According to Symantec, by September 29, 2010, there were 100,000 infected hosts in the world, with approximately 60% of those residing in Iran. The next five countries with the most infections were Indonesia, India, the United States, Australia and the United Kingdom, respectively.[4] Although the infection spread through computers around the world, it was programmed to activate only on computers running Siemens Supervisory Control and Data Acquisition (SCADA) software, specifically the S7-400 PLC and WinCC. The worm took advantage of five vulnerabilities to carry out its operations. Four of the five were zero-day exploits, that is, vulnerabilities that were previously unknown and unpatched. The fifth, previously patched vulnerability used by Stuxnet was MS08-067, the same vulnerability used in the Conficker attack. Kaspersky Lab's Alexander Gostev stated, "The fact that Stuxnet targets four previously unidentified vulnerabilities makes the worm a real standout among malware."
The use of four zero-day exploits, the first ever programmable logic controller (PLC) rootkit, a Windows rootkit, peer-to-peer updates, command-and-control interfaces, two stolen signed digital certificates, and the amount of testing the worm would have required on a mirrored environment have led many experts to hail it as the most advanced malware ever released.
Although the Stuxnet worm is incredibly advanced, it is believed that, to bypass the security controls set up around and within the Iranian nuclear facilities, the worm had to have been placed onto the systems via a USB memory device. This lends credence to the idea that someone within the nuclear facilities in Iran sabotaged the facility, knowingly or not, or that the PLCs were compromised before they were sent to Iran. The worm was then able to reach two command-and-control servers through the websites www.mypremierfutbol.com and www.todaysfutbol.com. One server was located in Denmark and the other in Malaysia; the servers functioned to update Stuxnet and send it commands. Symantec stated in its dossier that the earliest version of Stuxnet penetrated the nuclear facility to steal the ICS's schematics for the specific configuration of the PLCs. Once Stuxnet obtained the schematics, they were uploaded to the command-and-control server, where an updated version of Stuxnet was created specifically for the ICS in use at that facility. Once the two websites were discovered, they were redirected, which prevented the command-and-control servers from interacting with the worm. However, Stuxnet also has a peer-to-peer function that allows it to communicate with any other copy of itself to update itself and receive commands.[6]
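The paragraph above names the two command-and-control domains and notes that they were later redirected (sinkholed). From a defender's point of view, the practical consequence is that those domains become network indicators: any host on the monitored network that still tries to reach them is worth investigating. The following Python script is an added example, not code from the paper or from Stuxnet itself, showing how such an indicator check might be run over web-proxy logs. The log format (a simplified one-line-per-request layout) and all sample entries are constructed for illustration; only the two domain names come from the text.

```python
"""Flag outbound web-proxy entries that contact the two Stuxnet
command-and-control domains named in the text above.

Added example for this page; not code from the paper or from the worm.
The log format and the sample entries below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional

# Indicator domains taken from the text. A tuple keeps iteration order stable.
STUXNET_C2_DOMAINS = ("www.mypremierfutbol.com", "www.todaysfutbol.com")

# Constructed log format: "<epoch> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# Pull the host part out of an absolute URL (stops at port, path or query).
URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.IGNORECASE)

# Constructed sample log: three hits (two clients), one benign entry, one
# malformed line, and one hit with odd casing plus a trailing dot.
SAMPLE_LOG = """\
1285718400.123 10.0.5.14 GET http://www.mypremierfutbol.com/index.php?data=AAAA 200
1285718401.005 10.0.5.14 GET http://intranet.example.local/status 200
1285718402.377 10.0.7.22 POST http://WWW.TODAYSFUTBOL.COM./index.php 302
1285718403.001 10.0.9.3 GET http://update.example.com:8080/check 200
this line is not in the expected format
1285718404.900 10.0.5.14 GET http://www.todaysfutbol.com:80/index.php?data=BBBB 200
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    host: str
    indicator: str
    url: str


def host_of(url: str) -> Optional[str]:
    """Return the host portion of an absolute URL, or None if unparseable."""
    m = URL_HOST.match(url)
    return m.group("host") if m else None


def matches_indicator(host: str) -> Optional[str]:
    """Return the matching indicator domain for a host, or None.

    Normalises case and a trailing dot, and also matches the apex domain
    (without 'www.') and any subdomain of it, so 'cdn.todaysfutbol.com'
    is flagged while 'nottodaysfutbol.com' is not.
    """
    host = host.lower().rstrip(".")
    for ind in STUXNET_C2_DOMAINS:
        apex = ind[len("www."):] if ind.startswith("www.") else ind
        if host == ind or host == apex or host.endswith("." + apex):
            return ind
    return None


def scan(lines: Iterable[str]) -> Iterator[Alert]:
    """Yield an Alert for every well-formed log line that hits an indicator.

    Malformed lines are skipped rather than raising, so one bad record does
    not abort a run over a large log.
    """
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        host = host_of(m.group("url"))
        if host is None:
            continue
        ind = matches_indicator(host)
        if ind is not None:
            yield Alert(m.group("ts"), m.group("client"), host, ind, m.group("url"))


def summarize(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per client so each suspect host can be triaged once."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.client] = counts.get(a.client, 0) + 1
    return counts


if __name__ == "__main__":
    found = list(scan(SAMPLE_LOG.splitlines()))
    for a in found:
        print(f"{a.ts} {a.client} -> {a.indicator} ({a.url})")
    print("per-client counts:", summarize(found))
```

Two caveats follow directly from the text: because the domains were redirected, a hit today means a host is still trying to call home (or an unrelated visitor reached the sinkhole), not that a live C2 server answered; and because Stuxnet also updates over its peer-to-peer channel, an absence of hits on these domains does not show that a network is clean.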
Once the Stuxnet worm had infected the nuclear facilities in Iran, information about its success becomes more speculative.[5] Iran has been careful about releasing exactly what damage the worm did, although there are some verified conclusions. One confirmed effect of the worm was the destruction of 1,000 centrifuges at the Natanz facility by slowly increasing and decreasing their motor speed.[7] Considering the known damage, Stuxnet has been credited with setting Iran's nuclear program back by at least two years.[8]
The worm has been described as a one-shot weapon that has already had its intended effect. However, Stuxnet is capable of causing far deadlier outcomes, including a nuclear meltdown. We know that, after spreading through the Iranian nuclear facility, the worm acted slowly, for example by making small changes to the centrifuges to degrade them over time. This slow method of attack points to an effort by the attacker to remain covert. Everything Stuxnet did during its time on the nuclear facility networks, though, is unknown. Without knowing the intentions of the worm's creator, whether or not Stuxnet was "successful" in its mission is purely speculative. Given the highly sophisticated coding of Stuxnet, the money required to develop it and the time it had to operate, one can assume that much more damage than the destruction of 1,000 centrifuges could have been caused, had that been a desired outcome.
As of the writing of this paper, there has been no attribution for the Stuxnet worm. However, it is still important to think about who may be responsible for the worm so that we may consider possible agendas for the attack. By looking at the signature of the code, we can gain hints about possible future uses and, in general, understand the worm more fully. At this point, attributing Stuxnet to any nation-state, group or corporation would be ill-advised given the known evidence, because it is easy to leave false evidence behind in cyberspace.
That being said, two pieces of evidence found in the Stuxnet code itself have been cited as linking Israel to the creation of the worm. The number 19790509 was found, and some news sources and analysts state that it represents the date May 9, 1979. Further speculation connects that date to the execution in Tehran by firing squad of Habib Elghanian, a Jewish Iranian. The death of Elghanian, one of the first civilian executions by the new Islamic Iranian government, is credited with prompting a mass exodus of the 100,000-person Jewish community from Iran. However, if the number is a date (which it does seem to represent), it could refer to any number of events, including the Stuxnet author's birthday. The second piece of evidence from the code itself is the file path name "Myrtus," which has been suggested to be a reference to the Book of Esther in the Bible's Old Testament. Again, though, this word could represent many things, including "My RTUs," where RTU stands for Remote Terminal Unit, a device commonly used in SCADA systems and with PLCs.