14 DAY TRIAL // New research suggests that Stuxnet was planted on computers at five different organizations in Iran in the hope that it will spread towards the final target.
By analyzing the timestamps collected by 3,280 Stuxnet samples, security researchers from Symantec were able to determine that the original infections were part of a targeted attack.
In total, 12,000 infections corresponding to those samples were traced back to five separate organizations with a presence in Iran.
"These five organizations were infected, and from those five computers Stuxnet spread out — not to just computers in those organizations, but to other computes as well. It all started with those five original domains," explains Symantec's Liam O Murchu, according to Wired.
The first round of infections was in June 2009 and targeted two sites, one of them just twelve hours after the sample was compiled.
The malware was introduced via USB devices and the short time period from compilation to infection suggests that attackers had everything planned. In July 2009 another two organizations were infected with the same sample.
A new variant was compiled in March 2010 and infected a single organization, while a third was created one month later and affected three sites.
One of the organizations was targeted in all three attacks, another one in two of them and the rest one time each.
Even though it targeted a single organization, the March 2010 variant spread most successfully, accounting for 69% of all 12,000 infections.
Security researchers have reason to believe that there is a fourth version, but they haven't been able to identify it yet.
There is consensus that since Stuxnet spreads from computer to computer through local area networks, the five initial organizations are connected to the final target.
The final target was likely the nuclear installation at Natanz, where Stuxnet is believed to have destroyed as much as 1,000 uranium enrichment centrifuges.