Stuxnet specifically targeted Iran nuclear plants
22 Nov 2010
London – There is now strong evidence linking the Stuxnet virus, which modifies code on SCADA and PLC control systems, to a state-sponsored attack on Iran’s nuclear enrichment programme, a blog item on the Symantec website suggests.
According to the IT security firm, a Dutch Profibus expert has helped Symantec to establish that the malware requires the industrial control system to have frequency converter drives, as well as an S7-300 CPU and a CP-342-5 Profibus communications module.
The virus was found to attack only frequency converter drives – power supply units that can change the frequency of the output and control the speed of a motor – from two specific vendors, one based in Finland and the other in Tehran.
Stuxnet also requires the converter drives to be operating at very high speeds, between 807 Hz and 1210 Hz, which are used only in a limited number of applications. Interfering with the speed of the motors sabotages the normal operation of the industrial control process.
Stuxnet then hijacks the PLC code and begins modifying the behavior of the frequency converter drives once they have been operated at the specific high frequencies for a period of time.
Efficient low-harmonic frequency converter drives that output over 600 Hz are regulated for export in the US by the Nuclear Regulatory Commission as they can be used for uranium enrichment.
“We would be interested in hearing what other applications use frequency converter drives at these frequencies,” said Symantec, suggesting that Iran’s nuclear programme was the actual target of the Stuxnet writers.
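For plant operators, the conditions reported above amount to an exposure profile that can be checked against an asset inventory. The sketch below is an added example, not code from Symantec or from the original article: the inventory records, field names and the three-sample threshold for "a period of time" are assumptions, and the two drive vendors are not named in the article, so vendor is not checked.

```python
# Added example: constructed inventory and telemetry, hypothetical field names.
from dataclasses import dataclass, field

BAND_HZ = (807.0, 1210.0)   # drive output range reported in the article
MIN_SUSTAINED_SAMPLES = 3   # assumption: the article only says "a period of time"

@dataclass
class Plc:
    name: str
    cpu: str
    modules: list
    drive_hz: list = field(default_factory=list)  # one reading per polling interval

def longest_run_in_band(samples, band=BAND_HZ):
    """Length of the longest consecutive run of readings inside the band."""
    best = run = 0
    for hz in samples:
        run = run + 1 if band[0] <= hz <= band[1] else 0
        best = max(best, run)
    return best

def unmet_conditions(plc):
    """Return the reported conditions this PLC does NOT meet; [] means full match."""
    unmet = []
    if not plc.cpu.upper().startswith("S7-300"):
        unmet.append("cpu")
    if "CP-342-5" not in {m.upper() for m in plc.modules}:
        unmet.append("profibus_module")
    if not plc.drive_hz:
        unmet.append("frequency_drives")
    elif longest_run_in_band(plc.drive_hz) < MIN_SUSTAINED_SAMPLES:
        unmet.append("sustained_high_frequency")
    return unmet

INVENTORY = [  # constructed sample data
    Plc("line-a", "S7-300", ["CP-342-5"], [1064, 1064, 1065, 1063]),
    Plc("pump-1", "S7-300", ["CP-342-5"], [50, 50, 60, 50]),
    Plc("hvac-2", "S7-400", ["CP-443-1"], []),
    Plc("mill-3", "S7-300", ["CP-342-5"], [900, 50, 950, 40, 1000]),
]

def triage(inventory):
    """Map each PLC name to its list of unmet conditions."""
    return {p.name: unmet_conditions(p) for p in inventory}

if __name__ == "__main__":
    for name, unmet in triage(INVENTORY).items():
        print(name, "matches reported profile" if not unmet else f"no match: {unmet}")
```

A PLC such as `mill-3`, whose drives only touch the band briefly, is reported separately from one that runs there continuously, which is the distinction the article draws.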