Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (49 page)
Read Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon Online
Authors: Kim Zetter
There was a lot of political pressure inside Iran to move quickly on the nuclear program. UN sanctions and the lack of progress in negotiations with the West irritated Iranian leaders, and they were tired of the delays. But the sudden ramp-up was ill-advised and likely was not supported by Iranian scientists and engineers. Even under normal conditions, installing centrifuges and getting them to run properly was a tricky business. Add to this the inherent fragility of the IR-1s and it didn’t make sense to move this fast.
“From an engineering point of view, it’s kind of a reckless procedure, because if you barely operated a 164-machine centrifuge cascade, why would you want to race and try to operate eighteen or thirty cascades all at once?” says Albright. “An engineer would say do this very slowly, and make sure that you’ve understood how to work all these things as a unit before you start scaling up like that.”
32
But few problems occurred during this period, and by the end of the summer, the technicians at Natanz must have begun to grow confident that they had put earlier troubles behind them. Then conditions began to go south again.
The IAEA reports told the story in a series of dry numbers.
During his April 2008 tour, Ahmadinejad had announced optimistically that technicians would soon add 6,000 centrifuges to the 3,000 centrifuges already installed in the underground hall. But after reaching just 3,772 centrifuges that August, the technicians stopped, and no new centrifuges were added in the next three months. Production levels were also
way down. Since the start of enrichment in early 2007, technicians had fed 7,600 kg of gas into the cascades, but by August 2008 the centrifuges had produced only 480 kg of enriched uranium, instead of the 760 they should have produced. The low production numbers continued the rest of 2008. Between August and November technicians fed 2,150 kg of gas into the cascades but produced only 150 kg of enriched uranium during that time. As in 2007, they appeared to be losing an unusual amount of gas.
Despite all of these problems, however, 2008 overall was a better year for Iran than 2007.
33
Whereas Natanz had produced only 75 kg of enriched uranium in all of 2007, by the end of 2008, this had jumped to 630 kg. Albright and his colleagues at ISIS estimated that with further enriching under optimal conditions, Iran could turn 700 to 800 kg of low-enriched uranium into 20 to 25 kg of weapons-grade uranium, enough for a crude nuclear weapon. Nonetheless, there was no getting around the fact that Iran’s nuclear program wasn’t at the level it should have been at that point.
The timing of the problems in late 2008 appeared to coincide with how Stuxnet 0.5 was designed to work. Once Stuxnet infected a 417 PLC, the sabotage took time to unfold. The reconnaissance stage took at least a month while Stuxnet recorded data to play back to operators, and the cascades had to be active for a period of time before the sabotage kicked in—at least 35 days in the case of a single cascade, or more than 297 days for all six cascades combined. Once the attack was finished, another 35 days passed before it began again. The problems in late 2008 seemed to be concentrated in unit A26, where technicians had begun to install centrifuges in the spring. If Stuxnet was introduced to controllers for that unit in late 2007 or early 2008, it could have taken months for the attack’s negative effects—from the increase of pressure inside the centrifuges—to show.
Notably, around this time, a Canadian-Iranian man tried to purchase a batch of pressure transducers from two Western manufacturers to ship
to Iran. The devices were used for, among other things, measuring the pressure of gas inside a centrifuge. Between December 2008 and March 2009, Mahmoud Yadegari bought ten transducers at a cost of $11,000 and shipped two of them to Iran via Dubai. He placed an order for twenty more from a second firm, but the company rejected the order after he failed to certify the identity of the end recipient. He was arrested that April after authorities were tipped off about the suspicious order.
34
Was Iran attempting to purchase transducers to replace ones that appeared to be failing at Natanz or was there no connection between Yadegari’s efforts and the problems that occurred at Natanz?
As Iran entered 2009, technicians began rapidly adding new centrifuges and cascades to unit A26. Nine cascades were under vacuum in this unit by February. But instead of being fed gas, the centrifuges sat in their cascades empty. In the past, technicians had begun to feed gas into new cascades as soon as they were installed, but for some reason now they weren’t. At the same time, the number of separative work units—a measurement of how much work each centrifuge expends in the enrichment process—fell dramatically from .80 to .55 for the centrifuges that were enriching in A24 and A26. The level of enrichment also dropped from 4 percent, where it had hovered through most of 2008, to 3.49 percent. If the effects were caused by Stuxnet, it appeared the digital weapon was doing exactly what it was designed to accomplish.
But then the attackers decided to switch things up.
AS 2009 BEGAN,
president-elect Barack Obama was invited to the White House to meet with President Bush for the standard debriefing that passed between incoming presidents and their predecessor as the two prepared to exchange the baton. During the conversation, Bush laid out the details of the digital attack and the subtle magic it had been working
over the last year to undermine the centrifuges at Natanz.
35
There had been progress in setting the Iranian program back a bit, but the operation needed more time to succeed. If it was to continue, however, it needed to be authorized by a sitting president, which meant Obama had to renew the Presidential Finding that approved it. Given that other options had failed up to then, and an airstrike was the only likely alternative, Obama ultimately needed little persuasion.
36
In the summer of 2008, while still in the midst of his presidential campaign, Obama had made a whistle-stop tour in Israel, where he told the Israelis that he felt their pain. A nuclear-armed Iran, he said, would be “a grave threat” to peace not just in the Middle East, but around the world.
37
He promised that under his leadership all options would remain on the table to prevent Iran from obtaining nuclear weapons. Although in essence this meant a military option as well, Obama, like Bush, wanted to avoid a military engagement at all costs. Therefore, a covert operation that used bytes over bombs was a more welcome choice.
Coming into office, Obama already faced a lot of pressure on multiple fronts. Little progress had been made with Iran via diplomatic channels, and sanctions weren’t having much of their desired effect either. And there was concern that the Israelis might take matters into their own hands if the United States didn’t show results soon. For these and other reasons, Obama decided not only to reauthorize the digital sabotage program but to accelerate it. It was in this environment that he gave the green light for a new, more aggressive, version of Stuxnet to launch—the one that targeted the frequency converters at Natanz.
Why fire off a new attack when the first one seemed to be succeeding? The operation against the valves was effective but slow. Stuxnet’s creators
were running out of time and needed a faster attack that would target the centrifuges more directly and set Iran’s program back more definitively. They also wanted to confuse technicians with a different set of problems.
The irony was that while Obama was authorizing this new attack against Iran’s computer systems, he was also announcing new federal initiatives to secure cyberspace and critical infrastructure in the United States—to protect them, that is, from the very sort of destruction that Stuxnet produced.
38
The nation’s digital infrastructure was a strategic national asset, he said during a speech weeks after his inauguration, and protecting it was a national security priority. “We will ensure that these networks are secure, trustworthy and resilient,” he said. “We will deter, prevent, detect and defend against attacks and recover quickly from any disruptions or damage.”
39
While Obama was reauthorizing the covert operation, its details were already at risk of being exposed. It was no secret that the United States and its allies were engaged in efforts to sabotage Iran’s nuclear program. In February 2009, the
Telegraph
in London reported that Israel had launched an extensive covert war against Iran’s nuclear program that included hit men, front companies, double agents, and sabotage.
40
In the article, a former CIA officer seemed to hint at Stuxnet’s existence by revealing that the sabotage was designed to slow the progress of the program in such a way that the Iranians would never know what caused it. The goal, he said, was to “delay, delay, delay until you can come up with some other solution or approach.… It’s a good policy, short of taking them out militarily, which probably carries unacceptable risks.”
Around the same time, the
New York Times
also revealed that a new covert campaign against Iran had been launched, but didn’t go into detail.
41
It’s unclear if the Iranians saw these news stories or, if they did, connected
them to the problems they were having at Natanz. They were certainly well aware of the risks of sabotage, having already experienced it in 2006 with the power regulators from Turkey. But suspecting that something was being sabotaged was one thing. Homing in on the part or component that was causing it was another.
As the attackers were preparing to launch the next version of Stuxnet, Obama made good on another of the campaign pledges he’d made with regard to Iran. During the campaign, he had promised to engage in more robust diplomacy with the Islamic Republic. As part of this promise, he made the unprecedented move of directly addressing the Muslim world during his televised inauguration speech. “We seek a new way forward, based on mutual interest and mutual respect,” he said. “To those leaders around the globe who seek to sow conflict, or blame their society’s ills on the West—know that your people will judge you on what you can build, not what you destroy.”
42
He addressed Iranians directly again on March 20, when he appealed to the Islamic Republic’s leaders and its people in a speech broadcast through
Voice of America
on Nowruz, the Persian New Year.
“In this season of new beginnings, I would like to speak clearly to Iranian leaders,” he said. The United States was interested in pursuing constructive ties with Iran that were “honest and grounded in mutual respect,” he said, and was seeking a future in which the Iranian people, their neighbors, and the wider international community could live “in greater security and greater peace.” He closed his address with a quote from the Persian poet Saadi: “The children of Adam are limbs to each other, having been created of one essence.” The United States, he said, was prepared to extend a hand in friendship and peace, “if you are willing to unclench your fist.”
43
But while Obama was extending one metaphorical hand in peace to the Iranian people, other hands were preparing a new round of digital attacks on Natanz.
1
The comment appeared in a post about Ahmadinejad’s tour published on the Arms Control Wonk website. William J. Broad, “A Tantalizing Look at Iran’s Nuclear Program,”
New York Times
, April 29, 2008.
2
It took only a day or two for a batch of gas to run through a cascade and finish enriching, according to Albright, but centrifuges spin nonstop for years as new batches of gas are constantly fed into them.
3
Joby Warrick, “U.S. Is Said to Expand Covert Operations in Iran,”
Washington Post
, June 30, 2008.
4
The code that infected the OB1 and OB35 blocks in the PLCs—organizational blocks that controlled the reading of commands on the PLCs and the alarm system—had a compilation date of February 7, 2001. The code that sabotaged the frequency converters and manipulated the valves had similar timestamps. For example, there were thirty blocks of code in the 315 attack that sabotaged the Vacon and Fararo Paya frequency converters; two of these appeared to have been compiled in May 2000, while the timestamp for the remaining blocks was September 23, 2001. The code blocks used to manipulate the valves in the 417 attack had a timestamp from the same September day, though three hours later, as if the person compiling them had taken a dinner break, then returned to finish the job.
5
As noted previously, cascades are configured into a number of enrichment stages, with each stage containing a different number of centrifuges, depending on how many are needed for that stage in the enrichment process.
6
Author interview with Albright, November 2013. The first module of cascades, known as A24, is believed to have been struck by Stuxnet version 0.5, which targeted only valves on the centrifuges, not the frequency converters. Later versions that targeted the frequency converters are believed to have focused on a different module, A26, which Iran began installing in late 2007 or early 2008.
7
Iran has accused the IAEA of providing the United States and Israel with intelligence about its nuclear program. But even if the IAEA didn’t provide information willingly, hacking IAEA computers to obtain information about Natanz was an option for Western and Israeli intelligence agencies. Recent news stories have revealed how US intelligence agencies spied on the UN Security Council, the IAEA’s umbrella organization, and hacked into the videoconferencing system of the UN to glean information about UN activities.
8
See
this page
for more information about Neda.
9
The contents of the document dated May 4, 2003, and titled, “Related to a PLC device Siemens TTE sold to Kimian Madaan [
sic
] for G’chin mine” was shared with me by someone who was given access to it. The letter was from Tehran Tamman Engineering to Kimia Maadan and indicated that Iran had obtained hardware and software for monitoring and controlling a SIMATIC S7-300 PLC in 2002. The next year, according to the document, Iran obtained another S7-300 and two S7-400s, as well as Siemens SIMATIC WinCC software to monitor the PLCs. The equipment was described in the letter as a “computerized system to monitor and control industrial process via information received from physical measurement transmitters, such as pressure, temperature, and controllers on valves, heating/cooling, using specialized software.” The description closely matches what a control system for a cascade would do.
10
When Stuxnet was discovered in 2010 and it was revealed that the digital weapon was attacking Siemens controllers, many in the public wondered if Iran even had Siemens controllers installed at Natanz. But just the previous year, the British Navy had intercepted a secret shipment of 111 boxes of Siemens controllers at a port in Dubai that were apparently bound for Iran’s uranium enrichment program. Siemens had shipped them to a buyer in China, where they were forwarded to Iran through Dubai. The discovery of the shipment caused a bit of an international incident—since the sale of technology for Iran’s nuclear program is banned under UN sanctions—and eventually forced Siemens to announce in early 2010 that it would initiate no new business in Iran after the summer of 2010.
11
David E. Sanger and Thom Shanker, “N.S.A. Devises Radio Pathway into Computers,”
New York Times
, January 14, 2014.
12
In 2011, Ralph Langner suggested that tests the Idaho National Lab conducted in the summer of 2008 on the Siemens PCS7 system—which included the Step 7 and WinCC software and S7-400 PLCs—were used to uncover vulnerabilities for Stuxnet to attack. The tests were done as part of the lab’s vendor-assessment program, whereby researchers examined various industrial control systems for security vulnerabilities. Langner first suggested the INL tests played a role in developing Stuxnet after he uncovered a PowerPoint presentation that INL had produced about the tests. But the INL tests were conducted between July and September 2008, and we now know that the earliest-discovered version of Stuxnet—Stuxnet 0.5—had been developed before these tests occurred and was already in the wild in November 2007, when someone had uploaded it to the VirusTotal website. And if the timestamp on Stuxnet’s rogue Step 7 .DLL is to be believed, it was compiled in 2006. INL leaders insisted to reporters during a tour of the lab in 2011, in which the author participated, that it did not provide information about vulnerabilities in the Siemens system to anyone to develop Stuxnet.
13
It’s been suggested by some that Germany and Great Britain, two countries in the Urenco consortium that produced the original centrifuges that served as the design for Iran’s IR-1s, may have provided some assistance with understanding the centrifuges.
14
The numbers vary depending on the account. The United States told reporters that Libya had been caught with 4,000 centrifuges, but by ISIS’s count, it was more like 200. The rest were simply components for centrifuges—the casings were there (the hollow aluminum cylinder) as well as other components, but they were missing the rotors to make them work.
15
Jody Warrick, “U.S. Displays Nuclear Parts Given by Libya,”
Washington Post
, March 15, 2004.
16
William J. Broad, John Markoff, and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,”
New York Times
, January 15, 2011.
17
Oak Ridge sits on former farmland, and “chicken ranch” may refer to a real chicken ranch that existed on the land in the 1940s before the farmers were displaced when the government bought up their land for the war effort.
18
The NNSA is housed at Oak Ridge in the Multi-Program Research Facility, or MRF, a large SIGINT facility that contains a supercomputer in its basement that is used in part for doing data mining for the NSA. Other staff at the MRF, many of them former CIA and NSA employees, are technically astute and work on various other compartmentalized programs, including efforts to crack encryption and data fusion—what workers sometimes call “data diarrhea”—which involves fusing data from various branches of intelligence around the world.
19
Various methods are used to do this, such as examining gas plumes from suspect factories for trace particles or measuring the temperature of water near suspect sites. Many nuclear facilities are built near rivers and other water sources and the temperature of the water can be indicative of nuclear activity. Another method involves measuring the flickering of lights in factory windows from long distances. Since centrifuges operate at specific frequencies, the pattern in flickering lights can sometimes provide clues as to the presence and kind of centrifuges being used in a building.
20
David E. Sanger,
Confront and Conceal
(New York: Crown, 2012), 197.
21
Given that the first version of Stuxnet appeared in the field in November 2007, it suggests the sabotage might have begun that year. David Sanger writes that multiple versions of the worm were released while Bush was still in office; only one version from that period has been found by researchers. The others date from Obama’s term in office.
22
In 2008, Iran hanged an Iranian electronics vendor named Ali Ashtari, who Iranian news reports say confessed to trying to introduce Mossad-produced viruses and GPS units into equipment used by members of the Revolutionary Guard. After Stuxnet was discovered, there were reports that said he helped get Stuxnet into Natanz. But news from Iran is often unreliable, since it generally comes from state-affiliated publications with an agenda. Over the years Iran has accused many people of being spies for the Mossad, often with little evidence to support the claim.
23
Stuxnet 0.5 expected its target, for example, to have between two and twenty-five auxiliary valves and between three and thirty pressure transducers for measuring the gas pressure at each stage of the cascade.
24
Together, various systems constantly monitor the flow of electricity to the centrifuges, their speed and vibration, as well as the gas pressure and temperature, and the temperature of water used to heat or cool them.
25
The IAEA inspectors visited Natanz about twenty-four times a year. Every three months, the inspectors published a report listing the number of centrifuges during their most recent visit that were spinning and under vacuum—but did not yet have gas in them—and the number that were actually enriching gas. The reports also tracked how much gas the technicians fed into the cascades, and how much enriched uranium was produced from it.
26
See
note 29
for previous discussion of the setup of Hall A, and Stuxnet’s precise knowledge of it. Iran would later increase the number of centrifuges per cascade in November 2010, but until then, the number of centrifuges per cascade remained constant at 164.
27
IAEA Report to the Board of Governors, “Implementation of the NPT Standards Agreement and Relevant Provisions of Security Council Resolution 1737 (2006) in the Islamic Republic of Iran,” February 22, 2007, available at
iaea.org/Publications/Documents/Board/2007/gov2007-08.pdf
.
28
IAEA Report to the Board of Governors, “Implementation of the NPT Safeguards Agreement and Relevant Provisions of Security Council Resolutions 1737 (2006) and 1747 (2007) in the Islamic Republic of Iran,” November 15, 2007, available at
iaea.org/Publications/Documents/Board/2007/gov2007-58.pdf
.
29
An IAEA official told ISIS privately about the breaking centrifuges and the lost gas.
30
David Albright, Jacqueline Shire, and Paul Brannan, “Is Iran Running Out of Yellowcake?,” Institute for Science and International Security, February 11, 2009, available at
http://isis-online.org/publications/iran/Iran_Yellowcake.pdf
; Barak Ravid, “Israel Slams Clinton Statement on Nuclear Iran,”
Ha’aretz
, July 22, 2009; Mark Fitzpatrick, “Statement Before the Senate Committee on Foreign Relations,” March 3, 2009, available at
iranwatch.org/sites/default/files/us-sfrc-fitzpatrick-iranrealities-030309.pdf
.
31
In addition to the eighteen cascades in A24 that were being fed gas, five cascades in A26 were being fed gas, another cascade was under vacuum, and construction on the remaining twelve cascades in that module was continuing. See IAEA Board of Governors Report, “Implementation of the NPT Safeguards Agreement and Relevant Provisions of Security Council Resolutions 1737 (2006), 1747 (2007) and 1803 (2008) in the Islamic Republic of Iran,” September 15, 2008, available at
iaea.org/Publications/Documents/Board/2008/gov2008-38.pdf
.
32
Author interview with Albright, January 2012.
33
David Albright, Jacqueline Shire, and Paul Brannan, “IAEA Report on Iran: Centrifuge Operation Significantly Improving; Gridlock on Alleged Weaponization Issues,” September 15, 2008, available at
isis-online.org/publications/iran/ISIS_Report_Iran_15September2008.pdf
.
34
Yadegari was convicted, and an explanation from the Ontario Court of Justice detailing the reasons for his conviction can be found on the website of the Institute for Science and International Security:
isis-online.org/uploads/isis-reports/documents/Yadegari_Reasons.pdf
.
35
Broad, Markoff, and Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay.”
36
Mike Shuster, “Inside the United States’ Secret Sabotage of Iran,”
NPR.org
, May 9, 2011, available at
npr.org/2011/05/09/135854490/inside-the-united-states-secret-sabotage-of-iran
. The meeting between President Bush and Barack Obama is described by Sanger,
Confront and Conceal
, 200–3.
37
Rebecca Harrison, “Obama Says Nuclear Iran Poses ‘Grave Threat,’ ” Reuters, July 23, 2008, available at
reuters.com/article/2008/07/23/us-Iran-usa-Obama-idUSL23104041320080723
.
38
In May that year, he announced the creation of a cybersecurity czar position to help secure US critical infrastructure against cyberattacks.
39
Kim Zetter, “Obama Says New Cyberczar Won’t Spy on the Net,”
Wired
, May 29, 2009, available at
wired.com/threatlevel/2009/05/netprivacy
.
40
Philip Sherwell, “Israel Launches Covert War Against Iran,”
Telegraph
, February 16, 2009.
41
David Sanger, “U.S. Rejected Aid for Israeli Raid on Iranian Nuclear Site,”
New York Times
, January 10, 2009.
42
See
whitehouse.gov/blog/inaugural-address
.
43
See
whitehouse.gov/the_press_office/videotaped-remarks-by-the-president-in-celebration-of-nowruz
.