Last week, Symantec released the most detailed report on Stuxnet yet.
While there has been much speculation in the media about Stuxnet, its creators, and, most of all, the target of the attack, the report provides a solid foundation of facts. Overall, the report presents a picture of a complex and professionally crafted threat that targeted a specific subset of industrial systems.
"The code is professionally written; it is coded to a very high standard," says Liam O Murchu, a researcher with Symantec's Security Response, who spoke to reporters on Friday. "They were very careful not to leave traces in the code that could lead back to them."
Here are some salient facts from the report. Decide for yourself whether they support the speculation about Stuxnet.
The victims, especially industrial targets, were in Iran
While there was a lot of hype, and then some pooh-poohing, of the Iran angle, Stuxnet infections have mainly occurred in that country, according to Symantec's data. Of the approximately 100,000 compromised systems currently seen by Symantec's sensors, nearly 63,000 are in Iran. In addition, infected systems in Iran are dramatically more likely to have the targeted Siemens control software installed: 58 percent do, compared to 8 percent of South Korean systems, the next highest proportion of industrial systems infected.
Of course, the primary problem with this data is that it's based only on what Symantec is seeing through its own network sensors. Other security firms have put India at the top of the infection heap, especially after the rate of Iran's infections plunged to zero in late August.
Over the weekend, Iran's intelligence agency arrested "spies" that it blamed for the attack.