designed to foil Iran’s enrichment work at Natanz and only impact that plant.
The research was conducted by a trio of specialists working for Symantec, the computer security company.
They found that the Stuxnet worm only springs into life in a system using equipment made by Fararo Paya in Tehran or Vacon of Finland. The goal appears to have been to speed up and slow down the spinning of Iran’s centrifuges, a sure way to disable them.
Liam O Murchu, one of the Symantec researchers, said Stuxnet’s creators “wanted to get on the system and not be discovered and stay there for a long time and change the process subtly, but not break it.”
Ars Technica, a computer news website, said the researchers determined long ago that Stuxnet was designed to intercept commands sent to control a certain function at a facility, but until Symantec’s latest research it was not known what function was being targeted for sabotage.
Symantec still has not determined what specific facility or type of facility Stuxnet targeted, but the new information lends weight to speculation that Stuxnet was targeting the Natanz uranium enrichment plant.
According to Symantec, Stuxnet targets specific frequency converter drives — power supplies that are used to control the speed of a device, such as a motor. The malware intercepts commands sent to the drives from the Siemens SCADA software, and replaces them with malicious commands to control the speed of a device, varying it wildly, but intermittently.
The malware, however, doesn’t just sabotage any frequency converter. It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Tehran or by the Finland-based Vacon.
Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds – between 807Hz and 1210Hz. Such high speeds are used only for select applications. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”
O Murchu said, “There’s only a limited number of circumstances where you would want something to spin that quickly – such as in uranium enrichment. I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the US using an Iranian device.”
Stuxnet is very specific about what it does once it finds its target facility. If the number of drives from the Iranian firm exceeds the number from the Finnish firm, Stuxnet unleashes one sequence of events. If the Finnish drives outnumber the Iranian ones, a different sequence is initiated.
“The amount of applications where this would be applicable are very limited,” O Murchu said. “You would need a process running continuously for more than a month for this code to be able to get the desired effect. Using nuclear enrichment as an example, the centrifuges need to spin at a precise speed for long periods of time in order to extract the pure uranium. If those centrifuges stop to spin at that high speed, then it can disrupt the process of isolating the heavier isotopes in those centrifuges . . . and the final grade of uranium you would get out would be a lower quality.”
O Murchu said that there is a long wait time between different stages of malicious processes initiated by the code — in some cases more than three weeks — indicating that the attackers were interested in sticking around undetected on the target system, rather than blowing something up in a manner that would get them noticed.
Stuxnet was designed to hide itself from detection so that even if administrators at a targeted facility noticed that something in the facility’s process had changed, they wouldn’t be able to see Stuxnet on their system intercepting and altering commands. Or at least they wouldn’t have seen this, if information about Stuxnet hadn’t been released last July.
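The behaviour described above (drive speed altered intermittently, weeks apart, without administrators seeing it) is the case for checking drive output against a reading that does not pass through the control software. The following is an added example, not code from Symantec or from this article: it groups out-of-band readings into episodes and marks those the operators' view never showed. The independent sensor, the field names, the 1000 Hz setpoint, the 50 Hz band and the telemetry are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: int               # seconds since start of capture
    reported_hz: float   # value the control software shows operators
    measured_hz: float   # independent out-of-band reading (assumed to exist)

@dataclass
class Episode:
    start: int
    end: int
    peak_dev_hz: float
    masked: bool         # True if the operators' view stayed in band throughout

def find_excursions(samples, setpoint_hz, band_hz):
    """Group consecutive out-of-band measured readings into episodes."""
    episodes, cur = [], None
    for s in samples:
        dev = abs(s.measured_hz - setpoint_hz)
        if dev > band_hz:
            looks_normal = abs(s.reported_hz - setpoint_hz) <= band_hz
            if cur is None:
                cur = Episode(s.t, s.t, dev, looks_normal)
            else:
                cur.end = s.t
                cur.peak_dev_hz = max(cur.peak_dev_hz, dev)
                cur.masked = cur.masked and looks_normal
        elif cur is not None:
            episodes.append(cur)
            cur = None
    if cur is not None:
        episodes.append(cur)
    return episodes

def gaps_days(episodes):  # quiet time between episodes, in days
    return [(b.start - a.end) / 86400 for a, b in zip(episodes, episodes[1:])]

def constructed_samples():
    """Constructed hourly telemetry, 60 days, made-up 1000 Hz setpoint."""
    drift = {120: 1300.0, 121: 1300.0, 720: 400.0, 721: 400.0, 722: 400.0}  # not shown to operators
    out = []
    for h in range(60 * 24):
        reported = 900.0 if h == 1200 else 1000.0   # day 50: visible operator-side change
        out.append(Sample(h * 3600, reported, drift.get(h, reported)))
    return out

if __name__ == "__main__":
    print(*find_excursions(constructed_samples(), 1000.0, 50.0), sep="\n")
```

In the constructed data the two masked episodes are almost 25 days apart, so a review window of a week or two would contain at most one of them.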
The Symantec research suggests, but does not prove, that an intelligence agency desiring to foil Iran’s nuclear program was behind the Stuxnet worm.