Cold Open

SFX: Car screeching to a halt, doors opening and closing

On April 8, 2008, one of Iran’s most important (and dangerous) men stepped out of his car. He was greeted by scientists, advisors, and a press corps rapidly snapping pictures. His plan was simple: unveil and publicize one of the most secretive nuclear enrichment facilities in the world.

That man, dressed in his signature earth tone jacket and button-down shirt, was none other than the Iranian president, Mahmoud Ahmadinejad. And the tour, which was partly his idea, was to let the world know that Iran was going to ascend to the status of a “nuclear power” on the global stage and there was no one that could stop it.

SFX: Footsteps

As the tour got underway, Ahmadinejad was led underground by technicians and the head of Iran’s atomic energy organization. There, in the belly of the nuclear enrichment facility known as Natanz, the world got its first look at what the Iranian government had been working towards for decades.

Halls of centrifuges, small metal tubes used for enriching uranium into a usable form for either nuclear power or weapons, lined the underground chambers. A steady hum oscillated throughout the halls, the sound of centrifuges working tirelessly.

Iran’s cover for nuclear enrichment had been the relentless pursuit of nuclear energy, a relatively clean and efficient way to create energy for the country. But one curious member of Ahmadinejad’s entourage tipped analysts off to the idea that perhaps Iran had more nefarious motives for their nuclear program.

In multiple publicity photos, standing right next to the president, was the country’s defense minister, Mostafa Mohammad Najjar. What was the defense minister doing touring a nuclear enrichment facility to power atomic energy? Many in the international community saw Najjar’s presence as a confirmation that the Natanz enrichment facility might be providing more than just nuclear fuel for generators. A confirmation that would worry countries in the region as well as across oceans.

As the tour continued, President Ahmadinejad was shown the latest centrifuges made by Iranian manufacturers, as well as the advanced computer system that monitored the pressure and functionality of the generators.

Ahmadinejad leaned over a computer monitor, engrossed and entranced by the sheer scale of Natanz’s enrichment capabilities. It’s a small moment on the tour, a moment captured by a photograph that highlights the president’s excitement and commitment to the program.

But thousands of miles away, at the U.S.’s National Security Agency headquarters in Fort Meade, Maryland, analysts were getting their first clues as to whether a secret operation at Natanz was working.

In the picture of President Ahmadinejad inspecting the computer monitor, there’s another monitor in the foreground of the photo. It’s on that monitor that the analysts saw some very interesting clues.

On the screen, it shows each centrifuge as a green cube. There are rows of cubes lining the interface. The analysts at the NSA confirmed that this is how the Iranian scientists monitor the operational status of each centrifuge.

But there are also a few cubes in the photo that are not green. They’re red, indicating that there’s been some kind of malfunction in very specific centrifuges. The centrifuges could be offline, they could be getting replaced, or they could be simply running at reduced capacity.

The analysts at the NSA looked around at the team that may have been responsible for getting those few centrifuges compromised. And they weren’t Navy SEALs. They weren’t CIA operatives in suits either. Instead, the analysts were looking at a team of computer nerds. And these nerds weren’t deadlifting in their off time. They weren’t trail running with fifty pounds of gear. They were probably wearing golden capes and talking about the latest episode of Aqua Teen Hunger Force.

And that photograph was a small indicator of how effective those NSA hackers’ work was. But what they didn’t realize at the time was just how dangerous their operation would become. 

Because at that point, no one in the world knew about the hackers’ computer worm that they had uploaded to the Natanz nuclear enrichment facility. Even as the Iranian president toured the facility, this special computer worm was working its way through the industrial computers that regulated the centrifuges.

But things were about to get messier, murkier, and potentially drag the world into industrial catastrophe. 

The NSA analysts and hackers were working on Operation Olympic Games, but today, you might recognize the operation for what it created: Stuxnet: the first offensive cyberweapon used to inflict physical damage in the real world. 

On this episode: building one of the most complex computer worms to roam the world, state-sponsored cyberattacks, and cyber-diplomacy in the Middle East. I’m Keith Korneluk and this is Modem Mischief.

Act 1

When cybersecurity analysts first detected Stuxnet in June of 2010, they were stunned. Analysts from the biggest names in cybersecurity, like Symantec, and researchers like Ralph Langner spent months, and eventually years, analyzing the code.

Stuxnet’s code was 20 times the size of your average virus. It had 4 zero-day exploits, meaning it could exploit flaws in operating systems that even the developers weren’t aware of. For reference, zero-day exploits like these usually sell on the black market for $100,000 each.

Stuxnet’s code also contained two digital certificates that made the code appear legitimate in the eyes of a computer. Later analysis done by Symantec showed that these digital certificates were stolen from two companies in Hsinchu Science Park in Taiwan. 

But perhaps the most curious part of Stuxnet’s code was its target. It wasn’t a surveillance virus. It wasn’t stealing credit card info, passwords, or even screen captures. Stuxnet had a very, hyper-specific target: industrial computers.

By targeting specific industrial computers like programmable logic controllers used to manage everything in manufacturing from valves to motors, the analysts concluded that Stuxnet was used for industrial sabotage. 

As they continued to sink countless hours into dissecting Stuxnet, they discovered a curious origin: Stuxnet seemed to have come from five different manufacturers in Iran. 

And that’s when two very important details dawned on the cybersecurity community. One, diplomatic tensions between Iran and the U.S. were the highest they’d been since the Iranian hostage crisis in 1979, no thanks to Iran’s burgeoning nuclear enrichment program. 

SFX: Angry protesting, gunfire, bombs exploding

In the news, it seemed like every day stories were breaking about nuclear scientists getting assassinated in broad daylight, Iranian pipelines exploding, and Israel becoming ever cautious of Iranian nuclear capability. 

And, two, that the version of Stuxnet they were analyzing had a version number: 1.1. 

This meant that there had been other versions of Stuxnet before the one they were analyzing. That’s when the analysts realized that they were just scratching the surface of a multinational, interagency cyberwarfare operation.

Beat

It isn’t easy to make a nuclear bomb. It’s expensive, requires nuclear scientists, and perhaps most importantly, it requires specialized machines to spin uranium. These machines, called centrifuges, are necessary for creating the purity of uranium used to make a bomb or run a nuclear power plant.

And in 1975, one enterprising scientist decided to throw his hat into the ring of international arms production. His name was Abdul Qadeer Khan, better known as A.Q. Khan. He was a Pakistani metallurgist working for Urenco in the Netherlands. Khan had witnessed decades of animosity between his homeland and neighboring India, and it certainly didn’t put his mind at ease when India began testing nuclear weapons in 1974.

To help his country, and make fistfuls of cash on the side, Khan stole the Urenco blueprints for nuclear centrifuges and fled to Pakistan. Before long, Khan became the head of the Pakistani Nuclear Program. 

Throughout the ’80s, ’90s, and 2000s, Khan and his research laboratory sold nuclear technology and components to the highest bidders in the world. Perhaps the most important thing Khan sold was the P1 centrifuge. From North Korea to Libya, some of the most authoritarian regimes in the world were getting their hands on nuclear technology. And Iran was not going to be left behind in the nuclear arms race.

By 1987, Iran was in the final year of its almost 8-year war with neighboring Iraq. Hundreds of thousands of soldiers and civilians had died in the conflict. And the possibility of a stalemate was very real. 

To ensure dominance in the region, Iranian officials began coordinating with A.Q. Khan in Pakistan, beginning the long journey to nuclear armament. Slowly but surely, Iran began stockpiling nuclear centrifuges.

But Iran’s need for a nuclear program became more urgent.

SFX: War: marching, gunfire, G.H.W. Bush addressing the American people

In 1991, after Iraq invaded and annexed the small Arabian Peninsula country of Kuwait, a coalition of U.S.-led forces descended upon Kuwait and Iraq in what became known as Operation Desert Storm and Desert Saber. While it took 8 years of fighting to draw a ceasefire between Iran and Iraq, it only took one month, one week, and four days for Iraq to sign a ceasefire treaty with the U.S. coalition forces.

History would repeat itself when the U.S.-led forces invaded Iraq in 2003, deposing and capturing Saddam Hussein in a matter of months.

All of this convinced Iran that its sovereignty was at stake. They knew that if they developed a nuclear weapons program they would be protected from imperialism, invasion, and annexation. They were not going to suffer the same fate as the highly-destabilized Iraq.

To address the need for nuclear weapons, Iran started building a top-secret enrichment facility in the town of Natanz. There, in the shadow of the snow-capped Karkas mountains in remote central Iran, nuclear scientists began working around the clock to create an enrichment process using the Pakistani P1 centrifuges given to them by A.Q. Khan.

By 2002, a group of Iranian dissidents in France exposed nuclear facilities in Iran, most notably the Natanz enrichment facility. Iran’s cover story was that its nuclear facilities were for atomic energy, not weapons.

Facing criticism from the International Atomic Energy Agency, the U.S., and the United Nations, Iran entered into the Paris Agreement in 2004. Iran was going to suspend nuclear enrichment programs while it negotiated with France, Germany, and the U.K. to find a solution.

Beat

While European nations were hoping for a peaceful and diplomatic solution for Iran’s nuclear program, the U.S. and Israel had some very different means of addressing the problem.

In 2003, the U.S. intelligence agencies had a massive breakthrough. They seized a cargo ship full of nuclear centrifuges bound for Libya. While on one hand, this was a crushing blow to the Libyan nuclear program, the CIA realized they had discovered something better. The centrifuges were similar, if not the same ones, that A.Q. Khan designed for Iran. 

So, without wasting any time, the centrifuges were sent to Oak Ridge National Laboratory in Tennessee and the Negev Nuclear Research Center in Dimona, Israel. They deconstructed the centrifuges, learned about their vulnerabilities, and constructed modified versions based on intelligence that Iran was making new centrifuges — P2s.

But back in Iran, there was one man, a hard-line fundamentalist, who was going to change everything.

In 2005, Mahmoud Ahmadinejad was elected President of Iran. Having lived through multiple armed conflicts, Ahmadinejad’s approach to diplomacy was akin to earlier Iranian leaders: nuclear deterrence. 

Ahmadinejad withdrew Iran from the 2004 Paris Agreement and restarted the nuclear program with renewed fervor. For years, though, Iran wasn’t able to produce the amount of enriched uranium it needed to efficiently create nuclear fuel for weapons or power plants. The centrifuges they had, whether they were P1s or P2s, were unreliable and would wear down over the course of years it would take to refine uranium.

The solution presented to Ahmadinejad was to bootstrap the centrifuges with the latest and greatest in industrial digital manufacturing technology. By placing the centrifuges in a cascade, that is, connecting them all through pipes, valves, and switches, they could easily replace one centrifuge in a cascade without shutting down production at the entire facility. And that’s exactly what they did at the Natanz nuclear enrichment facility.

But what Iran didn’t realize was that in introducing industrial computers and programmable logic controllers, they were exposing themselves to complexities and vulnerabilities. Because if a group of hackers ever found their way into the cascade network, they could cause an awful lot of trouble — perhaps even a catastrophic explosion.

And that’s exactly what the U.S.’s National Security Agency and CIA were working on.

SFX: Typing

For months, on-net operators — the NSA’s fancy way of saying hackers — at Fort Meade in Maryland and Sandia National Laboratories in New Mexico worked on code that could manipulate the same industrial computers that were used to regulate the cascade of centrifuges in Natanz.

Additionally, Mossad, Israel’s intelligence agency, also worked on code that could manipulate industrial computers.

Once the on-net operators in the U.S. had some working code, they decided to try it on some working centrifuges, namely the confiscated P1s. 

They started by assembling the centrifuges in the same way they were configured in the Natanz facility — just without the uranium inside. They lined them up in a cascade, had the pressure releases, shut-off valves, and overflow regulation ready through the programmable logic controllers. Then, they uploaded that first version of Stuxnet onto the computer.

SFX: high pitch increasing in decibel levels

Before long, they could hear the dreadful noise of the centrifuges spinning out of control. A high-pitched whine came from all of the centrifuges, joining together to create an ear-ringing cacophony.

SFX: Metallic explosion

Then, the centrifuges burst open in a violent shredding of metal on metal. The intelligence officers immediately called for a meeting with President George Bush. They swept up the pieces of a destroyed P1 centrifuge, bagged them, and took the first plane to Washington, D.C. From there they took the busted centrifuge down to the situation room, laid it out on the table, and asked for the president.

President Bush, a little unsure of what he was looking at, asked for an explanation. The intelligence officers, no doubt proud of their work, explained that the computer worm that they built had caused the very centrifuge he was looking at to tear itself apart. 

President Bush picked up a piece of the shard off the table. He nodded, examining the industrial destruction scattered on the conference table. He set the metal debris down again and looked the officers sternly in the eye. 

“I think this might be worth it,” he said. And that’s when Operation Olympic Games really started to heat up.

But there was just one problem: for the operation to work, the CIA and Mossad needed to find a way to get into Natanz, and Natanz was one of the most secure compounds in Iran. The entire building ran on its own network, meaning the computers in Natanz couldn’t be accessed via the internet. It was completely air-gapped.

But fortunately for Operation Olympic Games, there was one intelligence agency that was already working on an access point. 

In 2004, the CIA had asked the Dutch intelligence agency, AIVD, to gain access to Natanz, mostly for intelligence gathering purposes. Because there was no way to gain access to the facility remotely, the AIVD had to use a mole to get in. And that mole, unidentified to this day, was an Iranian engineer who worked for two front companies set up and funded by the AIVD. 

The first company had some faulty data that raised the suspicions of the Iranian authorities, and the company was denied a contract to work at the Natanz facility. The second company, however, succeeded. 

In 2007, Natanz’s cascades featuring some 1,700 centrifuges finally began enriching uranium. After decades of research, procurement, and diplomatic posturing, Iran was making considerable progress on its nuclear program. 

So, when the Dutch mole arrived as a mechanic to service some of the machinery at Natanz, he had been given a very important tool: a USB stick. He most likely wasn’t told what was on it, only that he needed to place it inside a computer at Natanz.

As the mole approached Natanz in the front company’s truck, he went past dozens of massive anti-aircraft guns aimed high at the sun. He cleared the security checkpoint and was led to the elevators, plunging him down more than 50 feet below ground. From there, he was led to the machinery that the company was contracted to work on. 

And at some point, in the whirling heart of the Iranian nuclear program, the mole made his way to a computer, plugged the USB stick into it, and waited. He dragged and dropped the computer worm onto the hard drive, removed the USB stick, and returned to work.

The mole wasn’t sure if it had worked, but little did he know, he was just opening Pandora's box. 

Act 2 

A screaming comes across the sky. All over Israel, thousands of people leave their homes to look at the bright sun beating down over the Mediterranean Sea. On any given day, the sun would shine brilliantly, but in June of 2008, the sun was completely blotted out.

Above the heads of the Israelis and countless other citizens from the nearby region flew over 100 fighter jets. Some jets, like the F-16 and the F-15, were designed to deliver devastating payloads to ground targets. Others, like the massive four-engine aerial refueling tankers, made sure that those fighter jets made it to their targets. Other aircraft, like the helicopters whirling over the ocean, fanning sea spray high into the air, were designed to rescue any downed pilots.

All day long these aircraft fanned the sky. From Israel to Southern Greece, the jets tore through the spotless Mediterranean sky. But what was their purpose? What were they preparing for? Who was their eventual target?

Intelligence analysts within the U.S. Department of Defense feared that their worst nightmare was about to happen. On that day in June of 2008, Israel flexed the entire might of its air force across the eastern Mediterranean. And the U.S. thought it might have something to do with one of Israel’s neighbors.

For decades, Iran, located around 1000 miles from Israel, had been working to create its nuclear program. Originally inspired by the threat of Iraq and eventually the U.S., the Iranian government was keen on defending their homeland by building their own nuclear weapons.

In Israel’s eyes, the development of nuclear weapons — anywhere near them — was a threat to Israelis. In 1981, they carried out the only recorded air attack on a nuclear enrichment facility, at Osirak, crippling Iraq’s nuclear program. In 2007, Israel leveled a suspected Syrian nuclear facility using the same F-15 and F-16 bombers that were racing through the sky in June of 2008.

At that moment, more than ever before, the U.S. realized something needed to be done. Israel, ever fearful of the possibility of a nuclear threat in the region, was posturing and preparing to bomb Iran’s nuclear facility in Natanz. 

By this point, the United Nations, various European coalitions, and the U.S. had tried to diplomatically curtail Iran’s nuclear program. But the Iranian government was determined to secure its sovereignty and safety from foreign attack through nuclear weapons development. 

Fortunately for the U.S., there was a plan already in the making. The possibility of destroying Iran’s nuclear enrichment facility at Natanz would certainly be considered an act of war. But what if there was a way to simply slow down production, to ensure that no matter how hard the Iranian nuclear scientists worked, they’d never process enough uranium to make a nuclear weapon? 

That’s exactly what Stuxnet was designed to do.

Stuxnet is one of the most complicated computer worms to have ever been unleashed. But the first version of Stuxnet, the one that the Dutch mole had uploaded to the Natanz network, was subtle. 

Stuxnet was designed to be untraceable. If the Iranian government could irrefutably prove it came from an NSA/Mossad collaboration, they would certainly see it as an act of sabotage and respond with force. To make the worm untraceable, the operators removed any kind of command and control functions, which typically require an operator on the outside to “dictate” to the worm what to do next. 

This meant the operators had to make Stuxnet completely autonomous. It needed to function with no direction from the outside. As a result, the code was incredibly dense and complicated, with directives to spread, monitor equipment, and manipulate the industrial logic controllers, all on its own.

So what exactly was Stuxnet doing in its early versions?

Simply put, Stuxnet was never trying to cause a catastrophic explosion or shutdown. Instead, Stuxnet’s plans played out over months. 

For starters, its goal was to spread to every computer in the Natanz facility. From there, the worm would jump onto the industrial logic controllers and begin recording data. Stuxnet would then save the legitimate data that essentially said, “Everything is working normally, A-OK.” From there, Stuxnet could shut off the legitimate data stream and, instead, feed the recorded data back while it began its sabotage. 

The first versions of Stuxnet focused primarily on the valves that controlled the pressure within the centrifuge. As the uranium spun, Stuxnet tweaked the valves to increase the pressure in the centrifuge, putting stress on the rotor that spins inside the centrifuge.

This stress, while never fully breaking the centrifuge, was instead designed to shorten the lifespan of the centrifuge. Instead of operating for around 10 years, the increased pressure would wear out the rotor, shortening the lifespan significantly. The intelligence agencies involved in the operation hoped that over years, Iran would be constantly replacing their centrifuges, never efficiently achieving nuclear enrichment. 

This inefficiency, in turn, would create a lack of confidence in the Iranian nuclear scientists in charge of the program. This demoralization, the NSA hoped, would eventually cause Iran to abandon their nuclear program.

But, as seen in Ahmadinejad’s tour of Natanz in 2008, progress was slow. It seemed that the Iranians were expanding their enrichment capabilities faster than Stuxnet was slowing things down.

So, when Israel began their military drills in 2008, just months after the press tour of Natanz, the operators at the NSA and Mossad’s cyberwarfare Unit 8200 saw the need to increase the aggressiveness of Stuxnet. If the on-net operators couldn’t slow down the enrichment process at Natanz, they feared that the Israeli army might take matters into their own hands, much as they had in Iraq and Syria years earlier.

There was also another problem that reared its head: the Dutch mole had lost access to the Natanz facility. For one reason or another, the contract with the front company had ended, and the mole was no longer able to feed updates to Stuxnet.

As a result, not only did the NSA and Unit 8200 need to increase the payload of the computer worm, they needed to also find a way to get the new version of Stuxnet inside the computers at Natanz.

That’s when Tailored Access Operations, the group of on-net operators at NSA overseeing Stuxnet, included stolen digital certificates in Stuxnet’s code. They also included four zero-day exploits that were designed to increase the spreadability of the code.

The operators also tweaked Stuxnet’s payload. Instead of focusing on the pressure inside the centrifuge, Stuxnet was now going to directly target the rotor within the centrifuge. By speeding up and dramatically slowing down the rotor, Stuxnet could damage the machines faster — all the while still feeding back the recorded data that showed all systems were functioning normally. 

To get Stuxnet into Natanz, Tailored Access Operations chose five manufacturing partners that were supplying the Natanz facility with centrifuge parts and maintenance. Once Stuxnet found its way onto a computer at these manufacturers, it would spread like wildfire across the whole network. However, because those computers weren’t connected to the specific programmable logic controllers that were used at Natanz, they didn’t inflict any damage. Instead, they used the manufacturers’ computers as hosts that, much like rats carrying disease-ridden fleas, would unwittingly transfer Stuxnet into Natanz.

And, at some point during 2008, the new and improved version of Stuxnet was released in Natanz. 

Beat

SFX: Electronic tone to simulate what Natanz would sound like.

The engineers monitoring the centrifuges at Natanz were used to hearing the sound of thousands of centrifuges spinning at a constant rate. The steady oscillation provided some comfort to the engineers walking the halls and monitoring the machines. It meant everything was surely working properly.

Normally, the sound created by the centrifuges is due to the rotor spinning at around 63,000 revolutions per minute. 

So when that constant pitch started to change, across a whole cascade of centrifuges — roughly 984 of them — the engineers started to panic.

SFX: Play the sound of the centrifuges speeding up

The pitch of the centrifuges went higher and higher, signaling that the rotors were spinning way faster than they were ever meant to and that the centrifuges could explode or get damaged. While the engineers didn’t have the number for it at the time, Stuxnet was forcing the rotors to spin at 84,000 rotations per minute — more than 40% above operating capacity. 

The distraught engineers checked their computer monitors, searching for any sign that the centrifuges were malfunctioning. But all they saw were green cubes and normal operating numbers. The engineers had no explanation for what was going on, and even as they tried to shut the centrifuge cascade down, the shut-off program wasn’t responding. 

Chaos descended on Natanz. 

SFX: running footsteps

The engineers feared that the facility would suffer catastrophic failure if they couldn’t slow the rotors down. They continued smashing the big red shut-off button, but nothing was responding. 

But just as they were getting ready to evacuate the facility, the high-pitched whining tone of the out-of-control rotors began to return to its normal pitch. And within a few minutes, everything sounded just as it always had. 

The engineers figured it must have been some glitch within the software that allowed the mistake to happen. They kept a close eye on the machines, watching to see if it would happen again, and, much to their surprise, operations remained normal. At least for a few weeks. 

But after a month of normalcy, Stuxnet was designed to strike again. This time, though, it would decelerate the rotors from the normal 63,000 revolutions per minute to just 120 revolutions per minute. 

SFX: Decelerating oscillations

Again, the Iranian engineers and operators panicked. They could hear evidence of a malfunction happening, yet their computers were giving them normal data. The engineers feared that if the rotors spun at such a low frequency, they’d start hitting the walls of the centrifuge, possibly exploding and destroying themselves. 

But sure enough, after a few minutes of panic, normal systems were restored and the centrifuges returned to their normal tone. 
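The two things the script describes, a recorded stream of “A-OK” readings being replayed to the operators while the rotors actually ran at 84,000 and later 120 rpm, leave traces a defender can look for. The added example below is not from the original episode or from any real Natanz software; it is a small Python illustration of two plausibility checks over constructed telemetry: a replayed recording repeats itself exactly, which live noisy sensors never do, and an independent measurement (here, rotor speed estimated from the acoustic pitch the engineers could hear) will disagree with the replayed screen values. The rpm figures are the ones quoted in the script; the tolerance, window size and sample streams are assumptions made for the example.

```python
"""Plausibility checks for replayed control-system telemetry (added example).

Two detectors over constructed centrifuge rotor-speed data:
  1. find_replayed_windows: exact repetition of a short window of readings,
     the signature of a looped recording being fed back to the operators.
  2. find_channel_disagreements: sustained disagreement between the reported
     value and an independent channel (e.g. speed estimated from acoustic pitch).
"""

NOMINAL_RPM = 63_000       # normal rotor speed quoted in the episode
TOLERANCE_RPM = 2_000      # assumed: disagreement beyond this is suspicious
MIN_RUN = 3                # assumed: consecutive mismatches before alerting

# Constructed "recording" of five healthy readings; a replay loops over them.
RECORDED_LOOP = [62_980, 63_010, 62_995, 63_020, 63_005]
REPORTED = RECORDED_LOOP * 4                     # 20 samples shown on the screen

# Constructed independent channel: healthy, then the 84,000 rpm overspeed, then recovery.
INDEPENDENT = ([NOMINAL_RPM] * 8
               + [70_000, 78_000, 84_000, 84_000, 84_000, 84_000, 84_000, 76_000, 68_000]
               + [NOMINAL_RPM] * 3)


def find_replayed_windows(samples, window=4):
    """Return start indices of windows that exactly repeat an earlier window.

    Real sensor readings carry noise, so an exact repeat of `window`
    consecutive values almost never happens by chance; a looped recording
    produces one on every pass.
    """
    seen = {}
    hits = []
    for i in range(len(samples) - window + 1):
        key = tuple(samples[i:i + window])
        if key in seen:
            hits.append(i)
        else:
            seen[key] = i
    return hits


def find_channel_disagreements(reported, independent,
                               tolerance=TOLERANCE_RPM, min_run=MIN_RUN):
    """Return (start, end) index ranges where the reported value and the
    independent channel differ by more than `tolerance` for at least
    `min_run` consecutive samples. Short blips are ignored to avoid
    alerting on a single noisy reading."""
    ranges = []
    run_start = None
    for i, (r, m) in enumerate(zip(reported, independent)):
        if abs(r - m) > tolerance:
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start >= min_run:
                ranges.append((run_start, i - 1))
            run_start = None
    n = min(len(reported), len(independent))
    if run_start is not None and n - run_start >= min_run:
        ranges.append((run_start, n - 1))
    return ranges


def healthy_stream(length=20):
    """Constructed healthy stream with deterministic jitter and no exact repeats."""
    return [NOMINAL_RPM + ((i * 37) % 41) - 20 for i in range(length)]


def assess(reported, independent):
    """Combine both checks into a single verdict for an operator console."""
    replays = find_replayed_windows(reported)
    disagreements = find_channel_disagreements(reported, independent)
    return {
        "replayed_windows": replays,
        "disagreement_ranges": disagreements,
        "suspicious": bool(replays or disagreements),
    }


if __name__ == "__main__":
    verdict = assess(REPORTED, INDEPENDENT)
    print("replayed windows start at:", verdict["replayed_windows"])
    print("independent channel disagrees over:", verdict["disagreement_ranges"])
    print("suspicious:", verdict["suspicious"])
```

The point of the second check is the one the script makes in passing: the engineers could hear the rotors change pitch while the screens stayed green. Cross-checking the reported value against a channel the control computer does not produce (a separately wired tachometer, a vibration or acoustic sensor) is what turns that intuition into an alert, and the exact-repeat check catches a replay even before the physical process diverges.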

While there hadn’t been any catastrophic damage, once the computers began showing the real-time data — not the false data Stuxnet had recorded weeks before — signs of centrifuge damage emerged. By August of 2009, the Iranian engineers had taken 600 centrifuges offline. As the Stuxnet attacks continued to cause damage to the centrifuges and sow doubt about the facility’s safety, the Iranians removed another 300 centrifuges. And by January of 2010, another 164 centrifuges were removed from the enrichment process.

President Ahmadinejad, hearing about the issues at Natanz, grew frustrated with what little progress was being made at Natanz. It felt like two steps forward, one step back for their nuclear program. 

But for the NSA and Mossad, Stuxnet was doing its job. And it was doing it damn well. Even if the Iranian engineers were able to repair and replace the centrifuges, it was costing them time, money, and confidence. Iran’s nuclear program was becoming costly, inefficient, and more and more like an unachievable dream. And the best part, at least in the eyes of the U.S. and Israeli governments, was that Iran had no idea that Stuxnet was the root cause of all of their problems. 

But the top-secret nature of the program was about to be blown wide open. All the careful coding, programming, and spycraft that made Stuxnet effective wouldn’t matter anymore. And it was all thanks to a small, independent cyber security firm in Belarus. 

Act 3 

When on-net operators were creating the code for the more aggressive version of Stuxnet, they knew they needed to make it spread faster. The choice to “infect” 5 different companies with the bug was a surefire way to make sure that Stuxnet made it into Natanz.

But what the NSA and Mossad didn’t account for — or, if they did account for this, they chose to ignore it — was where else Stuxnet may spread. In their heart of hearts, the people who designed the code knew it wouldn’t damage other industrial computers besides the ones at Natanz. Because they designed Stuxnet to only operate in the hyper-specific conditions of the Natanz enrichment facility. 

But the agencies couldn’t tell the world that. They couldn’t even tell their government that. And they didn’t. It would take an independent and international civilian review of the Stuxnet code to show what was going on. 

On a sunny Saturday in June of 2010, Sergey Ulasen was attending a wedding in his native Belarus when he received a call from tech support at his work.

SFX: Windows error sound

It turned out one of his clients in Iran was getting BSODs, or blue screen of death errors, as well as excessive rebooting. Even the computers that had a freshly installed copy of Windows were experiencing these alarming errors. As Sergey learned more, he realized that every computer on this client’s network seemed to be having these issues.

Sergey realized he needed to get to the office to find out more about the malware that plagued his client’s network. 

SFX: Phone ringing, office noises

Come Monday, Sergey was getting remote access to the computer network in Iran. As he started searching and analyzing the computer, he discovered the malware drivers, the source of the problem. But he also saw that the malware had legitimate digital certificates that made Windows trust the program. 

When Sergey saw the full picture — the program's ability to use a rootkit to hide in plain sight, the stolen digital certificates, the complexity of the code — he realized that there was nothing else like this computer worm in the world. He immediately started sharing his discovery online in cyber security industry forums. 

For months, the cyber security industry frantically searched for clues as to where Stuxnet came from, what its purpose was, and how to stop it. 

At the Department of Homeland Security, the Director of Cybersecurity, Seán McGurk, was asked to investigate Stuxnet. As Seán and his team started doing their analysis of the code, they believed the threat Stuxnet posed to U.S. industry was grave. He immediately called his higher-ups, eventually testifying before Congress about the danger Stuxnet posed for the U.S. economy. 

Meanwhile, top advisors in the Obama administration were furious — including Vice President Joe Biden. They were told that Stuxnet wouldn’t leave Natanz, that the Iranian government wouldn’t find out about it, and that it wouldn’t become a media circus. 

As President Obama and government officials were asked to comment on Stuxnet, they denied all involvement. The Israeli government denied all involvement. But the sophistication of Stuxnet, from the stolen digital certificates to the highly targeted payload, indicated that it couldn’t have been thrown together by some hackers or a criminal gang. Rather, Stuxnet was almost assuredly designed by a state-sponsored team of hackers — and at the time, the NSA and Mossad’s Unit 8200 were the only likely suspects. 

As the months passed and the media pressed government officials for answers, it was this crowdsourced analysis of the Stuxnet code that revealed some incredible clues. For starters, the cyber security experts noticed that Stuxnet targeted very specific kinds of industrial computers. Additionally, it only executed its payload when very specific conditions were met. 

In September of 2010, Ralph Langner, a cyber security expert, determined that Stuxnet’s payload target matched the configurations of centrifuges at Natanz. It was then he realized Stuxnet’s only target was the Natanz nuclear enrichment facility.

By November of 2010, Iran halted operations at Natanz to completely purge Stuxnet from its machines. For weeks, Iranian engineers wiped the industrial computers and scrubbed the network of Stuxnet. 

Stuxnet’s operational life had come to an end.

While Stuxnet succeeded in slowing down the production of enriched uranium at Natanz, it could have been more effective had it not spread so aggressively to the outside world. Had Stuxnet just stayed within Natanz, it’s likely the worm would have completely shaken the confidence of Iran’s officials. On top of that, Iran would have no idea who was behind the cyber attack.

Instead, the Iranian officials were able to rid themselves of Stuxnet and double down on their operations, vowing to avenge the country responsible for the attack. 

Israel, on the other hand, increased its efforts to slow down Iran’s nuclear program. It is believed that Mossad and its associates in Iran assassinated four Iranian nuclear scientists from November 2010 to November 2020. 

While a large-scale conflict due to the Iranian nuclear program has been avoided, Stuxnet was perhaps one of the most peaceful and humanitarian solutions to stopping Iran’s nuclear program. The economic sanctions under President Trump did very little other than to sow disdain towards the U.S. and pass the burden off to the civilian populace. Israel’s more aggressive, but targeted, assassinations are certainly high profile and cost lives.

But Stuxnet was a peaceful computer worm. Designed not to completely cripple the centrifuges, but instead wear them out, Stuxnet would have put a stop to Iran’s nuclear progress. It wouldn’t have cost lives — save for any scientists executed for incompetence by the Iranian regime — and it wouldn’t have forced thousands of Iranians to ration food, medicine, and fuel.  

The beauty of Stuxnet was in fact what made it so terrifying: it had one job and one target. This is great for whoever is in charge of determining what the job and target are, but terrifying for anyone on the receiving side.

But perhaps one of the most dangerous parts about Stuxnet is that it’s out there on the internet. Anyone can search the code for Stuxnet. They can analyze it, copy it, augment it, and even repurpose the code for their own gains. 

For the years that followed, many cyber security experts warned of a wave of Stuxnet-related attacks. Many industrial centers around the world feared an attack. 

But perhaps the most terrifying part of Stuxnet is the precedent it set for the future of international cyberwarfare. 

Act 4

In the nearly 11 years since Stuxnet was first discovered, there’s only been one cyberattack that had a direct impact on the physical world. In December of 2015, part of the Ukrainian power grid was crippled by a cyber-physical attack. Over 200,000 Ukrainians celebrated Christmas without power. 

The reality of cyber-physical attacks is that they are rare. Many analysts in the industry thought these attacks would be happening more frequently. But instead, they have become a selling point for many cyber security companies. 

Countries could likely be waging cyber operations on each other. We just might not know about it until many years later. 

As for Iran’s nuclear program, they’ve been steadily increasing their stockpile of enriched uranium for the past decade. In 2021, Iran had roughly 3,241 kilograms of enriched uranium. In terms of nuclear weapons capability, that translates to about 3 nuclear weapons if they enriched the uranium further.

However, in April of 2021, an explosion occurred at the Natanz nuclear enrichment facility. While the Iranian media and officials blamed the explosion on an Israeli cyberattack, they have since claimed that the saboteur was an Iranian national who planted explosives and fled the country. 

The future of both Iran’s nuclear program and cyber warfare is uncertain. How much do we really know about either of these topics? What classified secrets still exist that we won’t see for another decade or two? Only time will tell. 

Credits

Thanks for listening to Modem Mischief. Don’t forget to hit the follow button in your favorite podcast app right now so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners, and the best way to support the show is to share it. Tell your friends, your enemies, put it in a note to Santa. Another way to support us is on Patreon. For as little as $5 a month you’ll receive an ad-free version of the show plus monthly bonus episodes exclusive to subscribers. Go to Patreon.com/ModemMischief for more. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jonah Svihus. Edited, mixed and mastered by Greg Bernhard aka Gary Bernhard. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!