Zero Days (2016) Movie Script

Through the darkness
of the pathways that we marched,
evil and good lived
side by side.
And this is the nature of...
Of life.
We are in an unbalanced
and inequivalent confrontation
between democracies
who are obliged
to play by the rules
and entities who think
democracy is a joke.
You can't convince fanatics
by saying,
"hey, hatred paralyzes you,
love releases you."
There are different rules that
we have to play by.
Female newsreader: Today, two of
Iran's top nuclear scientists
were targeted by hit squads.
Female newsreader 2:
...In the capital Tehran.
Male newsreader: ...The latest
in a string of attacks.
Female newsreader 3: Today's
attack has all the hallmarks
of major strategic sabotage.
Female newsreader 4:
Iran immediately accused
the U.S. and Israel
of trying to damage
its nuclear program.
Mahmoud Ahmadinejad:
I want to categorically deny
any United States involvement
in any kind of act of violence
inside Iran.
Covert actions can help,
can assist.
They are needed, they are not
all the time essential,
and they, in no way,
can replace political wisdom.
Alex Gibney:
Were the assassinations in Iran
related to
the Stuxnet computer attacks?
Uh, next question, please.
Male newsreader:
Iran's infrastructure
is being targeted
by a new and dangerously
powerful cyber worm.
The so-called Stuxnet worm
is specifically designed,
it seems,
to infiltrate and sabotage
real-world power plants
and factories and refineries.
Male newsreader 2: It's not
trying to steal information
or grab your credit card,
they're trying to get into
some sort of industrial plant
and wreak havoc trying
to blow up an engine or...
Male newsreader 3:
Male newsreader 4:
No one knows
who's behind the worm
and the exact nature
of its mission,
but there are fears Iran
will hold Israel
or America responsible
and seek retaliation.
Male newsreader 5:
It's not impossible that
some group of hackers did it,
but the security experts
that are studying this
really think this required
the resource of a nation-state.
Man: Okay, and spinning.
Gibney: Okay, good.
Here we go.
What impact, ultimately,
did the Stuxnet attack have?
Can you say?
I don't want to
get into the details.
Gibney: Since the event
has already happened,
why can't we talk more openly
and publicly about Stuxnet?
Yeah, I mean, my answer
is because it's classified.
I... I won't knowledge...
You know, knowingly
offer up anything
I consider classified.
Gibney: I know that you
can't talk much about Stuxnet,
because Stuxnet
is officially classified.
You're right on
both those counts.
But there has been
a lot reported
about it in the press.
I don't want
to comment on this.
I read it in the newspaper,
the media, like you,
but I'm unable
to elaborate upon it.
People might find it frustrating
not to be able to talk about it
when it's in the public domain,
I find it frustrating.
Yeah, I'm sure you do.
I don't answer that question.
I can't comment.
I do not know
how to answer that.
Two answers before you even
get started, I don't know,
and if I did, we wouldn't talk
about it anyway.
Gibney: How can you have
a debate if everything's secret?
I think right now
that's just where we are.
No one wants to...
Countries aren't happy
about confessing
or owning up to what they did
because they're not quite sure
where they want
the system to go.
And so whoever
was behind Stuxnet
hasn't admitted
they were behind it.
Asking officials about Stuxnet
was frustrating and surreal,
like asking the emperor
about his new clothes.
Even after the cyber weapon
had penetrated computers
all over the world,
no one was willing
to admit it was loose
or talk about
the dangers it posed.
What was it about
the Stuxnet operation
that was hiding in plain sight?
Maybe there was a way
the computer code
could speak for itself.
Stuxnet first surfaced
in Belarus.
I started with a call
to the man who discovered it
when his clients in Iran
began to panic
over an epidemic
of computer shutdowns.
Had you ever seen anything
quite so sophisticated before?
Eric Chien:
On a daily basis, basically
we are sifting through
a massive haystack looking for
that proverbial needle.
We get millions of pieces
of new malicious threats
and there are millions of
attacks going on
every single day.
And only way are trying to
protect people
and their computers and...
And their systems
and countries' infrastructure
from being taken down
by those attacks.
But more importantly, we have
to find the attacks that matter.
When you're talking about
that many,
impact is extremely important.
Eugene Kaspersky: Twenty years
ago, the antivirus companies,
they were hunting
for computer viruses
because there were not so many.
So we had, like,
tens of dozens a month,
and there was just
little numbers.
Now, we collect millions
of unique attacks every month.
Vitaly Kamluk: This room we call
a woodpecker's room
or a virus lab,
and this is where
virus analysts sit.
We call them woodpeckers
because they are
pecking the worms,
network worms, and viruses.
And we see, like, three
different groups of hackers
behind cyber-attacks.
They are traditional
cyber criminals.
Those guys are interested
only in illegal profit.
And quick and dirty money.
Activists, or hacktivists,
they are hacking for fun
or hacking to push
some political message.
And the third group
is nation-states.
They're interested in
high-quality intelligence
or sabotage activity.
Chien: Security companies
not only share information
but we also share
binary samples.
So when
this threat was found
by a Belarusian
security company
on one of their customer's
machines in Iran,
the sample was shared amongst
the security community.
When we try to name threats,
we just try to pick
some sort of string,
some sort of words,
that are inside
of the binary.
In this case, there was
a couple of words in there
and we took pieces of each,
and that formed Stuxnet.
I got the news about Stuxnet
from one of my engineers.
He came to my office,
opened the door,
and he said, "so, Eugene,
of course you know that
we are waiting
for something really bad.
It happened."
Gibney: Give me some
sense of what it was like
in the lab at that time.
Was there a palpable
sense of amazement
that you had something
really different there?
Well, I wouldn't call it
It was a kind of a shock.
It went beyond our worst fears,
our worst nightmares,
and this continued
the more we analyzed.
The more we researched,
the more bizarre
the whole story got.
We look at so much malware
every day that
we can just look at the code
and straightaway we can say,
"okay, there's something bad
going on here,
and I need to
investigate that."
And that's the way it was
when we looked at Stuxnet
for the first time.
We opened it up and there was
just bad things everywhere.
Just like, okay, this is bad
and that's bad,
and, you know,
we need to investigate this.
And just suddenly
we had, like,
a hundred questions
The most interesting thing
that we do is detective work
where we try to track down
who's behind a threat,
what are they doing,
what's their motivation,
and try to really stop it
at the root.
And it is kind of
You get this new puzzle
and it's very difficult
to put it down,
you know, work until, like,
4:00 am in the morning
and figure these things out.
And I was in that zone where
I was very consumed by this,
very excited about it,
very interested to know
what was happening.
And Eric was also
in that same sort of zone.
So the two of us were, like,
back and forth all the time.
Chien: Liam and I continued
to grind at the code,
sharing pieces,
comparing notes,
bouncing ideas
off of each other.
We realized that
we needed to do
what we called deep analysis,
pick apart the threat,
every single byte,
every single zero, one,
and understand everything
that was inside of it.
And just to give you
some context,
we can go through and understand
every line of code
for the average threat
in minutes.
And here we are
one month into this threat
and we were just starting
to discover what we call
the payload
or its whole purpose.
When looking at
the Stuxnet code,
it's 20 times the size
of the average piece of code
but contains almost
no bugs inside of it.
And that's extremely rare.
Malicious code always has
bugs inside of it.
This wasn't the case
with Stuxnet.
It's dense and every piece
of code does something
and does something right
in order to conduct its attack.
One of the things that
surprised us
was that Stuxnet
utilized what's called
a zero-day exploit,
or basically,
a piece of code
that allows it to spread
without you having
to do anything.
You don't have to, for example,
download a file and run it.
A zero-day exploit
is an exploit that
nobody knows about
except the attacker.
So there's no protection
against it.
There's been
no patch released.
There's been zero days
you know, against it.
That's what attackers value,
because they know 100 percent
if they have
this zero-day exploit,
they can get in
wherever they want.
They're actually
very valuable.
You can sell these
on the underground
for hundreds
of thousands of dollars.
Then we became more worried
because immediately we
discovered more zero days.
And again, these zero days
are extremely rare.
Inside Stuxnet we had,
you know, four zero days,
and for the entire rest
of the year,
we only saw
12 zero days used.
It blows all... everything else
out of the water.
We've never seen this before.
Actually, we've never seen it
since, either.
Seeing one in a malware
you could understand
because, you know, the malware
authors are making money,
they're stealing people's credit
cards and making money,
so it's worth their while
to use it,
but seeing four zero days,
could be worth
half a million dollars
right there,
used in one piece
of malware,
this is not your ordinary
criminal gangs doing this.
This is...
This is someone bigger.
It's definitely
not traditional crime,
not hacktivists.
Who else?
It was evident
on a very early stage
that just given
the sophistication
of this malware...
Suggested that
there must have been
a nation-state involved,
at least one nation-state
involved in the development.
When we look at code
that's coming from
what appears to be
a state attacker
or state-sponsored attacker,
usually they're scrubbed clean.
They don't... they don't leave
little bits behind.
They don't leave
little hints behind.
But in Stuxnet
there were actually
a few hints left behind.
One was that, in order to
get low-level access
to Microsoft Windows,
Stuxnet needed to use
a digital certificate,
which certifies that
this piece of code
came from
a particular company.
Now, those attackers obviously
couldn't go to Microsoft
and say,
"hey, test our code out for us.
And give us
a digital certificate."
So they essentially
stole them...
From two companies
in Taiwan.
And these two companies have
nothing to do with each other
except for
their close proximity
in the exact same
business park.
Digital certificates
are guarded very, very closely
behind multiple doors
and they require multiple
people to unlock.
Security: ...To the camera.
Chien: And they need to provide
both biometrics
and, as well, pass phrases.
It wasn't like
those certificates were
just sitting on some machine
connected to the Internet.
Some human assets
had to be involved, spies.
O'Murchu: Like a cleaner who
comes in at night
and has stolen
these certificates
from these companies.
It did feel like walking
onto the set
of this James Bond movie
and you...
You've been embroiled
in this thing that,
you know, you...
You never expected.
We continued to search,
and we continued
to search in code,
and eventually we found some
other bread crumbs left
we were able to follow.
It was doing something
with Siemens,
Siemens software,
possibly Siemens hardware.
We'd never ever seen that
in any malware before,
something targeting Siemens.
We didn't even know why
they would be doing that.
But after googling,
very quickly we understood
it was targeting
Siemens PLCs.
Stuxnet was targeting
a very specific hardware device,
something called a PLC or
a programmable logic controller.
Langner: The PLC is kind of
a very small computer
attached to
physical equipment,
like pumps,
like valves, like motors.
So this little box is
running a digital program
and the actions
of this program
turns that motor on, off,
or sets a specific speed.
Chien: Those program
module controllers
control things like
power plants, power grids.
This is used in factories,
it's used in
critical infrastructure.
Critical infrastructure,
it's everywhere around us,
financial services,
health care.
So the payload of Stuxnet
was designed
to attack some
very important part
of our world.
The payload is gonna be
What happens there could be
very dangerous.
Langner: The next
very big surprise came
when it infected
our lab system.
We figured out that
the malware was probing
for controllers.
It was quite picky
on its targets.
It didn't try to manipulate any
given controller in a network
that it would see.
It went through several checks,
and when those checks failed,
it would not implement
the attack.
It was obviously probing
for a specific target.
You've got to put this
in context that,
at the time,
we already knew,
well, this is the most
sophisticated piece of malware
that we have ever seen.
So it's kind of strange.
Somebody takes that huge effort
to hit one specific target?
Well, that must be
quite a significant target.
Chien: So at Symantec we have
probes on networks
all over the world
watching for
malicious activity.
O'Murchu: We'd actually seen
infections of Stuxnet
all over the world,
in the U.S., Australia,
in the U.K., in France,
Germany, all over Europe.
Chien: It spread to any Windows
machine in the entire world.
You know,
we had these organizations
inside the United States
who were in charge of
industrial control
facilities saying,
"we're infected.
What's gonna happen?"
O'Murchu: We didn't know if
there was a deadline coming up
where this threat
would trigger
and suddenly would,
like, turn off all, you know,
electricity plants
around the world
or it would start
shutting things down
or launching some attack.
We knew that Stuxnet could have
very dire consequences,
and we were
very worried about
what the payload
and there was
an imperative speed
that we had to race
and try and, you know,
beat this ticking bomb.
Eventually, we were able to
refine the statistics a little
and we saw that
Iran was the number one
infected country in the world.
Chien: That immediately raised
our eyebrows.
We had never
seen a threat before
where it was
predominantly in Iran.
And so we began to follow
what was going on
in the geopolitical world,
what was happening
in the general news.
And at that time, there were
actually multiple explosions
of gas pipelines
going in and out of Iran.
Unexplained explosions.
O'Murchu: And of course,
we did notice that at the time
there had been assassinations
of nuclear scientists.
So that was worrying.
We knew there was
something bad happening.
Gibney: Did you get concerned
for yourself?
I mean, did you begin to start
looking over your shoulder
from time to time?
Yeah, definitely
looking over my shoulder
and... and being careful about
what I spoke about on the phone.
I was... pretty confident
my conversations on my...
On the phone were
being listened to.
We were only half joking
when we would
look at each other
and tell each other
things like,
"look, I'm not suicidal.
If I show up dead on Monday,
you know, it wasn't me."
We'd been publishing
information about Stuxnet
all through that summer.
And then in November,
the industrial control system
sort of expert
in Holland contacted us...
And he said all of these
devices that would be inside of
an industrial control system
hold a unique identifier number
that identified the make
and model of that device.
And we actually had a couple
of these numbers in the code
that we didn't know
what they were.
And so we realized
maybe what he was referring to
was the magic numbers we had.
And then when we searched
for those magic numbers
in that context,
we saw that what
had to be connected
to this industrial control
system that was being targeted
were something called
frequency converters
from two
specific manufacturers,
one of which was in Iran.
And so at this time,
we absolutely knew
that the facility
that was being targeted
had to be in Iran
and had equipment made
from Iranian manufacturers.
When we looked up
those frequency converters,
we immediately found out
that they were actually
export controlled by the
Nuclear Regulatory Commission.
And that immediately
led us then
to some nuclear facility.
Gibney: This was more than
a computer story,
so I left the world
of the antivirus detectives
and sought out journalist,
David Sanger,
who specialized in
the strange intersection
of cyber, nuclear weapons,
and espionage.
The emergence of the code
is what put me on alert
that an attack was under way.
And because of the
covert nature of the operation,
not only were official
government spokesmen
unable to talk about it,
they didn't even know about it.
The more I dug into it,
the more I began to find
who had been involved
in some piece of it
or who had witnessed
some piece of it.
And that meant
talking to Americans,
talking to Israelis,
talking to Europeans,
because this was obviously
the first, biggest,
and most sophisticated
example of a state
or two states
using a cyber weapon
for offensive purposes.
I came to this with
a fair bit of history,
understanding the Iranian
nuclear program.
How did Iran get its first
nuclear reactor?
We gave it to them...
Under the shah,
because the shah was considered
an American ally.
Thank you again for your
warm welcome, Mr. president.
Gary Samore: During
the Nixon administration,
the U.S. was very enthusiastic
about supporting
the shah's
nuclear power program.
And at one point,
the Nixon administration
was pushing the idea
that Pakistan and Iran
should build a joint plant
together in Iran.
There's at least
some evidence that
the shah was thinking about
acquisition of nuclear weapons,
because he saw, and we were
encouraging him to see Iran
as the so-called policemen
of the Persian Gulf.
And the Iranians have always
viewed themselves
as naturally the dominant power
in the Middle East.
Samore: But the revolution,
which overthrew
the shah in '79,
really curtailed the program
before it ever got any
head of steam going.
Part of our policy against Iran
after the revolution
was to deny them
nuclear technology.
So most of the period
when I was involved
in the '80s and the '90s
was the U.S. running
around the world
and persuading potential
nuclear suppliers
not to provide even peaceful
nuclear technology to Iran.
And what we missed
was the clandestine transfer
in the mid-1980s
from Pakistan to Iran.
Rolf Mowatt-Larssen:
Abdul Qadeer Khan
is what we would call
the father of
the Pakistan nuclear program.
He had the full authority
and confidence
of the Pakistan government
from its inception
to the production
of nuclear weapons.
I was a CIA officer for...
For over two decades,
operations officer,
worked overseas
most of my career.
The A.Q. Khan network
is so notable
because aside from building
the Pakistani program
for decades...
It also was the means
by which other countries
were able to develop
nuclear weapons,
including Iran.
A.Q. Khan acting on behalf
of the Pakistani government
with officials in Iran
and then there was a transfer
which took place
through Dubai
of blueprints for
nuclear weapons design
as well as some hardware.
Throughout the mid-1980s,
the Iranian program
was not very well-resourced.
It was more of
an R&D program.
It wasn't really
until the mid-'90s
that it started to take off
when they made the decision
to build the nuclear weapons
You know,
we can speculate what,
in their mind,
motivated them.
I think it was
the U.S. invasion of Iraq
after Kuwait.
You know, there was an
eight-year war
between Iraq and Iran,
we had wiped out Saddam's
forces in a matter of weeks.
And I think that was enough
to convince the rulers
in Tehran
that they needed to pursue
nuclear weapons more seriously.
George Bush: States like these
and their terrorist allies
constitute an axis of evil,
arming to threaten
the peace of the world.
Samore: From 2003 to 2005
when they feared that
the U.S. would invade them,
they accepted limits
on their nuclear program.
But by 2006, the Iranians
had come to the conclusion
that the U.S. was bogged down
in Afghanistan and Iraq
and no longer had the capacity
to threaten them,
and so they felt it was safe to
resume their enrichment program
they started producing
low enriched uranium,
producing more centrifuges,
installing them
at the large-scale underground
enrichment facility at Natanz.
Gibney: How many times
have you been to Natanz?
Not that many, because I left
few years ago, the dia,
but I was there quite...
Quite a few times.
Natanz is just in the middle
of the desert.
When they were building it
in secret,
they were calling it
desert irrigation facility.
For the local people,
you want to sell why you
are building a big complex.
There is a lot of artillery
and air force.
It's better protected
against attack from air
than any other nuclear
installation I have seen.
So this is
deeply underground.
But then inside, Natanz is like
any other centrifuge facility.
I have been all over the world,
from Brazil to Russia, Japan,
so they are all alike
with their own features,
their own centrifuges,
their own culture,
but basically,
the process is the same.
And so are the monitoring
activities of the IAEA.
There are basic principles.
You want to see what goes in,
what goes out,
and then on top of that
you make sure that
it produces
low enriched uranium
instead of anything to do with
the higher enrichments
and nuclear weapon
grade uranium.
Emad Kiyaei:
Iran's nuclear facilities
are under 24-hour watch.
Of the United Nations
nuclear watchdog,
the IAEA, the International
Atomic Energy Agency.
Every single gram of Iranian
fissile material...
Is accounted for.
They have, like, basically
seals they put
on fissile materials.
There are IAEA seals.
You can't break it
without getting noticed.
Heinonen: When you look
at the uranium
which was there in Natanz,
it was a very special uranium.
This is called isotope 236,
and that was a puzzle to us,
because you only see
this sort of uranium
in states which
have had nuclear weapons.
We realized that
they had cheated us.
This sort of equipment
has been bought
from what they call
a black market.
They never pointed out
it to A.Q. Khan
at that point of time.
What I was surprised
was the sophistication
and the quality control
and the way they have
the manufacturing
was really professional.
It was not something,
you know, you just create
in a few months' time.
This was a result
of a long process.
A centrifuge,
you feed uranium gas
in and you have a cascade,
thousands of centrifuges,
and from the other end
you get enriched uranium out.
It separates uranium based on
spinning the rotors.
It spins so fast,
300 meters per second,
the same as
the velocity of sound.
These are tremendous forces
and as a result,
the rotor, it twists,
looks like a banana
at one point of time.
So it has to be balanced
because any small vibration
it will blow up.
And here comes another trouble.
You have to raise
the temperature
but this very thin
rotor was...
They are made from
carbon fiber,
and the other pieces,
they are made from metal.
When you heat
carbon fiber, it shrinks.
When you heat metal,
it expands.
So you need to balance not only
that they spin,
they twist,
but this temperature behavior
in such a way that
it doesn't break.
So this has to be
very precise.
This is what makes them
very difficult to manufacture.
You can model it,
you can calculate it,
but at the very end,
it's actually based
on practice and experience.
So it's a...
It's a piece of art, so to say.
Heinonen: Iranians are very
proud of their centrifuges.
They have a lot of
public relations videos
given up always in April
when they have what they call
a national nuclear day.
Kiyaei: Ahmadinejad came into
his presidency saying
if the international community
wants to derail us
we will stand up to it.
If they want us to sign more
and more additional protocols
and other measures,
no, we will not.
We will fight for our rights.
Iran is a signature to nuclear
non-proliferation treaty,
and under that treaty, Iran has
a right to a nuclear program.
We can have enrichment.
Who are you, world powers,
to come and tell us that we
cannot have enrichment?
This was his mantra,
and it galvanized
the public.
Sanger: By 2007, 2008,
the U.S. government
was in a very bad place with
the Iranian program.
President Bush recognized
that he could not even
come out in public
and declare that the Iranians
were building a nuclear weapon,
because by this time,
he had gone through
the entire WMD fiasco in Iraq.
He could not really take
military action.
Condoleezza Rice said to him
at one point,
"you know, Mr. president,
I think you've invaded
your last Muslim country,
even for the best of reasons."
He didn't want to let
the Israelis
conduct a military operation.
It's 1938, and Iran is Germany
and it's racing...
To arm itself
with atomic bombs.
Iran's nuclear ambitions
must be stopped.
They have to be stopped.
We all have to stop it, now.
That's the one message
I have for you today.
Thank you.
Israel was saying
they were gonna bomb Iran.
And the government here
in Washington
did all sorts of scenarios
about what would happen
if that Israeli attack occurred.
They were all
very ugly scenarios.
Our belief was that if
they went on their own
knowing the limitations...
No, they're a very good
air force, all right?
But it's small
and the distances are great
and the target's dispersed
and hardened, all right?
If they would have
attempted a raid
on a military plane,
we would have been assuming that
they were assuming
we would finish
that which they started.
In other words,
there would be many of us
in government thinking that
the purpose of the raid
wasn't to destroy
the Iranian nuclear system,
but the purpose of the raid
was to put us at war with Iran.
Israel is very much
concerned about
Iran's nuclear program,
more than the United States.
It's only natural because
of the size of the country,
because we live in this
America lives thousands and
thousands miles away from Iran.
The two countries agreed on
the goal.
There is no page between us
that Iran should not have
a nuclear military capability.
There are some differences
on how to...
How to achieve it
and when action is needed.
Yadlin: We are taking
very seriously
leaders of countries who call to
the destruction
and annihilation of our people.
If Iran will get
nuclear weapons,
now or in the future...
It means that for the first time
in human history
Islamic zealots,
religious zealots,
will get their hand on
the most dangerous,
devastating weapons,
and the world should
prevent this.
Samore: The Israelis believe
that the Iranian leadership
has already made the decision
to build nuclear weapons
when they think
they can get away with it.
The view in the U.S.
is that the Iranians
haven't made that
final decision yet.
To me, that doesn't make
any difference.
I mean, it really doesn't make
any difference,
and it's probably unknowable,
unless you can put, you know,
Supreme Leader Khamenei
on the couch and interview him.
I think, you know,
from our standpoint,
stopping Iran from getting
the threshold capacity
is, you know,
the primary policy objective.
Once they have
the fissile material,
once they have the capacity to
produce nuclear weapons,
then the game is lost.
Hayden: President Bush once said
to me, he said,
"Mike, I don't want any
president ever to be faced
with only two options,
bombing or the bomb."
He... he wanted options that...
That made it...
Made it far less likely
he or his successor
or successors
would ever get to that point
where that's...
That's all you've got.
We wanted to be energetic enough
in pursuing this problem
that... that the Israelis would
certainly believe,
"yeah, we get it."
The intelligence cooperation
between Israel
and the United States
is very, very good.
And therefore, the Israelis
went to the Americans
and said, "okay, guys,
you don't want us to bomb Iran.
Okay, let's do it differently."
And then the American
intelligence community started
rolling in joint forces
with the Israeli
intelligence community.
One day a group of intelligence
and military officials showed up
in President Bush's office
and said,
"sir, we have an idea.
It's a big risk.
It might not work,
but here it is."
Langner: Moving forward in
my analysis of the codes,
I took a closer look
at the photographs
that had been published
by the Iranians themselves
in a press tour from 2008
of Ahmadinejad
and the shiny centrifuges.
Sanger: Well, photographs
of Ahmadinejad
going through
the centrifuges at Natanz
had provided some
very important clues.
There was a huge amount
to be learned.
First of all,
those photographs showed
many of the individuals
who were guiding Ahmadinejad
through the program.
And there's one very famous
photograph that shows
Ahmadinejad being shown
You see his face, you can't see
what's on the computer.
And one of the scientists
who was behind him
was assassinated
a few months later.
Langner: In one of
those photographs,
you could see parts
of a computer screen.
We... we refer to that
as a SCADA screen.
The SCADA system is basically
a piece of software
running on a computer.
It enables the operators
to monitor the processes.
What you could see
when you look close enough
was a more detailed view
of the configuration
there were these six groups
of centrifuges
and each group
had 164 entries.
And guess what?
That was a perfect match
to what we saw
in the attack code.
It was absolutely clear
that this piece of code
was attacking an array
of six different groups
of, let's just say,
thingies, physical objects,
and in those six groups,
there were 164 elements.
Gibney: Were you able to do
any actual physical tests?
Or it was all just
code analysis?
Yeah, so, you know,
we obviously
couldn't set up our own sort
of nuclear enrichment facility.
So... but what we did was
we did obtain some PLCs,
the exact models.
We then ordered an air pump,
and that's what we used
sort of as our sort of
proof of concept.
O'Murchu: We needed
a visual demonstration
to show people
what we discovered.
So we thought of different
things that we could do,
and we... we settled
on blowing up a balloon.
We were able to write a program
that would inflate a balloon,
and it was set to stop
after five seconds.
So it would inflate the balloon
to a certain size
but it wouldn't
burst the balloon
and it was all safe.
And we showed everybody,
this is the code
that's on the PLC.
And the timer says,
"stop after five seconds."
We know that's
what's going to happen.
And then we would infect
the computer with Stuxnet,
and we would
run the test again.
Here is
a piece of software
that should only exist
in a cyber realm
and it is able to affect
physical equipment
in a plant or factory
and cause physical damage.
physical destruction.
At that time, things became
very scary to us.
Here you had malware
potentially killing people
and that was something that was
always Hollywood-esque to us
that we'd always laugh at
when people made
that kind of assertion.
Gibney: At this point, you had
to have started developing
theories as to
who had built Stuxnet.
It wasn't
lost on us that
there were probably
only a few countries
in the world that would want
and have the motivation
to sabotage
Iran's nuclear enrichment
The U.S. government
would be up there.
Israeli government certainly
would be... would be up there.
You know, maybe U.K.,
France, Germany,
those sorts of countries,
but we never found any
information that
would tie it back 100 percent
to... to those countries.
There are no telltale signs.
You know, the attackers don't
leave a message inside
saying, you know,
"it was me."
And even if they did,
all of that stuff can be faked.
So it's very, very difficult
to do attribution
when looking at
computer code.
Gibney: Subsequent work
that's been done
leads us to believe that
this was the work of
a collaboration between Israel
and the United States.
Yeah, yeah.
Gibney: Did you have
any evidence
in terms of your analysis
that would lead you
to believe that
that's correct also?
Nothing that I could
talk about on camera.
Well, can I ask why?
Well, you can,
but I won't answer.
Gibney: But even in the case
of nation-states,
I mean, one of
the concerns is...
Gibney: This was beginning
to really piss me off.
Even civilians with an interest
in telling the Stuxnet story
were refusing to address
the role of Tel Aviv
and Washington.
But luckily for me,
while D.C.
is a city of secrets,
it is also a city of leaks.
They're as regular as
a heartbeat
and just as hard to stop.
That's what I was counting on.
Finally, after speaking to a
number of people on background,
I did find a way of confirming,
on the record,
the American role in Stuxnet.
In exchange for details
of the operation,
I had to agree to find a way
to disguise the source
of the information.
- Gibney: We're good?
- Man: We're on.
Gibney: So the first question
I have to ask you
is about secrecy.
I mean, at this point,
everyone knows about Stuxnet.
Why can't we talk about it?
It's a covert operation.
Gibney: Not anymore.
I mean, we know what happened,
we know who did it.
Well, maybe you don't know
as much as you think you know.
Gibney: Well, I'm talking to you
because I want to
get the story right.
Well, that's the same reason
I'm talking to you.
Gibney: Even though it's
a covert operation?
Look, this is not
a Snowden kind of thing, okay?
I think what he did
was wrong.
He went too far.
He gave away too much.
Unlike Snowden,
who was a contractor,
I was in NSA.
I believe in the agency,
so what I'm willing to give you
will be limited,
but we're talking
because everyone's getting
the story wrong
and we have to get it right.
We have to understand
these new weapons.
The stakes are too high.
Gibney: What do you mean?
We did Stuxnet.
It's a fact.
You know, we came
so fucking close to disaster,
and we're still on the edge.
It was a huge multinational,
interagency operation.
In the U.S. it was CIA,
NSA, and the military
cyber command.
From Britain, we used
Iran intel out of GCHQ,
but the main partner
was Israel.
Over there,
Mossad ran the show,
and the technical work
was done by Unit 8200.
Israel is really the key
to the story.
Melman: Oh, traffic in Israel
is so unpredictable.
Gibney: Yossi, how did you get
into this whole Stuxnet story?
I have been covering
the Israeli intelligence
in general, in the Mossad
in particular
for nearly 30 years.
In '82, I was a London-based
and I covered a trial
of terrorists,
and I became more familiar
with this topic of terrorism,
and slowly but surely, I
started covering it as a beat.
Israel, we live in
a very rough neighborhood
where the...
The democratic values,
western values, are very rare.
But Israel pretends
to be a free, democratic,
westernized society,
posh neighborhoods,
rich people,
youngsters who are having
almost similar mind-set
to their American
or western European
On the other hand,
you see a lot of scenes
and events which resemble
the real Middle East,
terror attacks, radicals,
fanatics, religious zealots.
I knew that Israel
is trying to slow down
Iran's nuclear program,
and therefore,
I came to the conclusion that
if there was a virus
infecting Iran's computers,
it's... it's one more element
in... in this larger picture
based on past precedents.
1981 I was an F-16 pilot,
and we were told that,
unlike our dream
to do dogfights
and to kill MiGs,
we have to be prepared
for a long-range mission
to destroy a valuable target.
Nobody told us what is
this very valuable
strategic target.
It was 600 miles from Israel.
So we train our self
to do the job,
which was very difficult.
No air refueling at that time.
No satellites
for reconnaissance.
Fuel was on the limit.
Pilot: What?
Whoa! Whoa!
Yadlin: At the end of the day,
we accomplished
the mission.
Gibney: Which was?
Yadlin: To destroy
the Iraqi nuclear reactor
near Baghdad,
which was called Osirak.
And Iraq never was able
to accomplish
its ambition to have
a nuclear bomb.
Melman: Amos Yadlin,
General Yadlin,
he was the head
of the military intelligence.
The biggest unit
within that organization
was Unit 8200.
They'd block telephones,
they'd block faxes,
they're breaking
into computers.
A decade ago,
when Yadlin became
the chief of
military intelligence,
there was no
cyber warfare unit in 8200.
So they started recruiting
very talented people,
hackers either
from the military
or outside the military
that can contribute
to the project of building
a cyber warfare unit.
Yadlin: In the 19th century,
there were only army and navy.
In the 20th century,
we got air power
as a third dimension of war.
In the 21st century,
cyber will be
the fourth dimension of war.
It's another kind of weapon
and it is for unlimited range
in a very high speed
and in
a very low signature.
So this give you
a huge opportunity...
And the superpowers
have to change
the way we think
about warfare.
Finally we are transforming
our military
for a new kind of war
that we're fighting now...
And for wars of tomorrow.
We have made our military
better trained,
better equipped,
and better prepared
to meet the threats
facing America today
and tomorrow
and long in the future.
Sanger: Back in the end
of the Bush administration,
people within
the U.S. government
were just beginning
to convince President Bush
to pour money into
offensive cyber weapons.
Stuxnet started off
in the defense department.
Then Robert Gates,
secretary of defense,
reviewed this program
and he said,
"this program shouldn't be
in the defense department.
This should really be under
the covert authorities
over in
the intelligence world."
So the CIA was
very deeply involved
in this operation,
while much of
the coding work was done
by the
National Security Agency
and Unit 8200,
its Israeli equivalent,
working together with a newly
created military position
called U.S. Cyber Command.
And interestingly, the director
of the National Security Agency
would also have
a second role
as the commander
of U.S. Cyber Command.
And U.S. Cyber Command
is located
at Fort Meade in the
same building as the NSA.
Col. Gary D. Brown:
I was deployed for a year
giving advice on air operations
in Iraq and Afghanistan,
and when I was returning home
after that,
the assignment I was given
was to go
to U.S. Cyber Command.
Cyber Command is a...
Is the military command
that's responsible for
essentially the conducting
of the nation's military affairs
in cyberspace.
The stated reason
the United States
decided it needed
a cyber command
was because of an event called
Operation Buckshot Yankee.
Chris Inglis:
In the fall of 2008,
we found some
adversaries inside
of our classified networks.
While it wasn't completely true
that we always assumed that
we were successful
at defending things
at the barrier,
at the... at the kind of
perimeter that we might have
between our networks
and the outside world,
there was a large confidence
that we'd been
mostly successful.
But that was a moment in time
when we came to
the quick conclusion that it...
It's not really ever secure.
That then accelerated
the Department of Defense's
progress towards
what ultimately
became Cyber Command.
Good morning.
Good morning.
Good morning, sir. Cyber has
one item for you today.
Earlier this week,
antok analysts
detected a foreign adversary
using known methods
to access the U.S.
military network.
We identified
the malicious activity
via data collected through
our information assurance
and signals from
intelligence authorities
and confirmed
it was a cyber adversary.
We provided data to our
cyber partners within the DoD...
You think of NSA
as an institution
that essentially uses
its abilities in cyberspace
to help defend communications
in that space.
Cyber Command extends
that capability
by saying that they will then
take responsibility to attack.
Hayden: NSA has no
legal authority to attack.
It's never had it,
I doubt that it ever will.
It might explain why
U.S. Cyber Command
is sitting out at
Fort Meade on top of
the National Security Agency,
because NSA has the abilities
to do these things.
Cyber Command has the authority
to do these things.
And "these things" here
refer to the cyber-attack.
This is a huge change
for the nature of
the intelligence agencies.
The NSA was supposed
to be a code-making
and code-breaking operation
to monitor the communications
of foreign powers
and American adversaries
in the defense
of the United States.
But creating a cyber command
meant using
the same technology
to do offense.
Once you get inside an
adversary's computer networks,
you put an implant
in that network.
And we have tens of thousands
of foreign computers
and networks that the
United States put implants in.
You can use it to monitor
what's going across
that network and you can use it
to insert cyber weapons,
If you can spy on a network,
you can manipulate it.
It's already included.
The only thing you need
is an act of will.
NSA source:
I played a role in Iraq.
I can't tell you
whether it was military or not,
but I can tell you
NSA had combat support teams
in country.
And for the first time,
units in the field
had direct access to NSA intel.
Over time, we thought
more about offense
than defense, you know,
more about attacking
than intelligence.
In the old days, SIGINT units
would try to track radios,
but through NSA in Iraq,
we had access
to all the networks
going in and out
of the country.
And we hoovered up
every text message,
email, and phone call.
A complete surveillance state.
We could find the bad guys,
say, a gang making IEDs,
map their networks,
and follow them in real time.
Soldier: Roger.
NSA source: And we could
lock into cell phones
even when they were off
and send a fake text
from a friend,
suggest a meeting place,
and then capture...
Soldier: 1A, clear to fire.
...or kill.
Soldier: Good shot.
Brown: A lot of the people
that came to Cyber Command,
the military guys,
came directly from
an assignment
in Afghanistan or Iraq,
'cause those are the people
with experience
and expertise in operations,
and those are the ones you want
looking at this
to see how
cyber could facilitate
traditional military operations.
NSA source:
Fresh from the surge,
I went to work at NSA in '07
in a supervisory capacity.
Gibney: Exactly where
did you work?
NSA source: Fort Meade.
You know, I commuted
to that massive complex
every single day.
I was in TAO-S321,
"the ROC."
Gibney: Okay, the TAO,
the ROC?
Right, sorry. TAO is
Tailored Access Operations.
It's where
NSA's hackers work.
Of course,
we didn't call them that.
Gibney: What did you call them?
NSA source: On net operators.
They're the only people at NSA
allowed to break in
or attack on the Internet.
Inside TAO headquarters
is the ROC,
Remote Operations Center.
If the U.S. government
wants to get in somewhere,
it goes to the ROC.
I mean, we were flooded
with requests.
So many that we could
only do about, mm,
30% of the missions that were
requested of us at one time,
through the web
but also by hijacking
shipments of parts.
You know, sometimes the CIA
would assist
in putting implants
in machines,
so once inside
a target network,
we could just...
Or we could attack.
Inside NSA was a strange
kind of culture,
two parts macho military
and two parts cyber geek.
I mean, I came from Iraq,
so I was used to,
"yes, sir. No, sir."
But for the weapons
we needed more
"think outside the box" types.
From cubicle to cubicle,
you'd see lightsabers,
those Naruto action figures,
lots of
Aqua Teen Hunger Force.
This one guy,
they were mostly guys,
who liked to wear
a yellow hooded cape,
he used a ton of gray Legos
to build a massive Death Star.
Gibney: Were they all working
on Stuxnet?
NSA source:
We never called it Stuxnet.
That was the name invented
by the antivirus guys.
When it hit the papers,
we're not allowed to read about
classified operations,
even if it's in
The New York Times.
We went out of our way
to avoid the term.
I mean,
saying "Stuxnet" out loud
was like saying "Voldemort"
in Harry Potter.
The name that
shall not be spoken.
Gibney: What did
you call it then?
The Natanz attack,
and this is out there already,
was called
Olympic Games or OG.
There was a huge operation
to test the code
on PLCs
here at Fort Meade
and in Sandia, New Mexico.
Remember during the Bush era
when Libya turned over
all the centrifuges?
Those were the same models
the Iranians got
from A.Q. Khan.
We took them to Oak Ridge
and used them
to test the code
which demolished the insides.
At Dimona, the Israelis also
tested on the P1's.
Then, partly by using
our intel on Iran,
we got the plans for
the newer models, the IR-2's.
We tried out different
attack vectors.
We ended up focusing on ways to
destroy the rotor tubes.
In the tests we ran,
we blew them apart.
They swept up the pieces,
they put it on an airplane,
they flew it to Washington,
they stuck it in the truck,
they drove it through the gates
of the White House,
and dumped the shards out
on the conference room table
in the situation room.
And then they invited
President Bush
to come down
and take a look.
And when he could pick up
the shard
of a piece of centrifuge...
He was convinced
this might be worth it,
and he said,
"go ahead and try."
Gibney: Was there legal concern
inside the Bush administration
that this might be
an act of undeclared war?
If there were concerns,
I haven't found them.
That doesn't mean that
they didn't exist
and that some lawyers
weren't concerned about it,
but this was
an entirely new territory.
At the time, there were really
very few people
who had expertise specifically
on the law of war and cyber.
And basically what we did was
looking at, okay,
here's our broad direction.
Now, let's look...
Technically what can we do
to facilitate
this broad direction?
After that, maybe the...
I would come in
or one of my lawyers
would come in and say,
"okay, this is what we may do."
There are many things
we can do,
but we are not allowed
to do them.
And then after that,
there's still a final level
that we look at and that's,
what should we do?
Because there are many things
that would be
technically possible
and technically legal
but a bad idea.
For Natanz,
it was a CIA-led operation,
so we had to have
agency sign-off.
Gibney: Really?
Someone from the agency
stood behind the operator
and the analyst
and gave the order to launch
every attack.
Chien: Before they had
even started this attack,
they put inside of the code
the kill date,
a date at which it would stop
O'murchu: Cutoff dates,
we don't normally see that
in other threats,
and you have to think,
"well, why is there
a cutoff date in there?"
And when you realize that,
well, Stuxnet was probably
written by government
and that there are laws
regarding how you can use
this sort of software,
that there may have been a legal
team who said, "no, you...
You need to have
a cutoff date in there,
and you can only do this
and you can only go that far
and we need to check
if this is legal or not."
That date is a few days before
Obama's inauguration.
So the theory was that
this was an operation
that needed to be stopped
at a certain time
because there was
gonna be a handover
and that more approval
was needed.
Are you prepared to take
the oath, senator?
I am.
Barack Hussein Obama...
- I, Barack...
- Do solemnly swear...
I, Barack Hussein Obama,
do solemnly swear...
Sanger: Olympic Games was
reauthorized by President Obama
in his first year in office,
It was fascinating because it
was the first year of
the Obama administration and
they would talk to you
endlessly about cyber defense.
Obama: We count on
computer networks
to deliver our oil and gas,
our power, and our water.
We rely on them for
public transportation
and air traffic control.
But just as we failed
in the past
to invest in
our physical infrastructure,
our roads,
our bridges, and rails,
we failed to invest
in the security
of our digital infrastructure.
Sanger: He was running
East Room events
trying to get people to focus
on the need to
defend cyber networks
and defend
American infrastructure.
But when you asked questions
about the use of
offensive cyber weapons,
everything went dead.
No cooperation.
White House wouldn't help,
Pentagon wouldn't help,
NSA wouldn't help.
Nobody would talk to you
about it.
But when you dug into
the budget
for cyber spending during
the Obama administration,
what you discovered was
much of it was being spent
on offensive cyber weapons.
You see phrases like
"Title 10 CNO."
Title 10 means operations
for the U.S. military,
and CNO means
computer network operations.
This is considerable evidence
that Stuxnet was just
the opening wedge
of what is a much broader
U.S. government effort now
to develop an entire new class
of weapons.
Chien: Stuxnet wasn't just
an evolution.
It was really a revolution
in the threat landscape.
In the past, the vast majority
of threats that we saw
were always controlled by
an operator somewhere.
They would infect
your machines,
but they would have what's
called a callback
or a command-and-control
The threats would actually
contact the operator
and say, what do you want me
to do next?
And the operator would
send down commands
and say, maybe, search through
this directory,
find these folders,
find these files,
upload these files to me,
spread to this other machine,
things of that nature.
But Stuxnet couldn't have
a command-and-control channel
because once it got
inside in Natanz
it would not have been able to
reach back out to the attackers.
The Natanz network
is completely air gapped
from the rest of the Internet.
It's not connected to
the Internet.
It's its own isolated network.
Generally, getting across
an air gap is...
Is one of the more difficult
that attackers will face
just because of the fact that
there... everything is in place
to prevent that.
You know, everything, you know,
the policies and procedures
and the physical network
that's in place is
specifically designed to prevent
you crossing the air gap.
But there's no
truly air-gapped network
in these real-world production
People gotta get new code
into Natanz.
People have to get log files off
of this network in Natanz.
People have to upgrade
People have to upgrade
This highlights
one of the major
security issues
that we have in the field.
If you think,
"well, nobody can attack
this power plant
or this chemical plant
because it's not connected
to the Internet,"
that's a bizarre illusion.
NSA source: The first time we
introduced the code into Natanz
we used human assets,
maybe CIA,
more likely Mossad,
but our team was kept in
the dark about the tradecraft.
We heard rumors in Moscow,
an Iranian laptop infected
by a phony Siemens technician
with a flash drive...
A double agent in Iran
with access to Natanz,
but I don't really know.
What we had to focus on
was to write the code
so that, once inside,
the worm acted on its own.
They built in all the code
and all the logic
into the threat to be able
to operate all by itself.
It had the ability
to spread by itself.
It had the ability to figure
out, do I have the right PLCs?
Have I arrived in Natanz?
Am I at the target?
And when it's on target,
it executes autonomously.
That also means you...
You cannot call off the attack.
It was definitely
the type of attack
where someone had decided
that this is
what they wanted to do.
There was no turning back
once Stuxnet was released.
When it began to actually
execute its payload,
you would have a whole bunch
of centrifuges
in a huge array of cascades
sitting in a big hall.
And then just off that hall
you would have
an operators room,
the control panels in
front of them, a big window
where they could
see into the hall.
Computers monitor
the activities
of all these centrifuges.
So a centrifuge, it's driven
by an electrical motor.
And the speed of
this electrical motor
is controlled by another PLC,
by another
programmable logic controller.
Chien: Stuxnet would wait
for 13 days
before doing anything,
because 13 days is
about the time it takes
to actually fill an entire
cascade of centrifuges
with uranium.
They didn't want to attack when
the centrifuges essentially
were empty or at the beginning
of the enrichment process.
What Stuxnet did
was it actually would sit there
during the 13 days
and basically record
all of the normal activities
that were happening
and save it.
And once they saw
them spinning for 13 days,
then the attack occurred.
Centrifuges spin
at incredible speeds,
about 1,000 hertz.
Langner: They have
a safe operating speed,
63,000 revolutions per minute.
Chien: Stuxnet caused the
uranium enrichment centrifuges
to spin up to 1,400 hertz.
Langner: Up to 80,000
revolutions per minute.
What would happen
was those centrifuges
would go through what's called
a resonance frequency.
It would go through a frequency
at which the metal would
basically vibrate
and essentially shatter.
There'd be uranium gas
And then the second attack
they attempted
was they actually tried
to lower it to two hertz.
They were slowed down
to almost standstill.
Chien: And at two hertz, sort of
an opposite effect occurs.
You can imagine a toy top
that you spin
and as the top begins to
slow down, it begins to wobble.
That's what would happen
to these centrifuges.
They'd begin to wobble
and essentially shatter
and fall apart.
And instead of sending back
to the computer
what was really happening,
it would send back
that old data
that it had recorded.
So the computer's sitting
there thinking,
"yep, running at 1,000 hertz,
everything is fine.
Running at 1,000 hertz,
everything is fine."
But those centrifuges are
potentially spinning up wildly,
a huge noise would occur.
It'd be like, you know,
a jet engine.
So the operators
then would know, "whoa,
something is
going wrong here."
They might look at their
monitors and say, "hmm,
it says it's 1,000 hertz," but
they would hear that in the room
something gravely bad
was happening.
Not only are the operators
fooled into thinking
everything's normal,
but also any kind of automated
protective logic
is fooled.
Chien: You can't just turn
these centrifuges off.
They have to be brought down
in a very controlled manner.
And so they would hit,
literally, the big red button
to initiate
a graceful shutdown,
and Stuxnet intercepts
that code.
So you would have
these operators
slamming on that button
over and over again
and nothing would happen.
Yadlin: If your cyber weapon
is good enough,
if your enemy is not
aware of it,
it is an ideal weapon,
because the enemy
even don't understand
what is happening to it.
Gibney: Maybe even better if
the enemy begins to doubt
- their own capability.
- Absolutely.
Certainly one must conclude
that what happened
at Natanz
must have driven
the engineers crazy,
because the worst thing
that can happen
to a maintenance engineer
is not being able to figure out
what the cause
of specific trouble is.
So they must have been
analyzing themselves to death.
Heinonen: You know, you see
centrifuges blowing up.
You look the computer screens,
they go with the proper speed.
There's a proper gas pressure.
Everything looks beautiful.
Sanger: Through 2009
it was going pretty smoothly.
Centrifuges were blowing up.
The International Atomic Energy
Agency inspectors
would go in to Natanz
and they would see that
whole sections of the
centrifuges had been removed.
The United States knew
from its intelligence channels
that some Iranian scientists
and engineers
were being fired because
the centrifuges were blowing up
and the Iranians had assumed
that this was because
they had been making errors
or manufacturing mistakes.
Clearly this was
somebody's fault.
So the program was doing
exactly what it was supposed
to be doing,
which was it was
blowing up centrifuges
and it was leaving no trace
and leaving the Iranians
to wonder
what they got hit by.
This was the brilliance
of Olympic Games.
You know, as a former director
of a couple of big
3-letter agencies,
slowing down 1,000 centrifuges
in Natanz...
Abnormally good.
There was a need for... for...
For buying time.
There was a need for
slowing them down.
There was the need to try
to push them
to the negotiating table.
I mean, there are a lot
of variables at play here.
Sanger: President Obama would go
down into the situation room,
and he would have laid out
in front of him
what they called
the horse blanket,
which was a giant schematic
of the Natanz
nuclear enrichment plant.
And the designers
of Olympic Games
would describe to him
what kind of progress they made
and look for him
for the authorization
to move on ahead
to the next attack.
And at one point
during those discussions,
he said to a number
of his aides,
"you know,
I have some concerns
because once word of this
gets out,"
and eventually he knew
it would get out,
"the Chinese may use it
as an excuse
for their attacks on us.
The Russians might or others."
So he clearly
had some misgivings,
but they weren't big enough
to stop him
from going ahead with
the program.
And then in 2010,
a decision was made
to change the code.
Our human assets
weren't always able to get
code updates into Natanz
and we weren't told
exactly why,
but we were told we had to have
a cyber solution
for delivering the code.
But the delivery systems
were tricky.
If they weren't aggressive
enough, they wouldn't get in.
If they were too aggressive,
they could spread
and be discovered.
Chien: When we got
the first sample,
there was some configuration
information inside of it.
And one of the pieces in there
was a version number, 1.1
and that made us realize,
well, look, this likely isn't
the only copy.
We went back through
our databases looking for
anything that
looks similar to Stuxnet.
Chien: As we began to collect
more samples,
we found a few earlier versions
of Stuxnet.
O'murchu: And when we
analyzed that code,
we saw that versions
previous to 1.1
were a lot less aggressive.
The earlier version
of Stuxnet,
it basically required
humans to do a little bit
of double clicking
in order for it to spread
from one computer
to another.
And, so, what we believe
after looking at that code
is two things,
one, either they didn't
get in to Natanz
with that earlier version,
because it simply wasn't
aggressive enough,
wasn't able to jump over
that air gap,
and/or two,
that payload as well
didn't work properly, didn't
work to their satisfaction,
maybe was not
explosive enough.
There were
slightly different versions
which were aimed
at different parts
of the centrifuge cascade.
Gibney: But the guys at Symantec
figured you changed the code
because the first variations
couldn't get in
and didn't work right.
We always found a way
to get across the air gap.
At TAO, we laughed
when people thought they were
protected by an air gap.
And for OG, the early versions
of the payload did work.
But what NSA did...
Was always low-key
and subtle.
The problem was that
Unit 8200, the Israelis,
kept pushing us
to be more aggressive.
Chien: The later version
of Stuxnet 1.1,
that version had multiple ways
of spreading.
Had the four zero days inside
of it, for example,
that allowed it to spread
all by itself
without you doing anything.
It could spread via
network shares.
It could spread via USB keys.
It was able to spread via
network exploits.
That's the sample that
introduced us
to stolen digital certificates.
That is the sample that,
all of a sudden,
became so noisy
and caught the attention
of the antivirus guys.
In the first sample
we don't find that.
And this is very strange,
because it tells us that
in the process
of this development
the attackers
were less concerned
with operational security.
Chien: Stuxnet actually kept
a log inside of itself
of all the machines that
it infected along the way
as it jumped from one machine
to another
to another to another.
And we were able to gather up
all the samples
that we could acquire,
tens of thousands of samples.
We extracted all of those logs.
O'murchu: We could see the
exact path that Stuxnet took.
Chien: Eventually, we were able
to trace back
this version of Stuxnet
to ground zero,
to the first five infections
in the world.
The first five infections
are all outside a Natanz plant,
all inside of organizations
inside of Iran,
all organizations
that are involved in
industrial control systems
and construction
of industrial control
clearly contractors who were
working on the Natanz facility.
And the attackers knew that.
They were electrical companies.
They were piping companies.
They were, you know,
these sorts of companies.
And they knew...
They knew the technicians
from those companies
would visit Natanz.
So they would infect
these companies
and then technicians
would take their computer
or their laptop or their USB...
That operator then goes down
to Natanz
and he plugs in his USB key,
which has some code
that he needs to update
into Natanz,
into the Natanz network,
and now Stuxnet
is able to get inside Natanz
and conduct its attack.
These five companies
were specifically targeted
to spread Stuxnet into Natanz
and that it wasn't that... that
Stuxnet escaped out of Natanz
and then spread
all over the world
and it was this big mistake
and "oh, it wasn't meant
to spread that far
but it really did."
No, that's not the way
we see it.
The way we see it is that they
wanted it to spread far
so that they could get it
into Natanz.
Someone decided that we're
gonna create something new,
something evolved,
that's gonna be
far, far, far more aggressive.
And we're okay, frankly,
with it spreading all over
the world to innocent machines
in order to go after
our target.
The Mossad had the role,
had the... the assignment
to deliver the virus
to make sure that Stuxnet
would be put in place in Natanz
to affect the centrifuges.
Meir Dagan,
the head of Mossad,
was under growing pressure
from the prime minister,
Benjamin Netanyahu,
to produce results.
Inside the ROC,
we were furious.
The Israelis took our code for
the delivery system
and changed it.
Then, on their own,
without our agreement,
they just fucking launched it.
2010 around the same time
they started killing
Iranian scientists...
And they fucked up
the code!
Instead of hiding,
the code started shutting down
so naturally, people noticed.
Because they were in a hurry,
they opened Pandora's box.
They let it out
and it spread
all over the world.
The worm spread quickly
but somehow
it remained unseen
until it was identified
in Belarus.
Soon after,
Israeli intelligence confirmed
that it had made its way into
the hands
of the Russian
Federal Security Service,
a successor to the KGB.
So it happened that the formula
for a secret cyber weapon
designed by
the U.S. and Israel
fell into the hands
of Russia
and the very country
it was meant to attack.
Kiyaei: In international law,
when some country
or a coalition of countries
targets a nuclear facility,
it's a act of war.
Please, let's be frank here.
If it wasn't Iran,
let's say a nuclear facility
in United States...
Was targeted in the same way...
The American government
would not
sit by and let this go.
Gibney: Stuxnet is an attack
in peacetime
on critical infrastructures.
Yes, it is. I'm...
Look, when I read about it,
I read it, I go,
"whoa, this is a big deal."
Sanger: The people who were
running this program,
including Leon Panetta,
the director of the CIA
at the time,
had to go down
into the situation room
and face President Obama,
Vice President Biden
and explain that this program
was suddenly on the loose.
Vice President Biden,
at one point
during this discussion,
sort of exploded
in Biden-esque fashion
and blamed the Israelis.
He said, "it must have been
the Israelis
who made a change
in the code
that enabled it to get out."
Richard Clarke: President Obama
said to the senior leadership,
"you told me it wouldn't
get out of the network. It did.
You told me the Iranians would
never figure out
it was the United States.
They did.
You told me it would have
a huge effect
on their nuclear program,
and it didn't."
Sanger: The Natanz plant is
inspected every couple of weeks
by the International Atomic
Energy Agency inspectors.
And if you line up what
you know about the attacks
with the inspection reports,
you can see the effects.
Heinonen: If you go to
the IAEA reports,
they really show that all
of those centrifuges
were switched off
and they were removed.
As much as almost couple
of thousand got compromised.
When you put this
I wouldn't be surprised
if their program got delayed
by the one year.
But go then to year 2012-13
and looking how the centrifuges
started to come up again.
Iran's number of centrifuges
went up exponentially,
to 20,000, with a stockpile
of low enriched uranium.
This isn't...
These are high numbers.
Iran's nuclear facilities
with the construction
of Fordow
and other highly protected
So ironically, cyber warfare...
Assassination of
its nuclear scientists,
economic sanctions,
political isolation...
Iran has gone through
"a" to "x"
of every chorus of policy
that the U.S., Israel,
and those who ally with them
have placed on Iran,
and they have actually made
Iran's nuclear program
more advanced today
than it was ever before.
Mossad operative:
This is a very
very dangerous
minefield that we are walking,
and nations who decide
to take these covert actions
should be taking
into consideration
all the effects,
including the moral effects.
I would say
that this is the price
that we have to pay in this...
In this war,
and our blade
of righteousness
shouldn't be so sharp.
Gibney: In Israel
and in the United States,
the blade of righteousness
cut both ways,
wounding the targets
and the attackers.
When Stuxnet infected
American computers,
the Department
of Homeland Security,
unaware of the cyber weapons
launch by the NSA,
devoted enormous resources
trying to protect Americans
from their own government.
We had met the enemy
and it was us.
Seán Paul McGurk: The purpose of
the watch stations that
you see in front of you
is to aggregate the data
coming in from multiple feeds
of what the cyber threats
could be,
so if we see threats
we can provide
real-time recommendations
for both private companies,
as well as federal agencies.
Male journalist:
Yep, absolutely. We'd be
more than happy to discuss that.
Female journalist:
Seán, is it...
McGurk: Early July of 2010
we received a call
that said that this piece
of malware was discovered
and could we take a look at it.
When we first started
the analysis,
there was that
"oh, crap" moment, you know,
where we sat there and said,
this is something
that's significant.
It's impacting
industrial control.
It can disrupt it to the point
where it could cause harm
and not only damage
to the equipment,
but potentially harm
or loss of life.
We were very concerned
because Stuxnet
was something that
we had not seen before.
So there wasn't a lot of sleep
that night.
Basically, light up the phones,
call everybody we know,
inform the secretary,
inform the White House,
inform the other departments
and agencies,
wake up the world,
and figure out what's going on
with this particular malware.
Good morning,
Chairman Lieberman,
Ranking Member Collins.
Something as simple
and innocuous as this
becomes a challenge
for all of us to maintain
accountability control of our
critical infrastructure systems.
This actually contains
the Stuxnet virus.
I've been asked on
a number of occasions,
"did you ever think
this was us?"
And at... at no point did that
ever really cross our mind,
because we were looking at it
from the standpoint of,
is this something that's coming
after the homeland?
You know, what... what's going
to potentially impact,
you know, our industrial control
based here in the United States?
You know, I liken it to,
you know, field of battle.
You don't think the sniper
that's behind you
is gonna be shooting at you,
'cause you expect him to be
on your side.
We really don't know
who the attacker was
in the Stuxnet case.
So help us understand
a little more
what this thing is
whose origin and destination
we don't understand.
Gibney: Did anybody
ever give you any indication
that it was something
that they already knew about?
No, at no time did I get
the impression from someone
that that's okay, you know,
get the little pat on the head,
and... and scooted
out the door.
I never received
a stand-down order.
I never... no one ever asked,
"stop looking at this."
Do we think that this
was a nation-state actor
and that there are a limited
number of nation-states
that have such
advanced capacity?
Gibney: Seán McGurk,
the director of cyber
for the Department
of Homeland Security,
testified before the Senate
about how he thought
Stuxnet was a terrifying threat
to the United States.
Is that not a problem?
I don't... and... and how...
How do you mean?
That Stuxnet was a bad idea?
Gibney: No, no, no, just that
before he knew what it was
- and what it attacks...
- Oh, I... I get it.
- Gibney: Yeah...
- Yeah,
he was responding
to something that we...
to critical infrastructure
in the United States.
The worm is loose!
Gibney: The worm is loose.
I understand.
But there's...
There's a further theory
having to do with
whether or not,
following upon David Sanger...
I got the subplot,
and who did that?
Was it the Israelis?
And, yeah, I...
I truly don't know,
and even though I don't know,
I still can't talk about it,
all right?
Stuxnet was somebody's
covert action, all right?
And the definition
of covert action
is an activity in which you want
to have the hand
of the actor forever hidden.
So by definition,
it's gonna end up in this
"we don't talk about
these things" box.
Sanger: To this day,
the United States government
has never acknowledged
conducting any offensive cyber
attack anywhere in the world.
But thanks to Mr. Snowden,
we know that in 2012
President Obama issued
an executive order
that laid out
some of the conditions
under which cyber weapons
can be used.
And interestingly,
every use of a cyber weapon
requires presidential
That is only true
in the physical world
for nuclear weapons.
Clarke: Nuclear war and nuclear
weapons are vastly different
from cyber war
and cyber weapons.
Having said that,
there are some similarities.
And in the early 1960s,
the United States government
suddenly realized
it had thousands
of nuclear weapons,
big ones and little ones,
weapons on jeeps,
weapons on submarines,
and it really didn't have
a doctrine.
It really didn't have
a strategy.
It really didn't have
an understanding
at the policy level about
how he was going to use
all of these things.
And so academics
started publishing
unclassified documents
about nuclear war
and nuclear weapons.
Sanger: And the result was
more than 20 years,
in the United States,
of very vigorous
national debates
about how we want to go use
nuclear weapons.
And not only did that cause
the Congress
and people in the executive
branch in Washington
to think about these things,
it caused the Russians
to think about these things.
And out of that
grew nuclear doctrine,
mutual assured destruction,
all of that complicated set
of nuclear dynamics.
Today, on this vital issue
at least,
we have seen what can be
when we pull together.
We can't have that discussion
in a sensible way right now
about cyber war
and cyber weapons
because everything is secret.
And when you get
into a discussion
with people in the government,
people still in the government,
people who have
security clearances,
you run into a brick wall.
Trying to stop Iran
is really the... my number
one job, and I think...
Host: And let me ask you,
in that context,
about the Stuxnet
computer virus potentially...
You can ask,
but I won't comment.
Host: Can you tell us anything?
What do you think
has had the most impact
on their nuclear
the Stuxnet virus?
I can't talk about Stuxnet.
I can't even talk about the
operation of Iran centrifuges.
Was the U.S. involved
in any way
in the development
of Stuxnet?
It's hard to get into any kind
of comment on that
till we've finished any...
Our examination.
But, sir,
I'm not asking you
if you think another
country was involved.
I'm asking you if
the U.S. was involved.
And we're...
This is not something
that we're gonna be able
to answer at this point.
Look, for the longest time,
I was in fear that
I couldn't actually say
the phrase
"computer network attack."
This stuff is hideously
and it gets into the way
of a...
Of a mature
public discussion
as to what it is
we as a democracy
want our nation to be doing
up here in the cyber domain.
Now, this is a former director
of NSA and CIA
saying this stuff is
One of the reasons this
is highly classified as it is
this is a peculiar
weapons system.
This is a weapons system
that's come out of
the espionage community,
and... and so those people
have a habit of secrecy.
Secrecy is still justifiable
in certain cases
to protect sources or to protect
national security
but when we deal with secrecy,
don't hide behind it
to use as an excuse to not
disclose something properly
that you know should be
or that the American people
need ultimately to see.
Gibney: While most government
officials refused
to acknowledge the operation,
at least one key insider did
leak parts of the story
to the press.
In 2012, David Sanger wrote
a detailed account
of Olympic Games that unmasked
the extensive joint operation
between the U.S. and Israel
to launch cyber attacks
on Natanz.
The publication of this story
coming at a time that turned out
that there were
a number of other unrelated
national security stories
being published,
led to the announcement
of investigations
by the Attorney General.
Gibney: In... into the press
and into the leaks?
Into the press
and into the leaks.
Soon after the article,
the Obama administration
General James Cartwright
in a criminal investigation
for allegedly leaking
classified details
about Stuxnet.
Journalist: There are reports
of cyber attacks
on the Iranian nuclear program
that you ordered.
What's your reaction to this
information getting out?
Well, first of all, I'm not
gonna comment on the...
The details of... what are...
Supposed to be
classified items.
Since I've been in office,
my attitude has been
zero tolerance for
these kinds of leaks.
We have mechanisms
in place
where, if we can root out folks
who have leaked,
they will suffer
It became
a significant issue
and a very wide-ranging
in which I think most of
the people who were cleared
for Olympic Games
at some point
had been, you know, interviewed
and so forth.
When Stuxnet hit the media,
they polygraphed everyone
in our office,
including people
who didn't know shit.
You know, they polyed
the interns, for god's sake.
These are criminal acts
when they release
information like this,
and we will conduct
thorough investigations
as we have in the past.
Gibney: The administration
never filed charges,
possibly afraid that
a prosecution
would reveal classified details
about Stuxnet.
To this day, no one in the U.S.
or Israeli governments
has officially acknowledged
the existence
of the joint operation.
I would never compromise
ongoing operations
in the field,
but we should be able to talk
about capability.
We can talk about our...
Bunker busters,
why not our cyber weapons?
I mean, the secrecy
of the operation
has been blown.
Our friends in Israel
took a weapon
that we jointly developed,
in part to keep Israel
from doing something crazy,
and then used it
on their own in a way
that blew the cover
of the operation
and could have led to war.
And we can't talk about that?
Mowatt-Larssen: There's a way
to talk about Stuxnet.
It happened.
That... to deny that it happened
is... is foolish.
So the fact it happened
is really what we're talking
about here.
What does...
What are the implications
of the fact that we now are in
a post-Stuxnet world?
What I said
to David Sanger was,
"I understand the difference
in destruction is dramatic,
but this has the whiff
of August 1945."
Somebody just used
a new weapon,
and this weapon will not
be put back into the box.
I... I know
no operational details
and don't know what anyone did
or didn't do
before someone decided to use
the weapon, all right.
I do know this.
If we go out and do something,
most of the rest of the world
now thinks
and it's something that they now
feel legitimated to do as well.
But the rules of engagement,
international norms,
treaty standards,
they don't exist right now.
Brown: The law of war, because
it began to develop so long ago
is really dependent on thinking
of things kinetically
and the physical realm.
So for example,
we think in terms of attacks.
You know an attack when it
happens in the kinetic world.
It's not really
much of a mystery.
But in cyberspace it is
sort of confusing to think,
how far do we have to go
before something
is considered an attack?
So we have to take
all the vocabulary
and the terms that we use
in strategy
and military operations
and adapt them
into the cyber realm.
For nuclear we have these
extensive inspection regimes.
The Russians come
and look at our silos.
We go and look at their silos.
Bad as things get between
the two countries,
those inspection regimes
have held up.
But working that out for...
For cyber
would be virtually impossible.
Where do you
send your inspector?
Inside the laptop of,
you know...
How many laptops are there
in the United States and Russia?
It's much more difficult
in the cyber area
to construct
an international regime
based on treaty commitments
and rules of the road
and so forth.
Although, we've tried to have
discussions with the Chinese
and Russians
and so forth about that,
but it's very difficult.
Brown: Right now,
the norm in cyberspace is
do whatever you can
get away with.
That's not a good norm,
but it's the norm that we have.
That's the norm
that's preferred by states
that are engaging in lots of
different kinds of activities
that they feel are benefitting
their national security.
Yadlin: Those who excel in cyber
are trying to slow down
the process
of creating regulation.
Those who are victims
we like the regulation
to be in the open as...
As soon as possible.
Brown: International law in this
area is written by custom,
and customary law
requires a nation to say,
this is what we did
and this is why we did it.
And the U.S. doesn't want to
push the law in that direction
and so it chooses not
to disclose its involvement.
And one of the reasons
that I thought it was important
to tell the story
of Olympic Games
was not simply because
it's a cool spy story,
it is, but it's because
as a nation...
We need to have a debate about
how we want to use cyber weapons
because we are the most
vulnerable nation on earth
to cyber-attack ourselves.
McGurk: If you get up in the
morning and turn off your alarm
and make coffee and pump gas
and use the ATM,
you've touched
industrial control systems.
It's what powers our lives.
And unfortunately,
these systems are connected
and interconnected in some ways
that make them vulnerable.
Critical infrastructure
systems generally were built
years and years and years ago
without security in mind
and they didn't realize
how things were gonna change,
maybe they weren't even meant to
be connected to the Internet.
And we've seen,
through a lot of experimentation
and through also,
unfortunately, a lot of attacks
that most of these systems
are relatively easy
for a sophisticated hacker
to get into.
Let's say you took over
the control system
of a railway.
You could switch tracks.
You could cause
derailments of trains
carrying explosive materials.
What if you were in the control
system of gas pipelines
and when a valve was
supposed to be open,
it was closed
and the pressure built up
and the pipeline exploded?
There are companies that run
electric power generation
or electric power distribution
that we know have been hacked
by foreign entities
that have the ability
to shut down the power grid.
Sanger: Imagine for a moment
that not only all the power
went off on the East Coast,
but the entire Internet
came down.
Imagine what the economic
impact of that is
even if it only lasted
for 24 hours.
According to the officials,
Iran is the first country ever
in the Middle East
to actually be engaged
in a cyber war
with the United States
and Israel.
If anything they said
the recent cyber attacks
were what encouraged
them to plan to set up
the cyber army, which will
gather computer scientists,
software engineers...
Kiyaei: If you are a youth
and you see assassination
of a nuclear scientist,
your nuclear facilities
are getting attacked,
wouldn't you join
your national cyber army?
Well, many did.
And that's why today,
Iran has one of the largest...
Cyber armies in the world.
So whoever initiated this
and was very proud of themselves
to see that little dip
in Iran's centrifuge numbers,
should look back now
and acknowledge
that it was a major mistake.
Very quickly,
Iran sent a message
to the United States,
very sophisticated message,
and they did that
with two attacks.
First, they attacked
Saudi Aramco,
the biggest oil company
in the world,
and wiped out every piece
of software,
every line of code,
on 30,000 computer devices.
Then Iran did a surge attack
on the American banks.
The most extensive attack on
American banks ever
launched from the Middle East,
happening right now.
trying to bank online this week
blocked, among the targets,
Bank of America,
PNC, and Wells Fargo.
The U.S. suspects hackers
in Iran may be involved.
NSA source:
When Iran hit our banks,
we could have shut down
their botnet,
but the State Department
got nervous,
because the servers weren't
actually in Iran.
So until there was
a diplomatic solution,
Obama let the private sector
deal with the problem.
I imagine that in
the White House Situation Room
people sat around and said...
Let me be clear,
I don't imagine, I know.
People sat around in
the White House Situation Room
and said, "the Iranians have
sent us a message
which is essentially,
'stop attacking us in cyberspace
the way you did at Natanz
with Stuxnet.
We can do it, too.'"
Melman: There are unintended
of the Stuxnet attack.
You wanted to cause confusion
and damage to the other side,
but then the other side
can do the same to you.
The monster turned against
its creators,
and now everyone is
in this game.
They did a good job
in showing the world,
including the bad guys,
what you would need to do
in order to cause
serious trouble
that could lead
to injuries and death.
It's inevitable that more
countries will acquire
the capacity to use cyber,
both for espionage
and for destructive activities.
And we've seen this in some of
the recent conflicts
that Russia's been involved in.
If there's a war, then somebody
will try to knock out
our communication system
or the radar.
McGurk: State-sponsored
cyber sleeper cells,
they're out there
everywhere today.
It could be for
communications purposes.
It could be for
data exfiltration.
It could be to, you know,
shepherd in the next Stuxnet.
I mean, you've been focusing
on Stuxnet,
but that was just a small part
of a much larger
Iranian mission.
Gibney: There was a larger
Iranian mission?
Nitro Zeus. NZ.
We spent hundreds of millions,
maybe billions on it.
In the event the Israelis
did attack Iran,
we assumed we would be drawn
into the conflict.
We built in attacks on Iran's
command-and-control system
so the Iranians couldn't
talk to each other in a fight.
We infiltrated their IADS,
military air defense systems,
so they couldn't shoot down
our planes if we flew over.
We also went after
their civilian support systems,
power grids, transportation,
financial systems.
We were inside waiting,
ready to disrupt, degrade,
and destroy those systems
with cyber-attacks.
And in comparison,
Stuxnet was a back alley
NZ was the plan
for a full-scale cyber war
with no attribution.
The question is,
is that the kind of world
And if we don't, as citizens,
how do we go about a process
where we have
a more sane discussion?
We need an entirely new way
of thinking about
how we're gonna solve
this problem.
You're not going to get
an entirely new way
of solving this problem
until you begin to have
an open acknowledgement
that we have cyber weapons
as well,
and that we may have to agree
to some limits on their use
if we're going to get other
nations to limit their use.
It's not gonna be
a one-way street.
I'm old enough to have worked
on nuclear arms control
and biological weapons
arms control
and chemical weapons
arms control.
And I was told in each of those
types of arms control,
when we were beginning,
"it's too hard.
There are all these problems.
It's technical.
There's engineering.
There's science involved.
There are real verification
You'll never get there."
Well, it took 20,
30 years in some cases,
but we have
a biological weapons treaty
that's pretty damn good.
We have
a chemical weapons treaty
that's pretty damn good.
We've got three or four
nuclear weapons treaties.
Yes, it may be hard,
and it may take
20 or 30 years,
but it'll never happen
unless you get serious about it,
and it'll never happen
unless you start it.
Today, after two years
of negotiations,
the United States, together with
our international partners,
has achieved something that
decades of animosity has not,
a comprehensive,
long-term deal
with Iran that will prevent it
from obtaining a nuclear weapon.
It was reached in
Lausanne, Switzerland,
by Iran, the U.S.,
Britain, France,
Germany, Russia,
and China.
It is a deal in which Iran
will cut
its installed centrifuges
by more than two thirds.
Iran will not enrich uranium
with its advanced centrifuges
for at least
the next ten years.
It will make our country,
our allies,
and our world safer.
Netanyahu: Seventy years after
the murder of 6 million Jews
Iran's rulers promised
to destroy my country,
and the response from nearly
every one of the governments
represented here
has been utter silence.
Deafening silence.
Perhaps you can
now understand
why Israel is not joining you
in celebrating this deal.
History shows
that America must lead,
not just with our might,
but with our principles.
It shows we are stronger,
not when we are alone,
but when we bring
the world together.
Today's announcement marks
one more chapter
in this pursuit
of a safer and more helpful,
more hopeful world.
Thank you.
God bless you, and God bless
the United States of America.
NSA source:
Everyone I know is basically
thrilled with the Iran deal.
Sanctions and diplomacy worked.
But behind that deal
was a lot of confidence
in our cyber capability.
We were everywhere inside Iran.
Still are.
I'm not gonna tell you
the operational details
of what we can do going forward
or where...
But the science fiction
cyber war scenario is here.
That's Nitro Zeus.
But my concern
and the reason I'm talking...
Is because when you shut down
a country's power grid...
It doesn't just
pop back up, you know?
It's more like Humpty-Dumpty...
And if all the king's men
can't turn the lights back on
or filter the water
for weeks,
then lots of people die.
And something
we can do to others,
they can do to us too.
Is that something
that we should keep quiet?
Or should we talk about it?
Gibney: I've gone to many people
in this film,
even friends of mine,
who won't talk to me
about the NSA or Stuxnet
even off the record
for fear of going to jail.
Is that fear protecting us?
No, but it protects me.
Or should I say we?
I'm an actor playing a role
written from the testimony
of a small number of people
from NSA and CIA,
all of whom are angry about
the secrecy
but too scared
to come forward.
Now, we're forward.
Well, forward-leaning.