Malware researchers have named five Iranian companies infected with Stuxnet and found the first one from which the worm leaked after wrecking the Natanz uranium plant.
Kaspersky and Symantec found that the contractors to Natanz were targeted between June 2009 and March 2010 and suffered 12,000 infections from 3280 Stuxnet samples. In a report with the catchy title "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon", the two security experts provide a different attack scenario from the official one.
It had been believed that Stuxnet was delivered straight to Natanz from where it escaped into the wild to be picked up by researchers and re-purposed by malware writers. But Kaspersky and Symantec found new information within the Stuxnet code. Stuxnet created new executables for each of its victims.
Every sample can be traced back to specific companies involved in industrial control systems-type work. Behpajooh was identified as patient zero, from where the worm leaked to the world. The others infected were Foolad Technic Engineering, which developed blueprints for Iran's industrial control systems; Neda Industrial Group; Control-Gostar Jahed Company; and Kala Electric, which developed centrifuges.
The sophisticated malware was widely thought to be the work of the US and Israel, created under Operation Olympic Games, which was launched by the Bush Administration and continued under President Obama. It contained four zero-day vulnerabilities, making it both expensive, in terms of the research typically required to discover the flaws, and highly targeted, having been designed to target the specific systems used in the Natanz facility.