Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (50 page)

BOOK: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
6.2Mb size Format: txt, pdf, ePub
CHAPTER 17
THE MYSTERY OF THE CENTRIFUGES

The two weeks leading up to the release of the next attack were tumultuous ones in Iran. On June 12, 2009, the presidential elections between incumbent Mahmoud Ahmadinejad and challenger Mir-Hossein Mousavi didn’t turn out the way most expected. The race was supposed to be close, but when the results were announced—two hours after the polls closed—Ahmadinejad had won with 63 percent of the vote over Mousavi’s 34 percent. The electorate cried foul, and the next day crowds of angry protesters poured into the streets of Tehran to register their outrage and disbelief. According to media reports, it was the largest civil protest the country had seen since the 1979 revolution ousted the shah, and it wasn’t long before it became violent. Protesters vandalized stores and set fire to trash bins, while police and Basijis, government-loyal militias in plainclothes, tried to disperse them with batons, electric prods, and bullets.

That Sunday, Ahmadinejad gave a defiant victory speech, declaring a new era for Iran and dismissing the protesters as nothing more than soccer hooligans soured by the loss of their team. The protests continued throughout the week, though, and on June 19, in an attempt to calm the crowds, the Ayatollah Ali Khamenei sanctioned the election results, insisting
that the margin of victory—11 million votes—was too large to have been achieved through fraud. The crowds, however, were not assuaged.

The next day, a twenty-six-year-old woman named Neda Agha-Soltan got caught in a traffic jam caused by protesters, and was shot in the chest by a sniper’s bullet after she and her music teacher stepped out of their car to observe.

Two days later on June 22, a Monday, the Guardian Council, which oversees elections in Iran, officially declared Ahmadinejad the winner, and after nearly two weeks of protests, Tehran became eerily quiet. Police had used tear gas and live ammunition to disperse the demonstrators, and most of them were now gone from the streets. That afternoon, at around four thirty p.m. local time, as Iranians nursed their shock and grief over events of the previous days, a new version of Stuxnet was being compiled and unleashed.
1

WHILE THE STREETS
of Tehran had been in turmoil, technicians at Natanz had been experiencing a period of relative calm. Around the first of the year, they had begun installing new centrifuges again, and by the end of February they had about 5,400 of them in place, close to the 6,000 that Ahmadinejad had promised the previous year. Not all of the centrifuges were enriching uranium yet, but at least there was forward movement again, and by June the number had jumped to 7,052, with 4,092 of these enriching gas.
2
In addition to the eighteen cascades enriching gas in unit
A24, there were now twelve cascades in A26 enriching gas. An additional seven cascades had even been installed in A28 and were under vacuum, being prepared to receive gas.

The performance of the centrifuges was improving too. Iran’s daily production of low-enriched uranium was up 20 percent and remained consistent throughout the summer of 2009.
3
Despite the previous problems, Iran had crossed a technical milestone and had succeeded in producing 839 kg of low-enriched uranium—enough to achieve nuclear-weapons breakout capability.
4
If it continued at this rate, Iran would have enough enriched uranium to make two nuclear weapons within a year.
5
This estimate, however, was based on the capacity of the IR-1 centrifuges currently installed at Natanz. But Iran had already installed IR-2 centrifuges in a small cascade in the pilot plant, and once testing on these was complete and technicians began installing them in the underground hall, the estimate would have to be revised. It took 3,000 IR-1s to produce enough uranium for a nuclear weapon in one year, but it would take just 1,200 IR-2 centrifuges to do the same.

Cue Stuxnet 1.001, which showed up in late June.

To get their weapon into the plant, the attackers launched an offensive against computers owned by four companies. All of the companies were involved in industrial control and processing of some sort, either manufacturing products and assembling components or installing industrial control systems. They were all likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees.

To ensure greater success at getting the code where it needed to go, this version of Stuxnet had two more ways to spread than the previous one.
Stuxnet 0.5 could spread only by infecting Step 7 project files—the files used to program Siemens PLCs. This version, however, could spread via USB flash drives using the Windows Autorun feature or through a victim’s local network using the print-spooler zero-day exploit that Kaspersky and Symantec later found in the code.

Based on the log files in Stuxnet, a company called Foolad Technique was the first victim. It was infected at 4:40 a.m. on June 23, a Tuesday.
6
But then it was almost a week before the next company was hit.

The following Monday, about five thousand marchers walked silently through the streets of Tehran to the Qoba Mosque to honor victims killed during the recent election protests. Late that evening, around 11:20 p.m., Stuxnet struck machines belonging to its second victim—a company called Behpajooh.

It was easy to see why Behpajooh was a target. It was an engineering firm based in Esfahan—the site of Iran’s new uranium conversion plant, built to turn milled uranium ore into gas for enriching at Natanz, and was also the location of Iran’s Nuclear Technology Center, which was believed to be the base for Iran’s nuclear weapons development program. Behpajooh had also been named in US federal court documents in connection with Iran’s illegal procurement activities.
7

Behpajooh was in the business of installing and programming industrial control and automation systems, including Siemens systems. The company’s website made no mention of Natanz, but it did mention that the company had installed Siemens S7-400 PLCs, as well as the Step 7 and WinCC software and Profibus communication modules at a steel plant in Esfahan. This was, of course, all of the same equipment Stuxnet targeted at Natanz.

At five a.m. on July 7, nine days after Behpajooh was hit, Stuxnet struck computers at Neda Industrial Group, as well as a company identified in the logs only as CGJ, believed to be Control Gostar Jahed. Both companies designed or installed industrial control systems.

Neda designed and installed control systems, precision instrumentation, and electrical systems for the oil and gas industry in Iran, as well as for power plants and mining and process facilities. In 2000 and 2001 the company had installed Siemens S7 PLCs in several gas pipeline operations in Iran and had also installed Siemens S7 systems at the Esfahan Steel Complex.
8
Like Behpajooh, Neda had been identified on a proliferation watch list for its alleged involvement in illicit procurement activity and was named in a US indictment for receiving smuggled microcontrollers and other components.
9

About two weeks after it struck Neda, a control engineer who worked for the company popped up on a Siemens user forum on July 22 complaining about a problem that workers at his company were having with their machines. The engineer, who posted a note under the user name Behrooz, indicated that all PCs at his company were having an identical problem with a Siemens Step 7 .DLL file that kept producing an error message. He suspected the problem was a virus that spread via flash drives.
10

When he used a DVD or CD to transfer files from an infected system to a clean one, everything was fine, he wrote. But when he used a flash
drive to transfer files, the new PC started having the same problems the other machine had. A USB flash drive, of course, was Stuxnet’s primary method of spreading. Although Behrooz and his colleagues scanned for viruses, they found no malware on their machines. There was no sign in the discussion thread that they ever resolved the problem at the time.

It’s not clear how long it took Stuxnet to reach its target after infecting machines at Neda and these other companies, but between June and August the number of centrifuges enriching uranium at Natanz began to drop. Whether this was the result solely of the new version of Stuxnet or the lingering effects of the previous version is unknown. But by August that year, only 4,592 centrifuges were enriching at the plant, a decrease of 328 centrifuges since June. The problem, again, was in unit A26, where previous issues had occurred. In June, there had been twelve cascades in this unit enriching gas. But by November, gas had been removed from half of them and only six of the A26 cascades were now enriching. The total number of centrifuges enriching at Natanz had dropped to 3,936, a decrease of 984 in five months. What’s more, although new machines were still being installed, none of them were being fed gas. In A28 as well, seventeen cascades were now installed, but none of these nearly 3,000 centrifuges was enriching gas.

Clearly there were problems with the cascades, and technicians had no idea what they were. The changes mapped precisely, however, to what Stuxnet was designed to do.

This version of Stuxnet, as mentioned previously, increased the frequency of the centrifuge rotors to 1,410 Hz for fifteen minutes—a speed of almost 1,000 miles per hour—then after three weeks decreased it to 2 Hz for fifty minutes.
11
The changes, after a number of cycles, would have begun to damage the centrifuges and affect the level of enrichment in the gas.

But Albright and his colleagues determined that it would have taken the centrifuge motors longer than fifteen minutes to reach 1,410 Hz—the frequency that would have been most damaging to the centrifuges. They
likely would only have reached 1,324 to 1,381 Hz in that time. Nonetheless, as the varying speed and constant acceleration and deceleration continued over time, it would have created incremental stress and damage to the centrifuge rotors. The increased speed would also have caused the aluminum centrifuges to expand and become imbalanced.

The IR-1s were already fragile by design, and the slightest imperfection could set them off—dust in the chamber, for example, could cause them to self-destruct. The head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh, revealed during an interview in 2006 that in the early days of the enrichment program, the IR-1s had disintegrated frequently due to
germs
on the machine. Initially, they couldn’t figure out why the centrifuges were exploding, but he said they ultimately attributed the problem to technicians assembling the centrifuges without gloves. Microbes left behind on the machines literally pulverized them once the machines began to spin. “When we say a machine is destroyed,” he told the interviewer, “we mean that it turns into powder.”
12

The centrifuges had bearings at their top and base that helped keep them steady, like a spinning top.
13
A spinning centrifuge had to be brought up to speed slowly. Once it was going, it was beautiful and elegant to watch. But in the blink of an eye everything could go wrong. If a centrifuge began to wobble, it would spiral quickly out of control. The centrifuge casing itself was hefty and wouldn’t shatter, but it might split lengthwise, like a hot dog in a microwave, or bend and cause the caps at each end to blow out. And inside the casing, the rotor and other components would break apart.

The increased speed caused by Stuxnet could have induced vibrations that would have eventually worn down the bearings after a number of attack cycles, causing the centrifuges to become imbalanced and topple. But
with false data being fed back to operators, they wouldn’t have seen the destruction coming or have been able to figure out in the aftermath what had gone wrong.

The second attack sequence, which reduced the frequency of the centrifuges to 2 Hz for fifty minutes, made it appear the attackers were also trying to degrade the enriched uranium, not just damage the centrifuges. A centrifuge spinning at 1,064 Hz would take time to slow down to 2 Hz. In fifty minutes, it would likely only decrease to about 864 Hz, Albright and his team determined, before the sabotage ended and the speed returned to normal. But by reducing the speed of a centrifuge even just 50 to 100 Hz, Stuxnet could reduce the enrichment by half. In uranium enrichment, centrifuges need to spin consistently at high speed to separate the U-235 and U-238 isotopes in the gas. If the speed varies, particularly if it slows for fifty minutes, this disrupts the separation process. Technicians at Natanz would have been expecting to get one grade of uranium from the cascade but would have received something else instead. This effect was much more subtle than destroying centrifuges outright, and would not have been enough on its own to slow Iran’s program. But combined with the other effects, it worked to sabotage the program from a different angle. In this attack sequence not only was the percentage of the enrichment affected, but the volume of the enriched uranium that was produced became erratic. In February 2009, the centrifuges had been producing about .62 separative work units, but in May this had dropped to .49. And in June and August, it varied between .51 and .55.

Back in the United States, Albright and his colleagues at ISIS read the IAEA reports, noting the changes at Natanz, and weren’t surprised to see that Iran was having problems, given how rapidly technicians had installed the cascades in unit A26. He learned from sources that technicians at Natanz had reduced the speed of the centrifuges in an effort to address the problems, but Albright suspected that something more than routine breakage and technical difficulties was going on. He contacted sources in the government and at the IAEA to get a reading on what was happening but got no definitive answers.

As 2010 arrived, the numbers at Natanz continued to drop. The number of installed centrifuges was at 8,692, but the number of centrifuges actively enriching uranium now was down to 3,772, a drop of 1,148 since June. Until now, the problems had been confined to A26, but now they appeared to be spreading to A24 and A28 as well. The gas had been removed from one cascade in A24, for example.
14

Other books

Regency Masquerade by Loy, Vera
Faces in the Pool by Jonathan Gash
Circus Escape by Lilliana Rose
The Wonderful Wizard of Oz by Lyman Frank Baum
Jade Dragon by James Swallow
Blood Forever by Mancusi, Mari
Mr. Peanut by Adam Ross
Good Night, Mr. Holmes by Carole Nelson Douglas