Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Author: Kim Zetter
It’s important to note, however, that the operators who managed the command servers that communicated with Stuxnet did have the ability to halt the spread of the weapon once they saw it getting out of control. Stuxnet had a disinfect feature that allowed the attackers to remove it from an infected machine. As Stuxnet began to spread wildly out of control and the attackers started seeing infected machines reporting in to their server from Indonesia, Australia, and elsewhere, they could have sent out a disinfect command to delete the code from those machines. There were a limited number of possible reasons that they didn’t do this. “Either they didn’t care that it was spreading or it was spreading faster than they expected and they couldn’t strike it down,” says O’Murchu. O’Murchu doesn’t think it was due to incompetence. “They had total control over infected machines, and I think it was a conscious decision to [do nothing].” Even after news of Stuxnet’s spread made it back to Washington, a remarkable decision was made to let the operation continue with still no apparent attempt to halt its spread. Although, again, the details are murky, according to Sanger’s sources, at least two more versions of Stuxnet were released after March, but were tweaked to remove the “bug” that caused the previous one to spread.
On April 14, the attackers did compile another version of Stuxnet, but the payload this time was exactly the same as the March one. Although the same spreading mechanisms were in this one, it didn’t spread as far and wide as the March version.[31] No other versions of Stuxnet dating after this have been found in the wild.
It’s possible that subsequent versions of Stuxnet were unleashed but were so much more tightly controlled that they’ve never been found. There was a hint of this when researchers found the random driver file in July 2010 that they thought was associated with Stuxnet. It was the driver discovered by ESET that had been signed with the certificate from J-Micron. As noted, the driver was found by itself, without any main Stuxnet file accompanying it, but it’s believed this may have been part of another Stuxnet attack.
In the April attack, Foolad Technique was the first victim that was hit, as it had been in the June 2009 attack. The worm struck the company on April 26 and appeared to infect the same computer it had infected the previous year. Weeks later on May 11, the digital weapon was unleashed on three computers belonging to a company using the domain name Kala, believed to be Kala Electric or Kala Electronics, the front company that Iran used to manage Natanz and secretly procure components for its nuclear program—the same company that Alireza Jafarzadeh had mentioned in his 2002 press conference exposing Natanz.[32] Behpajooh was hit with this same version of Stuxnet on May 13.
Notably, although Neda Industrial Group doesn’t show up in the logs for the 2010 infection samples that researchers examined, Behrooz, the control engineer who had posted to the Siemens user forum the previous year, popped up again complaining of continued problems. On June 2, he wrote that all Windows computers at his company were still experiencing the same problem they had the previous year.
Workers at other companies chimed in to say that they, too, were having the same problem. One user, who also wrote that all of the PCs at his company were infected, said the problem appeared to be confined to Iran. “[B]ecause you can see many people in Iran [on the forum] have the same problem from at least 1 [month] ago,” he wrote. The discussion continued throughout July, with Behrooz so frustrated at times that he ended some of his messages with an angry, red-faced emoticon. Then suddenly, on July 24, he posted a message saying finally the mystery had been solved. He included a link to a news article about Stuxnet, which had recently been publicly exposed, and ended his message with three grinning emoticons. Of course it would be several more months before he and the rest of the world learned what it was targeting.
UNLIKE THE 2009 assault, it’s unclear what effect the attacks in 2010 had on Natanz. Sanger writes that after the attackers unleashed a third version of Stuxnet in 2010, it caused 984 centrifuges to come “to a screeching halt.”[33]
As noted previously, there were at this time exactly 984 centrifuges enriching in six cascades in unit A26, but there is no indication in IAEA reports that they stopped enriching. In September, there were still six cascades in unit A26 enriching gas and another six spinning under vacuum. It’s possible that the centrifuges in question did halt and then recovered or were replaced at some point between the IAEA’s May and September reports. It’s also possible that Sanger’s sources confused the dates and were referring to the 1,000 or so centrifuges that technicians removed in late 2009 and early 2010 that the IAEA had captured with their cameras.
It’s difficult to know what exactly occurred with the centrifuges in 2010 because in June that year, officials in Iran began accusing the IAEA of leaking information to the press about its operations. In a June 3 letter, Iran warned the agency that if confidential information about the nuclear program “leaks, in any way, and/or [is] conveyed to the media,” there would be consequences, the first being that Iran would withdraw its approval for some of the IAEA inspectors who were allowed to visit its nuclear facilities.[34]
That same month, Iran made good on the threat and removed two names from its approved list of about 150 IAEA inspectors, citing “false and wrong statements” the IAEA had made in its May report. The report had claimed that some nuclear equipment had gone missing in Iran. Then in September, two more inspectors were banned, on grounds that they had leaked information to the media before the IAEA had released it publicly in its report.[35]
The rebuke appeared to have a detrimental effect on the amount of public information the IAEA published about Natanz thereafter. By November, the IAEA had stopped listing details about the centrifuges in its quarterly reports. Instead of listing the number of centrifuges installed and enriching in each unit, it aggregated the numbers from all three units—A24, A26, and A28—into a single count. This eliminated the primary means the public had for determining the effects Stuxnet had on the plant.[36]
What we do know is that in July 2010, the centrifuges were still only producing at 45 to 66 percent capacity. ISIS noted for the first time in one of its reports, published in July, that “sabotage” might be the cause of some of the problems at Natanz.[37] Stuxnet had by then been discovered and publicly exposed, but its link to Iran’s nuclear program and Natanz was still several months away.
It’s also clear that the number of installed and enriching centrifuges fluctuated radically in 2010. In November 2009, at the plant’s peak, Iran had 8,692 centrifuges installed. That number was down to 8,528 in May 2010 (with 3,936 enriching), but increased to 8,856 in September (with 3,772 enriching) before dropping to 8,426 in November (with 4,816 enriching). It’s possible centrifuges continued to break during the year even after Stuxnet was discovered and that this was the reason for the fluctuation. Although the large jump of 1,000 centrifuges enriching from September to November suggests that the plant had recovered from the lingering effects of Stuxnet, Iran still had 3,600 centrifuges installed that were just sitting in cascades, not enriching.[38] This suggests at least some continuing problems. It wasn’t long after this, on November 16, that officials at Natanz shut down the plant completely for six days following Symantec’s revelation that Stuxnet was designed to sabotage frequency converters.[39] Some time that same month, they also added more centrifuges to six of the cascades, suggesting they may have been trying to alter the configuration of the cascades to thwart Stuxnet’s payload.[40]
BACK IN WASHINGTON, conversations about Stuxnet had continued throughout 2010. Sometime during the early summer, CIA director Leon Panetta and Gen. James Cartwright had broken the news of the worm’s out-of-control spreading to the president. The revelation prompted a lot of questions from Obama. Was there any sign that the Iranians had discovered it yet? If yes, could they determine what it was doing or trace it back to its source? He was also concerned about collateral damage to the machines infected outside Natanz. And taking all of this into account, should they now cancel the operation? His advisers reminded him that the worm was a highly targeted precision weapon that launched its payload only on machines that met specific criteria; although it would affect other machines to a certain degree, simply by the nature of infecting them, it wouldn’t harm them. Satisfied that the operation was still in their control for the most part, Obama ordered them to proceed.[41]
Given Stuxnet’s complexity and the long odds against it being uncovered or deciphered, the decision must have seemed completely reasonable at the time. Indeed, even the initial reaction from Symantec and other security companies after Stuxnet was exposed seemed to confirm that their covert operation was safe—every sign indicated that the security community, stymied by the malware’s complexity and unfamiliarity, had abandoned their work on the code after releasing signatures to detect it and had moved on.
But Washington hadn’t counted on the dogged determination of the Symantec researchers to get to the bottom of the mysterious code or on Ralph Langner’s blunt and vocal candor about what it was attacking. As the months went on and more information came out from Langner and Symantec, all anyone in Washington and Tel Aviv could do was sit and watch as each piece of the puzzle fell into place, until finally the picture was complete.
1. A timestamp in the version of Stuxnet that was launched in June 2009 indicates that the attackers compiled the malware June 22 at 4:31 p.m. local time (the local time on the computer that compiled the code) and that it struck its first victim the following day at 4:40 a.m. (the victim’s local time), an apparent difference of twelve hours, depending on the time zone the compilation computer was in. The infection time came from a log file that was buried in every sample of Stuxnet that was found. Each time Stuxnet infected a computer, it recorded the time (based on the computer’s internal clock) in this log. It’s not known if the attackers launched the attack right after they compiled it—and the malware then took twelve hours to reach its victim—or if they waited to launch it until the next day.
2. David Albright, Peddling Peril: How the Secret Nuclear Trade Arms America’s Enemies (New York: Free Press, 2010), 202–3.
3. David Albright and Jacqueline Shire, “IAEA Report on Iran: Centrifuge and LEU Increases; Access to Arak Reactor Denied; No Progress on Outstanding Issues,” June 5, 2009, available at isis-online.org/publications/iran/Iran_IAEA_Report_Analysis_5June2009.pdf.
4. Albright, Peddling Peril, 202–3.
5. Albright and Shire, IAEA Report, June 5, 2009.
6. Foolad Technique appears to operate under the domain name ISIE. It may be that ISIE was either acquired by Foolad or was a division of that company.
7. In 2006 an Iranian American was indicted for attempting to smuggle banned weapons technology into Iran. The defendant had purchased pressure sensors from a company in Minneapolis and sent them to a middleman in Dubai who was supposed to forward them to Behpajooh. See “Dubai Firm Implicated in Iran ‘Bomb Component’s Investigation in US,” Khaleej Times, May 12, 2006.
8. One of Neda’s other customers was a gas pressurization station on Kharg Island in Iran, the site of one of the explosions that drew Eric Chien’s attention in 2010 after Stuxnet was discovered. According to Neda’s website, between 2008 and 2010 the company renovated control systems at the plant’s Turbo Compressor units. There’s no evidence that the explosion at the plant was caused by digital sabotage, but the fact that Stuxnet infected computers at Neda shows how simple it could be to conduct digital attacks against other types of facilities in Iran.
9. In 2004, a trading company in Dubai ordered 7,500 microcontrollers from an Arizona firm and diverted the shipment to Neda, evidently for use by Iran’s military. The case is US District Court, Mayrow General Trading et al., Indictment, September 11, 2008, available at dodig.mil.iginformation/Mayrow%20Mayrow%20Superseding%20Indictment.pdf.
10. Although he posted his comments under the name Behrooz, he signed his messages at the bottom with “M. R. Tajalli.” A search on Behrooz and the other name led to a LinkedIn profile and others identifying him as Mohammad Reza Tajalli, a control engineer who had been working for Neda since 2006. Tajalli specialized in control systems for the oil industry, according to his LinkedIn profile. He did not respond to queries from the author.
11. See chapter 13, this page and this page.
12. William Broad, “A Tantalizing Look at Iran’s Nuclear Program,” New York Times, April 29, 2008.
13. The centrifuges have a cap at each end and balance precariously on a ball bearing attached to a pin or needle. The top part of the needle is attached to the cap that is located at the bottom of the centrifuge, while the bottom half of the needle, with the bearing, is inserted in a cup that is attached to a spring. This entire contraption allows the centrifuge to sway slightly as it spins while also keeping it stabilized. Too much movement, however, can destabilize the centrifuge and wear out these parts.
14. In author interviews, several sources suggested that the centrifuges in A24 might have been configured differently than those in A26—that the frequency converters used to control them were a different model. If true, it’s possible that Stuxnet 0.5, which targeted the valves on centrifuges and cascades, was used against A24, and that subsequent versions of Stuxnet, which targeted frequency converters, were used against the cascades in A26. This might explain why the cascades in A24 had problems in 2008, when Stuxnet 0.5 was released, but had fewer problems in 2009, when the later version of Stuxnet was performing its sabotage.
15. IAEA, “Implementation of the NPT Safeguards Agreement and Relevant Provisions of Security Council Resolution 1737 (2006), 1747 (2007), 1803 (2008) and 1835 (2008) in the Islamic Republic of Iran,” February 18, 2010, available at iaea.org/Publications/Documents/Board/2010/gov2010-10.pdf.
16. “Statements by President Obama, French President Sarkozy, and British Prime Minister Brown on Iranian Nuclear Facility,” September 25, 2009, at the Pittsburgh Convention Center in Pittsburgh, Pennsylvania, available at whitehouse.gov/the-press-office/2009/09/25/statements-president-obama-french-president-sarkozy-and-british-prime-minister-Brown-on-Iranian-Nuclear-Facility.
17. Satellite images initially captured what looked like tunnels and underground construction occurring at Fordow, then in 2008 they captured workers stacking large cement pads outside the entrance to a tunnel. The pads resembled the cement platforms that are used in enrichment plants to hold cascades. The United States toyed with the idea of sneaking a special operations team into Iran to rig the pads so that they would destroy the centrifuges at a later date, but the risky endeavor never advanced beyond this. See David E. Sanger, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power (New York: Crown, 2012), 152, 155.
18. The Defense Science Board, which advised the Pentagon to build the weapon in 2004, wrote that a tunnel facility buried deep within rock could pose “a significant challenge” even to the new bombs. “Several thousand pounds of high explosives coupled to the tunnel are needed to blow down blast doors and propagate a lethal air blast,” they wrote. William Broad, “Iran Shielding Its Nuclear Efforts in Maze of Tunnels,” New York Times, January 5, 2010.
19. “Statements by President Obama, French President Sarkozy, and British Prime Minister Brown on Iranian Nuclear Facility,” the White House.
20. A year later, in September 2010, while the Symantec researchers and Ralph Langner were still deciphering Stuxnet’s payload, the Iranian dissident group that had exposed Natanz claimed it had information about yet another secret uranium enrichment plant being built near Abyek, about 120 kilometers west of Tehran. See David E. Sanger, “Dissidents Claim Iran Is Building a New Enrichment Site,” New York Times, September 9, 2010.
21. Broad, “Iran Shielding Its Nuclear Efforts.”
22. US State Department cable, “40th Joint Political-Military Group: Executive,” November 18, 2009, published by WikiLeaks at wikileaks.org/cable/2009/11/09TELAVIV2500.html.
23. Dieter Bednarz, Erich Follath, and Holger Stark, “Intelligence from Tehran Elevates Concern in the West,” Der Spiegel, January 25, 2010.
24. Erich Follath and Holger Stark, “The Birth of a Bomb: A History of Iran’s Nuclear Ambitions,” Der Spiegel, June 17, 2010.
25. Olli J. Heinonen, “Iran Ramping Up Uranium Enrichment,” Power and Policy blog, published by the Belfer Center at Harvard Kennedy School, July 20, 2011, available at powerandpolicy.com/2011/07/20/Iran-ramping-up-uranium-enrichment/#.UtM6Z7SYf8M.
26. “Remarks of President Obama Marking Nowruz,” the White House, March 20, 2010, available at whitehouse.gov/the-press-office/remarks-president-obama-marking-nowruz.
27. It spent nearly a month working its way through computers at Behpajooh and, on April 24, it struck gold when it hit a computer identified by the name “Manager 115.” Stuxnet recorded that this computer contained a zip folder with Step 7 project files stored in it. Over the next couple of months, the malware broke out of Behpajooh’s network and spread to other companies. The companies are identified in the log file only by their domain names, which may or may not also be the company’s name. For example, they include MSCCO, Melal, and S-Adari.
28. There were ten “patient zeroes” at the five companies that were infected. That is, ten machines at these five companies were targeted by the attackers. And from these ten machines, the Symantec researchers were able to chart a constellation of about 12,000 other infections. Of these five companies, Behpajooh was responsible for 69 percent of those 12,000 infections.
29. Compilation and infection times aren’t always accurate. The system clocks on either the compiling machine or the victim machine in this case could have been out of date or the code could have been compiled in a time zone different from the victim’s time zone. In comparing the amount of time that elapsed between the time the three versions of Stuxnet were compiled and when they infected their first machines, the researchers assumed the compiling machine and the victim machines were in the same time zone.
30. Sanger, Confront and Conceal, 204.
31. Although the attack struck some companies multiple times, it was not always the same machine each time. The attackers might have been looking for better-placed machines each time or ones that gave them different routes of access to the target. It’s not clear why the April version didn’t spread as widely as the March one did, since it had all of the same zero-day spreading mechanisms and also hit Behpajooh, the company hit in the March attack from which Stuxnet spread widely around the world. It’s possible the machines hit in the April attack were not as broadly connected as the ones hit in March, reducing its spread.
32. The domain name of a computer can sometimes identify the name of the company that owns it, but not always.
33. Sanger, Confront and Conceal, 206. Sanger writes that the NSA picked up intelligence intercepts indicating that the centrifuges had come to a halt.
34. Iran accused the IAEA of leaking information to Reuters for a May 14 story and to the Associated Press for a May 30 story.
35. Fereydoon Abbasi, who was appointed head of the Iranian Atomic Energy Organization after the attempt on his life in 2010, accused the West in a 2014 interview of using the IAEA reports about Iran’s nuclear activities to “calibrate” its sabotage against the nuclear program and to “size up the level of destruction they have exerted” on Iran’s nuclear machinery with each round of attack. “By accessing the leaked data from our reports they can tell how many centrifuges are operating in Iranian nuclear facilities and how many are about to be installed with what parts needed,” he said. When Iran submits reports to the IAEA about the design of its nuclear facilities and the equipment it plans to procure for the program, intelligence agencies use the list to “booby-trap the devices” and “set up viruses in their control systems,” he added. The Iranians got more careful over time about showing IAEA inspectors the exact equipment they installed in the cascade rooms—at one point they even placed stickers over brand names on equipment to prevent inspectors from identifying them. They also followed inspectors around with a camera to watch everything they did. Abbasi also said that Stuxnet was not the first or the last such attack by the US and Israel against the nuclear program, and that they had repeatedly infiltrated the supply chain for Iran’s nuclear program to sabotage vacuum valves, valve pumps, and other equipment. “Spy agencies adjust their attacks based on our needs; they obstruct conventional channels to our purchase and leave open only those that they can exert full control over to transfer their modified stuff to our facilities,” he said, accusing Siemens of being complicit in the program. “This is how they penetrated our electronic infrastructures, bugged on us, and installed malwares like the Stuxnet. They set up the virus in the gauges we had purchased from Siemens and also [put] explosives in the devices.” See “How West Infiltrated Iran’s Nuclear Program, Ex-Top Nuclear Official Explains,” Iran’s View, March 28, 2014, www.iransview.com/west-infiltrated-irans-nuclear-program-ex-top-nuclear-official-explains/1451.
36. A former IAEA official told me the reason the reports changed in late 2010 had nothing to do with the accusations from Iran, but was due to uncertainty about the accuracy of the data collected. After the Iranians removed gas from some of the centrifuges in 2009 and 2010 and decommissioned other centrifuges, they continued to operate some cascades with fewer than 164 working centrifuges in them. This made IAEA officials realize they had no way of knowing how many centrifuges in each cascade were actually functional and enriching gas at any one time, he said. They had simply assumed in the past that if a cascade was enriching uranium, all of the 164 centrifuges in the cascade were involved in enriching the uranium.
37. David Albright, Paul Brannan, and Andrea Stricker, “What Is Iran’s Competence in Operating Centrifuges?” ISIS, July 26, 2010, available at isis-online.org/isis-reports/detail/what-is-irans-competence-in-operating-centrifuges/8.
38. Ivan Oelrich, with the Federation of American Scientists, notes that in fact there were more centrifuges enriching at this point, but they were only operating at 20 percent of their efficiency.
39. David Albright et al., “Natanz Enrichment Site: Boondoggle or Part of an Atomic Bomb Production Complex?” ISIS, September 21, 2011, available at isis-online.org/isis-reports/detail/natanz-enrichment-site-boondoogle-or-part-of-an-atomic-bomb-production-comp.