November 11, 2014

Stuxnet virus used waterholing to strike Iran

Affiliated companies infected to spread malware inside nuclear plant.

By Jimmy Nicholls

Hackers behind the Stuxnet virus that hit Iranian nuclear centrifuges in 2010 used "waterholing" techniques to carry out the attack, according to a book by the journalist Kim Zetter.

‘Countdown to Zero Day’, which was released today, describes how the attackers targeted companies affiliated with the Natanz power plant in central Iran, rather than hitting the organisation directly.

"To get their weapon into the plant, the attackers launched an offensive against four companies," Zetter wrote. "All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems.

"They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees."

Responding to the book’s release, the security company Symantec said that it could verify the path Stuxnet took to enter Natanz because the virus recorded information about each computer it executed on, leaving a trail of "breadcrumbs" for researchers to follow.

"Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz," said Liam O Murchu, senior development manager at Symantec.

"In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work."


He added that the work proved Stuxnet spread into Natanz rather than escaping out of the facility, contradicting an earlier account of the attack given by the journalist David Sanger in his book ‘Confront and Conceal’ and in a piece for the New York Times.

However, O Murchu said such tracing was possible only for Stuxnet 1.x and could not be carried out on earlier iterations of the virus.

"While version 0.5, which did not spread as aggressively as version 1.x, could have been planted inside Natanz and then spread outwards, this version was no longer operational during the conversation timeframe (the summer of 2010) outlined in the Sanger article," he added.
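The tracing Symantec describes rests on a simple idea: if every copy of a self-replicating sample appends a record of each host it ran on, an analyst who collects enough copies can read each trail back to its first hop and ask whether the trails start outside the facility (spread inward) or inside it (spread outward). The following Python is an added example written for this article, not Symantec's tooling or anything derived from Stuxnet's actual log format; the `Hop` record layout, the domain names and every trail below are constructed placeholders.

```python
"""
Added example: reconstruct the propagation path of a self-replicating sample
from the per-host "breadcrumb" records each recovered copy carries.
The record format and all sample data are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Hop:
    hostname: str
    domain: str
    first_seen: str  # ISO 8601 timestamp the sample wrote when it ran on this host


# Constructed breadcrumb trails (not real data). Each trail is the log one
# recovered sample carried, oldest hop first. Domain names are placeholders
# standing in for contractor networks and the target facility's network.
SAMPLES = {
    "sample-A": [
        Hop("ws07", "contractor-one.example", "2009-06-22T09:15:00"),
        Hop("eng02", "contractor-one.example", "2009-06-23T11:02:00"),
        Hop("plc-prog1", "plant.example", "2009-07-01T08:40:00"),
    ],
    "sample-B": [
        Hop("lap11", "contractor-two.example", "2009-06-28T14:00:00"),
        Hop("plc-prog1", "plant.example", "2009-07-02T10:05:00"),
        Hop("hmi03", "plant.example", "2009-07-03T16:30:00"),
    ],
    "sample-C": [
        Hop("ws07", "contractor-one.example", "2009-06-22T09:15:00"),
        Hop("fileshare", "contractor-one.example", "2009-06-25T07:50:00"),
    ],
    # A trail whose timestamps run backwards: the log is corrupt or tampered,
    # so it must not be used as evidence of direction.
    "sample-D": [
        Hop("hmi03", "plant.example", "2009-07-03T16:30:00"),
        Hop("lap11", "contractor-two.example", "2009-06-28T14:00:00"),
    ],
}


def trail_is_consistent(trail):
    """A trail is usable only if each hop was recorded no earlier than the one before it."""
    times = [datetime.fromisoformat(h.first_seen) for h in trail]
    return all(a <= b for a, b in zip(times, times[1:]))


def origin_counts(samples):
    """Count which domain each consistent trail starts in (its first hop)."""
    counts = Counter()
    for trail in samples.values():
        if trail and trail_is_consistent(trail):
            counts[trail[0].domain] += 1
    return counts


def spread_direction(samples, target_domain):
    """Classify how the sample population relates to target_domain.

    'inbound'  : every consistent trail that reaches the target started outside it
    'outbound' : at least one consistent trail started inside the target
    'untouched': no consistent trail reaches the target at all
    """
    reached = started_inside = False
    for trail in samples.values():
        if not trail or not trail_is_consistent(trail):
            continue
        if trail[0].domain == target_domain:
            started_inside = True
        if any(h.domain == target_domain for h in trail):
            reached = True
    if started_inside:
        return "outbound"
    return "inbound" if reached else "untouched"


def inconsistent_samples(samples):
    """Names of samples whose trails cannot be trusted for tracing."""
    return sorted(n for n, t in samples.items() if not trail_is_consistent(t))


if __name__ == "__main__":
    print(origin_counts(SAMPLES))
    print(spread_direction(SAMPLES, "plant.example"))
    print(inconsistent_samples(SAMPLES))
```

The consistency check matters as much as the counting: a trail whose timestamps run backwards (here `sample-D`) would, taken at face value, suggest the target network was the origin, so it is excluded rather than allowed to flip the verdict. With the constructed data every trustworthy trail that reaches `plant.example` began in a contractor domain, which is the same shape of evidence O Murchu describes for Natanz.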
