The Stuxnet saga rolls on. And while a lot of talented people have been poring over the code for a while, some questions are still unresolved at this time, despite all the coverage.

  • Who is responsible for it?
  • Was it really the work of a nation team rather than hackers? Well, our analysis of the code certainly indicates the participation of someone who knows SCADA, Siemens software, and SQL: not the skills we normally associate with the samurai (hackers for hire) that governments and certain military groups have often used in the past for cyber espionage. In fact, it's by no means unlikely that this malware project was put together by a team with a range of skills and backgrounds, not unlike the sort of multi-disciplinary tiger team that is often put together to counter attacks.
  • What exactly is its purpose? While we now know a great deal about the Stuxnet code, it's not possible to get the whole picture from code analysis.
  • Is it really aimed at Iran? Two sites in particular have been named as likely targets, but the fact that self-replicating malware was used to deliver the payload may have obscured the real targeting. Indeed, it's been reported that 1/3 of the SCADA sites known to have been affected are in Germany, a country which, unlike Iran, our telemetry does not show as experiencing a high volume of infections on other sites.

ESET doesn't claim to have all the answers at this point, but we have just published a lengthy analysis that considers many of these questions, as well as discussing some of the characteristics of this fascinating and multi-faceted malicious code. The report is already available here and here.

Thanks and kudos to the guys in Russia who did all the heavy lifting on this analysis. And yes, there's more to come.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow
