Cyberwar (2016) s01e06 Episode Script

Stuxnet the Digital Weapon

BEN: A secret facility in Iran renews fears of a nuclear threat.
The nations of the world must not permit the Iranian regime to gain nuclear weapons.
A computer virus that has never been seen before.
This isn't two kids in a basement in Kansas throwing some code together.
The virus sabotages that secret facility.
It used very advanced capabilities to cover itself or obfuscate itself.
Who built it and why is a mystery.
This was an act of war.
It was an act of war without there being a war.
Stuxnet is the world's first known cyberweapon.
There are conflicts being waged all around us, ones we can't see.
Hackers are poised to dominate the 21st century, reshaping geopolitical landscapes.
Sometimes on behalf of terrorists, but often for governments, or just because they think it's right.
As a reporter, I've been covering national security for VICE, and increasingly my job is to track these digital battles.
There's one computer virus that really showed how far everything had come.
In the early 2000s, the US began to fear that Iran, its sworn enemy since 1979, was secretly developing its own nuclear weapons.
The UN responded with sanctions.
The US and Israel threatened war.
And then a mysterious computer virus dubbed Stuxnet appeared in June 2010.
We're headed to Symantec - yes, the same company that's protecting your desktop from malware - to talk to an engineer and expert who forensically took apart Stuxnet and figured out that it wasn't just some run-of-the-mill Trojan virus.
I got in touch with Symantec security researcher Eric Chien.
He did some of the most in-depth analysis of the virus when it first appeared.
The average threat that we look at can take us 5 to 20 minutes to look at, and we know exactly what it does.
And Stuxnet took us months, more than 3 months to look at.
So that just gives you a sense of how difficult, how large and how complicated the threat was.
So why don't you tell me how you discovered Stuxnet.
So basically what happened was another security company that was based in Belarus found this binary, and it had something in it that was called a zero-day.
Why don't you tell me what a zero-day is.
A zero-day basically is when you have what's called a vulnerability, or you have a hole sort of in your computer, a bug of some sort that allows someone to execute code on your machine without you knowing it.
Your computer just has to be on and maybe even connected to the internet, and that's it.
You don't have to be logged in, you don't have to be browsing the web, you don't have to double click on any files, and so that means you have no way to protect yourself.
What about it had you never seen before? An average threat doesn't have any sort of exploit inside of it.
This thing had four zero-days inside of it.
What sets a zero-day apart is that it's a security flaw that there's no fix for.
Zero-days are incredibly rare, and for that reason, incredibly valuable.
What were the specifics of it that set off an alarm? ERIC: There were these SCADA strings inside.
SCADA basically is technology that's controlling robots and automation, or power plants and things like that.
And we had never seen a threat that mentioned anything to do with SCADA.
This thing could actually be attacking some sort of national critical infrastructure.
This isn't like two kids in a basement in Kansas throwing some code together.
This thing had a full-on framework, clearly had quality assurance behind it.
We're talking about something that is just orders of magnitude greater than we've ever seen before.
As their investigation deepened, Eric and his team realized Stuxnet was designed to target computers using Siemens' proprietary software called STEP 7.
What first caught our eye were all these strings like S7, and we began to sort of google those sorts of strings.
We saw "WinCC" and we saw "STEP 7".
And when we looked those up, we determined that this was actually software that would control PLCs.
PLCs are Programmable Logic Controllers, computer systems used for converting digital code into physical commands that automate everything from factory machinery to heating and cooling systems.
Eric now found himself in unknown territory, so he reached out to the international security community.
We were sending out blogs all throughout that summer telling people if you are a PLC expert, if you're an expert in critical national infrastructure, contact us.
Because we didn't even know what a PLC was at that time.
Eric and his team learned that PLCs are extremely vulnerable to cyber attacks, but he still didn't know which machines were the targets.
This sophisticated malware, or malicious code, was detected on industrial control systems around the world.
Cybersecurity analysts were puzzled.
At the same time, Homeland Security was also trying to understand the virus.
Sean McGurk was the director of NCCIC, the cyber branch of the Department of Homeland Security, when Stuxnet was identified.
What did your team see when they took it apart? Well, the first thing we saw was that it was very sophisticated in its communications capability.
So if you think of Stuxnet like a kinetic device, like a missile, you had the delivery vehicle, that which put the payload on target if you will, and then the payload itself.
And there were very unique characteristics to both.
Stuxnet's ability to do digital reconnaissance without control, it was essentially a digital, you know, fire and forget type of approach.
The fact that it used four zero-day vulnerabilities to gain access to the network is something that you had not seen in code before, someone willing to risk that many zero-days in order to get it on place.
And then when we saw the payload part, which was actually specifically targeting an industrial control environment, that really for us became a very significant event.
Because normal malware doesn't go after control systems, and this was specifically focused on control systems.
ERIC: It was non-stop for weeks.
This was all we thought about, all we worked on.
And you can imagine, it was a really big shift from what we had done before.
The average threat we would finish in 5 to 20 minutes.
And here we were, sitting on the same threat, day after day, hour after hour, night after night.
And, you know, we weren't getting bored.
Every single day, every single week, we were discovering new little clues, new little breadcrumbs that kept us going, and kept us digging, and kept us looking until basically November when we finally figured out that this thing was indeed sabotage on Natanz.
In what was basically an accident, Eric and his team found themselves embroiled in a real life international spy thriller.
Complex malicious code had been written specifically to take out Iran's nuclear facilities, while its authors remained in the shadows.
BEN: In 2002, the world discovered that Iran had been building a secret uranium enrichment facility near the town of Natanz.
The Stuxnet computer virus has a direct link to this controversial plant.
The fact that Iran never declared the plant made it suspicious.
That was a breach of Iran's obligations.
James Acton knows nuclear policy inside out.
He also keeps tabs on the work of the IAEA, or the International Atomic Energy Agency, the world's nuclear watchdog.
Can you tell me what the climate was around the discovery of Natanz? You know, Iran's a member of the Non-Proliferation Treaty.
And one of the requirements of that is that you're allowed to do pretty much anything you'd like in the nuclear field short of building a bomb, but you have to declare it.
And not declaring nuclear facilities is a violation of your agreement with the IAEA.
They found activities that looked very much like what you want to do if you build a nuclear weapon.
And why were they so interested in Natanz? Like why was it the straw that broke the camel's back? Natanz was a controversial plant because you know, firstly, any enrichment is inherently sensitive.
It's inherently dual use.
You can use it for fuel production, or you can use it for nuclear weapons production.
The size of the plant was suspicious.
The plant's actually too small for a civilian plant.
Military plants don't need to be as large as civilian plants.
So it was scaled as though it was right for making enriched uranium for weapons, but wasn't the right size for enriched uranium for nuclear reactors.
The discovery of the uranium program did cause a lot of concern.
I mean, there were a lot of countries who were genuinely and are genuinely very fearful that Iran would get the bomb, and fearful of the consequences of it doing so.
Iran aggressively pursues these weapons and exports terror.
States like these and their terrorist allies constitute an axis of evil, arming to threaten the peace of the world.
Iran denied that Natanz was being used to produce nuclear weapons.
Still, its government bowed to pressure in 2003 and temporarily suspended uranium enrichment and processing activities at Natanz.
Then in 2005, newly elected president Mahmoud Ahmadinejad defiantly restarted the program.
Within months, the facility at Natanz was up and running, and enriching uranium all over again.
Concerned, the UN imposed sanctions.
By 2009, Israeli Prime Minister Benjamin Netanyahu challenged the US to stop Iran's nuclear program.
The most urgent challenge facing this body today is to prevent the tyrants of Tehran from acquiring nuclear weapons.
Netanyahu was privately considering air strikes on Natanz.
It's during this high-stakes political stand-off that Stuxnet is detected in June 2010.
In fact, Stuxnet was found in countries around the world, but infection rates in Iran were off the charts.
And at the plant at Natanz, centrifuges were breaking down at unprecedented rates.
Stuxnet's design is complex, but its operation is deceptively simple.
Like a security camera, the virus records 30 days of normal centrifuge operation while it hides in the system.
Then, when Stuxnet attacks the centrifuges, it plays back the pre-recorded data so operators on the outside can't see the infection raging within the centrifuges.
ERIC: And those 30 days were not a coincidence.
That's how long it takes basically for a cascade of centrifuges to basically get fully loaded with uranium gas.
So they wanted to basically have their sabotage effects happen right at the peak moment and causing the most damage.
So the centrifuges at Natanz normally will spin at 1,000 Hz, and what the threat did was spin up the centrifuges to either 1,400 Hz, to be really fast, or slow them down to 2 Hz, to be really slow.
And what would happen is when they spin up really, really fast, the centrifuge will basically vibrate uncontrollably and just shatter.
And you would have literally shards of aluminum flying across the room, maybe a domino effect of centrifuges falling and toppling on each other, and uranium gas leaking everywhere.
Eventually they would hit the big red button to cause shutdown.
Stuxnet was smart enough to also hijack that.
That big red button went through a computer as well.
And they hijacked that code, and basically would ignore it and allow their payload to take effect.
Once it was inside, it was unstoppable.
They were doomed, yeah.
The operators were doomed, the plant was doomed.
Stuxnet was the first digital weapon known to have physically destroyed its targets.
But the computer systems at Natanz weren't connected to the internet.
So how did Stuxnet get inside the system? BEN: By 2010, it became evident that someone had decided that measures more drastic than sanctions and less spectacular than air strikes were needed to slow down Iran's nuclear program.
Because out of nowhere, a mysterious super virus named Stuxnet was sabotaging an Iranian nuclear facility.
But the computers in the facility weren't online, so the question remained how the virus got inside the system.
I went to find Darknet J, an operational security expert, to understand how Stuxnet could've infected them.
So how did Stuxnet jump the air gap and infect Natanz? It jumped the air gap by traveling on a USB stick that was placed into the computer from someone.
Darknet J replicated the USB exploit to show me how Stuxnet infected the computers at Natanz.
Alright, so what happens is you put in the USB.
You open up the folder.
Windows looks for an icon, which is a malicious payload that can write to system.
I have it opening Calculator.
So once the intended target opens the folder with Stuxnet inside of it, what happens next? Essentially it can have complete control over your computer, meaning that it can write anything to the hard disk, it can grab credentials from the internet if you put them in at the time.
It can also propagate itself inside of your local area network.
(Laughing) It's keys to the kingdom.
That meant someone physically walked Stuxnet into the Iranian facility, likely an unwitting engineer with an infected USB.
Inside, the virus wreaked havoc.
Centrifuges were destroyed, and the Iranians were clueless.
But then Eric Chien and his team at Symantec announced the details of Stuxnet to the world in a blog post.
Then Natanz shut down.
Most assumed Iranian authorities finally understood the mess they were in, and were trying to clean it up.
After that, two Iranian nuclear scientists were targeted by motorcycle-riding assailants, who slipped a sticky bomb onto one of their cars.
One was killed, the other seriously injured.
It appeared whoever was behind Stuxnet went to Plan B.
Soon after, the Iranian President admitted a virus caused the shutdown at Natanz.
He blamed Israel, but couldn't back it up with any hard evidence.
The assassination sent a chill through the cybersecurity community.
Did it make you a little bit nervous? We would look in our rearview mirrors all the time.
And you know, I would see a motorcycle and watch them closely.
It definitely wasn't lost on us that we were in the middle of some big geopolitical affair.
Iran openly accused Israel and the US of being the masterminds of Stuxnet.
(Thundering) I went to talk to someone who was trying to stop the crisis from escalating further.
BEN: Beautiful day.
(Chattering) Jamal Abdi is a foreign policy analyst for the National Iranian American Council, and has advised congressional members on relations with Iran.
People like myself who were trying to broker a diplomatic solution, trying to figure out an off-ramp from these escalatory moves, I really thought this is an extremely bad turn.
What was the reception of Stuxnet in Iran? How did people feel about it? I think the Iranians very credibly believed that Israel was behind this.
And then there was also just the fact that there were all these other sabotage efforts that they believed Israel was connected to.
Israel was in many regards the driving force against Iran's nuclear program.
And then you have a hardline government like Ahmadinejad that's essentially enflaming the issue.
It was: How do we slow that down as much as possible? Because we know we can't stop it.
But it wasn't until two years later that The New York Times published an explosive story, revealing the US was behind Stuxnet.
Unnamed officials told the paper the US created the virus with help from Israel.
It was part of a covert operation dubbed Olympic Games.
The allegations set off a political firestorm, so a federal probe was launched to investigate the leak.
But in 2015, the investigation was put on ice over US fears of what might come out in court.
For me, it always comes down to the leak investigation.
You don't launch a leak investigation for a covert operation you didn't do.
Kim Zetter has been covering the Stuxnet story for Wired since the virus was first discovered.
The United States likely did Stuxnet.
I don't think that there's a question that the US is behind it.
I mean, it's not even something that I think that we, you know, have to sort of debate.
Stuxnet was a precision weapon, so it would never destroy anything except what matched this very specific configuration.
And you can see lawyers' fingerprints are all over Stuxnet.
I think that's the first time I've heard someone say that lawyers' fingerprints were all over Stuxnet.
Yeah, you can see that as they were designing this, the lawyers would've had very tight restrictions for controlling this.
They would've told the developers, "This can only affect the systems that are targeted.
You have to write this in such a way."
It likely blocks out two major nation states that could've done it, China and Russia.
I'm not sure they were scared too much about the legal implications! Exactly, so this was one of the reasons that people were so certain it was the US.
All of the available clues suggested that Stuxnet was a joint US/Israeli operation, but government officials have gone to great lengths not to acknowledge it.
So the evidence is lacking? I think that there is no clear, complete evidence or even complete indication that it was one country or another.
To this day, the US government will not confirm or deny its role in Stuxnet.
Stuxnet's architects might want to stay in the shadows, but around the world other governments took notice of the cyberweapon they'd unleashed.
BEN: When security researchers found Stuxnet and publicized the discovery of the destructive malware, they inadvertently brought a covert operation to a premature end.
By the time we discovered Stuxnet, it's believed that it already had delivered its payload at least once.
So I'm sure the attackers would prefer that it wasn't uncovered, because maybe they could've continued or continued further operations, but it at least accomplished its goal.
At least according to the IEA documents that showed that a few thousand centrifuges were destroyed just before 2010.
But what effect did it have on its nuclear standoff between Iran, Israel and the West? You know, looking back on this, there's no question that it slowed down the program.
Was it a successful attack in that sense? It kind of partially depends what you mean by "success".
I think Stuxnet probably played a role in convincing Israel not to attack Iran and giving diplomacy more of a chance.
Stuxnet may have just slowed down Iran's nuclear weapons program by 6 months to 2 years, buying time for diplomacy, but it didn't exactly stop Iran from pursuing the bomb.
Do you think it was effective? It was, you know, one step forward, two steps back.
It delayed Iran's program certainly, I think, by several months, maybe a year, but it also politically it convinced Iran that they were under siege.
It made an argument, a case for why Iran needed to have capabilities to counter cyberwarfare as well as capabilities to defend the country.
If Iran wants to develop nuclear weapons, they can develop nuclear weapons.
This is not a technical decision, it's a political decision.
And Stuxnet was a technical response that maybe on a technical level slowed the program down, but on a political level actually helped to accelerate the program.
So I think in that regard, if you're looking at actually preventing Iran from developing nuclear weapons or convincing them to not go down that route, Stuxnet was a failure.
Finally, after years of crippling UN sanctions, Iran agreed to limit their nuclear program in 2015 in exchange for a partial lifting of sanctions.
But by deploying Stuxnet, the US and Israel had triggered a different kind of arms race.
This was an act of war, and it was an act of war without there being a war.
If you drop a bomb on someone, they know that they've been attacked, right? But in digital warfare, you may never know that you're under attack.
The US opened a door that everyone is going to walk through now.
In Iran, was Stuxnet seen as an act of war? In Iran it was, it was seen as an act of war.
And there was sort of a question that was opened up: did the United States just declare war on Iran? It's such a grey area though.
So I think that even now people are still kind of trying to figure out whether this constitutes war or not, but technically it was.
And I think inside of Iran it was really viewed that way.
And I think it really opened a lot of eyes inside the establishment of Iran that they needed to get savvy in this field to be able to defend as well as attack.
And so you've got, you know, the formation of the cyber army inside of Iran that was initially really really aimed at activists inside the country.
But then after Stuxnet, it became even more formalized, all kinds of money was poured into it because this was now not just an internal threat but an external threat.
BEN: It spurred Iran to be more offensive? It spurred everyone to be more offensive.
That's the thing, it's not Iran.
There are other people to be worried about than Iran.
All of that together has created this arms race of other countries.
Would you agree that it was the dawn of a new chapter in cyberwarfare? The expected response is that a lot of other countries now are establishing offensive cyber operations.
They don't wanna be left behind.
Stuxnet had launched the race to militarize cyberspace.
And the more the world is connected, the more targets there are for attack.
Countries around the world are racing to design new malware for the next generation of warfare.
Do you think it's going to become another tool in the toolbox of war? Absolutely.
Stuxnet to me was a Trinity moment, and by that I mean the first Trinity explosion, demonstration of a nuclear detonation in New Mexico.
We demonstrated a capability that you could have devastating physical impacts by cyber means.
It was a bit like the bomb.
Once the secret was out, people started getting it for themselves.
We started recognizing that there's no putting this back.
You know, the key was turned, the lid was opened, and everything in Pandora's Box was now out in the open, and there was no way to get it back in.
Stuxnet was the world's first known cyberweapon.
It set the stage for a new kind of war, one that will play out on a digital battlefield.