Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Kindle Notes & Highlights
56%
The first part of the attack, a reconnaissance stage, lasted about thirteen days, during which Stuxnet sat silently on the PLC recording normal operations in order to loop that data back to operators when the sabotage began. Stuxnet recorded data at least once a minute and only progressed to the next stage after recording data at least 1.1 million times. Once enough data was recorded, a two-hour countdown commenced. Then when the count reached zero, the sabotage began. It lasted just fifteen minutes, however, and once it was done, normal operations on the PLC and the devices it controlled ...
56%
As before, once the sabotage was done, operations returned to normal for another twenty-six days, and the whole cycle repeated again. Each time the sabotage occurred thereafter, it alternated between fifteen minutes and fifty minutes in l...
57%
THE RUSH-HOUR TRAFFIC on Artesh Boulevard in northern Tehran was particularly congested the morning of November 29, 2010, when Majid Shahriari, a slim forty-year-old professor of nuclear physics, maneuvered his Peugeot sedan through the bumper-to-bumper gridlock on his way to work. It was only seven forty-five on that Monday morning, but a layer of smog already hovered in the air as Shahriari inched his way toward Shahid Beheshti University, where he was a lecturer. With him in the car were his wife, also a nuclear physics professor and mother of two, and a bodyguard. As the sedan approached a ...
57%
President Ahmadinejad wasted no time laying blame for the attacks on “the Zionist regime and Western governments.”10 Saeed Jalili, general secretary of Iran’s Supreme National Security Council, called the attacks an act of desperation by powerless enemies.
58%
Other Iranian scientists reportedly called in sick to work for several days after the bombings to avoid the fate of their colleagues.14
59%
The news of US involvement in developing and releasing the digital weapon should have created a stir in Washington and in other government circles beyond. But it was largely met with silence, despite the fact that it raised a number of troubling questions—not only about the risks it created for US critical infrastructures that were vulnerable to the same kind of attack, but about the ethical and legal considerations of unleashing a destructive digital attack that was essentially an act of war. Ralph Langner had been right in signing off his original post about Stuxnet the way he did. With ...
62%
Certificate authorities are at the core of the trust relationship that makes the internet function. They issue the certificates that governments, financial institutions, and companies use to sign their software and websites, providing users with assurance that they are downloading a legitimate program made by Microsoft or entering their account login credentials at a legitimate website operated by Bank of America or Gmail. Attacking such an authority would allow the attackers to issue themselves legitimate certificates in the name of any company and use it to sign malware. It went a step ...
63%
Kaspersky faced a battle of mistrust in the West—particularly since founder Eugene Kaspersky had been schooled in a KGB-backed institute and had served in Russia’s military intelligence. But the company slowly made a name for itself in eastern Europe and elsewhere, particularly in the Middle East, where the United States and US firms faced a similar battle of mistrust.
63%
Based on information gleaned from log files provided by some of the victims, the attackers appeared to be particularly interested in swiping AutoCAD files—especially ones related to industrial control systems used in various industries in Iran. AutoCAD, which stands for computer-aided design, is software used for drafting 2D and 3D architectural blueprints and designing computer boards and consumer products; but it’s also used for mapping the layout of computer networks and the machinery on plant floors. The latter would come in handy for someone planning to bomb a factory or launch a digital ...
63%
The attackers were systematic in how they approached their victims, compiling new attack files for each target and setting up separate command servers throughout Europe and Asia so that only two or three infected machines reported to a single server. This segmentation no doubt helped them track different operations and sets of victims, but it also ensured that if any outsider got access to one of the servers, their view of the operation would be very limited.
64%
Sudan had close military ties to Iran—it received $12 million worth of arms from Iran between 2004 and 2006—and was a vocal supporter of Iran’s nuclear program. In 2006, Iran had publicly vowed to share its nuclear expertise with Sudan. Sudan was also a target of UN sanctions. Duqu’s victim in Sudan was a trade services firm that had been infected in April 2011, four months before the infection in Hungary. The malicious code arrived via a phishing attack using the same Dexter zero-day exploit that was used in Hungary. The malicious e-mail, purporting to come from a marketing manager named B. ...
64%
When Duqu’s self-destruct mechanism kicked in after thirty-six days, it was supposed to erase all traces of itself from infected machines so a victim would never know he had been hit. But the Kaspersky team discovered that when Duqu removed itself, it forgot to delete some of the temporary files it created on machines to store the data it stole.
68%
A clear picture was beginning to emerge of a digital arsenal filled with spy tools and weapons created to attack not just Iran’s nuclear program but other targets as well. Two separate platforms had been used to create the malicious code discovered so far. One was the Flame platform, upon which the massive Flame spy tool had been built. The other was the Tilde-d platform, upon which Duqu had been built. The Flame platform was much more dense and complex than the Tilde-d platform, and had therefore probably been created in parallel by a different team. Both platforms, however, were used to ...