“In July 2010, Stuxnet, one of the most sophisticated pieces of malware ever written, was discovered in the wild. This complex malware took many months to analyze and the eventual payload significantly raised the bar in terms of cyber threat capability. Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure. The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now.
Symantec Security Response has recently analyzed a sample of Stuxnet that predates version 1.001. Analysis of this code reveals the latest discovery to be version 0.5 and that it was in operation between 2007 and 2009 with indications that it, or even earlier variants of it, were in operation as early as 2005.
Key discoveries found while analyzing Stuxnet 0.5:
- Oldest variant of Stuxnet ever found
- Built using the Flamer platform
- Spreads by infecting Step 7 projects, including those on USB keys
- Stops spreading on July 4, 2009
- Does not contain any Microsoft exploits
- Has a full working payload against Siemens 417 PLCs that was incomplete in Stuxnet 1.x versions
As with version 1.x, Stuxnet 0.5 is a complicated and sophisticated piece of malware requiring a similar level of skill and effort to produce.
Despite the age of the threat and kill date, Symantec sensors have still detected a small number of dormant infections (Stuxnet 0.5 files found within Step 7 project files) worldwide over the past year.
The following video explains how Stuxnet 0.5 attempts to sabotage the Natanz uranium enrichment facility.
More information on key aspects of Stuxnet 0.5 can be found in the following blogs and technical whitepaper:
- Stuxnet 0.5: How It Evolved
- Stuxnet 0.5: Command and Control Capabilities
- Stuxnet 0.5: Disrupting Uranium Processing at Natanz
Yet eight years ago Iran was in the process of building its uranium enrichment facility, said Symantec researcher Liam O’Murchu, as the plant became operational in 2007.
“It is really mind-blowing that they were thinking about creating a project like that in 2005,” O’Murchu told Reuters ahead of the report’s release at the RSA security conference in San Francisco.
All versions of Stuxnet have allegedly been used to change the speeds of around 1,000 gas-spinning centrifuges without being detected, thus sabotaging the research process of Iranian scientists. Such manipulation, say some experts, could potentially lead to an explosion.
Symantec said that the new variant is the oldest version of Stuxnet found and is spread by “infecting Step 7 projects including USB keys.”
It also has a kill date which stopped it from spreading on July 4, 2009.
“The 0.5 version was a mixture of sabotage and espionage – affecting the valves and reporting back,” Sian John, Symantec’s director of security strategy for UK and Ireland Enterprise was quoted by The Guardian as saying. “This really goes to show that with the right impact and amount of research, these groups can create very targeted attacks.”