153 machines still infected with Stuxnet

“The threat that Stuxnet presents for nuclear power plants is far from over, as there are still 153 distinct machines infected with it around the world.

The discovery was made by researcher Peter Kleissner, whose company managed to acquire two domains used as a Stuxnet C&C server in 2013 and 2014. This allowed them to see how many systems are still infected and regularly “phone” back to the C&C.

The fact that Stuxnet’s C&C protocol is not adequately secured allowed the researchers to discover data about the infected machines, including whether Siemens SCADA software is installed on them, and the project path of a found SCADA program.

Nearly half (47 percent) of all these infected machines are located in Iran. The rest are located in India (23 percent), Indonesia (8 percent), Saudi Arabia (7 percent), and the rest of the world.

Of the 153 infected machines, 6 have SCADA development software installed. 5 of these are in Iran, and three of them have a Siemens Step 7 project path set to C:\Program Files\Siemens\Step7\S7Proj\04082_19\040825.s7p – meaning they are likely an industrial machine (but not necessarily at a nuclear power plant).

“It is inevitable that existing malware infections lower the overall security of the particular machines and the entire networks and therefore make it easier (or possible at all) for anyone else to intrude the system,” Kleissner explained.

“Just as Kleissner & Associates’ C&C domain control enables us to control any remaining Stuxnet infected machines, any capable intelligence service (or individual with the knowledge and skills) could seize control and potentially cause considerable damage leveraging the remaining infections.””