Slashdot Mirror


First Victims of the Stuxnet Worm Revealed

An anonymous reader writes: Analyzing more than 2,000 Stuxnet files collected over a two-year period, Kaspersky Lab can identify the first victims of the Stuxnet worm. Initially, security researchers had no doubt that the whole attack had a targeted nature. The code of the Stuxnet worm looked professional and exclusive; there was evidence that extremely expensive zero-day vulnerabilities were used. However, it wasn't yet known what kind of organizations were attacked first and how the malware ultimately made it right through to the uranium enrichment centrifuges in the particular top secret facilities. Kaspersky Lab analysis sheds light on these questions.

39 comments

  1. It was Bob in accounting. by halivar · · Score: 3, Funny

    You can always count on Bob to open any email he sees that has "Miley Cyrus" in the subject line. Had to clean out his system three times this month. Damn you, Bob. This is all your fault.

    1. Re:It was Bob in accounting. by Anonymous Coward · · Score: 1

      What's his email again?

    2. Re:It was Bob in accounting. by Zanadou · · Score: 2

      "Birdman, did ya get dat thing I sent ya??"

    3. Re:It was Bob in accounting. by ArcadeMan · · Score: 1

      bob@dumbassusers.com

    4. Re:It was Bob in accounting. by Anonymous Coward · · Score: 0

      The CIA and NSA have tried this exact thing before, only without a computer program to do their bidding. I suggest you look up Operation Merlin. Sound familiar to anyone? Mystery solved. You're welcome /.

    5. Re:It was Bob in accounting. by binarylarry · · Score: 1

      bob@microsoft.com

      --
      Mod me down, my New Earth Global Warmingist friends!
    6. Re:It was Bob in accounting. by Anonymous Coward · · Score: 0

      Nice :)

    7. Re:It was Bob in accounting. by antdude · · Score: 1

      Fire Bob already! :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    8. Re:It was Bob in accounting. by hairyfeet · · Score: 1

      Nope because while the "Bobs" (or as we call 'em locally "Velma the disaster area" after a particularly bad case that works at a local insurance firm) can cause some serious damage they don't hold a candle to "Chuck Porn" when it comes to sheer mountains of malware!

      You see, with Chuck Porn all you have to do is HINT that you will POSSIBLY give him some of his fetish of choice, and he'll happily run any program from any website, follow any instructions said website gives him, even go so far as to uninstall his antivirus and disable his firewall, and all you have to do is give him a single JPG scraped from the CDUniverse porn section that matches whatever fetish he is looking for at that instant. You see, with Bob or Velma you have to actually shoot an email with a subject that might catch their attention (and get past the spam filters), whereas with Chuck all you have to do is have a simple script return the name of whatever he is looking for with the thumbnail of the DVD, something like "Sure Chuck, you can watch Tranny gangbang 47 for absolutely free! Just download and run "Iz_Not_Viruz_Iz_Codex.exe" and be sure to disable your AV if it bitches, you don't want to miss seeing the gangbang do you?" and voila! Hook, line, and sinker.

      The record for the most malware ever seen in my days of working shops was a Chuck that came into the previous shop I worked for; he had taken an i5 Toshiba laptop and turned it into a Pentium 3 when it came to performance by ending up with....drumroll....over 2400 active running malware infections on a single laptop! It took over an hour to boot the thing, but Doug wanted to see if it beat the previous record (also claimed by a Chuck) of 21 seventy something, which it beat by damned near 400 running infections. The final total was something like 2497, just nuts and nowhere near the 600-800 on average you'd see from a Bob or Velma.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:It was Bob in accounting. by Anonymous Coward · · Score: 0

      Oh, you mean Microsoft Bob?

  2. Answer: whoever Israel meant to target by Rujiel · · Score: 2

    Why is it surprising that it eventually co-opted uranium enrichment facilities? Wasn't it developed for such a purpose?

    1. Re:Answer: whoever Israel meant to target by Anonymous Coward · · Score: 0

      Who said it was surprising?

  3. You might want to look for consistent articles by Anonymous Coward · · Score: 0

    First article: First victims of the Stuxnet worm revealed
    Second article: Stuxnet: Zero Victims

  4. Boom by Anonymous Coward · · Score: 0

    Too bad there was not a big boom in Iran!!

  5. Save the suspense by jbmartin6 · · Score: 4, Informative

    Why is the summary being coy about the first thing anyone will ask upon reading it? That is pointless. Here:

    It took us a long time to establish what organization it really was, but ultimately we succeeded in identifying it with a high degree of certainty. It is called Foolad Technic Engineering Co (FIECO). It is an Iranian company with headquarters in Isfahan. The company creates automated systems for Iranian industrial facilities (mostly those producing steel and power) and has over 300 employees. The company is directly involved with industrial control systems.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Save the suspense by Anonymous Coward · · Score: 1

      Thanks. It seemed clearly clickbait. Now that you extracted the relevant part, I don't have to give them the click-through.

    2. Re:Save the suspense by Anonymous Coward · · Score: 0

      No mod points since last week, so I'm giving you a virtual +1, Informative.

      Not that real mod points aren't virtual either, but you know what I mean.

    3. Re:Save the suspense by Anonymous Coward · · Score: 0

      Thank you. This is useful.

      Had the summary not been so coy ("clickbaity"), I may have actually given them the click, despite knowing the punchline. But the clickbaitiness of the summary smacks of desperation.

      Summaries on Slashdot don't need suspense. It's disrespectful.

    4. Re: Save the suspense by n3r0.m4dski11z · · Score: 5, Informative

      Maybe if you RTFA you would notice that it is a bit more complicated than that. The organization or individual who went after the centrifuges infected at least 5 different companies. An electric company, a steel manufacturer, 2 different industrial supply companies and a military importer /exporter company. These targets were all brand new infections, not passed from org to org. So they would have had to break security at at least 5 firms independently. Not too shabby.

      You should read the second link, because it is quite fascinating. Whoever did it exploited the servers directly (as opposed to laptop vectors or smart phones or what have you), and even went so far in two of the companies as first infecting the virus scan servers (one machine named kaspersky, another avserver...). Must have been awfully ballsy and confident about their virus's stealth.

      So we have learned that it was a directed attack, over multiple targets, and the initial infection was most likely delivered by network access and not by USB.

      I think your summary misses most of the interesting parts. The name of the one company with hardly any context would not have added to the Slashdot summary at all and would most likely make people miss out on the nice, simple deconstruction which the second link provides.

      --
      -
    5. Re: Save the suspense by GigaplexNZ · · Score: 1

      With a clickbait summary like this, I actively avoided RTFA.

  6. clickbait much by Anonymous Coward · · Score: 0

    I just love all the sensationalism and all, but this isn't reporting, it's clickbaiting.

  7. Expensive ? by Zebai · · Score: 1

    I think I lost interest in anything this article says when I read "extremely expensive zero-day vulnerabilities".

    1. Re:Expensive ? by Anonymous Coward · · Score: 0

      I think I lost interest in anything this article says when I read "extremely expensive zero-day vulnerabilities".

      I think their meaning was: "could have been sold for a great deal of money to shady folk but seemingly wasn't or was purchased from very shady folk who knew about them therefore making this exploit one in which making money was hardly a key goal which conforms with the characterization of this as a state-sponsored attack".

    2. Re:Expensive ? by Anonymous Coward · · Score: 0

      "extremely lucrative zero-day vulnerabilities" would work. As sometimes they can sell for a high price.

    3. Re:Expensive ? by cold+fjord · · Score: 1

      You do know that there is a black market that sells information on exploitable vulnerabilities in computer software, right?

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    4. Re:Expensive ? by Wraithlyn · · Score: 4, Informative

      Ummm... why? You think it's preposterous that software exploits are bought and sold?

      "It is common for individuals or companies who discover zero-day attacks to sell them to government agencies for use in cyberwarfare." - Zero-day attack

      References:
      - Zero-day exploit in Apple’s iOS operating system 'sold for $500,000'
      - Nations Buying as Hackers Sell Flaws in Computer Code
      - How Spies, Hackers, and the Government Bolster a Booming Software Exploit Market
      - Cyberwar’s Gray Market

      --
      "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
  8. Easy to forget the people ... by BoRegardless · · Score: 3, Insightful

    There are those who are spies and paid well to do their work.

    1. Re:Easy to forget the people ... by Anonymous Coward · · Score: 0

      Stuxnet is technically sabotage and not spying.
      While there are some retarded spy apologists around here sabotage is a lot harder to justify.

  9. A well-done hack by sirwired · · Score: 3, Insightful

    No matter which "side" you are on, you have to admire how well it worked; doing exactly what it was designed to for quite a while before being discovered. I'd put it on a level with the legendary DirecTV "Black Sunday" program.

    1. Re:A well-done hack by lippydude · · Score: 1

      @sirwired: 'No matter which "side" you are on, you have to admire how well it worked; doing exactly what it was designed to for quite a while before being discovered. I'd put it on a level with the legendary DirecTV "Black Sunday" program.'

      Yes, all it required was a USB socket and Windows :)

  10. It was Omar in accounting. by cold+fjord · · Score: 0

    You can always count on Omar to open any email he sees that has "Miley Cyrus" in the subject line. He has a weakness for women that do not wear a veil, as well as women that only wear a veil ... as underwear. Had to clean out his system three times this month. Damn you, Omar. This is all your fault.

    FTFY

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  11. Well done by s.petry · · Score: 1

    Like you, I found the investigation to be interesting. I have read a lot previously on this infection and the virus itself since it was very unique (kernel can load and unload modules on the fly, polymorphic and encrypted traffic, etc.). This just makes it even more interesting in my opinion.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  12. Re:And the first victims were... by lippydude · · Score: 0

    @AC: "Microsoft Windows users. No surprise there."

    No, no, no, Kaspersky says it's a computer worm, fifteen times :)

    I would have thought it's the Operating System that gets infected :)

  13. Re:bennett please share your thoughts by Anonymous Coward · · Score: 0

    You should be able to afford treatment under Obamacare. Just think, you're only a pill or two per day away from sanity. Wouldn't that be so much better?