Report Strengthens Suspicions That Stuxnet Sabotaged Iran’s Nuclear Plant

(WIRED) A new report appears to add fuel to suspicions that the Stuxnet superworm was responsible for sabotaging centrifuges at a uranium-enrichment plant in Iran.

The report, released Thursday by the Institute for Science and International Security, or ISIS, indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran’s Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart.

The frequencies of the Natanz rotors were apparently not a secret and were disclosed to ISIS in mid-2008 — the earliest samples of Stuxnet code found so far date back to June 2009, a year after ISIS learned about the frequencies. They were disclosed to ISIS by “an official from a government that closely tracks Iran’s centrifuge program.”

The unnamed government official told ISIS that the nominal frequency for the IR-1 centrifuges at Natanz was 1,064 Hz, but that Iran kept the actual frequency of the centrifuges lower to reduce breakage. According to another source, Iran often ran its centrifuges at 1,007 Hz.

The information would have been gold to someone looking to sabotage the centrifuges since, as ISIS notes, it provided both confirmation that Iran’s centrifuges were prone to an unusual amount of breakage and that they were subject to breakage at a specific frequency of rotation.

Stuxnet was discovered last June by a Belarus security firm, which found samples of the code on computers belonging to an unnamed client in Iran. The sophisticated code was designed to sabotage specific components used with an industrial control system made by the German firm Siemens, but only if these components were installed in a particular configuration. The unique configuration Stuxnet seeks is believed to exist at Natanz and possibly other unknown nuclear facilities in Iran.

After German researcher Ralph Langner first posited that Stuxnet’s target was Iran’s nuclear power plant at Bushehr, Iranian President Mahmoud Ahmadinejad acknowledged that Stuxnet affected personal computers belonging to workers at the plant, but he maintained that the plant’s operations were not affected by the malware. However, Ahmadinejad announced in November that unspecified malicious software sent by western enemies had affected Iran’s centrifuges at its Natanz plant and “succeeded in creating problems for a limited number of our centrifuges.” He did not mention Stuxnet by name.

It’s known that Iran decommissioned and replaced about a thousand IR-1 centrifuges at its Natanz plant between November 2009 and February 2010. It’s not known if this was due to Stuxnet or due to a manufacturing defect or some other cause, but the ISIS report increases the plausibility that Stuxnet could have played a role in their demise.

According to an examination of Stuxnet by security firm Symantec, once the code infects a system, it searches for the presence of two kinds of frequency converters made by the Iranian firm Fararo Paya and the Finnish company Vacon, making it clear that the code has a precise target in its sights. Once it finds itself on the targeted system, depending on how many frequency converters from each company are present on that system, Stuxnet undertakes two courses of action to alter the speed of rotors being controlled by the converters. In one of these courses of action, Stuxnet begins with a nominal frequency of 1,064 Hz — which matches the known nominal frequency at Natanz but is above the 1,007 Hz at which Natanz is said to operate — then reduces the frequency for a short while before returning it to 1,064 Hz.

In another attack sequence, Stuxnet instructs the speed to increase to 1,410 Hz, which is “very close to the maximum speed the spinning aluminum IR-1 rotor can withstand mechanically,” according to the ISIS report, which was written by ISIS president David Albright and colleagues.

“The rotor tube of the IR-1 centrifuge is made from high-strength aluminum and has a maximum tangential speed of about 440-450 meters per second, or 1,400-1,432 Hz, respectively,” according to ISIS. “As a result, if the frequency of the rotor increased to 1,410 Hz, the rotor would likely fly apart when the tangential speed of the rotor reached that level.”

ISIS doesn’t say how long the frequency needs to be at 1,410 Hz before the rotor reaches the tangential speed at which it would break apart, but within 15 minutes after instructing the frequency to increase, Stuxnet returns the frequency to its nominal 1,064 Hz level. Nothing else happens for 27 days, at which point a second attack sequence kicks in that reduces the frequency to 2 Hz, which lasts for 50 minutes before the frequency is restored to 1,064 Hz. Another 27 days pass, and the first attack sequence launches again, increasing the frequency to 1,410 Hz, followed 27 days later by a reduction to 2 Hz.

Stuxnet disguises all of this activity by sending commands to shut off warning and safety controls that would normally alert plant operators to the frequency changes.

ISIS notes that the Stuxnet commands don’t guarantee destruction of centrifuges. The length of the frequency changes may be designed simply to disrupt operations at the plant without breaking rotors outright, and the plant could conceivably have secondary control systems in place that protect centrifuges and are not affected by Stuxnet’s malicious commands.
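The frequency excursions described above are the kind of event a monitor that does not depend on the controller's own alarms can flag. The following is an added example, not code from the ISIS report, Symantec or the original article: it scans per-minute frequency readings for runs outside an alarm envelope. The 1,000 to 1,100 Hz envelope, the function names and the trace are assumptions, with the trace constructed from the timeline in the text.

```python
from dataclasses import dataclass

NOMINAL_HZ = 1064              # nominal IR-1 frequency quoted in the article
LOW_HZ, HIGH_HZ = 1000, 1100   # assumed alarm envelope, not from the article

@dataclass
class Excursion:
    start_min: int      # first out-of-envelope sample
    end_min: int        # first in-envelope sample afterwards
    extreme_hz: float   # reading farthest from nominal during the run

    @property
    def duration_min(self):
        return self.end_min - self.start_min

def find_excursions(samples, low=LOW_HZ, high=HIGH_HZ):
    """samples: (minute, hz) pairs from a sensor independent of the controller."""
    found, current, minute = [], None, None
    for minute, hz in samples:
        outside = hz < low or hz > high
        if outside and current is None:
            current = Excursion(minute, minute, hz)
        elif outside:
            if abs(hz - NOMINAL_HZ) > abs(current.extreme_hz - NOMINAL_HZ):
                current.extreme_hz = hz
        elif current is not None:
            current.end_min = minute
            found.append(current)
            current = None
    if current is not None:     # data ended while still out of envelope
        current.end_min = minute
        found.append(current)
    return found

def constructed_trace():
    """Constructed readings: 15 min at 1,410 Hz, 27 days idle, 50 min at 2 Hz."""
    day = 24 * 60
    first = 1000
    second = first + 15 + 27 * day
    for minute in range(second + 50 + 60):
        if first <= minute < first + 15:
            yield minute, 1410
        elif second <= minute < second + 50:
            yield minute, 2
        else:
            yield minute, NOMINAL_HZ

if __name__ == "__main__":
    for e in find_excursions(constructed_trace()):
        print(f"t={e.start_min} min: {e.extreme_hz} Hz for {e.duration_min} min")
```

Because the article says the malware suppresses the plant's own warnings, the readings here are assumed to come from a path the compromised controller cannot rewrite.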

There are still a lot of unanswered questions about both Stuxnet and the Natanz facility.

ISIS notes that it could not confirm the brand of frequency converters used at Natanz in order to determine if they are the ones that Stuxnet targets. Iran is known to have obtained frequency converters from a variety of suppliers, including ones in Germany and in Turkey. The New York Times reported in January that a foreign intelligence operation had aimed at sabotaging “individual power units that Iran bought in Turkey” for its centrifuge program. The ISIS authors say these “power units” are believed to have been frequency converters Iran obtained from Turkey.

If Stuxnet was indeed aimed at Natanz, and if its goal was to quickly destroy all of the centrifuges at Natanz, ISIS notes that it failed at this task.

“But if the goal was to destroy a more-limited number of centrifuges and set back Iran’s progress in operating the FEP, while making detection difficult, it may have succeeded, at least temporarily,” according to the report.

The authors close their report with a warning to governments that using tools like Stuxnet “could open the door to future national security risks or adversely and unintentionally affect U.S. allies.”

“Countries hostile to the United States may feel justified in launching their own attacks against U.S. facilities, perhaps even using a modified Stuxnet code,” they write. “Such an attack could shut down large portions of national power grids or other critical infrastructure using malware designed to target critical components inside a major system, causing a national emergency.”

Copyright © Jewish Internet Defense Force
All Rights Reserved
