The Stuxnet computer worm that infected Iran’s Natanz uranium enrichment complex last year was first deployed against five Iranian organizations before reaching its target, according to a report from Symantec researchers.
Between June 2009 and May 2010, five companies in Iran were hit with the Stuxnet worm; the company’s names were not disclosed, but Symantec researcher Liam O Muchu told the New York Times, “All of the domains are involved in industrial processing.”
According to the Symantec report, Stuxnet recorded information on the location and type of each computer it infected, allowing researchers to chart its behavior. Researchers found that 12,000 infections were traced back to the five targeted organizations.
The report also suggests that these five plants were targeted because of their close business ties with Natanz, ties that would facilitate the spread of Stuxnet via removable USB drives to Natanz, which itself was likely to have been operating offline.
“One of the main propagation methods Stuxnet uses is to copy itself to inserted removable drives. Industrial control systems are commonly programmed by a Windows computer that is non-networked and operators often exchange data with other computers using removable drives,” the report reads.
Symantec’s report found that the dangerous malware was still being worked on just 12 hours before the first attack in June 2009.