Stuxnet researchers cautious about Iran's admission of centrifuge issues
Symantec researchers want confirmation that uranium enrichment centrifuges were hit by worm, but proof may be impossible
Although Iran on Monday apparently confirmed that the Stuxnet worm disrupted the country's uranium enrichment efforts, one of the researchers who has dug deepest into the malware wasn't ready to call it a done deal.
"If that information is accurate, then, yes, it's very interesting," said Liam O Murchu, manager of operations on Symantec's security response team, in an interview Monday.
If it did affect the centrifuges, O Murchu continued, again stressing the word "if," then it would verify that Symantec's latest analysis of Stuxnet was on the mark. "But we'd like to get firm confirmation that Stuxnet was definitely used to disrupt centrifuges," he said.
Monday's announcement by Iran's President Mahmoud Ahmadinejad notwithstanding, that proof may never come.
Iran's story on Stuxnet has changed in the last several months, and it's possible Ahmadinejad's admission was a smokescreen for more prosaic problems.
O Murchu acknowledged that Stuxnet's target may never be known with certainty, even though the circumstantial evidence points toward Iran and its nuclear program.
"Stuxnet didn't give us direct proof that [it] targeted centrifuges," O Murchu said. "It only pointed toward that as one of the applications that it could have targeted."
Not that he doesn't have strong suspicions.
"Stuxnet targeted PLCs," O Murchu said, referring to the "programmable logic controllers" that the worm modified. "It targeted drive converters at the frequencies used for [uranium] enrichment. There really aren't a lot of options left other than uranium enrichment."
O Murchu, Eric Chien and Nicolas Falliere, all of Symantec, have spent months analyzing Stuxnet, a worm that others have called "groundbreaking" in its complexity and deviousness. Two weeks ago, the three said clues in the worm's code indicated that Stuxnet targeted industrial systems that control high speed electrical motors , like those used to spin gas centrifuges, one of the ways uranium can be enriched into bomb-grade material.
According to O Murchu, Chien and Falliere, Stuxnet looked specifically for devices called "frequency converter drives." Such drives take electrical current from a power grid, then change the output to a much higher frequency, typically 600 Hz or higher.
When the worm found converter drives operating between 807 Hz and 1210 Hz, Stuxnet reset the frequency to 1410 Hz, then after 27 days, dropped the frequency to just 2 Hz and later bumped it up to 1064 Hz. It then repeated the process.
After Symantec released its latest findings, experts noted that the 807-1210 Hz range was consistent with drive converters used to power gas centrifuges, and that the changes Stuxnet ordered could hamper enrichment efforts or cause the high-speed rotors inside the centrifuges to fly apart.
Symantec's analysis gained credence last week when the International Atomic Energy Agency (IAEA), the United Nations' nuclear watchdog, reported that earlier this month Iran had stopped feeding uranium hexafluoride gas to its centrifuges for about a week. Speculation quickly focused on problems created by Stuxnet as the reason for the shutdown.
But the same day that the IAEA report made news, Ali Akbar Salehi, the head of Iran's nuclear agency, denied Stuxnet had affected the country's atomic program . According to the Associated Press, which quoted the official IRNA news agency, Salehi said Iran's "enemies failed to achieve their goals" with the worm.
"We discovered the virus exactly at the same spot it wanted to penetrate because of our vigilance and prevented the virus from harming [equipment]," Salehi told the IRNA.
Since September, Iranian officials have acknowledged that Stuxnet had spread through Iran and infected tens of thousands of PCs, including several personal computers owned by employees at the Bushehr nuclear power plant.
But until Monday, Iran had repeatedly denied that malware had managed to infiltrate its nuclear program and caused any damage or disruption. Two months ago, for instance, the deputy head of Salehi's agency claimed Stuxnet had not penetrated Iran's nuclear facilities.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Topic Center.