March 1, 2013

Stuxnet: The Missing Link

Today social media are spreading shocking news: according to new research by the security company Symantec, the authors of the Stuxnet virus that hit the Iranian nuclear program in 2010 started their work in 2005, and, unlike later instances of the malware, the early version was designed to manipulate the nuclear facility's gas valves. The attackers' strategy was to destroy the nuclear plant by causing an explosion through the sabotage of the gas valves; their purpose was the physical destruction of the target, which is why the press and the security community labeled Stuxnet the first cyber weapon in history.

Francis deSouza, Symantec's president of products and services, revealed in an interview with Bloomberg that the version detected was a sort of beta version of the final weapon and that between 2005 and 2009 the authors were testing its capabilities.

“It looks like now the weapon tried a few things before it hit on what would actually work,” said deSouza. “It is clear that this has been a sophisticated effort for longer than people thought.”

Symantec experts found in the code of the earlier version of Stuxnet a version reference, 0.5, and by cross-referencing this information with the registration date of the website domain used by Stuxnet 0.5 they concluded that it may have been in use as early as 2005 and until July 4th, 2009, a few days before version 1.001 was created.

Symantec's report describes the differences between version 0.5 and the subsequent versions of Stuxnet: later versions significantly increased their spreading capability by exploiting a greater number of vulnerabilities, but, as described above, the most important change concerns the strategy pursued by the attackers, who moved their attention from gas valve disruption to centrifuge speed modification.

The discovery is likely to reveal many other interesting backstage details; consider the link between Flame and Stuxnet. Until now the security community believed that the Stuxnet authors had access to Flame components but not to the whole Flame platform source code. The discovery of Stuxnet 0.5 demonstrates that its authors had access to the complete Flamer platform source code.

The report states on this topic: “Stuxnet 0.5 is partly based on the Flamer platform whereas 1.x versions were based primarily on the Tilded platform. Over time, the developers appear to have migrated more towards the Tilded platform. The developers actually re-implemented Flamer platform components using the Tilded platform in later versions.

Both the Flamer and Tilded platform code bases are different enough to suggest different developers were involved.”