The sophisticated cyberweapon which targeted an Iranian nuclear plant is older than previously believed, an anti-virus firm said Tuesday, peeling back another layer of mystery on a series of attacks attributed by The New York Times to U.S. and Israeli intelligence.
The Stuxnet worm, aimed at the centrifuges in Iran's Natanz plant, transformed the cybersecurity field because it was the first known computer attack specifically designed to cause physical damage. The precise origins of the worm remain unclear, but until now the earliest samples of Stuxnet had been dated to 2009, and the Times — in the fullest account of the attack so far published — traced the origins of the top-secret program back to 2006.
In a new report issued late Tuesday, Symantec Corp. pushed that timeline further back, saying it had found a primitive version of Stuxnet circulating online in 2007 and that elements of the program had been in place as far back as 2005.
One independent expert who examined the report said it showed that the worm's creators were particularly far-sighted.
"What it looks like is that somebody's been thinking about this for a long, long time — the better part of a decade," said Alan Woodward, a computer science professor at the University of Surrey. "It really points to a very clever bunch of people behind all of this."
Security experts generally agree that Stuxnet was an attempt to sabotage Iran's uranium enrichment centrifuges, which can be used to make fuel for reactors or weapons-usable material for atomic bombs. Iran maintains its nuclear program is for peaceful purposes.
Last year, the Times reported that President George W. Bush ordered the deployment of Stuxnet against Iran in a bid to put the brakes on its atomic energy program, detailing how the worm tampered with the operation of Natanz's centrifuge machines to send them spinning out of control.
President Barack Obama, who succeeded Bush shortly after the first attacks, expanded the campaign, the report said.
U.S. and Israeli officials have long declined to comment publicly on Stuxnet or their alleged involvement in creating and deploying the computer worm.
Symantec's report suggests that an intermediate version of the worm — Stuxnet 0.5 — was completed in November 2007. That worm lacked some of the sophistication of its descendant, Symantec said, and was designed to interfere with the centrifuges by opening and closing the valves which control the flow of uranium gas, causing a potentially damaging buildup in pressure.
That approach was dropped in later, improved versions of the Stuxnet code.
Symantec said the servers used to control the primitive worm were set up in November 2005, suggesting that Stuxnet's trailblazing authors were plotting out their attack at a time when many parts of the Internet now taken for granted were not yet in place. Twitter did not exist, Facebook was still largely limited to U.S. college campuses, and YouTube was in its infancy.
Woodward said that had troubling implications.
"Clearly these were very forward-thinking, clever people that were doing this," he said. "There's no reason to think that they're less forward-thinking now. What are they up to?"