
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon


by Kim Zetter


  Most telling, however, was the fact that technicians had begun to disconnect and remove centrifuges from some of the cascades. In August, the IAEA had installed more cameras in the underground hall to keep pace with the facility’s growth as technicians installed more cascades. Now they were capturing images of workers scurrying about as they removed centrifuges from the units. In January, the IAEA reported that technicians had removed an unspecified number of centrifuges from eleven of the cascades in A26 and had also removed all 164 centrifuges from a cascade in A28. None of the remaining sixteen cascades in A28 were enriching.15 The Washington Post would later report that 984 centrifuges were replaced during this period, the equivalent of six entire cascades.

  But Stuxnet’s work still wasn’t done.

  AS 2009 CAME to a close, pressure on the United States to halt Iran’s nuclear program was growing.

  In late September, while the numbers at Natanz were dropping, President Obama announced at the UN Security Council Summit on Nuclear Nonproliferation and Nuclear Disarmament that a new secret uranium enrichment facility had been discovered in Iran. This one was located on a military base, buried more than 150 feet beneath a mountain at Fordow, about 30 kilometers from the holy city of Qom.

  The plant was much smaller than the one at Natanz and was designed to hold only 3,000 centrifuges, compared to Natanz’s 47,000. But it was big enough to enrich uranium for one or two bombs a year, if Iran decided to use it for that purpose. “Iran has a right to peaceful nuclear power that meets the energy needs of its people. But the size and configuration of this facility is inconsistent with a peaceful program,” Obama said during his announcement about Fordow.16

  The Iranians told the IAEA’s Mohamed ElBaradei that the plant was just a backup for Natanz, that the threat of a military strike against Natanz had prompted them to build it as a contingency. The new plant was still under construction and wasn’t expected to be completed until 2011, but according to US intelligence, work on it had likely begun sometime between 2002 and 2004, which meant IAEA inspectors had passed the secret site numerous times on their way to Natanz over the years without knowing of its existence. Obama learned about the plant earlier that year during his pre-inauguration briefing at the White House, but intelligence agencies had known about it since at least 2007, when the head of Iran’s Revolutionary Guard defected to the West and told the CIA that Iran was building a second secret enrichment plant somewhere within its borders. Since then, satellite reconnaissance had uncovered the site at Fordow.17

  The Fordow plant, though smaller than Natanz, actually presented a much graver danger than Natanz. With IAEA inspectors closely monitoring the latter site, it was unlikely Iran could secretly divert nuclear material from that plant to enrich it to weapons-grade material. Secret plants like Fordow, however, where weapons-grade enrichment could be done without the IAEA’s knowledge, were far more worrying.

  Fordow was also a particular concern because it was being built under more than a hundred feet of solid rock, putting it out of reach of the current crop of bunker-busting bombs and possibly even a new generation of bombs the United States was developing.18

  The UK’s prime minister, Gordon Brown, responded to the news of Fordow by calling Iran’s nuclear program “the most urgent proliferation challenge that the world faces today.” He said that the international community had no choice but to “draw a line in the sand” over Iran’s “serial deception of many years.”19

  Iranian officials, however, seemed unperturbed by the revelations about Fordow, asserting defiantly that they planned to build ten more uranium enrichment plants in the coming decades to fuel a fleet of nuclear power plants they also planned to build.20 The enrichment plants would all be buried deep under mountains to protect them from attack, the head of the AEOI said.21

  In the wake of the Fordow news, Israel became more insistent that something had to be done about Iran’s nuclear program. At a November meeting in Tel Aviv, an Israeli military leader told US officials that 2010 would be a “critical year” in the showdown with Iran. If they didn’t act soon, Iran would harden its nuclear sites, and it would become more and more difficult to take them out.22 The US had already secretly promised Israel a shipment of the new generation of bunker-busting bombs it was producing, but that ordnance was still six months away from delivery.

  In January of 2010, the pressure mounted when a document leaked to the media disclosed a secret military branch of Iran’s nuclear research program known as the FEDAT. The branch was said to be headed by Mohsen Fakhrizadeh, a professor at Imam Hossein University in Tehran.23 The next month, the IAEA indicated it had received “broadly consistent and credible” information that Iran had been developing nuclear weapons. “This raises concerns about the possible existence in Iran of past or current undisclosed activities related to the development of a nuclear payload for a missile.”24

  On top of this, negotiations meant to ease concerns over Iran’s growing stockpile of low-enriched uranium collapsed. For years, Iran had said it needed the uranium to produce fuel rods for its research reactor in Tehran to conduct cancer research and oncology treatments, but the United States and others had always been concerned that the uranium at some point would be further enriched for weapons. So in mid-2009, a White House adviser devised a clever compromise to resolve the West’s concerns over the uranium. Under the White House plan, Iran would send most of this low-enriched uranium to Russia and France so that these two countries could turn it into fuel rods for the Iranian reactor. The proposal was an ingenious one because it would provide Iran with all the fuel it said it needed for its reactor, while robbing Iranian officials of the opportunity to further enrich their stockpile into weapons-grade material.

  Iranian officials had said in 2009 that they needed time to consider the proposal. But on January 19, they announced that they were rejecting it. That wasn’t all. They also announced that they had already taken some of the low-enriched uranium produced in the underground hall at Natanz and begun to further enrich it to nearly 20 percent in the pilot plant—a level they said they needed for medical research.25

  Six days later, the team behind Stuxnet began preparations for a new round of attacks.

  Throughout his first year in office, President Obama had kept close tabs on the digital weapon’s progress. There was a lot riding on its success, and so far the news had been good. In fact, it was better than expected. Even though Stuxnet had targeted limited numbers of centrifuges, the Iranians were magnifying its effects by disabling entire cascades of centrifuges in their effort to uncover the source of the problems, thus contributing to further delays in their program. They still seemed to have no idea that the problems lay in the computers controlling their cascades, so there was no reason at this point to stop the sabotage. Particularly when the pressure to take military action against Iran was growing.

  So on January 25, the attackers signed Stuxnet’s two driver files with the digital certificate stolen from RealTek in Taiwan. On March 1, they compiled their code. Then they appeared to wait.

  On March 20, Nowruz arrived, and Obama again delivered a pointed message about peaceful cooperation to the Iranian people as he’d done during the previous Persian New Year celebration. But this time, he spoke directly about Iran’s nuclear program. “Together with the international community, the United States acknowledges your right to peaceful nuclear energy—we insist only that you adhere to the same responsibilities that apply to other nations,” he said. “We are familiar with your grievances from the past—we have our own grievances as well, but we are prepared to move forward. We know what you’re against; now tell us what you’re for.”

  His tone grew darker as he made a veiled reference to Iran’s recent rejection of the compromise proposal for nuclear fuel. “Faced with an extended hand,” Obama said, “Iran’s leaders have shown only a clenched fist.”26

  In the weeks prior to his speech, Iranian technicians had been working hard to recover from the problems created by Stuxnet, getting the number of cascades in unit A24 back up to capacity with all eighteen cascades enriching, and restoring centrifuges they had removed from several cascades in A26. They also increased the amount of gas they were feeding into the centrifuges that were still operating to make up for the lost time and to increase the output of enriched gas. But they had no idea they were about to get hit again.

  Celebrations for the Persian New Year ran for thirteen days in Iran, though only the first four days were an official public holiday. It was on March 23, the fourth day of the holiday when most workers were still at home with their families and friends, that the next wave of Stuxnet struck. The payload was identical to the one unleashed the previous June, but this version included the larger collection of zero-day exploits and other spreading mechanisms, including the .LNK exploit that ultimately led to its discovery.

  Despite all of these extra bells and whistles, however, the attackers appeared to target only a single company this time—Behpajooh. It’s not clear when they unleashed their code, but it struck the first machines at Behpajooh around six a.m. on March 23. Behpajooh had been hit in the 2009 attack as well, and it would be hit in a subsequent attack that struck the following month, in April 2010. It was, in fact, the only company known to have been hit in all three rounds, suggesting it might have had a higher value as a conduit to reach the target computers at Natanz than the others. It was also, unfortunately, the victim that launched thousands of other infections in and outside Iran.

  Over subsequent days, as vacationing workers returned to their offices, the worm began to replicate wildly, spreading first through Behpajooh’s offices in Iran, the UK, and Asia before breaking free and infecting other companies in those countries and beyond.27 Later, when the Symantec researchers analyzed various samples of Stuxnet gathered from infected computers, they were able to trace thousands of infections back to these initial infections at Behpajooh.28

  Why the attackers increased their firing power to reach their target at this point is unclear. Perhaps the two years they’d spent inside Natanz’s computers had merely made them reckless, overconfident. But the most likely explanation is that the earlier versions of Stuxnet had been delivered via an insider or someone with close access to the target machines. If Stuxnet’s creators had subsequently lost this access, they would’ve felt the need to ramp up the spreading power to improve their chances of reaching their target. One piece of circumstantial evidence supporting this explanation is the different delays between when the attacks were compiled and when they infected their first victims. In the June 2009 attack, only about twelve hours had passed between the time the worm was compiled and when it struck its first victim.29 But the March 2010 version was compiled on the morning of March 1, then didn’t infect its first machine until March 23. (The last known version to be released, in April, had a similarly long delay of twelve days between the compilation date and infection.) The short infection time in 2009 suggested that the attackers may have used an inside accomplice or unwitting victim who had been preselected for the operation. When it came time to unleash subsequent versions of Stuxnet, the attackers may have had to wait longer until an opportunity arose to unleash it.

  As Stuxnet spread far and wide, it phoned home to its controllers via the command-and-control servers—and so it wasn’t long before officials in Washington learned that their worm had gone rogue. At that point it became clear that an operation that had been one of the most tightly held secrets in Washington for more than three years was suddenly at risk of being exposed.

  How had a digital weapon so carefully crafted and controlled for so long come undone now? Fingers pointed to Israel initially. In the spring of 2010 the White House, the NSA, and the Israelis had reportedly “decided to swing for the fences” with their sights on a specific group of 1,000 centrifuges they wanted to attack.30 This likely was a group of six cascades in unit A26. The previous round of Stuxnet had reduced A26 from twelve cascades enriching uranium to just six. It may have been these final six that the attackers now wanted to take out. Six cascades of 164 centrifuges each added up to 984 centrifuges. The Israelis apparently added the final touches—the extra zero days and other spreading mechanisms—in order to supersize it. Sanger reports that sources told him that the worm was launched inside Natanz and escaped when an Iranian scientist connected his laptop to an infected control computer at the plant and then carried the infection out on his laptop to the internet. But this doesn’t correspond to the forensic evidence researchers found in the code. As previously noted, each sample of Stuxnet contained a log file that tracked every machine it infected. These files showed that the first infections occurred at computers belonging to Behpajooh and the other companies, computers that appeared to be generic systems, not programming computers inside Natanz that contained Step 7 files or the Siemens software. It was possible that these were laptops belonging to contractors who were working inside Natanz. But Sanger also writes that the worm should have recognized when its environment changed and it landed on machines outside of its target environment. There was nothing in any of the versions of Stuxnet that researchers examined, however, that served as a mechanism for recognizing this and preventing Stuxnet from spreading outside Natanz. The only limitations Stuxnet had were on where it ignited its payload, not where it spread.

  It’s important to note, however, that the operators who managed the command servers that communicated with Stuxnet did have the ability to halt the spread of the weapon once they saw it getting out of control. Stuxnet had a disinfect feature that allowed the attackers to remove it from an infected machine. As Stuxnet began to spread wildly out of control and the attackers started seeing infected machines reporting in to their server from Indonesia, Australia, and elsewhere, they could have sent out a disinfect command to delete the code from those machines. There were a limited number of possible reasons that they didn’t do this. “Either they didn’t care that it was spreading or it was spreading faster than they expected and they couldn’t strike it down,” says O’Murchu. O’Murchu doesn’t think it was due to incompetence. “They had total control over infected machines, and I think it was a conscious decision to [do nothing].” Even after news of Stuxnet’s spread made it back to Washington, a remarkable decision was made to let the operation continue with still no apparent attempt to halt its spread. Although, again, the details are murky, according to Sanger’s sources, at least two more versions of Stuxnet were released after March, but were tweaked to remove the “bug” that caused the previous one to spread.

  On April 14, the attackers did compile another version of Stuxnet, but the payload this time was exactly the same as the March one. Although the same spreading mechanisms were in this one, it didn’t spread as far and wide as the March version.31 No other versions of Stuxnet dating after this have been found in the wild.

  It’s possible that subsequent versions of Stuxnet were unleashed but were so much more tightly controlled that they’ve never been found. There was a hint of this when researchers found the random driver file in July 2010 that they thought was associated with Stuxnet. It was the driver discovered by ESET that had been signed with the certificate from J-Micron. As noted, the driver was found by itself, without any main Stuxnet file accompanying it, but it’s believed this may have been part of another Stuxnet attack.

  In the April attack, Foolad Technique was the first victim that was hit, as it had been in the June 2009 attack. The worm struck the company on April 26 and appeared to infect the same computer it had infected the previous year. Weeks later on May 11, the digital weapon was unleashed on three computers belonging to a company using the domain name Kala, believed to be Kala Electric or Kala Electronics, the front company that Iran used to manage Natanz and secretly procure components for its nuclear program—the same company that Alireza Jafarzadeh had mentioned in his 2002 press conference exposing Natanz.32 Behpajooh was hit with this same version of Stuxnet on May 13.

  Notably, although Neda Industrial Group doesn’t show up in the logs for the 2010 infection samples that researchers examined, Behrooz, the control engineer who had posted to the Siemens user forum the previous year, popped up again complaining of continued problems. On June 2, he wrote that all Windows computers at his company were still experiencing the same problem they had the previous year.

  Workers at other companies chimed in to say that they, too, were having the same problem. One user, who also wrote that all of the PCs at his company were infected, said the problem appeared to be confined to Iran. “[B]ecause you can see many people in Iran [on the forum] have the same problem from at least 1 [month] ago,” he wrote. The discussion continued throughout July, with Behrooz so frustrated at times that he ended some of his messages with an angry, red-faced emoticon. Then suddenly, on July 24, he posted a message saying finally the mystery had been solved. He included a link to a news article about Stuxnet, which had recently been publicly exposed, and ended his message with three grinning emoticons. Of course it would be several more months before he and the rest of the world learned what it was targeting.

  UNLIKE THE 2009 assault, it’s unclear what effect the attacks in 2010 had on Natanz. Sanger writes that after the attackers unleashed a third version of Stuxnet in 2010, it caused 984 centrifuges to come “to a screeching halt.”33 As noted previously, there were at this time exactly 984 centrifuges enriching in six cascades in unit A26, but there is no indication in IAEA reports that they stopped enriching. In September, there were still six cascades in unit A26 enriching gas and another six spinning under vacuum. It’s possible that the centrifuges in question did halt and then recovered or were replaced at some point between the IAEA’s May and September reports. It’s also possible that Sanger’s sources confused the dates and were referring to the 1,000 or so centrifuges that technicians removed in late 2009 and early 2010 that the IAEA had captured with their cameras.
