
New research finds Stuxnet first went live in 2005

Researchers at Symantec have discovered a version of Stuxnet that predates the earliest known appearance of the worm.

Stuxnet was first uncovered in July 2010, and researchers later said that the earliest version (1.001) made its debut in 2009. But Stuxnet was apparently in circulation for much longer than that.

"Symantec Security Response has recently analyzed a sample of Stuxnet that predates version 1.001," Symantec said in a blog post. "Analysis of this code reveals the latest discovery to be version 0.5 and that it was in operation between 2007 and 2009 with indications that it, or even earlier variants of it, were in operation as early as 2005."

Stuxnet 0.5 was built with a hard-coded cut-off date of 4 July 2009, after which it stopped spreading, but Symantec said it has still found a small number of dormant infections worldwide over the past year. Not surprisingly, most of those infections - 47 per cent - are in Iran, with another 21 per cent in the United States. A small number of infections were also found in Italy, Germany, and Luxembourg, as well as Malaysia, the Netherlands, Switzerland, and Brazil. Symantec also said a satellite provider was hit.

In June 2012, it was revealed that Stuxnet was likely crafted by the US and Israel to thwart the development of Iran's nuclear programme. The sabotage operation reportedly started under President Bush and continued under President Obama. Unfortunately, the malware was not adequately contained and spread to PCs worldwide.

According to Symantec, version 0.5 was built using the Flamer platform and spreads only via infected Siemens Step 7 project files carried on USB keys. It does not contain any Microsoft Windows exploits, but it has a fully working payload against Siemens S7-417 Programmable Logic Controllers (PLCs), an attack that was left incomplete in later versions.

"After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges," Symantec said.

A few things changed between Stuxnet 0.5 and 1.001, Symantec said in a separate post. Later versions spread more aggressively, adding Windows exploits to the USB-based propagation; the Flamer platform code was replaced with the Tilded platform code; and the payload shifted from disrupting the uranium enrichment valves (the S7-417 attack) to modifying centrifuge speeds (the S7-315 attack).