Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Author: Kim Zetter
The attack didn’t stop there, however. If programmers noticed something amiss with a turbine or other equipment controlled by the PLC and tried to view the command blocks on the PLC to see if it had been misprogrammed, Stuxnet intervened and prevented them from seeing the rogue code. It did this by intercepting any requests to read the code blocks on the PLC and serving up sanitized versions of them instead, minus the malicious commands. If a troubleshooting engineer tried to reprogram the device by overwriting old blocks of code on the PLC with new ones, Stuxnet intervened and infected the new code with its malicious commands too. A programmer could reprogram the PLC a hundred times, and Stuxnet would swap out the clean code for its modified commands every time.
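The read and write interception described above, as an added toy model that is not Stuxnet's code and not from the book: a hooked driver strips the injected instruction from every block read and re-injects it on every write, so an integrity check that goes through the hooked path passes while an independent read of the same block fails. The block name OB35 comes from the text; the instruction strings and the class and function names are constructed placeholders.

```python
import hashlib

# Constructed toy model of the PLC block-hiding behaviour described above.
# INJECTED stands in for the rogue commands; it is a placeholder, not real code.
INJECTED = "CALL FC_ROGUE"


class PlcBlockStore:
    """The PLC's real code blocks, i.e. what actually executes."""

    def __init__(self, blocks):
        self.blocks = {name: list(code) for name, code in blocks.items()}

    def read(self, name):
        return list(self.blocks[name])

    def write(self, name, code):
        self.blocks[name] = list(code)


class HookedDriver:
    """Engineering-station driver whose read and write paths are hooked."""

    def __init__(self, plc):
        self.plc = plc

    def read(self, name):
        # Serve a sanitized view: the rogue instruction never reaches the engineer.
        return [ins for ins in self.plc.read(name) if ins != INJECTED]

    def write(self, name, code):
        # Re-infect whatever the engineer uploads, however many times they try.
        clean = [ins for ins in code if ins != INJECTED]
        self.plc.write(name, clean + [INJECTED])


def block_hash(code):
    return hashlib.sha256("\n".join(code).encode()).hexdigest()


def integrity_check(read_fn, name, golden_hash):
    """True if the block obtained through read_fn matches the known-good hash."""
    return block_hash(read_fn(name)) == golden_hash


def demo(reprogram_attempts=3):
    golden = ["L DB1.DBW0", "BE"]          # constructed sample block body
    golden_hash = block_hash(golden)
    plc = PlcBlockStore({"OB35": golden})
    station = HookedDriver(plc)
    for _ in range(reprogram_attempts):    # each "clean" reload is re-infected
        station.write("OB35", golden)
    via_station = integrity_check(station.read, "OB35", golden_hash)
    via_plc = integrity_check(plc.read, "OB35", golden_hash)
    return via_station, via_plc, plc.read("OB35")
```

The check that passes is the only one an operator can run from the infected station; the discrepancy shows up only when the block is read through a path the hook does not control, such as a separate trusted host compared against a stored golden hash.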
Falliere was stunned by the attack’s complexity—and by what it implied. It was suddenly clear that Stuxnet wasn’t trying to siphon data out of the PLC to spy on its operations, as everyone had originally believed. The fact that it was injecting commands into the PLC and trying to hide that it was doing so while at the same time disabling alarms was evidence that it was designed not for espionage but for sabotage.
But this wasn’t a simple denial-of-service attack either. The attackers weren’t trying to sabotage the PLC by shutting it down—the PLC remained fully functional throughout the attack—they were trying to physically destroy whatever process or device was on the other end of the PLC. It was the first time Falliere had seen digital code used not to alter or steal data but to physically alter or destroy something on the other end of it.
It was a plot straight out of a Hollywood blockbuster film. A Bruce Willis blockbuster, to be exact. Three years earlier, Live Free or Die Hard had imagined such a destructive scenario, albeit with the typical Hollywood flair for bluster and creative license. In the film, a group of cyberterrorists, led by a disgruntled former government worker, launch coordinated cyberattacks to cripple the stock market, transportation networks, and power grids, all to distract authorities from their real aim—siphoning millions of dollars from government coffers. Chaos ensues, along with the requisite Die Hard explosions.
But Hollywood scenarios like this had long been dismissed by computer security pros as pure fantasy. A hacker might shut down a critical system or two, but blow something up? It seemed improbable. Even most of the explosions in Die Hard owed more to physical attacks than to cyber ones. Yet here was evidence in Stuxnet that such a scenario might be possible. It was leaps and bounds beyond anything Falliere had seen before or had expected to find in this code.
For all of its size and success, Symantec was in the end just a nerdy company, in the business of protecting customers. For fifteen years the adversaries they had battled had been joy-riding hackers and cybercriminals or, more recently, nation-state spies hunting corporate and government secrets. All of them were formidable opponents to varying degrees, but none were bent on causing physical destruction. Over the years, malware had gone through a gradual evolution. In the early days, the motivations of malware writers remained pretty much the same. Though some programs were more disruptive than others, the primary goal of virus writers in the 1990s was to achieve glory and fame, and a typical virus payload included shout-outs to the hacker’s slacker friends. Things changed as e-commerce took hold and hacking grew into a criminal enterprise. The goal wasn’t to gain attention anymore but to remain stealthy in a system for as long as possible to steal credit card numbers and bank account credentials. More recently, hacking had evolved into a high-stakes espionage game where nation-state spies drilled deep into networks to remain there for months or years while silently siphoning national secrets and other sensitive data.
But Stuxnet went far beyond any of these. It wasn’t an evolution in malware but a revolution. Everything Falliere and his colleagues had examined before, even the biggest threats that targeted credit card processors and Defense Department secrets, seemed minor in comparison. Stuxnet thrust them into an entirely new battlefield where the stakes were much higher than anything they had dealt with before.
There had long been a story floating around that suggested something like this might have occurred before, but the tale has never been substantiated. According to the story, in 1982 the CIA hatched a plot to install a logic bomb in software controlling a Russian gas pipeline in order to sabotage it. When the code kicked in, it caused the valves on the pipeline to malfunction. The result was an explosive fireball so fierce and large that it was caught by the eyes of orbiting satellites.[3]
Back in Culver City, Chien wondered if there had been unexplained explosions in Iran that could be attributed to Stuxnet. When he searched the news reports, he was startled to find a number of them that had occurred in recent weeks.[4]
Toward the end of July, a pipeline carrying natural gas from Iran to Turkey had exploded outside the Turkish town of Dogubayazit, several miles from the Iranian border. The blast, which shattered windows of nearby buildings, left a raging blaze that took hours to extinguish.[5]
Another explosion occurred outside the Iranian city of Tabriz, where a 1,600-mile-long pipeline delivered gas from Iran to Ankara. Yet a third explosion ripped through a state-run petrochemical plant on Kharg Island in the Persian Gulf and killed four people.[6]
Weeks later, a fourth gas explosion occurred at the Pardis petrochemical plant in Asalouyeh, killing five people and injuring three.[7]
It occurred just a week after Iranian president Mahmoud Ahmadinejad had visited the plant.
The explosions didn’t all go unexplained. Kurdish rebels claimed responsibility for the ones at Dogubayazit and Tabriz, and the Iranian news agency, IRNA, attributed the Kharg Island fire to high-pressure buildup in a central boiler.[8]
The explosion at Pardis was blamed on a leak of ethane that ignited after workers began welding a pipeline. But what if one or more of the explosions had actually been caused by Stuxnet? Chien wondered.
This was much more than anyone on the team had bargained for when they first began deconstructing Stuxnet weeks earlier. If Stuxnet was doing what Chien and his colleagues thought it was doing, then this was the first documented case of cyberwarfare.
Chien, O’Murchu, and Falliere convened on the phone to discuss their options. They still didn’t know what exactly Stuxnet was doing to the PLC or even the identity of its target, but they knew they had to reveal what they’d learned about its payload so far. So on August 17, 2010, they went public with the news that Stuxnet wasn’t an espionage tool as everyone had believed but a digital weapon designed for sabotage. “Previously, we reported that Stuxnet can steal code … and also hide itself using a classic Windows rootkit,” Falliere wrote in his typical understated tone, “but unfortunately it can also do much more.”[9]
To illustrate Stuxnet’s destructive capability, they referenced the 1982 attack on the Siberian pipeline. Their words had been carefully parsed by the company’s PR team, but there was no denying the shocking nature of what they implied. As soon as the post went public, they waited on edge for the community’s response. But instead of the dramatic reaction they thought they would get, all they got in return was, in Chien’s words, “silence like crickets.”
Chien was confused by the lack of response. After all, they were talking about digital code that was capable of blowing things up. They had assumed, at the very least, that once they published their findings, other researchers would publish their own research on Stuxnet. That was the way malware research worked—whenever new attack code was uncovered, teams of competing researchers at different firms worked to decipher the code simultaneously, each one racing to be the first to publish their results. As soon as one team published, the others quickly weighed in to deliver their own findings. If multiple groups arrived at the same results, the duplicate work served as an informal peer-review process to validate all of their findings. The silence that greeted their post about Stuxnet, then, was unusual and disconcerting—Chien began to wonder if they were the only team examining the payload or if anyone else even cared about it.
For a brief moment, he questioned their decision to devote so much time to the code. Had everyone else seen something that made them dismiss it as insignificant, something that Chien and his team had completely missed? But then he reviewed everything they had discovered in the past few weeks. There was no possible way they could have been wrong about the code, he concluded—either about Stuxnet’s importance or its aggressive intentions.
As for continuing their research, there was no question anymore that they had to press on. If anything, their work on the code seemed more urgent than before. They had just announced to the world that Stuxnet was a digital weapon designed for physical destruction. But they still hadn’t identified the malware’s target. Having made a public declaration about the code’s destructive aim, they worried that the attackers might suddenly feel pressure to accelerate the mission and destroy their target. That is, if they hadn’t already done so.
And apparently, they weren’t the only ones concerned about the possibility of things blowing up. Five days after they published their announcement, the steady stream of traffic still coming into their sinkhole from Stuxnet-infected machines in Iran suddenly went dark. It seemed that someone in the Islamic Republic had taken note of their news. To prevent the attackers or anyone else from remotely accessing the infected machines and doing some damage, someone in Iran had finally got wise and given the order to sever all outbound connections from machines in that country to Stuxnet’s two command-and-control domains.
1. Symantec acquired SecurityFocus in 2002.
2. There was very little whimsy in Stuxnet or anything that seemed superfluous. But in the part of the code responsible for intercepting the OB35 blocks, the attackers had placed a “magic marker” (a value placed in code that signifies a condition or triggers an action) that seemed like a bit of an inside joke—0xDEADF007. The marker was the hexadecimal representation of a number. When Stuxnet checked conditions on the system it was sabotaging to determine when it should start disabling the safety system, a magic marker was produced to indicate when conditions were right to disable the system. The attackers could have chosen any random number—1234—but chose one that when written in hexadecimal produced a word and numbers—DEADF007. It wasn’t uncommon for programmers to use whimsical values in their code to spell words in hexadecimal. For example, the first four bytes of Java class files translate to “0xCAFEBABE” in hexadecimal. 0xDEADBEEF is another hexadecimal value that in hacker-speak refers to a software crash. So Chien wondered if 0xDEADF007 in Stuxnet might actually mean “dead fool”—a derogatory way to indicate when the safety system was no longer functional—or “dead foot.” Dead foot is an expression used by airplane pilots to refer to an engine failure, “Dead foot, dead engine” being the maxim to help pilots realize quickly in a stressful situation that when a foot pedal is dead it means an engine is out—the pilot essentially has no control of the engine. Similarly “DEADF007” in Stuxnet signaled the point at which operators in Iran lost control of their PLCs while Stuxnet was sabotaging them, preventing both the safety system from initiating its own automatic shutdown and operators from stepping in to do an emergency manual shutdown. It made Chien wonder if one or more of Stuxnet’s authors were pilots.
3. For more on the story of the alleged pipeline sabotage, see this page.
4. Con Coughlin, “Who’s Blowing up Iran’s Gas Pipelines?” The Telegraph, August 18, 2010, available at blogs.telegraph.co.uk/news/concoughlin/100050959/whos-blowing-up-irans-gas-pipelines.
5. Agence France-Presse, “Suspected Kurd Rebels Blow up Iran–Turkey Gas Pipeline,” July 21, 2010, available at institutkurde.org/en/info/latest/suspected-kurd-rebels-blow-up-iran-turkey-gas-pipeline-2372.html.
6. “Petrochemical Factory Blast Kills 4 in Iran,” Associated Press, July 25, 2010, available at gainesville.com/article/20100725/news/100729673.
7. “Explosion in Petrochemical Complex in Asalouyeh Kills 5,” Tabnak News Agency, August 4, 2010, available at tabnak.ir/en/news/180.
8. Ivan Watson and Yesim Comert, “Kurdish Rebel Group Claims Responsibility for Gas Pipeline Blast,” CNNWorld, July 21, 2010, available at articles.cnn.com/2010-07-21/world/turkey.pipeline.blast_1_pkk-kurdistan-workers-party-ethnic-kurdish-minority?_s=PM:WORLD.
9. Nicolas Falliere, “Stuxnet Introduces the First Known Rootkit for Industrial Control Systems,” Symantec blog, August 6, 2010, available at symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-industrial-control-systems. Note that the date on the blog post is August 6, but that’s the date the post was first published with news of the PLC rootkit. They updated it when they added the news that Stuxnet was bent on sabotage.
Fifty miles outside Idaho Falls, Idaho, on a vast desert prairie owned by the Department of Energy’s Idaho National Lab, a handful of engineers shivered against the cold as they paced around a generator the size of a small bus parked on a slab of concrete. It was March 4, 2007, and the workers were making final safety checks for a groundbreaking test they were about to conduct.
About a mile away at the lab’s visitor’s center, a group of officials from Washington, DC, as well as executives from the power industry and NERC, the North American Electric Reliability Corporation, gathered in a theater warming their hands around cups of steaming coffee as they waited for a live feed of the demo to begin.