The Stuxnet worm was at work sabotaging a uranium plant in Iran a year earlier than previously thought and before a U.S. covert program to disrupt the facility was officially authorized by former President George W. Bush, according to a report on a previously unknown version of the worm.
The early version of the worm - Stuxnet 0.5 - was found in the wild in November 2007 and stopped infecting July 4, 2009, according to a new Symantec blog post. Bush authorized the U.S. to use covert activities to target Iran's uranium works at Natanz in January 2009, just before he left office.
Previously the worm, whose existence came to public attention in June 2010, was thought to have been at work since 2008. It turns out that that was a later version called Stuxnet 1.001, which attacked centrifuges used to enrich uranium for Iran's nuclear program.
Like the previously known version, the earlier one used sophisticated means to disrupt machinery made by Siemens that was used to enhance uranium.
The worm would find Siemens programmable logic controllers (PLC) used to manipulate valves that fed a gaseous state of uranium ore into centrifuges for separating out the uranium. Closed at the right time the valves would disrupt the flow of the gas and possibly damage the centrifuges, the Symantec report says.
But first it would monitor the normal system state of the machinery so that after the worm closed the valves, it could simulate readouts that would mask the effects of the attack. "It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle," the blog post says. So even if the operator figured out something was wrong, there was nothing that could be done about it.
Stuxnet carefully probed potential target Siemens machines to make sure they were actually in the Natanz facility, the blog post says, and the criteria it used indicate that whoever wrote the worm had detailed intelligence about the configuration of the centrifuges at the site.
Thousands of centrifuges were arranged in groups called cascades that were identified by a code. The logic used by Stuxnet to parse these strings sought particular cascade modules, seeking those labeled between A21 and A28 and expecting to find a maximum of 18 cascades per module with each cascade consisting of 164 centrifuges grouped into 15 stages. That exactly matches the known configuration at Natanz.
This process is called fingerprinting. "During fingerprinting, Stuxnet keeps a counter for each device that matches the expected configuration," the blog post says. "Once the counter surpasses a particular threshold, Stuxnet considers the system that is being fingerprinted to match the target system configuration and will inject the attack PLC code. Stuxnet also determines which six cascades out of the possible 18 are the highest value targets and saves this information along with device addresses and configuration information[.]"
Sign up for Computerworld eNewsletters.