Affiliated companies infected to spread malware inside nuclear plant.
Hackers behind the Stuxnet virus that hit Iranian nuclear centrifuges in 2010 used "waterholing" techniques to carry out the attack, according to a book by the journalist Kim Zetter.
‘Countdown to Zero Day’, which was released today, describes how the attackers targeted companies affiliated to the Natanz power plant in central Iran, rather than hitting the organisation directly.
"To get their weapon into the plant, the attackers launched an offensive against four companies," Zetter wrote. "All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems.
"They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees."
Responding to the book’s release, the security company Symantec said that it could verify the path that Stuxnet took to enter Natanz because the virus recorded information on computers it executed on, leaving a trail of "breadcrumbs" for researchers.
"Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz," said Liam O Murchu, senior development manager at Symantec.
"In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work."
He added that the work proved Stuxnet spread into Natanz rather than escaping out of the facility, contradicting a previous account of the attack by the journalist David Sanger in his book ‘Confront and Conceal’ and in a piece for the New York Times.
However, O Murchu said such tracing was possible only on Stuxnet 1.x and could not be carried out on previous iterations of the virus.
"While version 0.5, which did not spread as aggressively as version 1.x, could have been planted inside Natanz and then spread outwards, this version was no longer operational during the conversation timeframe (the summer of 2010) outlined in the Sanger article," he added.