Stuxnet Was Designed To Subtly Interfere With Uranium Enrichment
ceswiedler writes "Wired is reporting that the Stuxnet worm was apparently designed to subtly interfere with uranium enrichment by periodically speeding or slowing specific frequency converter drives spinning between 807Hz and 1210Hz. The goal was not to cause a major malfunction (which would be quickly noticed), but rather to degrade the quality of the enriched uranium to the point where much of it wouldn't be useful in atomic weapons. Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 at around the time the worm was spreading in Iran."
AC motors require these drives to get their speed. 60Hz would be about 1800 or 3600 rpm, depending on how it's wound. Most industrial drives can be programmed for 400Hz, which will spin the armature quite fast. Enrichment is like spinning glassware on a dentist's drill. Those frequencies at that high a voltage (480 volts typical) have a very high switching rate that requires exotic transistor designs. Given that these controllers aren't very common, say for a juice mixer, they can be tracked and sabotaged by the distributor quite easily.
I doubt that you would really need that many resources to do something like this.
Aside from the problem that maxwell demon points out with the huge amount of secret internal information required, the attackers also obtained and used several zero-day vulnerabilities and driver signing certificates from two different hardware manufacturers. That's hardly trivial.
I concur.
Also note that whoever wrote the virus had very specific knowledge of the target.
It would only act if more than 33 devices of one of two manufacturers were linked to one controller.
It would act one way if the majority of the devices were from one manufacturer and do something else if they were from the other kind.
I would guess that someone that worked there or someone that supplied parts to the project had a major hand in this.
My guess would be that this is at least to some extent an inside job.
There's a lot more detail in the Symantec virus "dossier". A very interesting and detailed read.
Just my $0.55 (US inflation, 1774-2008, for $0.02)
On the other hand, the project name was apparently "myrtus", an east-Mediterranean flower, and a hard-coded value for the disable-flag was the date of an atrocity Iranians perpetrated against some Jews (I can't remember the details off-hand, but it's all in Symantec's fascinating report).
It's all totally speculative of course, and probably the least technically interesting thing about this worm is the question of the author. But even besides that, the effort and diverse skillsets that must have gone into this thing, I feel, somehow diminish the importance of asking "was it country A or B?"
If you think the only question left is "was it Yanks or Jews", here's a couple that I would raise:
Is there a lesson here about putting too much faith in signed drivers? How about asking what SCADA systems closer to home might be vulnerable? If this thing hadn't been so picky about which controllers it altered, what could it have done?