Missing piece completes Stuxnet jigsaw

Malware targets frequency converter drives from two specific vendors


Security researchers have found an important missing piece in the Stuxnet jigsaw that provides evidence that the malware was targeted at the types of control systems more commonly found in nuclear plants and other specialised operations than in mainstream factory controls.

It was already known that the highly sophisticated Stuxnet worm targets industrial plant control (SCADA) systems from Siemens, spreading either through unpatched Windows vulnerabilities or from infected USB sticks. The malware only uses infected PCs as a conduit onto connected industrial control systems. The malware is capable of reprogramming or even sabotaging targeted systems while hiding its presence using rootkit-style functionality.

New research, published late last week, has established that Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. In addition, Stuxnet is only interested in frequency converter drives that operate at very high speeds, between 807 Hz and 1210 Hz.

The malware is designed to change the output frequencies of drives, and therefore the speed of associated motors, for short intervals over periods of months. This would effectively sabotage the operation of infected devices while creating intermittent problems that are that much harder to diagnose.
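A defender's view of the behaviour described above, as an added example that is not from the article or from the research it reports: it groups out-of-tolerance frequency readings into episodes and flags a drive running in the reported 807 Hz to 1210 Hz band when short excursions recur. The log format, tolerance, thresholds and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Band the article reports Stuxnet looks for before acting (Hz).
TARGET_BAND_HZ = (807.0, 1210.0)

@dataclass
class Episode:
    start_s: int
    end_s: int
    peak_dev_hz: float

def find_excursions(samples, tolerance_hz=5.0):
    """Group consecutive out-of-tolerance samples into episodes.

    samples: time-ordered (timestamp_s, setpoint_hz, measured_hz) tuples.
    Assumption: measured_hz comes from a sensor independent of the
    controlling PC, since the malware hides its own presence.
    """
    episodes, current = [], None
    for ts, setpoint, measured in samples:
        dev = abs(measured - setpoint)
        if dev > tolerance_hz:
            if current is None:
                current = Episode(ts, ts, dev)
            else:
                current.end_s = ts
                current.peak_dev_hz = max(current.peak_dev_hz, dev)
        elif current is not None:
            episodes.append(current)
            current = None
    if current is not None:  # log ended while still out of tolerance
        episodes.append(current)
    return episodes

def review(samples, tolerance_hz=5.0, min_episodes=2):
    """Return (flagged, episodes); flagged means a drive in the reported
    band showed repeated excursions within the log window."""
    samples = list(samples)
    episodes = find_excursions(samples, tolerance_hz)
    lo, hi = TARGET_BAND_HZ
    high_speed = any(lo <= sp <= hi for _, sp, _ in samples)
    return high_speed and len(episodes) >= min_episodes, episodes

# Constructed sample log: 1000 Hz setpoint, two brief excursions ten days apart.
LOG = [
    (0, 1000.0, 1000.2), (60, 1000.0, 999.9),
    (120, 1000.0, 1150.0), (180, 1000.0, 1145.5), (240, 1000.0, 1000.1),
    (864000, 1000.0, 1000.0), (864060, 1000.0, 850.0), (864120, 1000.0, 999.8),
]
```

Because the excursions are brief and far apart, the useful signal is the episode count over a long retention window rather than any single alarm.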

Low-harmonic frequency converter drives that operate at over 600 Hz are regulated for export in the US by the Nuclear Regulatory Commission as they can be used for uranium enrichment. They may have other applications but would certainly not be needed to run a conveyor belt at a factory, for example.

Symantec - which has an informative write-up piece here - describes the new research as a "critical piece of the puzzle". Eric Chien, a senior researcher at Symantec, writes: "With this discovery, we now understand the purpose of all of Stuxnet’s code."

Although we know what Stuxnet does, we still can't be sure who created it or its exact purpose, although we can make an educated guess.

Stuxnet infections first surfaced in Malaysia in June, but the appearance of the malware in Iran has long been the major point of interest in the story. Plant officials at the controversial Bushehr nuclear plant in Iran admitted the malware had infected its network in September. This had nothing to do with a recently announced two-month delay in bringing the reactor online, government ministers subsequently claimed.

One theory is that Russian contractors at the site of the Bushehr power plant introduced the malware, either accidentally or (more likely) deliberately. Stuxnet used four Windows zero-day vulnerabilities to spread and must have been developed by a team with expertise in and access to industrial control systems over several weeks, at a minimum. Altogether it was an expensive and tricky project with no obvious financial return, factors that suggest the malware was developed with either the direct involvement or support of intelligence agencies or nation-states and was designed for sabotage.

The appearance of the malware has provoked talk of cyberwar in some quarters and certainly done a great deal to raise the profile of potential attacks on power grid and utility systems in the minds of politicians. This is regardless of the potential likelihood of such an attack actually being successful, which remains unclear even after the arrival of Stuxnet. ®

Biting the hand that feeds IT © 1998–2022