…or at least a lot clearer than it has been.
Much of the controversy about the origin and targeting of Stuxnet derived from the uncertainty about exactly what its code was meant to do. Even after it was established that it was intended to modify PLC (Programmable Logic Controller) code, details of the kind of installation targeted remained unclear.
However, Eric Chien has blogged some information that puts us a lot nearer to understanding what is really behind the attack. He tells us that "Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module." He goes on to describe in some detail the workings of the relevant Stuxnet code. Symantec's hefty Stuxnet dossier has also been updated accordingly. Our own Stuxnet analysis will be updated shortly to include pointers to this and some other resources, but I'm between airports right now, and if your knowledge of, interest in, or (most importantly) responsibility for industrial control systems is greater than mine, you may want to check that information.
While this doesn't, in my humble opinion, constitute proof of some of the speculation about who/what was targeted or responsible for the malware, it is indeed a "critical piece of the puzzle": kudos to Symantec for their continuing and excellent work. Though I suspect that some of the SCADA-oriented researchers outside the upstart AV industry will be less enthusiastic… Come on guys, we're all trying to get at the truth here!
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, ESET