In July 2010, Stuxnet, one of the most sophisticated pieces of malware ever written, was discovered in the wild. This complex malware took many months to analyze, and its eventual payload significantly raised the bar for cyber threat capability. Stuxnet proved that malicious code executing in the cyber world could successfully affect critical national infrastructure. The earliest known variant of Stuxnet was version 1.001, created in 2009. That is, until now.
Symantec Security Response has recently analyzed a sample of Stuxnet that predates version 1.001. Analysis of this code reveals the latest discovery to be version 0.5, which was in operation between 2007 and 2009, with indications that it, or even earlier variants of it, were in operation as early as 2005.
Key discoveries found while analyzing Stuxnet 0.5:
- Oldest variant of Stuxnet ever found
- Built using the Flamer platform
- Spreads by infecting Step 7 project files, including projects carried on USB keys
- Stops spreading on July 4, 2009
- Contains no exploits for Microsoft vulnerabilities
- Contains a fully working payload against Siemens 417 PLCs; the equivalent payload in the Stuxnet 1.x versions was incomplete
As with version 1.x, Stuxnet 0.5 is a complicated and sophisticated piece of malware requiring a similar level of skill and effort to produce.
Despite the age of the threat and its July 4, 2009 kill date, Symantec sensors have still detected a small number of dormant infections (Stuxnet 0.5 files embedded within Step 7 project files) worldwide over the past year.
Figure 1. Dormant infections detected in the past year
The following video explains how Stuxnet 0.5 attempts to sabotage the Natanz uranium enrichment facility.
More information on key aspects of Stuxnet 0.5 can be found in the following blogs and technical whitepaper:
For further details on Stuxnet 0.5 you can download a copy of our whitepaper.
Symantec would like to thank the Institute for Science and International Security (ISIS) for their continued assistance in understanding centrifugal uranium enrichment systems.