Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Page 40
The IAEA reports told the story in a series of dry numbers.
During his April 2008 tour, Ahmadinejad had announced optimistically that technicians would soon add 6,000 centrifuges to the 3,000 centrifuges already installed in the underground hall. But after reaching just 3,772 centrifuges that August, the technicians stopped, and no new centrifuges were added in the next three months. Production levels were also way down. Since the start of enrichment in early 2007, technicians had fed 7,600 kg of gas into the cascades, but by August 2008 the centrifuges had produced only 480 kg of enriched uranium, instead of the 760 they should have produced. The low production numbers continued the rest of 2008. Between August and November technicians fed 2,150 kg of gas into the cascades but produced only 150 kg of enriched uranium during that time. As in 2007, they appeared to be losing an unusual amount of gas.
Despite all of these problems, however, 2008 overall was a better year for Iran than 2007.33 Whereas Natanz had produced only 75 kg of enriched uranium in all of 2007, by the end of 2008, this had jumped to 630 kg. Albright and his colleagues at ISIS estimated that with further enriching under optimal conditions, Iran could turn 700 to 800 kg of low-enriched uranium into 20 to 25 kg of weapons-grade uranium, enough for a crude nuclear weapon. Nonetheless, there was no getting around the fact that Iran’s nuclear program wasn’t at the level it should have been at that point.
The timing of the problems in late 2008 appeared to coincide with how Stuxnet 0.5 was designed to work. Once Stuxnet infected a 417 PLC, the sabotage took time to unfold. The reconnaissance stage took at least a month while Stuxnet recorded data to play back to operators, and the cascades had to be active for a period of time before the sabotage kicked in—at least 35 days in the case of a single cascade, or more than 297 days for all six cascades combined. Once the attack was finished, another 35 days passed before it began again. The problems in late 2008 seemed to be concentrated in unit A26, where technicians had begun to install centrifuges in the spring. If Stuxnet was introduced to controllers for that unit in late 2007 or early 2008, it could have taken months for the attack’s negative effects—from the increase of pressure inside the centrifuges—to show.
Notably, around this time, a Canadian-Iranian man tried to purchase a batch of pressure transducers from two Western manufacturers to ship to Iran. The devices were used for, among other things, measuring the pressure of gas inside a centrifuge. Between December 2008 and March 2009, Mahmoud Yadegari bought ten transducers at a cost of $11,000 and shipped two of them to Iran via Dubai. He placed an order for twenty more from a second firm, but the company rejected the order after he failed to certify the identity of the end recipient. He was arrested that April after authorities were tipped off about the suspicious order.34 Was Iran attempting to purchase transducers to replace ones that appeared to be failing at Natanz or was there no connection between Yadegari’s efforts and the problems that occurred at Natanz?
As Iran entered 2009, technicians began rapidly adding new centrifuges and cascades to unit A26. Nine cascades were under vacuum in this unit by February. But instead of being fed gas, the centrifuges sat in their cascades empty. In the past, technicians had begun to feed gas into new cascades as soon as they were installed, but for some reason now they weren’t. At the same time, the number of separative work units—a measurement of how much work each centrifuge expends in the enrichment process—fell dramatically from .80 to .55 for the centrifuges that were enriching in A24 and A26. The level of enrichment also dropped from 4 percent, where it had hovered through most of 2008, to 3.49 percent. If the effects were caused by Stuxnet, it appeared the digital weapon was doing exactly what it was designed to accomplish.
But then the attackers decided to switch things up.
AS 2009 BEGAN, president-elect Barack Obama was invited to the White House to meet with President Bush for the standard debriefing that passed between incoming presidents and their predecessor as the two prepared to exchange the baton. During the conversation, Bush laid out the details of the digital attack and the subtle magic it had been working over the last year to undermine the centrifuges at Natanz.35 There had been progress in setting the Iranian program back a bit, but the operation needed more time to succeed. If it was to continue, however, it needed to be authorized by a sitting president, which meant Obama had to renew the Presidential Finding that approved it. Given that other options had failed up to then, and an airstrike was the only likely alternative, Obama ultimately needed little persuasion.36
In the summer of 2008, while still in the midst of his presidential campaign, Obama had made a whistle-stop tour in Israel, where he told the Israelis that he felt their pain. A nuclear-armed Iran, he said, would be “a grave threat” to peace not just in the Middle East, but around the world.37 He promised that under his leadership all options would remain on the table to prevent Iran from obtaining nuclear weapons. Although in essence this meant a military option as well, Obama, like Bush, wanted to avoid a military engagement at all costs. Therefore, a covert operation that used bytes over bombs was a more welcome choice.
Coming into office, Obama already faced a lot of pressure on multiple fronts. Little progress had been made with Iran via diplomatic channels, and sanctions weren’t having much of their desired effect either. And there was concern that the Israelis might take matters into their own hands if the United States didn’t show results soon. For these and other reasons, Obama decided not only to reauthorize the digital sabotage program but to accelerate it. It was in this environment that he gave the green light for a new, more aggressive, version of Stuxnet to launch—the one that targeted the frequency converters at Natanz.
Why fire off a new attack when the first one seemed to be succeeding? The operation against the valves was effective but slow. Stuxnet’s creators were running out of time and needed a faster attack that would target the centrifuges more directly and set Iran’s program back more definitively. They also wanted to confuse technicians with a different set of problems.
The irony was that while Obama was authorizing this new attack against Iran’s computer systems, he was also announcing new federal initiatives to secure cyberspace and critical infrastructure in the United States—to protect them, that is, from the very sort of destruction that Stuxnet produced.38 The nation’s digital infrastructure was a strategic national asset, he said during a speech weeks after his inauguration, and protecting it was a national security priority. “We will ensure that these networks are secure, trustworthy and resilient,” he said. “We will deter, prevent, detect and defend against attacks and recover quickly from any disruptions or damage.”39
While Obama was reauthorizing the covert operation, its details were already at risk of being exposed. It was no secret that the United States and its allies were engaged in efforts to sabotage Iran’s nuclear program. In February 2009, the Telegraph in London reported that Israel had launched an extensive covert war against Iran’s nuclear program that included hit men, front companies, double agents, and sabotage.40 In the article, a former CIA officer seemed to hint at Stuxnet’s existence by revealing that the sabotage was designed to slow the progress of the program in such a way that the Iranians would never know what caused it. The goal, he said, was to “delay, delay, delay until you can come up with some other solution or approach.… It’s a good policy, short of taking them out militarily, which probably carries unacceptable risks.”
Around the same time, the New York Times also revealed that a new covert campaign against Iran had been launched, but didn’t go into detail.41
It’s unclear if the Iranians saw these news stories or, if they did, connected them to the problems they were having at Natanz. They were certainly well aware of the risks of sabotage, having already experienced it in 2006 with the power regulators from Turkey. But suspecting that something was being sabotaged was one thing. Homing in on the part or component that was causing it was another.
As the attackers were preparing to launch the next v
ersion of Stuxnet, Obama made good on another of the campaign pledges he’d made with regard to Iran. During the campaign, he had promised to engage in more robust diplomacy with the Islamic Republic. As part of this promise, he made the unprecedented move of directly addressing the Muslim world during his televised inauguration speech. “We seek a new way forward, based on mutual interest and mutual respect,” he said. “To those leaders around the globe who seek to sow conflict, or blame their society’s ills on the West—know that your people will judge you on what you can build, not what you destroy.”42
He addressed Iranians directly again on March 20, when he appealed to the Islamic Republic’s leaders and its people in a speech broadcast through Voice of America on Nowruz, the Persian New Year.
“In this season of new beginnings, I would like to speak clearly to Iranian leaders,” he said. The United States was interested in pursuing constructive ties with Iran that were “honest and grounded in mutual respect,” he said, and was seeking a future in which the Iranian people, their neighbors, and the wider international community could live “in greater security and greater peace.” He closed his address with a quote from the Persian poet Saadi: “The children of Adam are limbs to each other, having been created of one essence.” The United States, he said, was prepared to extend a hand in friendship and peace, “if you are willing to unclench your fist.”43
But while Obama was extending one metaphorical hand in peace to the Iranian people, other hands were preparing a new round of digital attacks on Natanz.
* * *
1 The comment appeared in a post about Ahmadinejad’s tour published on the Arms Control Wonk website. William J. Broad, “A Tantalizing Look at Iran’s Nuclear Program,” New York Times, April 29, 2008.
2 It took only a day or two for a batch of gas to run through a cascade and finish enriching, according to Albright, but centrifuges spin nonstop for years as new batches of gas are constantly fed into them.
3 Joby Warrick, “U.S. Is Said to Expand Covert Operations in Iran,” Washington Post, June 30, 2008.
4 The code that infected the OB1 and OB35 blocks in the PLCs—organizational blocks that controlled the reading of commands on the PLCs and the alarm system—had a compilation date of February 7, 2001. The code that sabotaged the frequency converters and manipulated the valves had similar timestamps. For example, there were thirty blocks of code in the 315 attack that sabotaged the Vacon and Fararo Paya frequency converters; two of these appeared to have been compiled in May 2000, while the timestamp for the remaining blocks was September 23, 2001. The code blocks used to manipulate the valves in the 417 attack had a timestamp from the same September day, though three hours later, as if the person compiling them had taken a dinner break, then returned to finish the job.
5 As noted previously, cascades are configured into a number of enrichment stages, with each stage containing a different number of centrifuges, depending on how many are needed for that stage in the enrichment process.
6 Author interview with Albright, November 2013. The first module of cascades, known as A24, is believed to have been struck by Stuxnet version 0.5, which targeted only valves on the centrifuges, not the frequency converters. Later versions that targeted the frequency converters are believed to have focused on a different module, A26, which Iran began installing in late 2007 or early 2008.
7 Iran has accused the IAEA of providing the United States and Israel with intelligence about its nuclear program. But even if the IAEA didn’t provide information willingly, hacking IAEA computers to obtain information about Natanz was an option for Western and Israeli intelligence agencies. Recent news stories have revealed how US intelligence agencies spied on the UN Security Council, the IAEA’s umbrella organization, and hacked into the videoconferencing system of the UN to glean information about UN activities.
8 See this page for more information about Neda.
9 The contents of the document dated May 4, 2003, and titled, “Related to a PLC device Siemens TTE sold to Kimian Madaan [sic] for G’chin mine” was shared with me by someone who was given access to it. The letter was from Tehran Tamman Engineering to Kimia Maadan and indicated that Iran had obtained hardware and software for monitoring and controlling a SIMATIC S7-300 PLC in 2002. The next year, according to the document, Iran obtained another S7-300 and two S7-400s, as well as Siemens SIMATIC WinCC software to monitor the PLCs. The equipment was described in the letter as a “computerized system to monitor and control industrial process via information received from physical measurement transmitters, such as pressure, temperature, and controllers on valves, heating/cooling, using specialized software.” The description closely matches what a control system for a cascade would do.
10 When Stuxnet was discovered in 2010 and it was revealed that the digital weapon was attacking Siemens controllers, many in the public wondered if Iran even had Siemens controllers installed at Natanz. But just the previous year, the British Navy had intercepted a secret shipment of 111 boxes of Siemens controllers at a port in Dubai that were apparently bound for Iran’s uranium enrichment program. Siemens had shipped them to a buyer in China, where they were forwarded to Iran through Dubai. The discovery of the shipment caused a bit of an international incident—since the sale of technology for Iran’s nuclear program is banned under UN sanctions—and eventually forced Siemens to announce in early 2010 that it would initiate no new business in Iran after the summer of 2010.
11 David E. Sanger and Thom Shanker, “N.S.A. Devises Radio Pathway into Computers,” New York Times, January 14, 2014.
12 In 2011, Ralph Langner suggested that tests the Idaho National Lab conducted in the summer of 2008 on the Siemens PCS7 system—which included the Step 7 and WinCC software and S7-400 PLCs—were used to uncover vulnerabilities for Stuxnet to attack. The tests were done as part of the lab’s vendor-assessment program, whereby researchers examined various industrial control systems for security vulnerabilities. Langner first suggested the INL tests played a role in developing Stuxnet after he uncovered a PowerPoint presentation that INL had produced about the tests. But the INL tests were conducted between July and September 2008, and we now know that the earliest-discovered version of Stuxnet—Stuxnet 0.5—had been developed before these tests occurred and was already in the wild in November 2007, when someone had uploaded it to the VirusTotal website. And if the timestamp on Stuxnet’s rogue Step 7 .DLL is to be believed, it was compiled in 2006. INL leaders insisted to reporters during a tour of the lab in 2011, in which the author participated, that it did not provide information about vulnerabilities in the Siemens system to anyone to develop Stuxnet.
13 It’s been suggested by some that Germany and Great Britain, two countries in the Urenco consortium that produced the original centrifuges that served as the design for Iran’s IR-1s, may have provided some assistance with understanding the centrifuges.
14 The numbers vary depending on the account. The United States told reporters that Libya had been caught with 4,000 centrifuges, but by ISIS’s count, it was more like 200. The rest were simply components for centrifuges—the casings were there (the hollow aluminum cylinder) as well as other components, but they were missing the rotors to make them work.
15 Jody Warrick, “U.S. Displays Nuclear Parts Given by Libya,” Washington Post, March 15, 2004.
16 William J. Broad, John Markoff, and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15, 2011.
17 Oak Ridge sits on former farmland, and “chicken ranch” may refer to a real chicken ranch that existed on the land in the 1940s before the farmers were displaced when the government bought up their land for the war effort.
18 The NNSA is housed at Oak Ridge in the Multi-Program Research Facility, or MRF, a large SIGINT facility that contains a supercomputer in its basement that is used in part for doing data mining for the NSA. Other staff at the MRF, many of them former CIA and NSA employees, are technically astute and work on various other
compartmentalized programs, including efforts to crack encryption and data fusion—what workers sometimes call “data diarrhea”—which involves fusing data from various branches of intelligence around the world.
19 Various methods are used to do this, such as examining gas plumes from suspect factories for trace particles or measuring the temperature of water near suspect sites. Many nuclear facilities are built near rivers and other water sources and the temperature of the water can be indicative of nuclear activity. Another method involves measuring the flickering of lights in factory windows from long distances. Since centrifuges operate at specific frequencies, the pattern in flickering lights can sometimes provide clues as to the presence and kind of centrifuges being used in a building.
20 David E. Sanger, Confront and Conceal (New York: Crown, 2012), 197.
21 Given that the first version of Stuxnet appeared in the field in November 2007, it suggests the sabotage might have begun that year. David Sanger writes that multiple versions of the worm were released while Bush was still in office; only one version from that period has been found by researchers. The others date from Obama’s term in office.
22 In 2008, Iran hanged an Iranian electronics vendor named Ali Ashtari, who Iranian news reports say confessed to trying to introduce Mossad-produced viruses and GPS units into equipment used by members of the Revolutionary Guard. After Stuxnet was discovered, there were reports that said he helped get Stuxnet into Natanz. But news from Iran is often unreliable, since it generally comes from state-affiliated publications with an agenda. Over the years Iran has accused many people of being spies for the Mossad, often with little evidence to support the claim.
23 Stuxnet 0.5 expected its target, for example, to have between two and twenty-five auxiliary valves and between three and thirty pressure transducers for measuring the gas pressure at each stage of the cascade.