Date: 27 September 2010
As noted in our previous blogs, Symantec and other analysts have confirmed that Stuxnet's primary purpose is to "modify the behavior of an industrial control system by modifying Programmable Logic Controllers (PLCs)". This can only be for the purposes of disruption and/or sabotage.
While the targeted Siemens products are used by a wide range of industries, it is now known that a specific industrial application of the systems was the primary target of the attack.
Siemens (17 September 2010) advised that:
Further investigations have shown that the virus can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data. This means that the malware is able, under certain boundary conditions, to influence the processing of operations in the control system. However, this behavior has not yet been verified in tests or in practice.
The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks.
This means that Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications.
This conclusion also coincides with the number of cases known to Siemens where the virus was detected but had not been activated, and could be removed without any damage being done up to now.
This kind of specific plant was not among the cases that we know about.
Symantec (21 September 2010) has confirmed this functionality:
Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of PLC blocks (code blocks and data blocks) that will be injected into the PLC to alter its behavior.
Hence, once the malware locates specific Siemens SCADA products, it then looks for specific files, which indicates that the malware is checking whether it is in a specific process or plant.
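As an added example (not code from the original post, Siemens or Symantec), the defender-side counterpart of the injection described above: an integrity check that compares the block inventory uploaded from a PLC against an approved baseline and reports new or altered code and data blocks. The block names and bodies are constructed placeholders, not values from the article.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed sample inventories: (block name, block body as uploaded from the
# controller). Names and bodies are illustrative placeholders only.
BASELINE_BLOCKS: List[Tuple[str, bytes]] = [
    ("OB1", b"cycle: CALL FC10; CALL FC20;"),
    ("FC10", b"FC10: read inputs, scale values"),
    ("FC20", b"FC20: write outputs"),
    ("DB5", b"DB5: setpoints 100 200 300"),
]
CURRENT_BLOCKS: List[Tuple[str, bytes]] = [
    ("OB1", b"cycle: CALL FC10; CALL FC999; CALL FC20;"),  # cycle block altered
    ("FC10", b"FC10: read inputs, scale values"),
    ("FC20", b"FC20: write outputs"),
    ("DB5", b"DB5: setpoints 100 200 300"),
    ("FC999", b"FC999: logic not in baseline"),            # new code block
    ("DB999", b"DB999: data not in baseline"),             # new data block
]

def block_type(name: str) -> str:
    """Return the block-type prefix (OB, FC, FB, DB, SFC, ...) of a block name."""
    return name.rstrip("0123456789")

def snapshot(blocks: Iterable[Tuple[str, bytes]]) -> Dict[str, str]:
    """Map each block name to a SHA-256 of its body so the baseline can be kept offline."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in blocks}

def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report blocks that appeared, disappeared or changed relative to the approved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
    }

def suspicious_types(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count added/modified blocks per type: new code blocks arriving together with new
    data blocks is the shape of the injection sequence Symantec describes."""
    counts: Dict[str, int] = {}
    for name in report["added"] + report["modified"]:
        counts[block_type(name)] = counts.get(block_type(name), 0) + 1
    return counts

def run_check() -> Tuple[Dict[str, List[str]], Dict[str, int]]:
    report = compare_to_baseline(snapshot(BASELINE_BLOCKS), snapshot(CURRENT_BLOCKS))
    return report, suspicious_types(report)

if __name__ == "__main__":
    print(run_check())
```

In practice the baseline is taken from the approved engineering project and the current inventory from a read-back of the controller, so a non-empty "added" or "modified" list on a production PLC warrants investigation.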
While speculation continues that the target was Iran's nuclear power program, at present Iranian officials have only confirmed that staff of its Bushehr nuclear power plant had personal computers infected with the malware. It is still not clear whether these were personal computers used within the facility or physically or logically connected to it, whether these PCs also had the targeted Siemens software installed, or indeed whether other Iranian nuclear facilities have been affected.