Stuxnet researchers cautious about Iran's admission of centrifuge issues
Symantec researchers want confirmation that uranium enrichment centrifuges were hit by worm, but proof may be impossible
Computerworld - Although Iran on Monday apparently confirmed that the Stuxnet worm disrupted the country's uranium enrichment efforts, one of the researchers who has dug deepest into the malware wasn't ready to call it a done deal.
"If that information is accurate, then, yes, it's very interesting," said Liam O Murchu, manager of operations on Symantec's security response team, in an interview Monday.
If Stuxnet did affect centrifuges used to enrich uranium at Iran's nuclear sites, O Murchu continued -- again stressing the word if -- that would mean that Symantec's latest analysis of the worm was on the mark. "But we'd like to get firm confirmation that Stuxnet was definitely used to disrupt centrifuges," he said.
But that proof may never come, despite Monday's announcement by Iran President Mahmoud Ahmadinejad that enemies of his country had "succeeded in creating problems for a limited number of our centrifuges with the software they had installed."
Iran's story on Stuxnet has changed in the past several months, and it's possible that Ahmadinejad's admission was a smokescreen for more prosaic problems.
O Murchu acknowledged that Stuxnet's target may never be known with certainty, even though the circumstantial evidence points toward Iran and its nuclear program.
"Stuxnet didn't give us direct proof that [it] targeted centrifuges," O Murchu said. "It only pointed toward that as one of the applications that it could have targeted."
Not that he doesn't have strong suspicions.
"Stuxnet targeted PLCs," O Murchu said, referring to the "programmable logic controllers" that the worm modified. "It targeted drive converters at the frequencies used for [uranium] enrichment. There really aren't a lot of options left other than uranium enrichment."
O Murchu and fellow Symantec security researchers Eric Chien and Nicolas Falliere have spent months analyzing Stuxnet, a worm that others have called "groundbreaking" in its complexity and deviousness. Two weeks ago, the three said clues in the worm's code indicated that Stuxnet targeted industrial systems that control high-speed electrical motors, like those used to spin gas centrifuges, one of the ways uranium can be enriched into bomb-grade material.
According to O Murchu, Chien and Falliere, Stuxnet looked specifically for devices called "frequency converter drives." Such drives take electrical current from a power grid, then change the output to a much higher frequency, typically 600 Hz or higher.
When the worm found converter drives operating between 807 Hz and 1210 Hz, Stuxnet reset the frequency to 1410 Hz, then after 27 days, dropped the frequency to just 2 Hz and later bumped it up to 1064 Hz. It then repeated the process.
After Symantec released its latest findings, experts noted that the 807-1210 Hz range was consistent with drive converters used to power gas centrifuges, and that the changes Stuxnet ordered could hamper enrichment efforts or cause the high-speed rotors inside the centrifuges to fly apart.
Symantec's analysis gained credence last week when the International Atomic Energy Agency (IAEA), the United Nations' nuclear watchdog, reported that earlier this month Iran had stopped feeding uranium hexafluoride gas to its centrifuges for about a week. Speculation quickly focused on problems created by Stuxnet as the reason for the shutdown.
But the same day that the IAEA report made news, Ali Akbar Salehi, the head of Iran's nuclear agency, denied Stuxnet had affected the country's atomic program. According to the Associated Press, which quoted the official IRNA news agency, Salehi said Iran's "enemies failed to achieve their goals" with the worm.
"We discovered the virus exactly at the same spot it wanted to penetrate because of our vigilance and prevented the virus from harming [equipment]," Salehi told the IRNA.
Since September, Iranian officials have acknowledged that Stuxnet had spread through Iran and infected tens of thousands of PCs, including several personal computers owned by employees at the Bushehr nuclear power plant.
But until Monday, Iran had repeatedly denied that malware had managed to infiltrate its nuclear program and caused any damage or disruption. Two months ago, for instance, the deputy head of Salehi's agency claimed Stuxnet had not penetrated Iran's nuclear facilities.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts