Stuxnet, the world’s first known “cyber missile,” was designed to sabotage special power supplies used almost exclusively in nuclear fuel-refining centrifuge systems, researchers studying its code have revealed. The discovery is another puzzle piece experts say points to Iran’s nuclear centrifuge plants as the likely target.
While the discovery may seem just another bit of circumstantial evidence, it is a critical one that appears to all but answer a central mystery surrounding Stuxnet: What was its target?
Stuxnet was discovered in June by a Belarus antivirus company, and its unique ability to control industrial processes was uncovered by US researchers in July. But its true role as the world’s first publicly known cyber super weapon – designed to cross the digital divide and destroy a very specific target in the real world – was only revealed in September.
Even then, the target was mostly an informed guess. Was Iran’s Bushehr nuclear power plant or its nuclear centrifuge fuel-refining plant at Natanz the target, as some suggested? Or was it something quite different, like the big Indian-made satellite that failed dramatically in July?
It now appears that a smoking gun within Stuxnet’s software code targets power supplies almost certainly used inside any Iranian nuclear fuel refining plant, researchers say. Working separately, researchers at California computer security firm Symantec arrived at the same conclusion as researchers in Germany late last week: Nuclear-fuel centrifuges were the target.
The researchers followed a complex trail. After cleverly gaining access to computer systems using an array of devious “exploits,” Stuxnet searches for and infects only a specific Siemens-made programmable logic controller (PLC) performing specific functions, the researchers found. Then – and this is the part just unearthed – it hunts for identification numbers unique to a special kind of “frequency converter drive” made by just two firms in the world: one headquartered in Finland, the other in Tehran.
Frequency converter drives are a kind of power supply that can change the frequency of its output to control the speed of a motor. The drive responds to a PLC’s computer commands and is used for industrial control in factory settings worldwide. Stuxnet hunts for specific drives set at specific speeds – the very high speeds a centrifuge must achieve to physically separate and concentrate uranium isotopes for use as nuclear fuel. Such fuel can then be used in a reactor or, if refined to far higher concentrations, a nuclear weapon. [Editor’s note: The original version misconstrued the nature of frequency converter drives.]
Symantec researchers were aided by a Dutch industrial control systems expert who revealed the connection with Tehran and Finland firms. It turns out that the special drives Stuxnet targets are built to operate “at very high speeds … speeds used only in a limited number of applications,” Symantec stated in a report update Nov. 12. Such drives are “regulated for export in the US by the Nuclear Regulatory Commission,” because one of their main uses is for uranium enrichment, it noted.
Once Stuxnet has locked its sights on the target, it alternately brings the centrifuge process to either a grinding slowdown or an explosive surge – by sabotaging the centrifuge refining process. It tells the commandeered PLC to force the frequency converter drive to do something it’s not ever supposed to do: Switch back and forth from high speed to low speed at intervals punctuated by long period of normal operation. It also occasionally pushes the centrifuge to far exceed its maximum speed.
“Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over periods of months,” Symantec researcher Eric Chien reported Nov. 12 on his blog. “Interfering with the speed of the motors sabotages the normal operation of the industrial control process.”
Normal operating frequency of the special drive is supposed to be between 807 and 1210 Hz – the higher the hertz, the higher the speed. One hertz means that a cycle is repeated once per second.
Stuxnet “sabotages the system by slowing down or speeding up the motor to different rates at different times,” including sending it up to 1410 Hz, well beyond its intended maximum speed. Such wide swings would probably destroy the centrifuge – or at least wreck its ability to produce refined uranium fuel, others researchers say.
“One reasonable goal for the attack could be to destroy the centrifuge rotor by vibration, which causes the centrifuge to explode” as well as simply degrading the output subtly over time, Ralph Langner, the German researcher who first revealed Stuxnet’s function as a weapon in mid-September, wrote on his blog last week.
All of the circumstantial evidence points in the same direction: Natanz.
The Natanz nuclear centrifuge fuel-refining plant may have been hit first by Stuxnet in mid-2009, said Frank Rieger, a German researcher with Berlin encryption firm GSMK. The International Atomic Energy Agency found a sudden drop in the number of working centrifuges at the Natanz site, he noted in an interview in September.
“It seems like the parts of Stuxnet dealing with PLCs have been designed to work on multiple nodes at once – which makes it fit well with a centrifuge plant like Natanz,” Mr. Rieger says. By contrast, Bushehr is a big central facility with many disparate PLCs performing many different functions. Stuxnet seems focused on replicating its intrusion across a lot of identical units in a single plant, he said.
That and Symantec’s new findings also dovetail nicely with Mr. Langner’s detailed findings in his ongoing dissection of Stuxnet. Parts of the code show Stuxnet causing problems for short periods, then resuming undisturbed operation, Symantec’s findings show. As a result, Langner writes, “the victim, having no clue of being under a cyber attack, will replace broken centrifuges by new ones – until ending in frustration. It’s like a Chinese water torture.”
Ultimately, the Stuxnet cyber attack “is as good as using explosives,” Langner notes. Actually, it’s even better, he writes. Iran is believed to have other hidden centrifuge plants and “with a well designed attack plan, you even hit the unknown facilities.”
Help us Prepare for Trump’s Day One
Trump is busy getting ready for Day One of his presidency – but so is Truthout.
Trump has made it no secret that he is planning a demolition-style attack on both specific communities and democracy as a whole, beginning on his first day in office. With over 25 executive orders and directives queued up for January 20, he’s promised to “launch the largest deportation program in American history,” roll back anti-discrimination protections for transgender students, and implement a “drill, drill, drill” approach to ramp up oil and gas extraction.
Organizations like Truthout are also being threatened by legislation like HR 9495, the “nonprofit killer bill” that would allow the Treasury Secretary to declare any nonprofit a “terrorist-supporting organization” and strip its tax-exempt status without due process. Progressive media like Truthout that has courageously focused on reporting on Israel’s genocide in Gaza are in the bill’s crosshairs.
As journalists, we have a responsibility to look at hard realities and communicate them to you. We hope that you, like us, can use this information to prepare for what’s to come.
And if you feel uncertain about what to do in the face of a second Trump administration, we invite you to be an indispensable part of Truthout’s preparations.
In addition to covering the widespread onslaught of draconian policy, we’re shoring up our resources for what might come next for progressive media: bad-faith lawsuits from far-right ghouls, legislation that seeks to strip us of our ability to receive tax-deductible donations, and further throttling of our reach on social media platforms owned by Trump’s sycophants.
We’re preparing right now for Trump’s Day One: building a brave coalition of movement media; reaching out to the activists, academics, and thinkers we trust to shine a light on the inner workings of authoritarianism; and planning to use journalism as a tool to equip movements to protect the people, lands, and principles most vulnerable to Trump’s destruction.
We urgently need your help to prepare. As you know, our December fundraiser is our most important of the year and will determine the scale of work we’ll be able to do in 2025. We’ve set two goals: to raise $110,000 in one-time donations and to add 1350 new monthly donors by midnight on December 31.
Today, we’re asking all of our readers to start a monthly donation or make a one-time donation – as a commitment to stand with us on day one of Trump’s presidency, and every day after that, as we produce journalism that combats authoritarianism, censorship, injustice, and misinformation. You’re an essential part of our future – please join the movement by making a tax-deductible donation today.
If you have the means to make a substantial gift, please dig deep during this critical time!
With gratitude and resolve,
Maya, Negin, Saima, and Ziggy