Stuxnet Targeted Nuclear Plants, Researchers Find

The Stuxnet worm targeted specific control systems in nuclear plants, according to researchers studying the malware.

Researchers at Symantec confirmed Stuxnet was created to affect a control system containing frequency converter drives, a power supply that can increase the speed of a motor with a higher frequency. Those specific frequency converter drives are made in two facilities -- one located in Finland and the other in Tehran, Iran, according to a Symantec blog post Friday.

Researchers deduced Stuxnet's intended targets by ascertaining that the notorious worm required that the frequency converter drives be operating at very high speeds between 800 Hz and 1200 Hz, found in a limited number of potential targets, including nuclear facilities. The malware also requires specific frequency converter drives from certain vendors, found in only specific countries.

Stuxnet's requirement for high frequency converter drives naturally limits the number of potential targets for the malware, researchers said.

"For example, a conveyor belt in a retail packaging facility is unlikely to be the target," said Symantec researcher Eric Chien in a blog post Friday, noting that, "low-harmonic frequency conveyer drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment."

Stuxnet is designed to monitor the currency operating frequency of the motors. Once it determines that the frequency, Stuxnet then hijacks the Programmable Logic Controller code and begins to modify the behavior of the frequency converter drive. The malware is then programmed to change the output frequencies, and subsequently, the speed of the motors, in short intervals over the course of months, ultimately interfering with the motor's behavior and sabotaging the normal operation of the industrial control process.

"With this discovery, we now understand the purpose of all of Stuxnet's code," Chien said.

But while security researchers have a better idea of the intended targets, they have yet to nail down Stuxnet's creators or their motives.

Stuxnet first emerged on the public radar in September when researchers found traces of code on Siemens industrial software systems that operate Iran's Bushehr nuclear reactor. The attack on Bushehr was later thought to be launched by exploiting four zero-day Windows vulnerability and spreading via infected USB devices, possibly indicating insider knowledge, experts had said.

The worm differentiated itself from other malware with its "search and destroy" code, designed to target industrial facilities such as chemical manufacturing and power plants using Supervisory Control and Data Acquisition (SCADA) systems.

Next: Security Experts Say Findings Indicate Changing Security Paradigm

Prior to the Bushehr plant, the malware had spread throughout numerous targets in Asia, including Malaysia, India and the Middle East throughout the summer.

Members of the security community contend that the latest Stuxnet findings underscore the need for a changing security paradigm in order for organizations to adequately protect their networks and infrastructure from increasingly sophisticated security attacks.

'We need to start to rethink how we are going to defend our networks in the coming years and decades. Layers of defense are, of course, important -- but what should those layers be?" said Marcus Sachs, director of SANS Internet Storm Center, in a blog post Sunday. "I'm afraid that many organizations are still defending themselves as though it's 1998."

Sachs added that traditional security, such as "firewalls and other blinking light mechanisms are not enough." Neither are patching, changing passwords, shutting off unneeded services or "any of the primary best practices we've been preaching as security professionals for many years," he said.

"We need a new layer to add to our defensive strategies. But what is that layer?"