by Kim Zetter
Based on clues Falliere and his colleagues had found in the three versions of Stuxnet discovered so far, it seemed there might in fact be another version out in the wild. The version numbers of the three variants, for example, were out of sequence. The attackers themselves had numbered them—the June 2009 variant was version 1.001, while the March and April 2010 variants were 1.100 and 1.101. Gaps in the numbers suggested that other variants had at least been developed—including a 1.00 version that pre-dated all three of the ones already identified—even if they were never released in the wild.
Whatever the 417 code was attacking, it was different from the 315 attack. Unlike the 315 attack, the 417 code targeted a system that consisted of 984 devices configured into six groups of 164. And during the attack, only 110 of the 164 devices in each group got sabotaged. Unfortunately, the 417 code contained no magic values to help the Symantec team identify what it attacked—like the ones that helped identify the frequency converters. Langner and his team, who analyzed the 417 code at the same time Symantec did, surmised that the 417 code might be targeting the cascade itself, not the individual centrifuges, perhaps the pipes and valves that controlled the flow of gas in and out of the cascades. But without more details in the code to offer definitive proof, neither Langner nor Symantec could say for sure what the 417 attack was doing. After months of work and extensive progress in other regards, they all had to resign themselves to the fact that they had reached another dead end—it seemed that Stuxnet was determined to hold on to at least one of its mysteries.
In the absence of a clear understanding of the 417 attack code, the Symantec researchers decided to publish what they did know—which were the final details of the 315 assault.
So on November 12, 2010, exactly four months after VirusBlokAda had first announced its discovery of the Stuxnet code, Symantec published a blog post announcing that Stuxnet was attacking a unique configuration of specific frequency converters. “Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities,” Chien wrote in the Symantec team’s typically cryptic and cautious style.6 He never mentioned the Iranian nuclear program by name, or even centrifuges, but the message behind his words was clear.
Four days after Symantec published its post, technicians at Natanz brought all of the spinning centrifuges at the plant to a complete halt. For six days, until November 22, all enrichment activity at the facility stopped. Iranian officials offered no explanation for the sudden freeze, but the Symantec researchers suspected administrators at the plant were tearing apart the computers for any lingering traces of Stuxnet. Although information about the worm had been in the public domain for months, the revelations until now hadn’t been specific about what devices Stuxnet attacked or how it conducted its operation, and Stuxnet had been meticulously crafted to make it hard for anyone to find its malicious code on the PLCs or to trace the sabotage to its source. Symantec’s latest report, however, provided all the evidence operators needed to connect the problems they were having at Natanz to the digital weapon. Although antivirus firms had long ago released signatures to detect Stuxnet’s files, they could only detect the ones on Windows machines—not the rogue code that Stuxnet injected into the PLCs. And since Stuxnet was like an octopus with many tentacles to help it spread, technicians at Natanz would have had to wipe and restore every machine at the plant to completely disinfect the stubborn code from their systems.
It was clear now that Stuxnet’s days were finally over. Not only would it no longer be able to mess with the centrifuges at Natanz, but any future problems with systems at the plant would immediately spark suspicion that malicious code was the cause. It would be much more difficult to pull off a similar stealth attack in the future without scrutiny quickly focusing on the control systems.
With nearly all the mysteries of Stuxnet now resolved, the Symantec researchers focused on tidying up some loose ends and finalizing their lengthy dossier about the code before turning their attention to other things.
But a week after the halted centrifuges at Natanz resumed their operation, the story of Stuxnet took a darker and more sinister turn, suggesting that efforts to thwart the enrichment program weren’t yet done. If the use of malicious code was no longer a viable option, other means to halt the program were still at the attackers’ disposal.
THE RUSH-HOUR TRAFFIC on Artesh Boulevard in northern Tehran was particularly congested the morning of November 29, 2010, when Majid Shahriari, a slim forty-year-old professor of nuclear physics, maneuvered his Peugeot sedan through the bumper-to-bumper gridlock on his way to work. It was only seven forty-five on that Monday morning, but a layer of smog already hovered in the air as Shahriari inched his way toward Shahid Beheshti University, where he was a lecturer. With him in the car were his wife, also a nuclear physics professor and mother of two, and a bodyguard.
As the sedan approached a busy intersection, assailants on a motorcycle suddenly pulled alongside Shahriari’s vehicle and brazenly slapped a “sticky” bomb to the driver’s-side door. Seconds after they zipped away, the bomb exploded, shattering the car’s rear window and leaving the driver’s-side door a twisted mess of molten metal. Shahriari was instantly killed; his wife and bodyguard were injured, though spared. A small pit in the asphalt next to the car testified to the force of the blast.7
Not long after, in another part of the city, Fereydoon Abbasi, a fifty-two-year-old expert in nuclear isotope separation, was also making his way through traffic toward the same destination, when, out of the corner of his eye, he spotted a motorcycle approaching. A second later he heard the distinctive sound of something being attached to his door. Abbasi was a member of Iran’s Revolutionary Guard, so his defensive instincts were more honed than Shahriari’s. He quickly leapt from the car and pulled his wife from her seat. Although the two were injured when the bomb exploded, both of them survived the attack.
News reports indicated the two scientists were targeted for their prominent roles in Iran’s nuclear program. “They’re bad people,” an unnamed US official said afterward, “and the work they do is exactly what you need to design a bomb.”8
Shahriari was an expert in neutron transport—essential to creating nuclear chain reactions for reactors and bombs—and Western news reports claimed that only political appointees ranked higher than Shahriari in Iran’s nuclear program. Iran’s nuclear chief, Ali Akbar Salehi, told reporters that he had been working on a “major project” for Iran’s Atomic Energy Organization (AEOI), but didn’t elaborate.9
Abbasi was even more important to the program. He was one of only a few specialists in Iran who had expertise in separating uranium isotopes, a core part of the uranium enrichment process. He was also on the UN Security Council’s sanctions list for his role as a senior scientific adviser to Iran’s Ministry of Defense and for his close working relationship with Mohsen Fakhrizadeh-Mahabadi, an officer in the Iranian Revolutionary Guard. If Iran did indeed have a nuclear weapons program, Fakhrizadeh-Mahabadi was believed to be its architect.
President Ahmadinejad wasted no time laying blame for the attacks on “the Zionist regime and Western governments.”10 Saeed Jalili, general secretary of Iran’s Supreme National Security Council, called the attacks an act of desperation by powerless enemies.11 “When the enemy sees no other option, he resorts to the methods of terror,” he said. “This is not a sign of strength, but of weakness.”12 After his recovery, Abbasi was appointed head of the AEOI, as if to assert Iran’s determination to achieve its nuclear goals despite enemy plots against it. Abbasi was said to keep a photo of Shahriari in his office to remind him of that resolve.13
But the two attacks on busy streets in broad daylight had their desired effect and sent a message to anyone involved in Iran’s nuclear program that no one was safe or beyond the reach of assassins. Other Iranian scientists reportedly called in sick to work for several days after the bombings to avoid the fate of their colleagues.14
In response to the accusations from Ahmadinejad, the US State Department offered only a brief statement. “All I can say is we decry acts of terrorism wherever they occur and beyond that, we do not have any information on what happened,” spokesman Philip J. Crowley said.15 Israel declined to respond, at least directly. Instead, on the day of the attacks, Israeli prime minister Benjamin Netanyahu announced the retirement of Mossad chief Meir Dagan after eight years of service as the spy agency’s leader. The timing of the announcement seemed to suggest that the attacks on the scientists and on the centrifuges at Natanz were part of Dagan’s swan song. Dagan was known to favor assassination as a political weapon.16 Upon his appointment as head of Mossad in 2002, then–Prime Minister Ariel Sharon crudely praised him for his skill at separating Arabs from their heads.
The day of the assaults on the scientists, President Ahmadinejad seemed to tie the attacks to Stuxnet and provide what appeared to be the first official confirmation that the digital weapon had struck Natanz. As he condemned Israel and the West for the bombing attacks, he also blamed them for a virus attack that he said had been unleashed on Iran’s nuclear program a year earlier. The virus had been embedded in software “installed in electronic parts,” he said, and had damaged some of Iran’s centrifuges. But he downplayed the effects of the attack, saying the worm had created problems for only “a limited number of our centrifuges,” before workers discovered and immobilized it.17 Though he didn’t identify the digital attack by name or the facility where the centrifuges were damaged, it seemed clear to everyone that he was referring to Stuxnet and Natanz.
When news of the attacks on the scientists reached Ralph Langner in Germany, his stomach dropped. He wondered if his team’s work exposing Stuxnet had pushed the attackers to take even more drastic measures than he’d expected them to take once their digital attack was exposed. It underscored for him the reality that their work on Stuxnet had placed them in the midst of a very dark and bloody business.
Symantec’s researchers were no less shaken by the news. During the months they had worked on Stuxnet, black humor and paranoia had hung in the air, a by-product of the uncertainty about who was behind the attack or what they were capable of doing. O’Murchu began hearing strange clicking sounds on his phone, making him think it was tapped, and one Friday afternoon as he left the office to go home, he joked to Chien and Falliere that if he turned up dead over the weekend, he wanted them to know in advance that he wasn’t suicidal. Chien for his part had begun glancing around his neighborhood each morning when he left the house to see if anyone was watching him. He never seriously believed he was in danger, though, and the day that news of the attacks on the scientists broke, he joked to O’Murchu that if motorcyclists ever approached his car, he’d take out the driver with a quick swerve of his wheels. But when he drove away from work that day and stopped at the first traffic light, he was momentarily startled when he saw a motorcyclist pull up behind in his rearview mirror.
None of them really thought assassins would target them for their work on Stuxnet, but it was clear that the dynamics of virus hunting had changed with Stuxnet, and that going forward companies like theirs would be forced to make new risk calculations about the information they exposed.
At various points in their work on Stuxnet, they had indeed debated at times whether to withhold information they uncovered or to release it anonymously. In the end, although they did withhold some of the details they found—such as the identity of Stuxnet’s five initial victims—they decided in favor of disclosure, believing that the more information they released, the better it would be for everyone to defend against Stuxnet and any copycat attacks. There was just one thing, they concluded, that would have merited censorship, and that was the identity of the attackers. But in the end this was a moot point, since they never did uncover definitive proof of who was behind the attack.
In fact, they also never found incontrovertible proof that Stuxnet targeted Natanz. Although the information about the frequency converters added a major piece to the Stuxnet puzzle, they found no evidence that the specific configuration Stuxnet targeted existed at Natanz. It took David Albright and his colleagues at the Institute for Science and International Security to provide the last bit of evidence.
SYMANTEC PUBLISHED ITS last report on the frequency converters in mid-November, but it wasn’t until two weeks later that Albright made the final connection. It happened one day in December when he was sitting in a meeting with his staff at ISIS, along with a handful of centrifuge experts they had invited to their office to discuss Iran’s nuclear program, and the group began puzzling over a mystery that had been bothering them for more than a year.
ISIS had published the satellite images of Natanz back in 2002 to pressure Iran into letting UN inspectors examine the enrichment plant, and Albright and his staff had been following Iran’s nuclear progress ever since, sometimes gleaning information from government sources but mostly gathering it from the quarterly reports the IAEA published about its inspections. The latter reports were the only inside view that most Iran-watchers had of Natanz.
For eighteen months, Albright and his staff had been scratching their heads over fluctuating numbers that appeared in the reports. Every three months, the inspectors listed the number of centrifuges and cascades the Iranians had installed at Natanz, as well as the number of centrifuges that were actually enriching gas, as opposed to the ones that were just sitting in cascades empty. They also reported the amount of gas Iranian technicians fed into the centrifuges and the amount of enriched gas the centrifuges produced from this.
For most of 2007 and 2008 all of these numbers had risen fairly steadily with occasional glitches. But in mid- to late 2009, the numbers began to noticeably change. The amount of enriched gas being produced by the centrifuges suddenly dropped, and centrifuges that were once spinning in eleven out of eighteen cascades in one of the rooms at Natanz were eventually disconnected. There was no indication in the reports about why this occurred, though it was clear that something was wrong.
Albright and his colleagues had puzzled over the changes for many months, considering the data from various angles: perhaps the problems were due to poorly manufactured components or inferior materials, or perhaps the technicians had simply installed the pipes and valves in the cascades incorrectly, causing gas to leak out of them. None of the explanations, however, seemed to account for all of the changes they had seen in the reports. Now in December 2010 as they sat with their guests discussing the anomalies, someone mentioned Stuxnet and Symantec’s recent report about the frequency converters. Albright hadn’t read the report, but knew that Iran used frequency converters made by Vacon, the Finnish company mentioned by Symantec, and that it had also purchased converters in the past from Turkey and Germany. But he had never heard of Fararo Paya converters before. This was significant: he and his staff closely followed Iran’s procurement and manufacturing activities for the nuclear program and weren’t aware that Iran was making its own converters. If Iran was using such converters at Natanz, then the attackers had knowledge of the enrichment program that even some of its closest watchers didn’t possess.
When the meeting was over and he went back to his desk, Albright pulled up the report from Symantec to examine it carefully. He also found a report that Langner had written about the disabled 417 attack code. He spent the next couple of weeks sifting through the technical details of the attacks and even contacted Chien for explanations about some of the things he didn’t understand. As he and Chien were talking one day, something struck him that he hadn’t noticed before. Each time Stuxnet completed a round of sabotage on the frequency converters, it reset their frequency to 1,064 Hz. The number leapt out at him. Albright knew that centrifuge motors had different optimal frequencies for operating, depending on the model of the centrifuge and the materials from which it was made. And the optimal frequency for the IR-1 centrifuges at Natanz was exactly 1,064 Hz.
What’s more, the 1,064 Hz frequency was very specific to IR-1 centrifuges. No other centrifuge had this nominal frequency, and there was no country outside of Iran that used them. (Although the IR-1s were based on the P-1 centrifuge design that Pakistan had used during the early years of its enrichment program, Pakistan had since moved on to more advanced designs, which operated at different frequencies.)
The optimal frequency for the IR-1s wasn’t widely known, however. Albright knew it only because a government source had told him in 2008. But even though the optimal frequency was 1,064 Hz, the source told him that Iran actually operated its centrifuges at a slightly lower frequency, which Albright and his staff learned was 1,007 Hz, due to their tendency to break at higher speeds. Albright thought about the discrepancy for a minute. Either the Stuxnet attackers weren’t aware that Iran had made this change, or Iran had reduced the frequency of its centrifuges some time after the attackers had already written their code.
But this wasn’t the only detail that stood out to Albright. He also noticed that when Stuxnet conducted its attack, it increased the frequency of the converters to 1,410 Hz for fifteen minutes, which was nearly the maximum frequency an IR-1 rotor could withstand before it would begin to break from stress.
Then he looked at what Symantec and Langner had written about the 417 attack code. Although what they knew about the attack was still pretty sketchy, they knew it targeted devices that were configured into six arrays of 164 devices each. Centrifuges at Natanz, Albright knew, were installed 164 to a cascade, suggesting the 417 attack had targeted six cascades containing 984 centrifuges.
Chien also told Albright that instead of changing frequencies like the 315 attack, the 417 attack sequence appeared to simply be turning devices on or off. Albright and his colleagues ran down the list of components in a uranium enrichment plant that might fit this scenario, and the only one that made sense to them was valves.