Researchers at Symantec say they have made a breakthrough in deciphering another piece of Stuxnet’s puzzle – the disruption of motors at nuclear power plants.
Stuxnet – which is considered by some to be one of the most sophisticated pieces of malware ever seen – was first uncovered by the security community this summer. In the ensuing months, speculation has run rampant about who created the malware and what exactly it was designed to do.
“Since our discovery that Stuxnet actually modifies code on PLCs (programmable logic controllers) in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was,” blogged Eric Chien, technical director of Symantec Security Response. “However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module.”
A frequency converter drive controls the frequency of electrical power supplied to a motor, thereby controlling the motor’s speed.
Stuxnet, Chien explained, looks for frequency converter drives operating at high speeds, between 807 Hz and 1210 Hz. These speeds are only used in a limited number of applications – in fact, Chien wrote, low-harmonic frequency converter drives that output more than 600 Hz are regulated for export in the U.S. by the Nuclear Regulatory Commission because they can be used for uranium enrichment.
The prospect that nuclear facilities could be Stuxnet’s main target arguably gives more weight to speculation that its purpose was to prevent either a certain country or certain countries from developing nuclear weapons.
“Interfering with the speed of the motors sabotages the normal operation of the industrial control process…Once operation at those frequencies occurs for a period of time, Stuxnet then hijacks the PLC code and begins modifying the behavior of the frequency converter drives,” he blogged. “In addition to other parameters, over a period of months, Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz. Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.”
Much of the speculation has centered on Iran as the primary target, as the country has been the site of many Stuxnet infections. Additionally, Iran’s first nuclear power plant is reportedly expected to start feeding the country’s power grid by late December. Hidden within Stuxnet’s code some say are clues pointing to state-sponsorship, but many researchers have pointed out that the evidence is far from conclusive.
Chien credited a Dutch Profibus expert as having played an important role in the breakthrough and asked for more outside help in examining Stuxnet.
“We would be interested in hearing what other applications use frequency converter drives at these frequencies…Since we are far from experts in industrial control systems, we appreciate any feedback or further tips or explanation of some of the data,” he wrote.