Attackers behind the Stuxnet computer worm focused on targeting five organizations in Iran that they believed would get them to their final target in that country, according to a new report from security researchers.
The five organizations, believed to be the first that were infected with the worm, were targeted in five separate attacks over a number of months in 2009 and 2010, before Stuxnet was discovered in June 2010 and publicly exposed. Stuxnet spread from these organizations into other organizations on its way to its final target, which is believed to have been a nuclear enrichment facility or facilities in Iran.
“These five organizations were infected, and from those five computers Stuxnet spread out — not to just computers in those organizations, but to other computers as well,” says Liam O Murchu, manager of operations for Symantec Security Response. “It all started with those five original domains.”
If there were any doubts about who was the target, these two graphs from the Symantec paper should put such doubts to rest. The first graph shows total infections by country, the second total infections of Siemens controllers, which apparently were the target of the malware. In each case, the malware hit Iran far beyond any other country.