Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

by Kim Zetter

Zero-day exploits, however, aren’t ordinary exploits but are the hacking world’s most prized possession because they attack holes that are still unknown to the software maker and to the antivirus vendors—which means there are no antivirus signatures yet to detect the exploits and no patches available to fix the holes they attack.

But O’Murchu had a different take on Stuxnet’s inconsistencies. He believed the attackers deliberately used weak encryption and a standard protocol to communicate with the servers because they wanted the data traveling between infected machines and the servers to resemble normal communication without attracting unusual attention. And since communication with the servers was minimal—the malware transmitted only limited information about each infected machine—the attackers didn’t need more advanced encryption to hide it.

But there was another possible explanation for the patchwork of techniques used in the threat—Stuxnet was likely created by different teams of coders with different skills and talents.

The market is “gray” only because the buyers and sellers are presumed to be the good guys, acting in the interest of public safety and national security.

A zero-day exploit for Adobe Reader can go for $5,000 or $30,000, while an exploit for the Mac OS can cost $50,000. But an exploit for Flash or Windows can jump to $100,000 or more because of the programs’ ubiquity in the marketplace. An exploit for Apple’s iOS can also go for $100,000 because the iPhone is more difficult to crack than competing mobile phones. Browser exploits that attack Firefox, Internet Explorer, and Chrome can sell for anywhere from $60,000 to more than $200,000, depending on their ability to bypass security protections the vendors have put in the software.1

In 2011, a test team led by security researcher Marc Maiffret penetrated the remote-access system for a Southern California water plant and was able to take control of equipment the facility used for adding chemicals to drinking water. They took control of the system in just a day, and Maiffret said it would have taken just a couple of additional steps to dump chemicals into the water to make it potentially undrinkable.38

These incidents were all accidental, but in Poland in 2008 a fourteen-year-old boy in Lódz caused several trains to derail when he used the infrared port of a modified TV remote control to hijack the railway’s signaling system and switch the tram tracks. Four trams derailed, and twelve people were injured.49

But the configuration Stuxnet was looking for was so precise that it was likely to be found in only a single facility in Iran or, if more than one, then facilities configured exactly the same, to control an identical process. Any system that didn’t have this exact configuration would remain unharmed; Stuxnet would simply shut itself down and move on to the next system in search of its target. The idea that someone had put so much money and effort into a weapon attacking a single target left Langner dumbfounded. It could mean only one thing—the target had to be extraordinarily important. Now they just had to figure out what it was.

Two years earlier, Bush’s advisers had offered him what seemed like an even better solution to the problem with Iran, possibly even a brilliant one. And in the spring of 2008, while he was touring Israel for the last time as president, it looked like they might actually pull it off.

So his advisers proffered a third option—a digital bunker buster that, if designed and executed carefully, could achieve some of the same results as its kinetic counterparts, without all of the risks and consequences of those other attacks.

The Iranians would eventually see the effects of the digital sabotage, but if done well, they would never know its cause, leaving them to wonder if the problem was a material defect, a programming error, or something else. Even if the Iranians discovered the malware, a digital attack done properly left no fingerprints to be traced back to its source. This plausible deniability was key, since the United States was trying to prevent a war, not start one. There were other benefits to a digital attack. Air strikes had obvious disadvantages when it came to bombing facilities buried deep underground, as Natanz and other Iranian facilities were.16 But a digital attack could slip past air-defense systems and electrified fences to burrow effortlessly into infrastructure deep underground that was otherwise unreachable by air and other means. It could also take out centrifuges not just in known facilities but in unknown ones.

And even if the operation were discovered and the Iranians learned that their computers had been infiltrated, it would still be a win-win situation, as Weiss had pointed with the Farewell Dossier, since it would succeed in sowing doubt and paranoia among the Iranians. Even if technicians wiped their machines clean and reprogrammed them, they could never be certain that the systems wouldn’t be infected again or that their enemies wouldn’t try a different tack. They would always be on guard for any signs of trouble, and if something did go wrong, they would never know for certain if the cause had been a material defect or enemy sabotage. They’d also be much more wary of any equipment procured outside of Iran for fear that it might have already been compromised.

The change in focus also led to a name change. Instead of Joint Task Force–Computer Network Defense, they were now to be called Joint Task Force–Computer Network Operations. The change was subtle to avoid attracting attention, Sachs says, but internally it signaled the military’s readiness to begin seriously planning offensive operations.

In 2004, to accommodate this increased focus on offensive operations, the Defense Department split its offensive and defensive cyber operations into two divisions, a move that signaled for many the beginning of the militarization of cyberspace. The defensive division became known as Joint Task Force–Global Network Operations, while the offensive division was called the Joint Functional Component Command–Network Warfare.

Six years later, in May 2010, as Stuxnet was spreading wildly on computers around the world and was about to be exposed, the Pentagon recombined its defensive and offensive cyber operations under the newly formed US Cyber Command.

In 2011, the NSA mounted 231 offensive cyber operations against other countries, according to the documents, three-fourths of which focused on “top-priority” targets like Iran, Russia, China, and North Korea. Under a $652-million clandestine program code named GENIE, the NSA, CIA, and special military operatives have planted covert digital bugs in tens of thousands of computers, routers, and firewalls around the world to conduct computer network exploitation, or CNE.

In 2007, Immunity, a security firm in Florida, determined that the average zero-day exploit survived in the wild 348 days before being discovered on systems. The ones with the longest life-span could live in hiding for nearly three years.42 Today the situation isn’t much different, with the average life-span of a zero day now ten months, and others lurking in systems undiscovered for as long as two and a half years.43

As the sedan approached a busy intersection, assailants on a motorcycle suddenly pulled alongside Shahriari’s vehicle and brazenly slapped a “sticky” bomb to the driver’s-side door. Seconds after they zipped away, the bomb exploded, shattering the car’s rear window and leaving the driver’s-side door a twisted mess of molten metal. Shahriari was instantly killed; his wife and bodyguard were injured, though spared. A small pit in the asphalt next to the car testified to the force of the blast.7 Not long after, in another part of the city, Fereydoon Abbasi, a fifty-two-year-old expert in nuclear isotope separation, was also making his way through traffic toward the same destination, when, out of the corner of his eye, he spotted a motorcycle approaching. A second later he heard the distinctive sound of something being attached to his door. Abbasi was a member of Iran’s Revolutionary Guard, so his defensive instincts were more honed than Shahriari’s. He quickly leapt from the car and pulled his wife from her seat. Although the two were injured when the bomb exploded, both of them survived the attack. News reports indicated the two scientists were targeted for their prominent roles in Iran’s nuclear program. “They’re bad people,” an unnamed US official said afterward, “and the work they do is exactly what you need to design a bomb.”8

When news of the attacks on the scientists reached Ralph Langner in Germany, his stomach dropped. He wondered if his team’s work exposing Stuxnet had pushed the attackers to take even more drastic measures than he’d expected them to take once their digital attack was exposed. It underscored for him the reality that their work on Stuxnet had placed them in the midst of a very dark and bloody business.

Now that the Symantec team—minus Falliere, who had left Symantec for a job at Google—had their hands on this early variant, they were finally able to determine what the 417 PLCs were controlling and what Stuxnet was doing to them. It turned out this version was targeting the valves that managed the flow of uranium hexafluoride gas into and out of the centrifuges and cascades at Natanz.29 Stuxnet was opening and closing the valves to increase the pressure inside the centrifuges to five times its normal level. At that pressure, the gas would likely begin to solidify, ruining the enrichment process, and causing the centrifuges, spinning at high speed, to careen dangerously off balance and crash into other centrifuges around them. Or at least this was likely the plan. It may not have worked as well or as quickly as the attackers had hoped, so in 2009 they changed tactics and focused on attacking the frequency converters instead—a more direct method of damaging the centrifuges.

“There’s a new good guy/bad guy question here that puts us potentially in a very difficult position,” Eric Chien said in 2012 after their analysis of Stuxnet was done. Their work on Stuxnet had been unmarred and unimpeded by political influences, and he hoped to never be in a position where they were forced to choose between customers and the interests of national security. But he wasn’t so naïve to think that it would never come to that. “It sounds a little cheesy, but we’re just trying to help people and do what’s right,” he says. “If we get to a point where we have to ask that question, it’s going to be a very hard question [to answer]. I think we’ll be in a bad place if we get to that point.”36

But if the timestamps were accurate, it would mean the attackers had held the malicious code in reserve for three to six years while the United States waited to see how the diplomacy game with Iran played out, then pulled out the code only in 2006 when it was clear that negotiations and sanctions had failed.

How had a digital weapon so carefully crafted and controlled for so long come undone now? Fingers pointed to Israel initially. In the spring of 2010 the White House, the NSA, and the Israelis had reportedly “decided to swing for the fences” with their sights on a specific group of 1,000 centrifuges they wanted to attack.30

The Israelis apparently added the final touches—the extra zero days and other spreading mechanisms—in order to supersize it.

Workers at other companies chimed in to say that they, too, were having the same problem. One user, who also wrote that all of the PCs at his company were infected, said the problem appeared to be confined to Iran. “[B]ecause you can see many people in Iran [on the forum] have the same problem from at least 1 [month] ago,” he wrote. The discussion continued throughout July, with Behrooz so frustrated at times that he ended some of his messages with an angry, red-faced emoticon. Then suddenly, on July 24, he posted a message saying finally the mystery had been solved. He included a link to a news article about Stuxnet, which had recently been publicly exposed, and ended his message with three grinning emoticons. Of course it would be several more months before he and the rest of the world learned what it was targeting.

Despite Iran’s seemingly quick recovery from Stuxnet, the digital weapon did have at least two longer-lasting effects on the enrichment program. First, it cut into Iran’s supply of uranium gas. Several tons of enriched uranium ended up in dump tanks during the period that Stuxnet was doing its sabotage. The waste likely wasn’t all due to Stuxnet, since technicians experienced a number of varied problems with the centrifuges, but Stuxnet no doubt contributed to the loss. As previously noted, Iran had a limited supply of uranium on hand (some imported from abroad, some mined from its own land), and any gas that was wasted cut into these reserves.

But Iran also had a limited supply of centrifuges and materials to make new ones. With sanctions tighter than ever before, replacing damaged centrifuges now would become more challenging. In 2008, the IAEA estimated that Iran had enough components and materials on hand to build 10,000 centrifuges.9 If Stuxnet destroyed 1,000 of these, this cut the stockpile of centrifuges by 10 percent. On top of this, Iran lost about 10 percent of centrifuges each year to normal wear and tear. At that rate of attrition, “after five years, these guys are cooked,” says the IAEA’s Olli Heinonen.10

But Heinonen in fact believed that more than 1,000 centrifuges were damaged by Stuxnet. He believed t...

Had it been held in abeyance until more centrifuges were installed and more uranium gas was in play, its effects on the program might have been more detrimental.

Civil War general Robert E. Lee said famously that it was a good thing war was so terrible, “otherwise we should grow too fond of it.”7 The horrors and costs of war encourage countries to choose diplomacy over battle, but when cyberattacks eliminate many of these costs and consequences, and the perpetrators can remain anonymous, it becomes much more tempting to launch a digital attack than engage in rounds of diplomacy that might never produce results.

As Mike McConnell, the former director of national intelligence, told a US Senate committee in 2011, “If the nation went to war today, in a cyberwar, we would lose. We’re the most vulnerable. We’re the most connected. We have the most to lose.”12

DESPITE THE RISKS and consequences of using digital weapons, there has been almost no public discussion about the issues raised by the government’s offensive operations. Critics have pointed out that the Obama administration has been more open about discussing the assassination of Osama bin Laden than discussing the country’s offensive cyberstrategy and operations.

When questions about the rules of engagement for digital attacks were raised during the confirmation hearing for Gen. Keith Alexander to be made head of US Cyber Command in 2010, Alexander refused to address them in public and said he would only answer in a closed session.32

One US official has referred to Stuxnet as a first-generation weapon, on par with “Edison’s initial light bulbs, or the Apple II,” suggesting that more sophisticated designs have already replaced it.

Healey says. “So it’s very easy for them to make these decisions to keep going farther and farther … because the government accrues all the benefit. If we use a zero-day for Flame, the government gets the benefit of that. It’s the private sector that’s going to get the counterattacks and that’s going to suffer from the norms the US is now creating that says it’s OK to attack.”

Any digital operation that could disrupt, destroy, or manipulate computers or is “reasonably likely to result in significant consequences” also requires presidential approval. Significant consequences include loss of life, damage to property, and serious economic impact, as well as possible retaliation against the United States or adverse effects on foreign policy. Presidential authorization is also required to plant a logic bomb in a foreign system or a beacon marking it for later attack. But is not needed for espionage operations that are conducted for the sake of simply collecting data or mapping a network, unless the operation involves a worm or other malware that could spread.

Under the UN Charter’s Law of Armed Conflict, for example, they determined that hacking the control system of a dam to unleash water into a valley was the equivalent of breaching the dam with explosives. And launching an attack from a proxy system located in a neutral country would be prohibited in the same way that an army couldn’t march through a neutral country’s territory to invade an enemy. They also determined that an attack had to cause physical or personal damage to qualify as an act of force—simply erasing hard drives, if it didn’t result in physical damage or injury, didn’t qualify. But what about an attack on Wall Street that damaged a nation’s economy or aimed to do so? Here they found the legal waters less clear. Some of the experts believed such an attack qualified, while others were less convinced.

Thankfully, as of this book’s publication there has been no sign yet of the counterstrikes against industrial control systems that Ralph Langner warned about, nor have there been signs of any other types of comparable digital attacks launched by the United States or anyone else. Stuxnet still holds the distinction of being the only known case of cyberwarfare on record. But that can change at any time, now that Pandora’s digital box has been opened.