Symantec claims breakthrough in understanding on how Stuxnet operates and what its targets are
The Stuxnet worm requires the industrial control system to have frequency converter drives from at least one of two specific vendors.
According to Symantec's Eric Chien, a critical piece of the Stuxnet puzzle has been connected. He claimed that since it discovered that Stuxnet modifies code in a potential act of sabotage, it has been unable to determine what the exact purpose of Stuxnet is and what its target was. According to the Register, new research that was published late last week established that Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland.
Chien said: “The new key findings are that Stuxnet requires particular frequency converter drives from specific vendors, some of which may not be procurable in certain countries. Stuxnet requires the frequency converter drives to be operating at very high speeds, between 807Hz and 1,210Hz. While frequency converter drives are used in many industrial control applications, these speeds are used only in a limited number of applications.
“Stuxnet also changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process. Finally, Stuxnet's requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities.”
With the frequencies considered to be very high-speed, Chien said that it is likely that a conveyor belt in a retail packaging facility is unlikely to be the target.
Symantec's new detection therefore determined that once operation at those frequencies occurs for a period of time, Stuxnet then hijacks the PLC code and begins modifying the behaviour of the frequency converter drives. In addition to other parameters, over a period of months, Stuxnet changes the output frequency for short periods of time to 1,410Hz and then to 2Hz and then to 1,064Hz. Modification of the output frequency essentially sabotages the automation system from operating properly.
“With this discovery, we now understand the purpose of all of Stuxnet's code. We have modified our paper, in particular multiple subsections of the modifying PLCs section, to include the finer details. Since we are far from experts in industrial control systems,” he said.