Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Author: Kim Zetter
The windowless watch floor was an alphabet soup of three-letter agencies, with intelligence analysts from the CIA and NSA sitting next to law enforcement agents from the FBI and Secret Service and computer security experts from US-CERT and ICS-CERT. Liaisons from all the top telecoms and other critical-infrastructure industries were there as well.
McGurk sent a copy of Stuxnet to ICS-CERT’s lab in Idaho Falls, where analysts determined that the attack code unleashed its payload only on specific models of Siemens PLCs. Two years earlier, the lab’s test-bed program had conducted a vulnerability assessment of the same Step 7 software that Stuxnet was attacking, but the PLC they had used for the tests had been returned to Siemens. Now they had to request that Siemens send another one before they could watch Stuxnet deliver its payload. It took about three weeks for the PLC to arrive, and when it did, a group of Siemens engineers accompanied it.
In the meantime, the researchers in Idaho reverse-engineered the payload code while analysts on the watch floor back in Virginia pored over the missile portion, documenting each of its functions in an extensive flow chart. Within two days, McGurk says, they had catalogued some 4,000 functions in the code—more than most commercial software packages contained—and had also uncovered the four zero-day exploits that Symantec and Kaspersky would later find.
ICS-CERT released an advisory on July 20 announcing to control-system owners that malware targeting the Siemens Step 7 system had been found. But the advisory provided very few details about its operation, saying only that the “full capabilities of the malware and intent … are not yet known.” A subsequent advisory provided a few more details about the zero-day exploits Stuxnet used, plus information about how to detect and remove the malicious code, but said little about what the attack was designed to do and made no mention at all of sabotage. [21]
McGurk says it was the government’s job to help critical-infrastructure owners detect and remove Stuxnet, not to provide extensive analysis of the malware. [22]
A few days after the group’s analysis was complete, McGurk had a conference call with several government agencies and private-industry representatives to review what they had found. In most discussions about malware and vulnerabilities, there were always a few critics in the group who downplayed the vulnerability’s importance or claimed that a piece of malicious code was nothing new. Sometimes other federal agencies were the naysayers; sometimes it was the owners and operators of critical infrastructure or the vendor that made the control system that was being discussed. But as McGurk laid out the details of Stuxnet there was only silence on the phone. “Everyone had that ‘oh shit’ moment all at the same time,” he says. [23]
Oddly, the source of Stuxnet never came up, either during the call or on the NCCIC watch floor. McGurk says that when the code first arrived, intelligence analysts from various agencies on the floor searched their classified data sources for any information or reports related to the worm, but came up with nothing. He also says no one on the watch floor wondered out loud if the worm had been spawned by the United States. An outsider might question why no one on the watch floor turned to the CIA or NSA analysts sitting in the room to ask with a wink, “Is this one of yours?” But McGurk insists this never occurred to them because attribution wasn’t the watch floor’s concern. Their mission was to uncover an attack code’s capabilities and determine the best way for US networks to defend against it.
“At first when you look at [malware]… your assumption is that it’s not friendly fire. You don’t think the sniper on the roof is one of your guys shooting at you,” he says. “It could turn out to be … But in the heat of it, at the very beginning, you’re not overly concerned, nor do you naturally default to [that.]”
But very quickly, Stuxnet became “an item of high interest” in Washington. Over the next few weeks and months, McGurk gave briefings to a number of high-level groups—to DHS secretary Janet Napolitano, to John Brennan and other members of the White House National Security staff, to the Senate and House intelligence committees, the DoD, and the Defense Intelligence Agency. He even went to Fort Meade to brief Gen. Keith Alexander, director of US Cyber Command and the NSA—the very entities that many in the security community suspected were behind the attack.
At Fort Meade, a dozen senior military, government, and intelligence leaders sat listening to McGurk as he described what his team had found, but the question of whether the United States was behind the attack never came up. They asked McGurk if Stuxnet was directed against US control systems and how many US systems were vulnerable to the malicious code. [24]
They were also curious to know if McGurk’s team could tell who the intended target was. And finally they asked if there was anything in the code that gave away its source. McGurk told them no, there were no clues revealing who was behind the attack. There weren’t even any familiar “footprints” in the code that matched the modus operandi of known hacker groups or nation-state spies.
McGurk maintains that never, either in classified briefings or in open testimony with lawmakers, did anyone ask him the question that was on everyone else’s mind. “I don’t think, even jokingly, did someone say in a formal briefing, ‘Hey did we do this?’ Because that’s just not the way those interactions occur. I’m sure there was speculation elsewhere, but it wasn’t done at our level.”
McGurk says he also never got the impression from anyone he briefed that Stuxnet was a homemade job. “When I was in a room, regardless of who the audience was, whether it was senior intelligence folks—and I mean senior intelligence folks—I never got the impression that this was all smoke-and-mirrors for them,” he says. “The same thing inside the Department of Homeland Security, when I was briefing up to the secretariat level. Never did I get the impression that, you know, they already knew this … and they were just hoping that I would go away.”
Nor did anyone suggest to McGurk that he should pull his team off of Stuxnet either. “No one said hey, cease and desist, leave it alone, don’t go there,” he says. “We were actually getting a lot of cooperation from all of those organizations … assisting with the analysis and assisting with the understanding of what type of threat this actually posed.”
But even if officials in Washington weren’t openly asking the obvious question, there was little doubt among experts and observers that the United States was behind the attack—either alone or with Israel—and it seemed only a matter of time before the details behind the attack got out.
Ralph Langner’s assertion that Stuxnet was a precision weapon aimed at Iran’s nuclear program must have caused a lot of consternation and panic in the halls of the White House and the Pentagon, as a plot that had been meticulously planned and executed over a number of years was slowly unraveling before their eyes.
1. All quotes from Langner come from interviews conducted with him in 2010, 2011, and 2012.
2. “Ladder logic” is a generic term to describe the structure of commands used to code a control system. The name comes from the ladderlike structure of the programming, which lays out each process in a step-by-step, sequential fashion.
3. In its initial announcement, Siemens said it had assembled a team of experts to evaluate Stuxnet and would begin alerting customers to their potential risk of infection from it. The company later said that less than two dozen of its customers were infected with Stuxnet. The company’s second announcement had to do with the hard-coded database password in the Siemens software that Stuxnet used to spread. Siemens warned customers against changing the password at the risk of disrupting critical functions in their systems. “We will be publishing customer guidance shortly, but it won’t include advice to change default settings as that could impact plant operations,” a spokesman said a week after Stuxnet was exposed. See Robert McMillan, “After Worm, Siemens Says Don’t Change Passwords,” PCWorld.com, July 19, 2010.
4. The vulnerability is partly due to the fact that the Siemens system lacked authentication, which allowed rogue ladder logic to be sent to the PLC. If the system had required the code to be digitally signed, the PLC would not have accepted it.
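As an added illustration of the point this note makes (this is example code written for this edition, not code from the book, from Siemens, or from the Step 7 product), the following Go program models two controllers side by side: a legacy PLC that loads whatever ladder logic arrives over the programming link, and a hardened PLC that is provisioned with the engineering station's Ed25519 public key and refuses any block whose signature does not verify. The block layout, the block names, the placeholder ladder bytes and the key handling are all assumptions made for the example; a real Step 7 block is not structured this way.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LogicBlock is a constructed stand-in for a program block sent to a PLC.
// The Ladder bytes are placeholder text, not a real Step 7 block layout.
type LogicBlock struct {
	Name      string
	Ladder    []byte
	Signature []byte // Ed25519 signature over digest(Name, Ladder); empty when unsigned
}

// digest binds the block name to its contents so a valid signature for one
// block cannot be transplanted onto a block of the same bytes under another name.
func digest(name string, ladder []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator between name and contents
	h.Write(ladder)
	return h.Sum(nil)
}

// SignBlock is the step the authorised engineering station performs before a download.
func SignBlock(priv ed25519.PrivateKey, name string, ladder []byte) LogicBlock {
	return LogicBlock{Name: name, Ladder: ladder, Signature: ed25519.Sign(priv, digest(name, ladder))}
}

// LegacyPLC models the behaviour the note describes: no authentication, so
// whatever arrives over the programming link is loaded.
type LegacyPLC struct{ Program map[string][]byte }

func (p *LegacyPLC) Download(b LogicBlock) error {
	if p.Program == nil {
		p.Program = make(map[string][]byte)
	}
	p.Program[b.Name] = b.Ladder
	return nil
}

// SigningPLC models the hardened behaviour: the controller holds the public key
// of the one station allowed to program it and loads nothing that key did not sign.
type SigningPLC struct {
	Trusted ed25519.PublicKey
	Program map[string][]byte
}

var (
	ErrUnsigned     = errors.New("block rejected: no signature")
	ErrBadSignature = errors.New("block rejected: signature does not verify against trusted key")
)

func (p *SigningPLC) Download(b LogicBlock) error {
	if len(b.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(p.Trusted, digest(b.Name, b.Ladder), b.Signature) {
		return ErrBadSignature
	}
	if p.Program == nil {
		p.Program = make(map[string][]byte)
	}
	p.Program[b.Name] = b.Ladder
	return nil
}

// Outcome records the result of each download attempt.
type Outcome struct {
	LegitOnSigning    error // properly signed block on the hardened PLC
	UnsignedOnSigning error // block with no signature on the hardened PLC
	TamperedOnSigning error // genuine signature, contents swapped in transit
	UnsignedOnLegacy  error // the same unsigned block on the legacy PLC
}

// RunScenario generates a fresh key pair for the engineering station and
// plays the downloads against both PLC models.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample blocks; the contents are illustrative strings only.
	legit := SignBlock(priv, "MainCycle", []byte("constructed ladder: read inputs, update outputs"))
	unsigned := LogicBlock{Name: "MainCycle", Ladder: []byte("constructed replacement ladder")}
	tampered := legit
	tampered.Ladder = unsigned.Ladder // keep the real signature, swap the logic

	hardened := &SigningPLC{Trusted: pub}
	legacy := &LegacyPLC{}
	return Outcome{
		LegitOnSigning:    hardened.Download(legit),
		UnsignedOnSigning: hardened.Download(unsigned),
		TamperedOnSigning: hardened.Download(tampered),
		UnsignedOnLegacy:  legacy.Download(unsigned),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("signed block on signing PLC:  ", o.LegitOnSigning)
	fmt.Println("unsigned block on signing PLC:", o.UnsignedOnSigning)
	fmt.Println("tampered block on signing PLC:", o.TamperedOnSigning)
	fmt.Println("unsigned block on legacy PLC: ", o.UnsignedOnLegacy)
}
```

The tampered case is the one worth noticing: a signature copied from a genuine block does not help once the contents change, because the controller verifies the signature over the block it actually received. The legacy model accepts the same block without complaint, which is the gap the note is describing.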
5. See ICS-CERT Advisory ICSA-10-201-01C, “USB Malware Targeting Siemens Control Software,” August 2, 2010, with subsequent updates available at ics-cert.us-cert.gov/advisories/ICSA-10-201-01C; and ICS-CERT Advisory ICSA-10-238-01B, “Stuxnet Malware Mitigation,” September 15, 2010, available at ics-cert.us-cert.gov/advisories/ICSA-10-238-01B.
6. A couple of weeks later, Iranian officials denied that Stuxnet was the cause and instead attributed the delay to a leak in a pool near the reactor.
7. The screenshot, taken by a UPI photographer, includes a caption identifying it as a computer screen at Bushehr and says the image was snapped in February 2009. Some critics have disputed the accuracy of the caption, saying the image appears to show a water-treatment facility and not Bushehr, but water-treatment facilities are generally part of nuclear plant operations, which would explain how both could be true. The image can be seen at upi.com/News_Photos/Features?The-Nuclear-Issue-in-Iran/1581/2/.
8. “Stuxnet logbook, Sept 16, 2010, 1200 hours MESZ,” available at langner.com/en/2010/09/16/stuxnet-logbook-sep-16-2010-1200-hours-mesz.
9. The article appeared in the German newspaper Frankfurter Allgemeine Zeitung on September 22, 2010. The article is in German, but he describes its content in English in the blog post published on his website, available at frank.geekheim.de/?p=1189.
10. At the time he speculated about Bushehr, Langner wasn’t aware that the nuclear reactor plant didn’t have centrifuges. Once that became clear, he continued to think that Bushehr was the target, but thought the equipment Stuxnet was attacking was a turbine or generator at the plant. It was only later, when more information came out about the exact devices Stuxnet was targeting, that he concluded that Natanz was in fact a match for Stuxnet, not Bushehr.
11. Dan Williams, “Wary of Naked Force, Israelis Eye Cyberwar on Iran,” July 7, 2009, available at reuters.com/article/2009/07/07/us-israel-iran-cyberwar-analysis-idUSTRES663EC20090707.
12. The WikiLeaks post can be seen at mirror.wikileaks.info/wiki/Serious_nuclear_accident_may_lay_behind_Iranian_nuke_chief%27s_mystery_resignation/.
13. The story was published at news.bbc.co.uk/2/hi/8153775.dtm. Although it’s possible Aghazadeh’s resignation was related to something that occurred at Natanz in late June 2009, it was just as likely related to politics. In addition to being head of Iran’s Atomic Energy Organization, Aghazadeh was Iran’s vice president. He resigned both positions simultaneously, two weeks after Iran’s hotly contested presidential elections on June 12, 2009. Aghazadeh had aligned himself with President Ahmadinejad’s political challenger, Mir-Hossein Mousavi, and there was speculation that vehement protests over the legitimacy of the election results made it impossible for Aghazadeh to retain his government positions once Ahmadinejad’s victory was sanctioned. There’s also a problem of timing, which doesn’t quite align with the June 2009 version of Stuxnet. According to the BBC report, Aghazadeh resigned sometime around June 26. But the June 2009 version of Stuxnet was unleashed June 22, and once it found itself on the right PLC, it took thirteen days for the sabotage to begin. So unless an earlier version of Stuxnet or something else caused an accident at Natanz, the timing didn’t match Aghazadeh’s resignation.
14. Author interview, September 2010.
15. John Markoff, “A Silent Attack, but Not a Subtle One,” New York Times, September 26, 2010.
16. Laurent Maillard, “Iran Denies Nuclear Plant Computers Hit by Worm,” Agence France-Presse, September 26, 2010, available at iranfocus.com/en/index.php?option=com_content&view=article&id=21820.
17. David E. Sanger, “Iran Fights Malware Attacking Computers,” New York Times, September 25, 2010.
18. Six months later, a report from the Iranian Passive Defense Organization, a military organization chaired by Revolutionary Guard General Gholam-Reza Jalali, which is responsible for defending Iran’s nuclear facilities, contradicted these statements. It stated that Stuxnet had so thoroughly infected computers at Bushehr that work at the plant had to be halted indefinitely. The report claimed that if Bushehr went online, the worm would “bring the generators and electrical power grid of the country to a sudden halt.” There were plenty of reasons to doubt the report’s conclusions, however, since it contained a number of exaggerations about Stuxnet’s known capabilities—such as the claim that the worm could “destroy system hardware step-by-step”—and the fact that the configuration Stuxnet was seeking didn’t match what one would find at the nuclear power plant. All of this suggested that Iran might be using Stuxnet as an excuse to explain delays at Bushehr. But there was also the possibility that a different digital attack—a modified version of Stuxnet—might have been released separately against Bushehr. See Ken Timmerman, “Computer Worm Wreaking Havoc on Iran’s Nuclear Capabilities,” Newsmax, April 27, 2011, available at newsmax.com/KenTimmerman/iran-natanz-nuclear-stuxnet/2011/04/27/id/394327.
19. Maillard, “Iran Denies Nuclear Plant Computers Hit by Worm.”
20. There were other statements made by officials that, if true, suggested that other versions of Stuxnet existed. Mahmoud Liayi, head of the information technology council at the Ministry of Industries, told reporters that when Stuxnet got activated, “the industrial automation systems start[ed] transmitting data about production lines” to an outside destination. Gen. Gholam-Reza Jalali had stated at a press conference in 2011 that the worm was discovered communicating with systems in Israel and Texas. There, data about infected machines was processed by the worm’s architects, who then engineered plots to attack the nuclear program. (See “Iran Military Official: Israel, US Behind Stuxnet Computer Worm,” Associated Press, April 16, 2011, available at haaretz.com/news/world/iran-military-official-israel-u-s-behind-stuxnet-computer-worm-1.356287.) But the three versions of Stuxnet that were discovered communicated with command servers in Denmark and Malaysia. This doesn’t discount that another version was somehow traced to Texas or that a spy tool that preceded Stuxnet might have been traced to Texas. But although the NSA does in fact have an elite hacking team based in the Lone Star state, it seems unlikely that they would have made a mistake that allowed the worm or a spy tool to be traced to them.
21. ICS-CERT Advisory ICSA-10-201-01, “USB Malware Targeting Siemens Control Software,” and ICS-CERT Advisory ICSA-10-238-01B, “Stuxnet Malware Mitigation.”
22. The ICS-CERT advisories did provide a link to Symantec’s website for additional information about the code, but didn’t specify what readers would find there.
23. All quotes from McGurk from author interview, September 2012.
24. The Siemens Step 7 system, it turned out, made up less than 10 percent of the US control-system market. Analysts at NCCIC determined this by consulting a database used by research firms that provides statistics on the market penetration of various products—including the number of industrial control systems made by specific vendors that had been sold in the United States. They determined that most of the US Step 7 systems were being used in manufacturing facilities, though there were also some Step 7 systems used in agriculture and water treatment and power plants.