Rivers of words have been written on the popular Stuxnet virus, there have been many hypotheses, sometimes contradictory, about its paternity but the only certainty seemed to be the date of its creation, but suddenly the certainty as happens in the best thriller movies has been called into question.
The authors of Stuxnet, the malware that hit Iranian nuclear plant in 2010 interfering with nuclear program of the Government of Teheran, started the operations earlier than previously demonstrated according to a new research proposed by Symantec firm.
According to the study conducted by Symantec, there was a predecessor of the final version of the virus, a development version that was spread in 2005 and the was designed to manipulate the nuclear facility’s gas valves.
The cyber attack was planned to induce serious damage in the nuclear plant targeted, the manipulation of the valves that could cause an explosion, due to this reason Stuxnet is considered the first example of cyber weapon in the history able to cause physical destruction of the critical infrastructures.
The computer attack in 2010 was one of the first known examples of a cyber weapon used to destroy physical infrastructure, according to many experts and to revelation of New Your Times, Stuxnet has been produced by a joint venture of US and Israel experts to hit centrifuges used in the uranium enrichment process in nuclear plant of the country.
Francis deSouza, Symantec’s president of products and services, commented to Bloomberg:
“It looks like now the weapon tried a few things before it hit on what would actually work,”‘ “It is clear that this has been a sophisticated effort for longer than people thought.”
Symantec researchers detected a Stuxnet the early version has a version number within its code, the version is 0.5 and analyzing the date of website domain registration Stuxnet 0.5 may have been used as early as 2005. Another interesting information on this version of Stuxnet is that he stopped to infect computers on July 4th, 2009, few days before version 1.001 was created.
Symantec highlighted the differences of version 0.5 with subsequent instances of Stuxnet:
The most important change between the two versions was the strategy of attack of the different versions, earlier Stuxnet had the ability to shut critical gas valves potentially causing an explosion later version replaced this capability with the one to alter the speed of centrifuges, anyway Stuxnet significantly increased in time its spreading capabilities introducing exploits for various vulnerabilities.
Another serious implication is on beliefs of relationship between Flame and Stuxnet until now security community believed that Stuxnet authors have had access to Flame modules but not to whole Flame platform source code. The discovery of Stuxnet 0.5 demonstrates that Stuxnet’s authors had access to the complete Flamer platform source code.
The study states:
“Stuxnet 0.5 is partly based on the Flamer platform whereas 1.x versions were based primarily on the Tilded platform. Over time, the developers appear to have migrated more towards the Tilded platform. The developers actually re-implemented Flamer platform components using the Tilded platform in later versions.
Both the Flamer and Tilded platform code bases are different enough to suggest different developers were involved.”
The revelations have unimaginable repercussion on the study conducted since now on the agent, in particular, to better understand the strategy of the attackers and probably to give more clues on its identity.
(Security Affairs – Stuxnet, ICS)