Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Kindle Notes & Highlights
Over the years, malware had gone through a gradual evolution. In the early days, the motivations of malware writers remained pretty much the same. Though some programs were more disruptive than others, the primary goal of virus writers in the 1990s was to achieve glory and fame, and a typical virus payload included shout-outs to the hacker’s slacker friends. Things changed as e-commerce took hold and hacking grew into a criminal enterprise. The goal wasn’t to gain attention anymore but to remain stealthy in a system for as long as possible to steal credit card numbers and bank account ...more
According to the story, in 1982 the CIA hatched a plot to install a logic bomb in software controlling a Russian gas pipeline in order to sabotage it. When the code kicked in, it caused the valves on the pipeline to malfunction. The result was an explosive fireball so fierce and large that it was caught by the eyes of orbiting satellites.
The explosions didn’t all go unexplained. Kurdish rebels claimed responsibility for the ones at Dogubayazit and Tabriz, and the Iranian news agency, IRNA, attributed the Kharg Island fire to high-pressure buildup in a central boiler.8 The explosion at Pardis was blamed on a leak of ethane that ignited after workers began welding a pipeline. But what if one or more of the explosions had actually been caused by Stuxnet?
this was the first documented case of cyberwarfare.
PLCs are used with a variety of automated control systems that include the better-known SCADA system (Supervisory Control and Data Acquisition) as well as distributed control systems and others that keep the generators, turbines, and boilers at power plants running smoothly.
In truth, the problems with control systems are not new; Stuxnet just exposed them for the first time to the public. But some control-systems experts had known about them for years.
The following year, US forces in Kabul seized a computer in an al-Qaeda office and found models of a dam on it along with engineering software that could be used to simulate its failure.21 That same year, the CIA issued a Directorate of Intelligence Memorandum stating that al-Qaeda had “far more interest” in cyberterrorism than previously believed and had begun to contemplate hiring hackers.
despite the best efforts of the test-bed and site-assessment researchers, they were battling decades of industry inertia—vendors took months and years to patch vulnerabilities that government researchers found in their systems, and owners of critical infrastructure were only willing to make cosmetic changes to their systems and networks, resisting more extensive ones.
Each time engineers would leave his conference fired up with ideas about improving the security of their networks, they would run up against executives back home who balked at the cost of re-architecting and securing the systems. Why spend money on security, they argued, when none of their competitors were doing it and no one was attacking them?
Beresford found that the PLCs were promiscuous computers that would talk to any machine that spoke their protocol language.
Although there was an authentication packet, or password of sorts, that passed between a Step 7 machine and the PLC, Beresford was able to decode the password in less than three hours. He also found that he could simply capture the authentication packet as it passed from a Step 7 machine to the PLC and replay it in the same way he replayed commands, eliminating the need to decode the password at all. Once he had control of a PLC, he could also issue a command to change the password to lock out legitimate users.
Many of the vulnerabilities in control systems could be mitigated if the systems ran on standalone networks that were “air-gapped”—that is, never connected to the internet or connected to other systems that are connected to the internet. But this isn’t always the case.
In 2012, Telvent Canada, a maker of control software used in the smart grid, was hacked by intruders linked to the Chinese military, who accessed project files for the SCADA system the company produced—a system installed in oil and gas pipelines in the United States as well as in water systems. Telvent used the project files to manage the systems of customers. Though the company never indicated whether the attackers modified the project files, the breach demonstrated how easily an attacker might target oil and gas pipelines by infecting the project files of a company like Telvent.
Although rail systems have redundancies and fail-safe mechanisms to prevent accidents from occurring, when many systems are interconnected, it creates the opportunity for misconfigurations that could allow someone to access the safety systems and undermine them.
ALTHOUGH THERE ARE many different ways to attack critical infrastructure, one of the most effective is to go after the power grid, since electricity is at the core of all critical infrastructure. Cut the power for a prolonged period, and the list of critical services and facilities affected is long—commuter trains and traffic lights; banks and stock exchanges; schools and military installations; refrigerators controlling the temperature of food and blood supplies; respirators, heart monitors, and other vital equipment in hospitals; runway lights and air traffic control systems at airports.
Going after smart meters is an effective way to cut electricity. But an even more effective and widespread attack would be to take out generators that feed the grid or the transmission systems that deliver electricity to customers.
When distribution lines overheat, it causes them to sag or melt. Sagging lines were the cause of the 2003 Northeast blackout that cut power to 50 million people in eight states and parts of Canada.
An even more destructive attack than targeting distribution lines, however, would be to target equipment at substations that feed electricity to those lines.
Langner suspected the researchers had hit a wall, due to their lack of expertise with PLCs and industrial control systems. But curiously, Siemens had also gone silent. This was strange, Langner thought. It was, after all, Siemens controllers that were being attacked; the company had an obligation to analyze the malevolent code and tell customers what it might be doing to their systems. But after a couple of brief announcements the German company had made in July, it had gone mum.
Samples of Stuxnet were already available for download on the internet; any random hacker, criminal extortionist, or terrorist group could study the code and use it as a blueprint to devise a more wide-scale and destructive attack against other models of PLCs.
There were ways to tell if a Windows desktop PC or laptop was compromised, but with the stealth techniques that Stuxnet used, there would be no way to tell if a PLC was infected.
There was no such thing as antivirus software for PLCs and no easy way to know if a controller had rogue code installed if it used the same kind of subterfuge that Stuxnet had used. The only way to detect an attack was at the Windows stage before it reached the PLC. But Stuxnet had shown the folly of even that defense, since no antivirus scanner had caught it before it reached the PLCs. Operators would never be able to detect a warhead until it was too late.
Mahmoud Jafari said in one of his interviews that five versions of Stuxnet had been found in Iran.19 Symantec and other antivirus researchers had uncovered only three.
And if two other versions of the code existed, they might contain additional clues about Stuxnet and its authors. Unfortunately, however, there was little chance that Western researchers would ever see them, since Iranian officials were unlikely to provide copies of the code to anyone outside of Iran.
there was the mind-boggling silence from the public and Congress, who seemed to have little concern about the Pandora’s box Stuxnet had opened in legitimizing the use of cyberweapons to resolve political disputes. Neither did they seem alarmed about the digital arms race Stuxnet had launched that would be impossible to curb.
At Fort Meade, a dozen senior military, government, and intelligence leaders sat listening to McGurk as he described what his team had found, but the question of whether the United States was behind the attack never came up. They asked McGurk if Stuxnet was directed against US control systems and how many US systems were vulnerable to the malicious code.24 They were also curious to know if McGurk’s team could tell who the intended target was. And finally they asked if there was anything in the code that gave away its source. McGurk told them no, there were no clues revealing who was behind the ...more
Nor did anyone suggest to McGurk that he should pull his team off of Stuxnet either. “No one said hey, cease and desist, leave it alone, don’t go there,” he says. “We were actually getting a lot of cooperation from all of those organizations … assisting with the analysis and assisting with the understanding of what type of threat this actually posed.”
The Israelis wanted US support and endorsement for an air strike to take out the uranium enrichment plant at Natanz. The Israelis had been gunning for an air strike since at least 2003, when IAEA inspectors got their first look at Natanz and found highly enriched uranium particles in environmental samples taken from the plant. Talk of an air strike died down for a while after Iranian officials agreed to suspend their enrichment activities in 2003 and 2004, but returned in 2006 when Iran withdrew from the suspension agreement and proceeded to install the first centrifuges in one of the ...more
Bush opposed an air strike. “I think it’s absolutely absurd that people suspect I am trying to find a pretext to attack Iran,” he said in 2007.5 Even if he did support a strike, he would have had difficulty drumming up widespread backing for one. A November 2007 Gallup poll showed that 73 percent of Americans preferred sanctions and diplomacy to an air strike against Iran,
Israel had, of course, been in this position before, seeking US support for a strike—in 1981 when it took out Iraq’s Osirak reactor, and again in 2007 when it bombed the suspected nuclear reactor in Syria.6 Israeli intelligence agents had obtained crucial information about the latter facility in 2006 when they tailed a senior Syrian official to London and installed a Trojan horse on his laptop after he unwisely left it behind in his hotel room one day.
They won US support to attack the site after providing evidence that North Korea was helping Syria build it.
In his State of the Union address in January 2002, President Bush had identified Iran as part of the “axis of evil,” along with Iraq and North Korea, that threatened the peace of the world. The United States, he said, would not permit “the world’s most dangerous regimes” to “threaten us with the world’s most destructive weapons.”12 They were strong words.
sometime in 2006, after Iran withdrew from its suspension agreement, US military and intelligence officials reportedly brought the proposal for the cyber operation, later dubbed “Olympic Games,” to the president. Bush had been weighing his options for a while. With two protracted and complex wars already being fought in Iraq and Afghanistan, he had already decided he wanted no part in a third battle in the Middle East. On-the-ground covert attacks that physically sabotaged Iran’s nuclear sites also were ruled out, since they, too, would likely spark a war.14 So his advisers proffered a third ...more
The advantages of a cyberattack over other forms of attack were many. A digital bomb could achieve some of the same effects as a kinetic weapon without putting the lives of pilots at risk. It could also achieve them covertly in a way a physical bomb could never do, by silently damaging a system over weeks and months without being detected. The Iranians would eventually see the effects of the digital sabotage, but if done well, they would never know its cause, leaving them to wonder if the problem was a material defect, a programming error, or something else. Even if the Iranians discovered the ...more
The CIA would let the Soviets continue to obtain the technology they wanted—but with the spy agency slipping modified designs and blueprints into the mix to misdirect their scientific efforts toward money-wasting ventures. He also proposed modifying products and components before they reached the Iron Curtain so that they would pass any quality-assurance tests the Soviets might subject them to, then fail at a later date. The plan was a veritable win-win because even if the Soviets discovered the counterintelligence operation, they would forever be suspicious of any information or technology ...more
The military already had its first taste of their capabilities in the 1980s, when a German named Markus Hess, who was reportedly recruited by the KGB, hacked into hundreds of military systems and research facilities, such as Lawrence Berkeley National Laboratory, in search of intelligence about satellites and the Star Wars defense system.3 Other scares followed. In 1990 in the run-up to the first Gulf War, Dutch teens broke into nearly three-dozen US military computers seeking information about Patriot missiles, nuclear weapons, and the operation against Iraq. Officials feared the teens ...more
The Air Force was the first to take steps in this direction in 1993, when it transformed its Electronic Warfare Center into the Air Force Information Warfare Center and established, two years later, the 609 Information Warfare Squadron—the military’s first cybercombat unit.5 Located at Shaw Air Force Base in South Carolina, its job was to combine offensive and defensive cyber operations in support of combat commands.
1997 the military conducted a more organized exercise to measure its defensive capabilities against enemy network attacks. The exercise, dubbed “Eligible Receiver,” pitted a red team of NSA hackers against the networks of the US Pacific Command in Hawaii.
The red-team hackers dropped marker files onto the systems to plant a virtual flag, proving they were there, and also created a number of simulated attacks showing how they could have seized control of power and communications networks in Oahu, Los Angeles, Chicago, and Washington, DC. Had they wanted to, they could have seized control of a system used to command hundreds of thousands of troops or set up “rolling blackouts and other activities that would cause social unrest,” according to Lt. Gen. John H. Campbell, a now-retired Air Force general who headed the Pentagon’s information ...more
There was another reason for caution, however. A cyberweapon was the “type of weapon that you fire and it doesn’t die. Somebody can pick it up and fire it right back at you,” Sachs says. “That was a very strong motivator to not do this.”
secretary of defense had already given the NSA authority to begin developing computer network attack (CNA) techniques, a task the spy agency embraced as an extension of its existing electronic warfare duties, which included jamming enemy radar systems and taking out communication channels.14 The NSA believed its technical geniuses could play a critical role on the emerging digital battlefield as well.
US offensive operations advanced further in 2003 when the Pentagon prepared a secret “Information Operations Roadmap” aimed at turning information warfare into a core military competency on par with air, ground, maritime, and special operations.23 The classified report, released with redactions a few years later, noted that a comprehensive process was already under way to evaluate the capabilities of cyberweapons and spy tools and develop a policy for their use. The latter included trying to determine what level of data or systems manipulation constituted an attack or use of force and what ...more
In 2007, the US reportedly assisted Israel with a cyberattack that accompanied its bombing of the Al Kibar complex in Syria by providing intelligence about potential vulnerabilities in the Syrian defense systems.
In 2011, during the civilian uprising in Libya, there had also been talk of using cyberattacks to sever that country’s military communications links and prevent early-warning systems from detecting the arrival of NATO warplanes. The plan was nixed, however, because there wasn’t enough time to prepare the attack.
leaks from former NSA systems administrator Edward Snowden have provided some of the most extensive views yet of the government’s shadowy cyber operations in its asymmetric war on terror. The documents describe NSA elite hacker forces at Fort Meade and at regional centers in Georgia, Texas, Colorado, and Hawaii, who provide US Cyber Command with the attack tools and techniques it needs for counterterrorism operations. But the government cyberwarriors have also worked with the FBI and CIA on digital spy operations, including assisting the CIA in tracking targets for its drone assassination ...more
Stuxnet stands alone as the only known cyberattack to have caused physical destruction to a system.
Who are the people filling these jobs? Sometimes they’re people like Charlie Miller, the mathematician mentioned in chapter 7 who was recruited by the NSA for code and computer cracking. And sometimes they’re former hackers, wanted by law enforcement as much for breaking into US government systems as they are coveted by spy agencies for their ability to do the same against an adversary. A shortage of highly skilled candidates in the professional ranks who can fill the demand for elite cyberwarriors has led the military and intelligence agencies to recruit at hacker conferences like Def Con, ...more
it’s a government model that relies on keeping everyone vulnerable so that a targeted few can be attacked—the equivalent of withholding a vaccination from an entire population so that a select few can be infected with a virus.
In 2007, Immunity, a security firm in Florida, determined that the average zero-day exploit survived in the wild 348 days before being discovered on systems. The ones with the longest life-span could live in hiding for nearly three years.42 Today the situation isn’t much different, with the average life-span of a zero day now ten months, and others lurking in systems undiscovered for as long as two and a half years.
One of the first things that struck him about the attack was that it unfolded in six stages that repeated over weeks and months. Once the attack was done, it recycled itself and began again. This meant that rather than launching a single blow that caused catastrophic failure, as the researchers originally believed Stuxnet was designed to do, the attackers were going for subtle sabotage that extended over time. This, combined with the man-in-the-middle attack that concealed the sabotage from operators as it occurred, would have made it hard for anyone to detect and pinpoint the source of ...more