxnet remains one of the most interesting pieces of malware ever created," Kaspersky analysts wrote. "The targeting of certain high-profile companies was the solution" to infect Natanz.
Symantec reverse engineer Liam O'Murchu said the company was confident Stuxnet leaked from the initial targets.
"Based on the analysis of the bread crumb log files, every Stuxnet sample we have ever seen originated outside of Natanz," O'Murchu said.
"... every sample can be traced back to specific companies involved in industrial control systems-type work."
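The tracing described above (each sample carrying a record of the hosts it passed through, so that every sample can be walked back to its first infection) is the kind of analysis that can be reproduced on any malware family that embeds such a trail. The following is an added example, not code from Kaspersky, Symantec or the article: the record format, host names and dates are constructed and hypothetical and do not reflect Stuxnet's real configuration layout. It rebuilds the propagation tree from per-sample trails, lists the root hosts (the patient-zero candidates) and counts how many samples descend from each root.

```python
from collections import defaultdict

# Constructed sample records. Each sample is assumed to carry the chain of hosts
# it infected in order, oldest first, as (hostname, ISO date). This format, the
# host names and the dates are hypothetical, invented for the example.
SAMPLES = [
    {"sample": "s1", "trail": [("contractorA-ws01", "2009-06-22")]},
    {"sample": "s2", "trail": [("contractorA-ws01", "2009-06-22"),
                               ("contractorA-ws07", "2009-06-25")]},
    {"sample": "s3", "trail": [("contractorA-ws01", "2009-06-22"),
                               ("contractorA-ws07", "2009-06-25"),
                               ("external-pc-31", "2009-07-02")]},
    {"sample": "s4", "trail": [("contractorB-eng02", "2010-03-10")]},
    {"sample": "s5", "trail": [("contractorB-eng02", "2010-03-10"),
                               ("contractorB-eng05", "2010-03-14")]},
]


def build_edges(samples):
    """Turn each trail into parent -> child infection edges.

    Returns a dict mapping child host -> (parent host, earliest date seen).
    Consecutive entries in a trail are treated as one infection hop.
    """
    parent_of = {}
    for rec in samples:
        trail = rec["trail"]
        for (parent, _), (child, when) in zip(trail, trail[1:]):
            # Keep the earliest observed infection of a given child host.
            if child not in parent_of or when < parent_of[child][1]:
                parent_of[child] = (parent, when)
    return parent_of


def find_roots(samples):
    """Hosts that appear in a trail but are never anyone's child: patient-zero candidates."""
    parent_of = build_edges(samples)
    hosts = {host for rec in samples for host, _ in rec["trail"]}
    return sorted(host for host in hosts if host not in parent_of)


def origin_of(host, samples):
    """Walk parent links back from a host to the first host in its chain.

    A seen-set guards against malformed trails that would form a cycle.
    """
    parent_of = build_edges(samples)
    seen = set()
    while host in parent_of and host not in seen:
        seen.add(host)
        host = parent_of[host][0]
    return host


def samples_per_root(samples):
    """Count how many samples trace back to each root host."""
    counts = defaultdict(int)
    for rec in samples:
        last_host = rec["trail"][-1][0]
        counts[origin_of(last_host, samples)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("roots:", find_roots(SAMPLES))
    print("origin of external-pc-31:", origin_of("external-pc-31", SAMPLES))
    print("samples per root:", samples_per_root(SAMPLES))
```

With real collections the trails would be parsed out of each sample's embedded data rather than typed in, but the reconstruction step is the same: the host that heads every chain and is never itself a child is the earliest infection the samples can witness.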
The companies included Behpajooh, identified as patient zero, from where the worm leaked to the world; Foolad Technic Engineering Co, which developed blueprints for Iran's industrial control systems; the sanctioned Neda Industrial Group; Control-Gostar Jahed Company; and Kala Electric, a sanctioned firm that developed centrifuges.
The sophisticated malware was widely thought to be the work of the US and Israel, created under Operation Olympic Games, launched by the Bush Administration and continued under President Obama.
It exploited four zero-day vulnerabilities, making it both expensive, in terms of the research typically required to discover such flaws, and highly targeted, having been designed for the specific systems used in the Natanz facility. ®