Symantec: We finally understand Stuxnet
Security firm Symantec says it has discovered that the Stuxnet worm targeted specific motors used, for instance, in uranium enrichment processes. In a blog posting, Symantec says that, with the support of a Dutch Profibus expert, it has now managed to fully interpret the purpose of the Stuxnet code. Apparently, Stuxnet is designed to manipulate frequency converters, which determine motor speed.
Symantec's findings indicate that Stuxnet targeted industrial plants with a specific combination of components and characteristics: the target computer must have a type S7-300 CPU and be designed to control up to six type CP-342-5 Profibus communications modules, each of which can connect to up to 31 frequency converters. Symantec said Stuxnet attacks only converter drives made by two specific vendors, one in Finland and the other in the Iranian capital of Tehran. The malware reportedly requires the frequency converter drives to be operating between 807 Hz and 1210 Hz. By changing the output frequency, and with it the working speed, of the motors for short intervals over periods of months, Stuxnet reportedly sabotages the industrial control process the motors are used for.
Symantec says that the results of the analysis reduce the number of potential Stuxnet targets to only a few. According to the security firm, the malware's focus on converter models by two specific vendors and the very high output frequencies are defining characteristics. Symantec points out that, in the United States, the export of products that can output over 600 Hz is regulated by the US Nuclear Regulatory Commission, as these products can reportedly be used for uranium enrichment. "We are not experts in industrial control systems," Symantec said, "but for example, a conveyor belt in a retail packaging facility is unlikely to be the target." Symantec added that it would be interested in hearing what other applications use frequency converter drives at these frequencies.