Security researchers cautious about Iran's admission of Stuxnet issues
November 30 2010
Although Iran on Monday apparently confirmed that the Stuxnet worm disrupted the country's uranium enrichment efforts, one of the researchers who has dug deepest into the malware wasn't ready to call it a done deal.
"If that information is accurate, then, yes, it's very interesting," said Liam O Murchu, manager of operations on Symantec's security response team, in an interview Monday.
If it did affect the centrifuges, O Murchu continued, again stressing the word "if," then it would verify that Symantec's latest analysis of Stuxnet was on the mark. "But we'd like to get firm confirmation that Stuxnet was definitely used to disrupt centrifuges," he said.
Monday's announcement by Iran's President Mahmoud Ahmadinejad notwithstanding, that proof may never come.
Iran's story on Stuxnet has changed in the last several months, and it's possible Ahmadinejad's admission was a smokescreen for more prosaic problems.
O Murchu acknowledged that Stuxnet's target may never be known with certainty, even though the circumstantial evidence points toward Iran and its nuclear program.
"Stuxnet didn't give us direct proof that [it] targeted centrifuges," O Murchu said. "It only pointed toward that as one of the applications that it could have targeted."
Not that he doesn't have strong suspicions.
"Stuxnet targeted PLCs," O Murchu said, referring to the "programmable logic controllers" that the worm modified. "It targeted drive converters at the frequencies used for [uranium] enrichment. There really aren't a lot of options left other than uranium enrichment."
O Murchu, Eric Chien and Nicolas Falliere, all of Symantec, have spent months analyzing Stuxnet, a worm that others have called "groundbreaking" in its complexity and deviousness. Two weeks ago, the three said clues in the worm's code indicated that Stuxnet targeted industrial systems that control high speed electrical motors, like those used to spin gas centrifuges, one of the ways uranium can be enriched into bomb-grade material.
According to O Murchu, Chien and Falliere, Stuxnet looked specifically for devices called "frequency converter drives." Such drives take electrical current from a power grid, then change the output to a much higher frequency, typically 600 Hz or higher.
When the worm found converter drives operating between 807 Hz and 1210 Hz, Stuxnet reset the frequency to 1410 Hz, then after 27 days, dropped the frequency to just 2 Hz and later bumped it up to 1064 Hz. It then repeated the process.
View more news |
