Stuxnet worm entered Iran's nuclear facilities through hacked suppliers

Iranian nuclear reactor

You may have heard the common story of how Stuxnet spread: the United States and Israel reportedly developed the worm in the mid-2000s to mess with Iran's nuclear program by damaging equipment, and first unleashed it on Iran's Natanz nuclear facility through infected USB drives. It got out of control, however, and escaped into the wild (that is, the internet) sometime later. Relatively straightforward, right? Well, you'll have to toss that version of events aside -- a new book, Countdown to Zero Day, explains that this digital assault played out very differently.

Researchers now know that the sabotage-oriented code first attacked five component vendors that are key to Iran's nuclear program, including one that makes the centrifuges Stuxnet was targeting. These companies were unwitting Trojan horses, security firm Kaspersky Lab says. Once the malware hit their systems, it was just a matter of time before someone brought compromised data into the Natanz plant (where there's no direct internet access) and sparked chaos. As you might suspect, there's also evidence that these first breaches didn't originate from USB drives. Researchers saw that Stuxnet's creators compiled the first known worm mere hours before it reached one of the affected companies; unless there was someone on the ground waiting to sneak a drive inside one of these firms, that code reached the internet before it hit Natanz.

This attack-a-trusted-user technique isn't shocking in light of the National Security Agency's frequent use of malware against network administrators, and it supports leaks suggesting that Stuxnet has American roots. That's reinforced by additional claims in the book; it notes that the closely linked Duqu worm may have served as a "forward scout," swiping security certificate technology that could be used to make rogue code (possibly including Stuxnet) appear legitimate. With that said, Kaspersky and other investigators have yet to confirm the origins of the cyberattacks. They can tell you where Stuxnet and Duqu went, but not where they started.

[Image credit: IIPA via Getty Images]