Browse Definitions:


Contributor(s): Robert Richardson

The Stuxnet worm is a rootkit exploit that targets supervisory control and data acquisition (SCADA) systems. SCADA systems are used widely for industrial control systems, such as power, water and sewage plants, as well as in telecommunications and oil and gas refining. 

Discovery of Stuxnet

The first public awareness of Stuxnet dates to 2010, when Sergey Ulasen, then head of antivirus kernel development for VirusBlokAda Ltd., an antivirus company based in Belarus, discovered and described the malware (Ulasen went to work for Kaspersky Lab in 2011). Initially, the malware's purpose wasn't fully understood, but it was clear its design was complex, and it probably could not have been written without a team of expert programmers working over a period of several months. There are three separate code elements to Stuxnet; in fact, the first piece had already been noticed and remarked on. VirusBlokAda had found two malware samples in the wild that used a previously unknown flaw that enabled a fully patched Windows 7 computer to be compromised.

There was more to this attack than VirusBlokAda had initially seen, however.

Stuxnet contains code that can identify software used in the process of creating and deploying instructions for programmable logic controllers (PLCs) made by German manufacturer Siemens AG. Though malware that attacked PLCs had been seen before, this was the first instance of a rootkit that ran on a PLC.

Purpose of Stuxnet

Logic controllers automate the most critical parts of an industrial facility's processes, such as temperature, pressure, and the flow of water, chemicals and gasses. In the case of Stuxnet, malicious control of Siemens' PLCs was used to cause high-speed centrifuges to shake violently enough to cause physical damage.

Researchers who have closely examined the components and techniques used in Stuxnet believe work on developing the attack probably began around 2006. The primary attack on the Iran Natanz facility did not take place until the middle of 2009.

Stuxnet used a multistep attack sequence, beginning by exploiting Windows Autorun LNK files and spreading through removable storage devices, such as USB flash drives. It used four previously unknown Microsoft zero-day flaws to gain access to laptops and other machines, with the goal of gaining access to the network. In response, Microsoft issued two patches, and experts in SCADA security created a list of formal recommendations for facilities that use SCADA systems. 

Like the Zeus banking Trojan, Stuxnet code included stolen digital certificates, so the malware appeared legitimate and could avoid detection by traditional intrusion detection systems (IDS). After Stuxnet surfaced, researchers quickly began to reverse-engineer the malware. It is generally believed that Stuxnet was not designed for espionage, but rather to cause failures in the centrifuge infrastructure used for enriching uranium to weapons-grade at Iran's Natanz facility. Subsequent reports have estimated that about one-fifth of the centrifuges used at Natanz were brought offline by the malware.

Countries affected by Stuxnet

Because the target of the Stuxnet attack was Iran's nuclear facility at Natanz, it's not surprising the highest number of infected computers was found in Iran, according to statistics from an initial Symantec report. This degree of geographical targeting is unusual in malware design, however.


Share of infected computers









 United States




 Other countries


Stuxnet and the Equation Group

In 2015, Kaspersky Lab reported that a hacker organization dubbed Equation Group had deployed two of the same zero-day attacks used in Stuxnet and had done so prior to the likely date of Stuxnet's release. This led Kaspersky to conclude that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together."

Media coverage and movies based on Stuxnet

Reports in the New York Times published in July 2012 confirmed suspicions that the malware was jointly developed by the U.S. and Israel as part of a project code-named Olympic Games. Agents planted the Stuxnet malware initially in four engineering firms associated with Natanz, counting on careless use of USB thumb drives to transport the attack within the top-secret facility.

More comprehensive subsequent coverage includes the book Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, by David Sanger, the reporter who covered U.S. involvement in Stuxnet development in the New York Times; Kim Zetter's 2014 book, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon; and the 2016 documentary by director Alex Gibney, Zero Days.

A scene from ZERO DAYS, a Magnolia Pictures release.
A scene from ZERO DAYS, a Magnolia Pictures release.
This was last updated in December 2017 ???publishDate.suggestedBy???

Continue Reading About Stuxnet

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Do you think state-sponsored cyberattacks will eventually trigger a traditional, kinetic military conflict?


File Extensions and File Formats


  • smart contract

    A smart contract, also known as a cryptocontract, is a computer program that directly controls the transfer of digital currencies...

  • risk map (risk heat map)

    A risk map, also known as a risk heat map, is a data visualization tool for communicating specific risks an organization faces. A...

  • internal audit (IA)

    An internal audit (IA) is an organizational initiative to monitor and analyze its own business operations in order to determine ...


  • cloud ecosystem

    A cloud ecosystem is a complex system of interdependent components that all work together to enable cloud services.

  • cloud services

    Cloud services is an umbrella term that may refer to a variety of resources provided over the internet, or to professional ...

  • uncloud (de-cloud)

    The term uncloud describes the action or process of removing applications and data from a cloud computing platform.


  • cyberextortion

    Cyberextortion is a crime involving an attack or threat of an attack coupled with a demand for money or some other response in ...

  • Cybercrime

    Cybercrime is any criminal activity that involves a computer, networked device or a network.

  • National Security Agency (NSA)

    The National Security Agency is the official U.S. cryptologic organization of the United States Intelligence Community under the ...


  • Practice Fusion

    Practice Fusion Inc. is a San Francisco-based company that developed a free electronic health record (EHR) system available to ...

  • RHIA (Registered Health Information Administrator)

    An RHIA, or registered health information administrator, is a certified professional who oversees the creation and use of patient...

  • 21st Century Cures Act

    The 21st Century Cures Act is a wide-ranging healthcare bill that funds medical research and development, medical device ...



  • storage medium (storage media)

    In computers, a storage medium is any technology -- including devices and materials -- used to place, keep and retrieve ...

  • Random Access Memory (RAM)

    Random Access Memory (RAM) is the hardware in a computing device where the operating system (OS), application programs and data ...

  • floating gate transistor (FGT)

    A floating gate transistor (FGT) is a complementary metal-oxide semiconductor (CMOS) technology capable of holding an electrical ...


  • hybrid hard disk drive (HDD)

    A hybrid hard disk drive is an electromechanical spinning hard disk that contains some amount of NAND Flash memory.