Stuxnet has a double payload
According to the latest analysis, Stuxnet is aimed not at disrupting a single system, but at two different systems. According to control systems security firm Langner Communications, the worm is not just designed to interfere with specific, variable frequency, motor control systems – it also attempts to disrupt turbine control systems. According to Langner, this would mean that, in addition to Iran's uranium enrichment plant at Natanz, the country's Bushehr nuclear power plant may have been a further target of the Stuxnet attack.
Specialists have been puzzling over the worm's target for several weeks, with early rumours circulating that it was aimed at sabotaging Natanz or Bushehr. However, no-one initially suspected that its aim was to sabotage both plants, although clues that this might be the case have been emerging for some time. Stuxnet attacks Siemens control system types S7-300 (315) and S7-400 (417). The attack modules appear to have been created using different tools – probably even by different teams.
The code for the S7-417 system – used in the turbine control systems at Bushehr – is reported to be much more sophisticated than that for the S7-315 system. The code carries out what amounts to a man-in-the-middle attack in order to pass fake input and output values to the genuine plant control code. User code running on a programmable logic controller (PLC) does not usually query I / O ports directly, but instead reads from an input process image and writes to an output process image. Mapping of physical ports to logical ports is intended to ensure that I / O values do not change during processing cycles.
According to analysis by Langner, the Stuxnet code deactivates regular updating of the process images. Values are instead written to the process images by code injected into the PLC. What these values are depends on whether or not an attack is under way. The Stuxnet code is able to pass the original values from the physical input to the process image – or not, as the case may be. This allows it to disrupt turbine control systems, which in extreme cases can lead to destruction of the turbine.
This realisation is the cherry on top of the icing on the cake. Initial analysis of Stuxnet showed that the worm contained a rootkit for PLCs which fooled programmers into thinking there was nothing wrong with the code for their control system.
Just this past weekend, Symantec announced that it had discovered that the Stuxnet worm was aimed at specific motors which can be used, among other things, for uranium enrichment. The company reported that Stuxnet is designed to interfere with control systems for the frequency converters which determine motor speeds, but this now appears to be only one of the two payloads.