The infamous Stuxnet worm may have had its eyes set on motors at nuclear power facilities, according to Symantec.
Researchers at Symantec say they have made a breakthrough in
deciphering another piece of Stuxnet's puzzle - the
disruption of motors at nuclear power plants.
Stuxnet - which is considered by some to be one of the most sophisticated pieces
malware ever seen - was first uncovered by the security community this
summer. In the ensuing months, speculation has run rampant about who
created the malware and what exactly it was designed to do.
"Since our discovery that Stuxnet actually modifies code on PLCs
(programmable logic controllers) in a potential act of sabotage,
we have been unable to determine what the exact purpose of Stuxnet is
and what its target was," blogged Eric Chien
technical director of Symantec Security Response. "However, we can now
confirm that Stuxnet requires the industrial control system to have
frequency converter drives from at least one of two specific vendors,
one headquartered in Finland and the other in Tehran, Iran. This
is in addition to the previous requirements we discussed of a S7-300
CPU and a CP-342-5 Profibus communications module."
A frequency converter drive controls the frequency of electrical
power supplied to a motor, thereby controlling the motor's speed.
Stuxnet, Chien explained, looks for frequency converter drives
operating at high speeds, between 807 Hz and 1210 Hz. These speeds
are only used in a limited number of applications - in fact, Chien
wrote, low-harmonic frequency converter drives that output more than
600 Hz are regulated for export in the U.S. by the Nuclear Regulatory Commission
because they can be used for uranium enrichment.
The prospect that nuclear facilities could be Stuxnet's main
target arguably gives more weight to speculation that its purpose
was to prevent either a certain country or certain countries from
developing nuclear weapons.
"Interfering with the speed of the motors sabotages the normal
operation of the industrial control process...Once operation at those
frequencies occurs for a period of time, Stuxnet then hijacks the PLC
code and begins modifying the behavior of the frequency converter
drives," he blogged. "In addition to other parameters, over a period of
months, Stuxnet changes the output frequency for short periods of time
to 1410Hz and then to 2Hz and then to 1064Hz. Modification of the
output frequency essentially sabotages the automation system from
operating properly. Other parameter changes may also cause
Much of the speculation has centered on Iran as the primary target,
as the country has been the site of many Stuxnet
infections. Additionally, Iran's first nuclear power plant is
reportedly expected to start feeding the country's power grid
by late December. Hidden within Stuxnet's code some say are clues
pointing to state-sponsorship, but many researchers have pointed
out that the evidence is far from conclusive.
Chien credited a Dutch Profibus expert as having played an important
role in the breakthrough and asked for more outside help in
"We would be interested in hearing what other applications use
frequency converter drives at these frequencies...Since we are far from
experts in industrial control systems, we appreciate any feedback or
further tips or explanation of some of the data," he wrote.