According to the latest results of the analysis of the worm's code, Stuxnet was developed to search for industrial control systems that have frequency converter drives from a specific Finnish or Iranian vendor - or from both. These drives function as a power supply that can change the speed of a motor by changing the frequency of the output.
What Stuxnet does is change drastically the operating frequency of these motors every once in a while, sabotaging the workings of the automation system that they run.
Stuxnet begins this procedure after it has been witnessing the drives operating at speeds that go from 807 Hz to 1210 Hz for an undefined period of time.
Researcher Eric Chien says that these these frequencies are actually a lot higher that those required to power, let's say, a conveyor belt in a factory. "Also, efficient low-harmonic frequency converter drives that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment," he notes. "We would be interested in hearing what other applications use frequency converter drives at these frequencies."
According to Symantec's updated paper on Stuxnet, the worm springs to life only when it detects 33 or more frequency converter drives from one or both of the two manufacturers - a fact that seems to imply that its developers had specific specific targets in mind and that they are familiar with their networks.
“I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device," said Liam O Murchu, one of Symantec's researchers that work on analyzing Stuxnet, to Wired. And he's probably right. This speculation seems to give weight to the theory that the Iranian Bushehr nuclear power plant was Stuxnet's main target.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.