Symantec researchers have figured out a key mystery to the Stuxnet worm code that strongly suggests it was designed to sabotage a uranium enrichment facility.
The program targets systems that have a frequency converter, which is a type of device that controls the speed of a motor, Eric Chien, technical director of Symantec Security Response, told CNET today. The malware looks for converters from either a company in Finland or Tehran, Iran.
"Stuxnet is watching these devices on the target system that is infected and checking what frequency these things are running at," looking for a range of 800 Hz to 1200 Hz, he said. "If you look at applications out there in industrial control systems, there are a few that use or need frequency converters at that speed. The applications are very limited. Uranium enrichment is an example."
There had been speculation that Stuxnet was targeting an Iranian nuclear power plant. But power plants use uranium that has already been enriched and don't have the kind of frequency converters Stuxnet seeks, such as those that control centrifuges, Chien said.
The new information from Symantec would seem to bolster speculation that Iran's Natanz uranium enrichment facility was a target. The worm spreads via holes in Windows and saves its payload for systems running specific industrial control software from Siemens.
Also on Symantec's short list of possible targets are facilities using computer numerical controlled equipment, commonly referred to as CNC equipment, such as drills used to cut metal, he said.
The Stuxnet code modifies the programmable logic controllers in the frequency converter drives that control the motors. It changes the converter's output frequency, first to above 1400 Hz and then down to 2 Hz (speeding the motor up and then nearly halting it), before settling it at just over 1000 Hz, according to Chien.
"Basically, it is messing with the speed at which the motor runs, which could cause all kinds of things to happen," he said. "The quality of what is being produced would go down or not be able to be produced at all. For example, a facility wouldn't be able to enrich uranium properly."
It could also cause physical damage to the motor, Chien said. "We have confirmation that this industrial process automation system is essentially being sabotaged," he added.
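The sabotage pattern described above (drives that normally run in the 800 Hz to 1200 Hz band being pushed above 1400 Hz, then down to 2 Hz, then back to just over 1000 Hz) is the kind of thing a plant-side monitor can catch from drive telemetry alone. The following is an added defender-side example, not code from the article, from Symantec, or from Chien's blog post. It assumes a simple constructed telemetry log of `time,drive_id,setpoint_hz` lines (the log format, drive identifiers, the specific sample values 1450 Hz and 1020 Hz, and the 10 Hz stall threshold are all assumptions for the example), flags any commanded setpoint outside the expected operating band, and separately recognises the spike-then-near-stop sequence on a per-drive basis.

```python
"""Detection check over constructed frequency-converter setpoint telemetry.

Flags (1) setpoints outside the expected operating band and (2) the
spike-then-near-stall sequence the article attributes to Stuxnet. The
telemetry format, drive ids, sample values and stall threshold are
assumptions for this example.
"""
from dataclasses import dataclass

OPERATING_BAND_HZ = (800.0, 1200.0)  # expected band for these drives (per the article)
SPIKE_HZ = 1400.0                    # excursion above this is the reported "speed up"
STALL_HZ = 10.0                      # "nearly halting": below this counts as a stall (assumption)


@dataclass(frozen=True)
class Sample:
    t: float           # seconds since monitoring started
    drive_id: str      # drive serial / bus address (constructed identifiers)
    setpoint_hz: float  # commanded output frequency


# Constructed telemetry. DRV-01 shows the article's pattern: normal, spike,
# near-stop, back to just over 1000 Hz. DRV-02 stays in band throughout.
SAMPLE_LOG = """
# t,drive_id,setpoint_hz
0,DRV-01,1020
60,DRV-01,1020
120,DRV-01,1450
180,DRV-01,1450
240,DRV-01,2
300,DRV-01,1020
0,DRV-02,1020
60,DRV-02,1020
120,DRV-02,1020
180,DRV-02,1020
"""


def parse_log(text):
    """Parse 'time,drive_id,setpoint_hz' lines; blank and '#' lines are skipped."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, drive_id, hz = line.split(",")
        samples.append(Sample(float(t), drive_id, float(hz)))
    return samples


def out_of_band(samples, band=OPERATING_BAND_HZ):
    """Every sample whose commanded setpoint lies outside the operating band."""
    lo, hi = band
    return [s for s in samples if not lo <= s.setpoint_hz <= hi]


def spike_then_stall(samples, spike_hz=SPIKE_HZ, stall_hz=STALL_HZ):
    """Per drive, list (spike_time, stall_time) pairs where a setpoint above
    spike_hz was later followed by a setpoint below stall_hz."""
    by_drive = {}
    for s in sorted(samples, key=lambda s: s.t):
        by_drive.setdefault(s.drive_id, []).append(s)
    hits = {}
    for drive, seq in by_drive.items():
        spike_t = None
        for s in seq:
            if s.setpoint_hz > spike_hz:
                if spike_t is None:
                    spike_t = s.t          # remember the first sample of the spike
            elif spike_t is not None and s.setpoint_hz < stall_hz:
                hits.setdefault(drive, []).append((spike_t, s.t))
                spike_t = None             # sequence complete; look for another
    return hits


def analyze(log_text):
    """Run both checks and return a compact summary keyed by drive id."""
    samples = parse_log(log_text)
    summary = {}
    for s in out_of_band(samples):
        summary.setdefault(s.drive_id, {"out_of_band": [], "spike_then_stall": []})
        summary[s.drive_id]["out_of_band"].append((s.t, s.setpoint_hz))
    for drive, pairs in spike_then_stall(samples).items():
        summary.setdefault(drive, {"out_of_band": [], "spike_then_stall": []})
        summary[drive]["spike_then_stall"].extend(pairs)
    return summary


if __name__ == "__main__":
    for drive, findings in analyze(SAMPLE_LOG).items():
        print(drive, findings)
```

The band check alone would already raise an alert at the first spike sample; the sequence check is there so the alert carries the whole signature rather than a single reading, which makes it easier to distinguish from an ordinary operator-commanded speed change.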
Symantec was able to figure out what the malware does and exactly what systems it targets after getting a tip from a Dutch expert in the Profibus network protocol, which is used in these specific industrial control systems. The information had to do with the fact that the frequency drives all have a unique serial number, according to Chien. "We were able to pair up a couple of numbers we had with some devices and figured out they were frequency drives," he said.
"The real world implications [to Stuxnet] are pretty frightening," Chien said. "We're not talking about a credit card being stolen. We're talking about physical machines potentially causing damage in the real world. And clearly there are some geopolitical concerns, as well."
Chien has more detailed technical information in this blog post.