Symantec’s not saying that the Stuxnet worm was a state-sponsored creation designed to take out the centrifuges that power Iran’s controversial uranium enrichment program. The company’s just saying that if someone can come up with another explanation that pieces together the latest analysis of the worm, they’d love to hear it.
In a blog post on November 12, Symantec researcher Eric Chien said that the company had finally pierced the veil on Stuxnet and now understands not only what kind of industrial control equipment Stuxnet was written to exploit, but also how it was programmed to manipulate that equipment.
The analysis, which was possible after a Dutch researcher responded to Symantec’s public request for assistance, lends credence to the theory that Stuxnet was targeted at centrifuges that were used for uranium enrichment in Iran.
Symantec has done the most extensive private-sector analysis of the Stuxnet worm, and made much of what it has learned public through posts on the Symantec Connect blog and presentations. At the Virus Bulletin Conference in September, researcher Liam O’Murchu revealed that Stuxnet targeted programmable logic controllers (PLCs) by Siemens Inc. and probably disabled machinery connected to them. At that time, however, O’Murchu said that Symantec still didn’t know what types of machinery the targeted logic controllers were connected
In the intervening months, however, Symantec received some valuable help from what the company described as a Dutch expert with knowledge of the Profibus network adapter cards that Symantec had determined were used to connect to the type of PLCs that Stuxnet targeted. That information permitted Symantec to do a deeper analysis of Stuxnet that revealed the PLCs Stuxnet affected were programmed to operate frequency converter drives – common components of industrial control systems that modify the frequency of output to control of speed of another component, such as a motor.
Specifically, Symantec learned that the kinds of frequency converter drives that Stuxnet was attempting to control come from just two vendors: one headquartered in Finland, the other in Tehran, Iran. Furthermore, the company said worm was looking for drives operating at very high frequencies — 807 Hz to 1210 Hz — relative to drives used for most industrial control systems. Th
According to the post, one application for drives running at that frequency is uranium enrichment; the U.S. government’s Nuclear Regulatory Commission (NRC) controls the export of converter drives that can support output over 600 Hz for that reason, Chien notes.
And, while Symantec said it can’t confirm that the motors targeted by Stuxnet were being used for that purpose, the company “would be interested in hearing what other applications use frequency converter drives at these frequencies.”
Assuming that the motors Stuxnet was attempting to control were hooked up to centrifuges used for uranium enrichment, the worm’s code would have made a hash of it: monitoring the frequency converters for a time to understand their behavior, then intermittently changing their output for short periods of time to sabotage the system, Chien wrote.
Symantec’s analysis is just one take on the Stuxnet worm and is by no means definitive. While the worm did disproportionately affect Iran, it spread the most widely inside India. In addition, the company is careful to say that there are many applications for frequency converters and that it is possible that those targeted by Stuxnet were not running centrifuges.
Symantec has updated its analysis of Stuxnet to include the new information on the intended target of the worm.