Discovered this year in June in Iran, Stuxnet has already infected more than 100,000 computer systems worldwide and is not, as it first seemed, a sophisticated Windows virus designed to steal data. It apparently contains code targeting Siemens Simatic WinCC SCADA systems, which are control systems that manage pipelines, nuclear plants and various utility and manufacturing equipment. Despite these discoveries, the specific sabotage function has not yet been discovered.
Symantec researchers have also uncovered the fact that Stuxnet targets specific frequency-converter drives, which are basically power supplies used to control the speed of a physical device, such as a motor. The malware replaces commands intercepted from SCADA systems with its own malicious routines.
However, Stuxnet does not target just any frequency converter, only specific ones, such as those made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.
“There’s only a limited number of circumstances where you would want something to spin that quickly – such as in uranium enrichment,” said Liam O Murchu, a researcher with Symantec Security Response. “I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device,” he added.
Stuxnet was publicly exposed in Belarus, the country where the most infections occurred, by VirusBlokAda, an obscure security company.
“Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz,” writes Symantec’s Eric Chien on the company’s blog. “Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.”
Stuxnet’s internal security systems hide it even from system administrators, and many such infections would have been overlooked if official information about it had not been published in July.