There has been no shortage of claims that Iran was the intended target of the Stuxnet worm. But the reality is, these claims are completely unfounded. Here are a few of the true facts behind Stuxnet.
Stuxnet was over a year old before anyone even knew it existed. Antivirus software did not detect Stuxnet for at least a year after its initial appearance. How do we know that? Once the Belarus-based VirusBlokAda discovered Stuxnet in July 2010, antivirus vendors were able to comb through their sample databases and find even earlier samples of the worm. These samples date back to as far as June 2009.
Infection statistics are from 13 months after Stuxnet first appeared. Antivirus vendor Symantec made the claim that "The concentration of infections in Iran likely indicates that this was the initial target for infections and was where infections were initially seeded."
Unfortunately, Symantec based this claim on infection figures that were collected after July 20, 2010 - at least 13 months after the first known variant of Stuxnet. Given that Stuxnet is a worm with steroidal propagation techniques, where it was 13 months after its initial appearance is immaterial. The first verified victim of Stuxnet was discovered in a plant in Germany. But even that was 13 months after the fact. The plain truth is, unglamorous as it may be, no one - except the Stuxnet author - knows the actual target.
Iran has the most poorly protected control systems in the world. If not a matter of origin, what do the high numbers of Stuxnet infections in Iran demonstrate? For obvious security reasons, best practices dictate that industrial control system computers not be connected to the Internet. That Iran has so many ICS computers with live Internet connections is a concern. Further, antivirus software is fully capable of detecting and preventing a Stuxnet infection. Such a large number of infected machines in Iran seems to demonstrate that these critical infrastructure computers aren't just exposed by being Internet-connected, but that they aren't even protected by rudimentary antivirus protection.
The high number of infections in Iran isn't a byproduct of targeting. It is the natural byproduct of a lack of protection combined with not following security best practices.
Clues in the Stuxnet code were badly misinterpreted. Theory-crafters who stumbled on clues in the worm's code quickly began making some rather wild claims that Israel was the attacker. Unfortunately, these interpretations were as clueless as the accusations that Iran was the target. For a run-through of these claims, see: Debunking the Bunk of Stuxnet.