Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Author: Kim Zetter
When news of the attacks on the scientists reached Ralph Langner in Germany, his stomach dropped. He wondered if his team’s work exposing Stuxnet had pushed the attackers to take even more drastic measures than he’d expected them to take once their digital attack was exposed. It underscored for him the reality that their work on Stuxnet had placed them in the midst of a very dark and bloody business.
Symantec’s researchers were no less shaken by the news. During the months they had worked on Stuxnet, black humor and paranoia had hung in the air, a by-product of the uncertainty about who was behind the attack or what they were capable of doing. O’Murchu began hearing strange clicking sounds on his phone, making him think it was tapped, and one Friday afternoon as he left the office to go home, he joked to Chien and Falliere that if he turned up dead over the weekend, he wanted them to know in advance that he wasn’t suicidal. Chien for his part had begun glancing around his neighborhood each morning when he left the house to see if anyone was watching him. He never seriously believed he was in danger, though, and the day that news of the attacks on the scientists broke, he joked to O’Murchu that if motorcyclists ever approached his car, he’d take out the driver with a quick swerve of his wheels. But when he drove away from work that day and stopped at the first traffic light, he was momentarily startled when he saw a motorcyclist pull up behind in his rearview mirror.
None of them really thought assassins would target them for their work on Stuxnet, but it was clear that the dynamics of virus hunting had changed with Stuxnet, and that going forward companies like theirs would be forced to make new risk calculations about the information they exposed.
At various points in their work on Stuxnet, they had debated whether to withhold information they uncovered or to release it anonymously. In the end, although they did withhold some of the details they found—such as the identity of Stuxnet’s five initial victims—they decided in favor of disclosure, believing that the more information they released, the better it would be for everyone to defend against Stuxnet and any copycat attacks. There was just one thing, they concluded, that would have merited censorship, and that was the identity of the attackers. But in the end this was a moot point, since they never did uncover definitive proof of who was behind the attack.
In fact, they also never found incontrovertible proof that Stuxnet targeted Natanz. Although the information about the frequency converters added a major piece to the Stuxnet puzzle, they found no evidence that the specific configuration Stuxnet targeted existed at Natanz. It took David Albright and his colleagues at the Institute for Science and International Security to provide the last bit of evidence.
Symantec published its last report on the frequency converters in mid-November, but it wasn’t until two weeks later that Albright made the final connection. It happened one day in December when he was sitting in a meeting with his staff at ISIS, along with a handful of centrifuge experts they had invited to their office to discuss Iran’s nuclear program, and the group began puzzling over a mystery that had been bothering them for more than a year.
ISIS had published the satellite images of Natanz back in 2002 to pressure Iran into letting UN inspectors examine the enrichment plant, and Albright and his staff had been following Iran’s nuclear progress ever since, sometimes gleaning information from government sources but mostly gathering it from the quarterly reports the IAEA published about its inspections. The latter reports were the only inside view that most Iran-watchers had of Natanz.
For eighteen months, Albright and his staff had been scratching their heads over fluctuating numbers that appeared in the reports. Every three months, the inspectors listed the number of centrifuges and cascades the Iranians had installed at Natanz, as well as the number of centrifuges that were actually enriching gas, as opposed to the ones that were just sitting in cascades empty. They also reported the amount of gas Iranian technicians fed into the centrifuges and the amount of enriched gas the centrifuges produced from this.
For most of 2007 and 2008 all of these numbers had risen fairly steadily with occasional glitches. But in mid- to late 2009, the numbers began to noticeably change. The amount of enriched gas being produced by the centrifuges suddenly dropped, and centrifuges that were once spinning in eleven out of eighteen cascades in one of the rooms at Natanz were eventually disconnected. There was no indication in the reports about why this occurred, though it was clear that something was wrong.
Albright and his colleagues had puzzled over the changes for many months, considering the data from various angles: perhaps the problems were due to poorly manufactured components or inferior materials, or perhaps the technicians had simply installed the pipes and valves in the cascades incorrectly, causing gas to leak out of them. None of the explanations, however, seemed to account for all of the changes they had seen in the reports. Now in December 2010 as they sat with their guests discussing the anomalies, someone mentioned Stuxnet and Symantec’s recent report about the frequency converters. Albright hadn’t read the report, but knew that Iran used frequency converters made by Vacon, the Finnish company mentioned by Symantec, and that it had also purchased converters in the past from Turkey and Germany. But he had never heard of Fararo Paya converters before. This was significant: he and his staff closely followed Iran’s procurement and manufacturing activities for the nuclear program and weren’t aware that Iran was making its own converters. If Iran was using such converters at Natanz, then the attackers had knowledge of the enrichment program that even some of its closest watchers didn’t possess.
When the meeting was over and he went back to his desk, Albright pulled up the report from Symantec to examine it carefully. He also found a report that Langner had written about the disabled 417 attack code. He spent the next couple of weeks sifting through the technical details of the attacks and even contacted Chien for explanations about some of the things he didn’t understand. As he and Chien were talking one day, something struck him that he hadn’t noticed before. Each time Stuxnet completed a round of sabotage on the frequency converters, it reset their frequency to 1,064 Hz. The number leapt out at him. Albright knew that centrifuge motors had different optimal frequencies for operating, depending on the model of the centrifuge and the materials from which it was made. And the optimal frequency for the IR-1 centrifuges at Natanz was exactly 1,064 Hz.
What’s more, the 1,064 Hz frequency was very specific to IR-1 centrifuges. No other centrifuge had this nominal frequency, and there was no country outside of Iran that used them. (Although the IR-1s were based on the P-1 centrifuge design that Pakistan had used during the early years of its enrichment program, Pakistan had since moved on to more advanced designs, which operated at different frequencies.)
The optimal frequency for the IR-1s wasn’t widely known, however. Albright knew it only because a government source had told him in 2008. But even though the optimal frequency was 1,064 Hz, the source told him that Iran actually operated its centrifuges at a slightly lower frequency, which Albright and his staff learned was 1,007 Hz, due to their tendency to break at higher speeds. Albright thought about the discrepancy for a minute. Either the Stuxnet attackers weren’t aware that Iran had made this change, or Iran had reduced the frequency of its centrifuges some time after the attackers had already written their code.
But this wasn’t the only detail that stood out to Albright. He also noticed that when Stuxnet conducted its attack, it increased the frequency of the converters to 1,410 Hz for fifteen minutes, which was nearly the maximum frequency an IR-1 rotor could withstand before it would begin to break from stress.
Then he looked at what Symantec and Langner had written about the 417 attack code. Although what they knew about the attack was still pretty sketchy, they knew it targeted devices that were configured into six arrays of 164 devices each. Centrifuges at Natanz, Albright knew, were installed 164 to a cascade, suggesting the 417 attack had targeted six cascades containing 984 centrifuges.
Chien also told Albright that instead of changing frequencies like the 315 attack, the 417 attack sequence appeared to simply be turning devices on or off. Albright and his colleagues ran down the list of components in a uranium enrichment plant that might fit this scenario, and the only one that made sense to them was valves.
Centrifuges at Natanz each had three valves that controlled the movement of gas in and out of them, plus auxiliary valves that controlled the movement of gas in and out of the cascade and between rows of centrifuges in a cascade. Albright and his staff ran through various scenarios to determine what would happen if certain valves were opened or closed with malicious intent for extended periods of time, and in each scenario the outcome was likely damaged or destroyed centrifuges.
It was clear to Albright that they had finally found the answer to the puzzling numbers they had seen in the IAEA reports. In statements made to the press, Ahmadinejad had insisted that the damage done to centrifuges by the virus sent by the West was limited. But to Albright, the numbers that appeared in IAEA reports around the time that Iran said the virus had struck appeared to indicate that at least 1,000 centrifuges might have been damaged or replaced during that period.
Albright published a paper discussing his thoughts that appeared to resolve the Natanz question once and for all. Then, shortly after he did, the New York Times came out with a story that seemed to resolve Stuxnet’s most enduring mystery—who had created and launched it. The story surprised no one in its findings. The paper reported that Stuxnet was a joint operation between Israel and the United States, with a little bit of assistance, witting or otherwise, from the Germans and the British.[18]
According to the story, which relied on anonymous sources, the worm had been written by US and Israeli coders and tested at Israel’s Dimona complex in the Negev Desert—the site that developed Israel’s own illicit nuclear weapons program in the 1960s. Dimona was enlisted to set up a test-bed of Siemens controllers and centrifuges, which were identical to the IR-1s at Natanz, to measure the effectiveness of the worm at destroying the spinning devices. But a US lab also played a role in the tests. In 2004, the Oak Ridge National Laboratory in Tennessee had obtained some P-1 centrifuges, the type that Iran’s IR-1s were modeled on, and the British, who were partners in the Urenco consortium that had created the original centrifuge designs, may have played a role. When testing was completed, the United States and Israel worked together to target the machines in Iran.
When asked about the role the United States might have played in Stuxnet, Gary Samore, Obama’s chief adviser on weapons of mass destruction and arms control, simply smiled at a Times reporter and said, “I’m glad to hear they are having troubles with their centrifuge machines, and the US and its allies are doing everything we can to make it more complicated.”[19]
The news of US involvement in developing and releasing the digital weapon should have created a stir in Washington and in other government circles beyond. But it was largely met with silence, despite the fact that it raised a number of troubling questions—not only about the risks it created for US critical infrastructures that were vulnerable to the same kind of attack, but about the ethical and legal considerations of unleashing a destructive digital attack that was essentially an act of war. Ralph Langner had been right in signing off his original post about Stuxnet the way he did. With confirmation, albeit unofficial, that Israel and the United States were behind the attack, the world had now formally entered the age of cyberwarfare.
Notes

1. This and all quotes from Chien are from author interviews in 2010 and 2011.

2. “STL” stands for Statement List programming language.

3. Chien had no idea why Siemens wasn’t more responsive. It was possible the company didn’t consider the issue an urgent one, since only about a dozen Siemens customers reported being infected by Stuxnet. It was also possible Siemens wasn’t used to dealing with in-depth questions about its software. The Symantec researchers weren’t asking questions that could be answered easily by product reps; they were fundamental engineering questions about how the Siemens code worked. This required the company to track down programmers who’d worked on the Step 7 system. But it’s also possible that Siemens was relatively quiet on Stuxnet because the company didn’t want to stir up discussions about its business in Iran. The company had recently found itself in hot water after a shipment of its controllers was seized in Dubai on its way to Iran for the uranium enrichment program. Another shipment of Siemens turbo processors was intercepted in Hamburg by export authorities as it was on its way to Iran. Both of these shipments violated European Union export controls prohibiting the sale of dual-use equipment to Iran without a permit. Siemens claimed it didn’t know the shipments were headed to Iran, but the incidents eventually forced the company’s CEO to announce in January 2010 that Siemens would not initiate any new business with Iran after mid-2010. When Stuxnet was discovered in Iran a few months later, Siemens’s relative silence about the code may have been in part an effort to not stir up a discussion about how its controllers got to be at the uranium enrichment plant in the first place. There were Siemens workers who urged the company to take a more active role in examining Stuxnet, but they were silenced. Siemens in effect wanted the issue to go away and had hoped that Symantec and other researchers would give up.

4. Because Iran had been the victim of sabotage in 2006 when parts purchased from Turkey for its nuclear program were reportedly sabotaged (see this page), Iranian officials may have decided they needed to manufacture their own frequency converters to avoid saboteurs who were targeting the supply chain and manipulating ones they bought abroad.
6. Eric Chien, “Stuxnet: A Breakthrough,” Symantec blog, November 12, 2010, available at symantec.com/connect/blogs/stuxnet-breakthrough.

7. “Iranian Nuclear Scientist Killed in Motorbike Attack,” BBC, November 29, 2010, available at bbc.co.uk/news/world-middle-east-11860928.

8. William Yong and Robert F. Worth, “Bombings Hit Atomic Experts in Iran Streets,” New York Times, November 29, 2010.

9. Ibid.

10. Ibid.

11. Dieter Bednarz and Ronen Bergman, “Israel’s Shadowy War on Iran: Mossad Zeros in on Tehran’s Nuclear Program,” Spiegel Online, January 17, 2011, available at spiegel.de/international/world/israel-s-shadowy-war-on-iran-mossad-zeros-in-on-tehran-s-nuclear-program-a-739883.html.
12. “Iran’s Chief Nuclear Negotiator: ‘We Have to Be Constantly on Guard,’” Der Spiegel, January 18, 2011.
13. Shahriari and Abassi were not the first Iranian scientists targeted. In 2007, Ardeshire Hassanpour, a nuclear physicist working at the uranium conversion plant at Esfahan, died under mysterious circumstances, though his death was reported as an industrial accident. Then, ten months before Shahriari’s death, a colleague of his, Massoud Alimohammadi, was killed in a car bombing attack. Iran accused the Mossad of masterminding the attack on Alimohammadi, but questions arose later when news reports revealed he was not a nuclear scientist at all but a quantum field theorist. In December that year, a twenty-six-year-old kickboxer named Majid Jamali Fashi was arrested for the crime and later told a bizarre story on Iranian TV of having been recruited and trained by the Mossad, after visiting Turkey in 2007. He said he was paid $30,000 up front for the assassination and promised $20,000 more after the attack. Iranian news agencies reported that Fashi was executed by hanging in May 2012. In a 2014 interview, Alimohammadi’s widow said that her husband had indeed been secretly working on Iran’s nuclear program. See Scott Peterson, “Covert War Against Iran’s Nuclear Scientists: A Widow Remembers,” Christian Science Monitor, July 17, 2014.
14. As a further intimidation tactic, an Iranian official revealed in a 2014 interview that the Mossad had once ordered a bouquet of flowers to be sent from an Iranian florist to the family of an Iranian nuclear engineer with a card expressing condolences over his death. The engineer was still alive and well, however. The spy agency, he said, also created videos of fake Iranian news broadcasts showing the images of murdered Iranian scientists and sent the videos to the still-living scientists as a warning. See “How West Infiltrated Iran’s Nuclear Program, Ex-Top Nuclear Official Explains,” Iran’s View, March 28, 2014, www.iransview.com/west-infiltrated-irans-nuclear-program-ex-top-nuclear-official-explains/1451.

15. Yong and Worth, “Bombings Hit Atomic Experts in Iran Streets.”

16. Dagan was reportedly pushed out by Prime Minister Netanyahu and Defense Minister Ehud Barak because he opposed an air strike against Iran.

17. Yong and Worth, “Bombings Hit Atomic Experts in Iran Streets.”

18. William J. Broad, John Markoff, and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15, 2011.

19. Ibid.