Darknet Diaries - Ep 29: Stuxnet
Episode Date: January 8, 2019
Stuxnet was the most sophisticated virus ever discovered. Its target was a nuclear enrichment facility in Iran. This virus was successfully able to destroy numerous centrifuges. Hear who did it and why. Special thanks to Kim Zetter for joining us this episode. You can find more about Stuxnet from her book Countdown to Zero Day.
Transcript
In the 18th century, the U.S. had the Army and Navy to defend and attack with.
In the 20th century, the U.S. developed an air force to carry out strikes with a new level of speed, precision, and agility.
And in the 21st century, the U.S. created and launched cyber weapons
with the goal of destroying physical equipment in another country.
An attack that can be done from the other side of the planet
without any ground troops or air support needed.
An attack done entirely electronically.
There are now five domains of warfare that the U.S. military recognizes
and is responsible for.
That is land, air, sea, space, and now information.
It's amazing to see this shift of power happen right in front of our eyes.
We were here at the birth of this new military weapon.
And it will forever change the way diplomacy is conducted,
wars are fought, and battles are waged.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by DeleteMe. Addresses, family members, where you work, what kind of car you drive. It's endless, and it's not a fair fight. But I realized I don't need to be fighting this alone anymore.
Now I use the help of DeleteMe. DeleteMe is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to
keep it off. Data brokers hate them because DeleteMe makes sure your personal profile
is no longer theirs to sell. I tried it, and they immediately got busy scouring the internet for my name
and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your DeleteMe plan when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to
joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries. Use code Darknet.
Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher. And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this.
The whole thing is pay what you can. Black Hills
believes that great intro security classes do not need to be expensive, and they are trying to break
down barriers to get more people into the security field. And if you decide to pay over $195, you get
six months access to the MetaCTF Cyber Range, which is great for practicing your skills and
showing them off to potential employers. Head on over to blackhillsinfosec.com
to learn more about what services they offer
and find links to their webcasts
to get some world-class training.
That's blackhillsinfosec.com.
Blackhillsinfosec.com.
This episode is about Stuxnet, the most sophisticated piece of malware to ever be discovered.
But we only know about Stuxnet because it was discovered.
I assume there's even more sophisticated malware out there that hasn't been found yet,
and it's being used more covertly and secretly, and maybe even has bigger objectives.
Stuxnet burrowed its way deep into a nuclear facility in Iran
and destroyed its centrifuges,
which caused a massive amount of damage to this nuclear enrichment facility.
And nobody ever confessed or took credit for this attack against Iran.
But here's the thing.
Besides Stuxnet being the most sophisticated malware ever discovered,
it's probably also the most well-researched malware too.
And now that
researchers have spent years putting all the pieces of the puzzle together, it gives us an
amazing view into this virus. Yeah, this story is old news. This incident happened back in 2009,
but sometimes it takes five or more years to fully put the pieces together.
One thing that fascinates me the most about Stuxnet is who was behind it. Usually attribution is impossible and pointless.
You never really can tell who did an attack unless they admit to it.
And even if you know, there's usually nothing you can do about it.
I mean, imagine if you found out some Russian group hacked you.
But you can't really call the police there to report it.
And there's really nothing you can do.
So with Stuxnet, do we know who built it and used it to attack Iran?
Oh, we know. It was the U.S. and Israel.
This is Kim Zetter.
I'm a journalist who's been covering cybersecurity and national security for more than a decade.
I've written for Wired as a staff writer and freelance for The New York Times, Washington Post, Politico, and other publications.
And I'm the author of Countdown to Zero Day, Stuxnet, and the Launch of the World's First Digital Weapon.
Countdown to Zero Day is an incredibly detailed book about Stuxnet.
It's the result of Kim spending years researching this story and putting all the pieces together.
When I make an episode for this podcast, I spend weeks researching it.
She spent two years on this story, interviewing dozens of people, reading hundreds
of articles and documents, and asking a lot of questions to a lot of people. Security researchers,
nuclear scientists, government officials, journalists, and so many more. The result is
an amazing book, which has so much more detail than what we'll be able to cover here. But what
I'm trying to say is that this makes Kim one of the most qualified and knowledgeable people to talk Stuxnet with.
So, let's get started.
In 1998, Pakistan detonated the bomb.
This was the big one.
A nuclear atomic bomb was created and tested out in the hills of Pakistan.
A lot of countries took note of this, especially the U.S.
So the CIA began infiltrating Pakistan to learn more of what's going on there.
They found their chief physicist was a guy named A.Q. Khan.
And so they had been working for a while to infiltrate the A.Q. Khan network,
primarily to study, you know, what Pakistan was doing.
And so they were able to, in infiltrating the supply network, that is, you know, flipping
people who were actually involved in supplying AQ Khan with equipment and flipping those people,
they were able to determine where else he was selling designs and materials. And in infiltrating
that network, they discovered that once he had built the illicit program in Pakistan,
he was interested in spreading that knowledge throughout the world.
AQ Khan had made trade deals with North Korea, Libya, and Iran,
and was selling them equipment and supplies to conduct nuclear enrichment.
So we know that Iran launched its illicit nuclear program probably sometime around late 1998, 1999.
That's when it first started purchasing blueprints for building a centrifuge factory and purchasing materials.
The CIA became aware of what equipment AQ Khan was selling to these countries.
And intelligence agencies, CIA and UK intelligence,
had infiltrated the supply network going to Libya, between AQ Khan and Libya,
and intercepted a shipment in the United Arab Emirates that was going to Libya.
And they then were able to publicly expose the Libya program and pressure Libya into coming clean about the program and giving it up.
When Libya gave them up, the U.S. seized these centrifuges and the materials to build them with.
And so the United Nations International Atomic Energy Agency, which oversees nuclear programs
around the world, immediately traveled to Libya, this was around 2004, to catalog all the materials that Libya had.
And then shortly after that, the CIA shipped those materials to a secret lab in Tennessee.
This secret lab was the Oak Ridge National Laboratory. And these centrifuges taken from
Libya look like big stove pipes, about 10 inches wide, 8 feet tall, made of hard metal. And they're shipped in
big wooden crates, almost like how you'd see rockets shipped on the black market. And the
purpose of these centrifuges is to separate the isotopes in uranium, thus enriching the uranium
to be used for nuclear capabilities. And these centrifuges were the exact same model as the ones
AQ Khan had sold to Iran. The models were IR-1 and IR-2, mostly IR-1s.
So since the CIA knew Iran had the exact same model centrifuges,
the physicists in Tennessee began studying them.
The initial study was primarily aimed at determining
how efficient these centrifuges were at enriching uranium
so that inspectors could determine how far along the
illicit nuclear program in Iran might be. So they were simply just trying to study the centrifuges
to see how they worked, how much gas they could enrich, and how long it might take Iran to have
enough enriched uranium material to create a bomb. The nuclear physicists who already understand
nuclear materials and how uranium enrichment works, studied these centrifuges extensively.
And there have been reports that part of the research was also done actually in Israel.
Israel has an illicit nuclear facility that also has been publicly exposed in Dimona in the southern part of the country in the desert.
And all the while, Iran had continued to work on their nuclear enrichment program.
So the illicit program was known by the CIA, by intelligence agencies.
They knew that blueprints had been sold to Iran.
They knew that meetings had occurred and exchange of money had occurred.
And they knew that there was activity going on, but they didn't actually know where the
facilities were initially.
And then they knew that ground had been broken on a facility outside of a village called Natanz in around 2000.
The CIA and intelligence officials had been monitoring the location and found evidence that a nuclear facility was being built there.
But this wasn't public information.
It's unclear exactly who leaked the information, but in August 2002,
the Iranian illicit nuclear program went public. Although intelligence agencies had known about
this, this was the first public exposure of it. And once that information was public,
the International Atomic Energy Agency, which is the arm of the United Nations that
monitors nuclear programs, demanded access to that facility at Natanz from Iran. They obtained
that access for the first time in February 2003, and they started cataloging what was going on in
the program. They saw that it was much further advanced than they expected from the satellite
images, that Iran was actually quite prepared to start enriching uranium hexafluoride gas, and then
pressure was placed on Iran by Western countries in the United Nations to halt
the program until they could obtain more information about how far advanced the
program was. Iran did agree to halt the program for a while. But in 2005, when Mahmoud Ahmadinejad was elected president of Iran,
Iran decided to stop cooperating.
And they decided to move forward with beginning to enrich the first batch of uranium hexafluoride gas.
President George W. Bush was in office at the time,
and diplomacy between Iran and the U.S. wasn't going very well.
Iranian President Ahmadinejad was very adamant about progressing with the nuclear enrichment,
and Bush had already invaded Iraq and Afghanistan, so invading another country in that region was
not going to play favorably for him. And Iran kind of knew this and used this to their advantage by
choosing this time to progress with their nuclear capabilities, by doing things like inviting the
press to tour the facility with the president of Iran
to show it off to the world.
All the while, Iran was saying this was a civilian nuclear program
and was not going to be used to create any weapons with.
But this angered President Bush and Vice President Dick Cheney,
so another plan had to be made,
one more covert and undercover,
one that could slow down and impede their progress
and potentially look like faulty equipment or an accident.
And that's when this solution was proposed
to conduct some kind of secret sabotage
that would hold the Iranians back
without tipping them off to exactly what was happening.
The idea was just to slow down Iran's nuclear developments
until diplomatic negotiations could be reached.
They just needed to buy some time.
So Oak Ridge National Lab has a secret nuclear intelligence division there.
And so they already are engaged in this kind of activity, this kind of investigatory work to monitor nuclear programs along with the United Nations and the U.S. government.
And so they already had the capabilities there and the know-how there.
So they are working, and they're part of the intelligence community,
and so they are working to quickly build these centrifuges, these cascades,
to study them, to do an analysis of them.
By the way, this laboratory is run by the Department of Energy,
and it's where most of the work for the Manhattan Project took place. And at some point, simultaneously, there's
a lab in Idaho called the Idaho National Lab, which is also run by the Department of Energy,
that does investigations into industrial control systems. So there's expertise there for the technical capabilities.
And so at some point, this program that began as an investigation just to determine the efficiency of the Iranian centrifuges, just to determine, to gain intelligence about how
far along Iran's program might be, at some point, someone got the idea to see if they could actually
sabotage it physically. And that's when this solution was proposed to conduct some kind of
secret sabotage that would hold the Iranians back without tipping them off to exactly what was
happening. So scientists at the Oak Ridge lab began working to try to come up with ways to
cause damage to these centrifuges in a subtle but catastrophic way.
They may have received help from scientists at the Idaho lab, too, since they had previously done research on electrical components within industrial control systems.
September 2005, Iran announces that it's moving forward with the enrichment of the uranium hexafluoride gas.
In January, February 2006, they announced that they are beginning to enrich their first batch of uranium hexafluoride gas. Stuxnet wasn't ready yet, but another attack
was ready and was launched. And that's when we know that when the first sabotage occurred,
they had installed about 150 centrifuges in a pilot plant testing facility at Natanz,
and the centrifuges were spinning fine for about 10 days. And then
suddenly they started spinning out of control. And it took the Iranians some time to figure out
what was happening. But they ultimately traced it to some sabotage in the uninterruptible power
supply, UPSs that they had purchased from Turkey. Someone had sabotaged them.
This caused significant damage to the centrifuges and ultimately stopped Iran from
moving forward with the enrichment process for the rest of 2006. The CIA were likely the ones
introducing this faulty equipment into the facility by infiltrating the supply chain going
in and slightly sabotaging the equipment. Around the same time, the U.S. was trying to get a
detailed map of what was in the Natanz nuclear facility. They used conventional spying techniques
and also infiltrated computers in Iran to figure out what was going on in Natanz.
They gathered information from contractors, engineers, scientists, and the Iranian government,
and they may have gotten a virus in the Natanz facility just to take inventory of what's on the
network in there. Using all these techniques, they developed a pretty good understanding of exactly what's in the facility, which would be crucial for building a weapon to
target only those systems. By this point, the facility was recovering from their faulty power
supplies. Once they had resolved that issue, in January 2007, they announced they were beginning
to enrich their first batch of uranium hexafluoride gas, not in the pilot plant, but in the actual enrichment plant.
And that's when things started to move into full force.
Israel got very nervous and was asking the U.S. for permission to bomb the plant and to halt it.
Keep in mind, Israel and Iran have a long history of not liking each other.
The supreme leader of Iran once called Israel a cancerous tumor that should be removed.
Iran has also called Israel an illegal state and a parasite,
mostly angry with the way Israel has treated Palestine.
So Israel gets extremely nervous whenever Iran starts enriching uranium.
And this wouldn't be the first time an Israeli airstrike would be done on a nuclear facility. Operation Opera was when Israeli fighter jets bombed a nuclear reactor in Iraq.
And Operation Orchard was another airstrike that Israel did on a nuclear facility in Syria.
So Israel was ready to deploy fighter jets to take out Natanz. And there are also stories of
the U.S. bombing nuclear facilities in Cuba. So an airstrike was definitely an option.
But Israel was growing increasingly nervous and looked to the U.S. for help.
But the U.S. calmed Israel down and told them about another plan.
So that's when the alternative plan of Stuxnet kicked into full gear.
Israel wasn't entirely sure this secret plan was going to work.
So to help convince them, the U.S. shared the plan with Israel to let them in on it,
sharing the virus, the strategies, the intelligence gathered, and the method of attack.
There may have even been some demonstrations done in the nuclear facility in Dimona,
where Israel could see its effectiveness. And this convinced Israel it was a good idea,
and even started to help develop it. By this point, out at Oak Ridge National Laboratory, they built a replica of the Natanz facility
and work was well underway on how to cause damage to their centrifuges.
This work was spread out among many different teams and even some of the most trusted scientists weren't aware of the full picture.
And they figured out a way to send a command to a controller to cause the centrifuge to behave abnormally.
The 2007 version was designed to close valves, exit valves, on the centrifuges.
So the way that it works is that gas pumps into the centrifuges, the centrifuge spins and enriches the uranium,
and that enriched uranium then goes out through a pipe that has a valve in it. So what Stuxnet did was it closed the valves on the exit pipes
so that the gas would go into the centrifuges, but it couldn't get out.
And the result then was that the pressure inside the centrifuge increased
until it damaged the centrifuges.
The damage was catastrophic to the centrifuge, but it just looked like a basic malfunction.
During one test, the gas built up so much pressure that it caused the centrifuge to wobble chaotically and break apart
into pieces, leaving a pile of rubble on the floor in the lab. A person working on this project
collected the rubble, put it in a box, flew to Washington, D.C., and dumped the pieces on the
conference room table in the Situation Room in front of President Bush. And when Bush saw that it could be successful, he gave the go
ahead to do that. So that was 2006. And then Stuxnet was actually unleashed sometime in 2007.
So they would have had that time between 2006 and 2007 when it was unleashed to perfect Stuxnet,
to make sure that it wouldn't be caught, to make sure that it was stealth enough,
and that it would do what it was designed to do.
It was important to keep this as a top secret mission. Very covert. Hush hush. And the project
kicked into gear at this point, fine-tuning it and figuring out ways to distribute it.
One tricky problem, though, was that the computers at Natanz were not reachable from the internet.
They were air-gapped.
So the only way to use those computers was to be physically present in front of the terminal.
So the attackers came up with the idea of putting the virus on a USB stick
and to try to get someone to walk into the facility and plug it in.
Maybe a worker or a contractor or something.
USB sticks with the Stuxnet virus were spread,
trying to get them into the hands of the people who went inside Natanz.
We're unsure how far these went and how they tried to get them into the facility.
Perhaps they knew which scientists were there and gave them USB sticks at a conference or tried to get a contractor to use them on the systems.
It's not like you can just leave them all over the parking lot because the Natanz facility is extremely well guarded.
Imagine a typical military base with high fences, guards, and artillery weapons spread all over the place.
You're not going to get anywhere near the parking lot of this place.
But the sticks were launched into the wild to try to get them into this nuclear facility in Iran.
And once the attackers pumped a bunch of USB sticks into the region,
they had to wait and see if it worked.
But it's really hard to tell if it worked. The NSA had no visibility into the facility and no access to computers, even if they got Stuxnet onto one. So they were at the mercy of the local news
or inspection reports. The IAEA is a group of nuclear inspectors appointed by the UN.
They started visiting Natanz a couple of times a month.
And they would write reports that they would send back to their headquarters in Vienna, Austria.
And in those reports, they describe the progress of Iran's nuclear program.
And so beginning around 2007, they are describing that the Iranians are having problems with the centrifuges.
They are wasting gas. So they're not progressing as fast as they're intending.
What is happening in that version is, as I said, that the exit valves are closing.
So the gas pours into the centrifuges and it can't get out of the centrifuges.
And the pressure inside the centrifuges increases.
When the pressure of the gas would increase by five times, the gas would start to
solidify. And if a spinning centrifuge has gas that's solidified in it, that solidified gas is
going to catch on that rotor that's spinning inside. And it's going to cause the centrifuge
to spin out of control. It's going to become unbalanced. And so what can happen is that the
centrifuges, they're spinning at supersonic speed. And so if a centrifuge becomes unmoored,
it's going to crash into centrifuges that are next to it. You're going to ruin the centrifuges
themselves, but you're also going to waste that gas. And that was the design of the program.
Iran had only a limited supply of uranium hexafluoride gas and a limited supply of
materials to build new centrifuges. So for every centrifuge that you could destroy
and every batch of gas that you could ruin, it was setting the program back. But the reports show that progress
was only slowed by about 30 percent. This still meant that Iran could develop nuclear capabilities
in the next few years. So this wasn't slowing the progress enough for Israel to feel comfortable.
But at this point, Stuxnet was so covert and stealthy
that nobody in the world knew about it except the attackers who created it. And this caused a lot of
confusion and frustration with the scientists. But the attackers went back to the drawing board at
Oak Ridge Lab. Scientists and security researchers went back to working on this virus to improve it.
But around this time, something changed in the U.S.
We had a change of presidents in that period.
And the new president comes in in 2009.
This was a covert operation, and a covert operation has to be authorized by the sitting president.
And because the sitting president was leaving, Stuxnet had to be reauthorized.
So essentially, it would have come to a halt at that point if Obama hadn't reauthorized it, and he did.
With the reauthorization of the virus, work kicked into high gear once again,
and the team at Oak Ridge discovered a new way to damage the centrifuges.
They wanted to continue to use different types of sabotage
because if the same attack was used every time, it would look more suspicious.
They found that if you changed the revolutions per second significantly,
it would cause a
harmonic resonance, making the centrifuge wobble chaotically and become too damaged
to continue.
Not only was a new method of destruction discovered, but security researchers found new ways to
infect the systems.
The first version only had one zero-day.
A zero-day is a bug that the software vendor isn't aware of.
But this new code contained four zero-days.
This number of zero-days is unprecedented. No malware in history has ever been discovered to have this
many zero-days in it. The malware would first have to infect a Windows machine to plant itself on it,
which exploited an unknown Windows bug. To do this, the virus used an authentic,
digitally signed certificate to appear legitimate. This is another layer of a complexity to this
virus, because it's believed the private keys needed to sign these certificates were stolen
from two different hardware manufacturers in Taiwan. Then, once the computer is infected,
the virus could seek out the SCADA software that's on that computer, and this is the software that
controls the centrifuges, and it would alter the files there, again exploiting an unknown bug in
that SCADA software. If the monitoring software would detect a centrifuge spinning too fast, it would shut down
the system. So the virus also tricked the monitoring software to make it look like nothing was wrong,
and made it look like it was spinning at normal speed. And finally, the centrifuge itself would
be infected to alter the actual spinning speeds. This virus is a masterpiece. The level of sophistication,
precision, stealthiness, and effectiveness has never been rivaled in any malware ever discovered.
It's truly an unbelievable, amazing piece of malware.
The new year is a great time to ask yourself, what if? When I was thinking, what if I start a podcast?
My focus was on finding a catchy name, some cool stories, and working out the best way to record.
But oh, so much more goes into making a podcast than that.
If you're thinking, what if I start my own business?
Don't be scared off, because with Shopify, you can make it a reality.
Shopify makes it simple to create your brand, open for business, and get your first sale. Get your store online easily with thousands of customizable drag and
drop templates. And Shopify helps you manage your growing business. Shipping, taxes, and payments
are all visible from one dashboard, allowing you to focus on the important stuff. So what happens
if you don't act now and someone beats you to the idea? The best time to start your new business is
now with Shopify. Your first sale is closer than you think.
Established in 2025.
That has a nice ring to it, doesn't it?
Sign up for your $1 per month trial period at shopify.com.
Go to shopify.com.
And start selling with Shopify today.
Shopify.com slash darknet.
The virus was built, and it was ready to infect the systems.
But the problem was still getting over that air gap.
They tried to get the virus onto the systems within Natanz, but it just wasn't working.
And we think it was probably the NSA who crafted this virus, but then the CIA or Israel's Mossad likely tried to get it on the computers of the people working at the Natanz facility. But for whatever reason,
the virus wasn't getting onto the right systems or infecting enough of the machines in the facility.
By this time, the intelligence units in Israel had been collaborating with the U.S. on this attack.
Both Israel and the U.S. were modifying and programming Stuxnet and then sharing code
between each other. And since it wasn't quite infecting the facility well enough,
a more aggressive spreading mechanism was added to the virus.
They used a worm.
And because of that, they would infect any Windows system
that Stuxnet encountered.
It would deposit the payload,
but again, the payload wouldn't affect those systems
unless it had the configuration that Stuxnet was seeking.
U.S. and Israel worked together to very precisely target Natanz with this virus.
The virus was introduced to the network of some contractors that were known to go into Natanz.
Either through a USB or shared drive, the worm had spread onto their computers.
The virus then sat on their computers and waited to be taken into the Natanz facility.
And when the contractor with the infected computer went into the facility, the virus spread all through the network,
infecting the exact systems it was programmed to attack. This was pay dirt for the virus.
From within the network, it spread to many more systems, infecting the computers that
controlled the centrifuges. But there was a mistake in the virus.
A bug in the bug.
The spreading mechanism was too aggressive.
The worm that was added to it spread beyond the target network of Natanz.
Computers that were connected to the same shared drives as the virus were also getting infected.
And then those computers were taken to other networks and infecting other systems there.
Soon the virus became out of control and was infecting systems all over Iran and the rest of the world. The worm was on the loose. When the U.S. military found the Stuxnet worm was spreading
rapidly, it was horrible news. This wasn't supposed to happen. This was a big mistake.
This may blow their cover and reveal their secret weapon. A meeting was held in the Situation Room
to inform President Obama and Vice President Biden that this worm had gotten out of hand and may soon be discovered. The president and vice president were deeply
troubled by this, but they allowed the attacks to continue. Stuxnet was present on the Windows
computers that controlled the centrifuges, and the centrifuges in the Natanz facility were infected
too. After the computers were infected, the virus would sit and wait for weeks. It would listen and record what normal
behavior looked like, so it could replay this back during the attack. After a couple weeks,
the virus instructed the centrifuge to significantly increase in revolutions per second,
but only for 15 minutes. This would be an attempt to knock it off its axis or cause a wobble,
and then the spinning would return to normal again for a few more weeks.
This temporary change in spinning speed could be enough to damage the centrifuge
so that normal spin speeds would damage it more.
Because if centrifuges were breaking during normal operations,
this would certainly hide that sabotage and covert operations were at hand.
And if the centrifuge continued to operate,
after another 26 days it would slow down to just barely spinning,
and then back up again to normal spin speed.
Changing the speed could cause the centrifuge to wobble off balance just enough that it could damage it.
But also by slowing down the speed, it would drastically reduce their enrichment process, also slowing the program.
The subtlety of this attack was very precise.
Centrifuges began randomly producing less enriched gas
and some were getting damaged.
The change in the spinning was enough to damage them
to the point where they would waste gas inside them
or they just wouldn't work anymore.
This baffled scientists and engineers
because the monitoring system all showed everything was working fine,
yet some centrifuges were changing their speeds randomly.
Because an attack like this had never been seen before,
the scientists didn't suspect that a virus would do this,
but they couldn't figure out what it was.
We don't know the exact destruction caused within the facility,
but cameras installed by the nuclear inspectors
saw the Iranians were disassembling centrifuges
and removing large amounts of equipment.
And upon the next inspection report,
it was noted that there were around 1,000 fewer working centrifuges compared to the last report.
So because of this, we believe the Stuxnet virus had successfully damaged around 1,000 centrifuges.
The loss of 1,000 centrifuges and a bunch of the gas being used in them was a huge setback for Iran's nuclear facility.
Catastrophic damage was done to this facility, but nobody was harmed during it. They had a very limited supply of both centrifuges and gas and couldn't simply go buy
more. Iran had more materials, but this event destroyed a significant percentage of it.
The head of Iran's atomic energy organization resigned at the same time. We can only speculate
that his resignation occurred because of how damaging this attack was to the atomic program.
While this sabotage did cause significant damage at the facility, it only slowed Iran's nuclear program momentarily.
Very quickly, they tried to replace all the centrifuges with new ones and get back to enriching.
And around this time, because of the nature of how aggressive the virus had spread around the world,
security researchers from Symantec began noticing this virus and analyzing it
and reporting about it.
The team at Symantec studied the malware
and eventually realized the complexity
and sophistication of this worm
was unlike anything they'd ever seen.
Surely it was created by a nation-state actor,
somebody with an enormous amount of resources
and a strong understanding of the technology
had to make this,
which made the Symantec team very nervous to study it further. They knew if they published their findings, it
would expose this entire operation, and they thought whatever nation-state actor created it
probably didn't want them blowing the cover. But the team at Symantec had a duty, and that was to
publish malware when they find it, so they published their findings. And while the Iranians were struggling and scrambling to try to stabilize their enrichment facility,
the Symantec report tipped them off that these centrifuges had been sabotaged by this virus.
Immediately, they shut down the facility and wiped the viruses off all systems in there.
The Iranian president told the press,
When trying to figure out who conducted this cyberattack, you map out a few things.
First, who would have the motive to sabotage Iran's nuclear program?
And second, who has the capabilities of creating a virus with four zero days in it?
Just those two questions alone narrow down the potential attackers to less than five suspects.
You could imagine the local Iranian news was desperate to speculate who was behind this
and provided many scenarios that may have happened.
And they speculated that the U.S. and Israel were behind this attack. At this point, it seemed like another plan went into effect. Nuclear enrichment is hard,
and you need very smart scientists to bring it along. So once Iran continued to enrich the
uranium again, assassinations started happening. Two separate car bombs exploded at nearly the
same time in Iran, one killing a quantum physicist who had been working at Natanz,
and the other seriously injured a high-ranking official in Iran's Ministry of Defense.
A few months later, a car bomb killed another nuclear scientist.
And two years after that, the director of the Natanz nuclear facility was also killed in a similar explosion.
The aggressiveness of the spreading mechanism within Stuxnet is how the world discovered this virus.
If those spreading mechanisms hadn't been added to Stuxnet, we might still not know about this.
You know, Stuxnet could have continued for years to conduct its sabotage. But, you know, it was that sloppiness, that recklessness
that exposed it and really endangered the program. That doesn't mean that there isn't
current activity going on, but it definitely put the Iranians on notice what was happening
and made them more suspicious and careful.
Reports say that the U.S. president and vice president were particularly upset about Stuxnet
being discovered. This was supposed to be a covert operation that nobody would ever find out about.
They were angry about the spreading mechanisms because until then,
Stuxnet had been very controlled and precise. And when the Israelis added these spreading mechanisms, that's what
launched Stuxnet outside of Natanz and it started spreading wildly out of control.
And that's what got it exposed. And so they were angry because apparently they didn't know
that the Israelis were going to be adding these spreading mechanisms.
But what group in the Israeli government helped develop this virus and launch it? Some of my keen listeners may be jumping out
of their seats right now saying it was Unit 8200. And in fact, dozens of news agencies did point
fingers at 8200 for doing this. But it may not be that simple. I wouldn't point fingers
at 8200. They seem logical because they have the technical abilities. But again, this was very, very specific knowledge of industrial control systems that was needed for this attack. And that's why I'm saying that it's a little foggy
who the exact people appointed to it were.
In the U.S. here, you can have people who are working at Idaho National Lab,
which is under the Energy Department, but they can be –
there's a special word for it.
It's not lent, but they can be lent out, for instance, right, to the FBI, they can be lent out to the NSA. And so when you say
that the NSA does it, it can actually be people from the energy department, really, energy labs,
Department of Energy labs, who are borrowed out, let's say, to the NSA for their expertise and for
specific projects and things
like that. Clearly, this was a joint effort between the Department of Energy, which is still
surprising to me, the NSA, the CIA, and Israel. And this was a very covert operation, extremely
hush-hush, that people who were working on it probably didn't even understand the full purpose
of what they were doing. And still today, the United States has never admitted to conducting
this attack or conducting any cyber attack ever.
So how do we know so strongly who was behind this?
Well, like I was saying before, Kim did her research.
The Symantec team who first studied this virus released a 67-page report about everything Stuxnet was capable of.
And this gained the interest of many more security researchers and journalists who also published papers. And we also see from documents that Snowden leaked that the president did in fact sign executive orders to use
cyber weapons. But there was another leak somewhere in the government. Someone had told David Sanger,
a reporter for the New York Times, some classified information about Stuxnet, which resulted in an
eye-opening article about how Israel, Bush, and Obama had authorized this cyber attack.
The press questioned President Obama about this.
David Jackson.
Thank you, sir.
There are a couple of interesting details about national security issues.
There are reports of cyber attacks on the Iranian nuclear programs that you ordered.
What's your reaction to this information getting out in public?
THE PRESIDENT. Well, first of all, I'm not going to comment on the details of what are
supposed to be classified items, which is why, since I've been in office, my attitude has been zero tolerance for these kinds of leaks
and speculation.
Now, we have mechanisms in place where if we can root out folks
who have leaked, they will suffer consequences.
In some cases, it's criminal. These are criminal acts when they
release information like this. And we will conduct thorough investigations as we have in the past.
After that thorough investigation, U.S. Marine General James Cartwright was found guilty of
lying to the FBI about whether he had talked to a reporter about this. But two weeks before his
sentencing hearing, President Obama pardoned General Cartwright from any wrongdoing, which allowed this
case to be dropped. And there are a million more articles, interviews, and pieces of information
about Stuxnet that came out which help us put all these pieces together. And that's why we can give
you a timeline today of how this got started, where it got started, why it got started, who did it,
and all the different versions involved. From that point, the U.S. and other nations worked with Iran to try to come up
with an agreement, and in 2015, they did.
Today, after two years of negotiations,
the United States, together with our international partners, has achieved something that decades of
animosity has not, a comprehensive long-term deal with Iran that will
prevent it from obtaining a nuclear weapon. Israel wasn't entirely happy with this deal,
as it still allowed Iran to develop nuclear power, just not nuclear weapons. In fact,
Iran never did say they were developing nuclear weapons. They claimed it was always a civilian
nuclear program. But one thing hangs in my head still. Was this an act of
war? Was this a strike during peacetime with Iran? Here's Kim. It's naive to think that governments
don't engage in activities that are just below the threshold of all-out war and attack. They do
it all the time. When diplomacy doesn't work, when diplomacy is being engaged in place of diplomacy.
It happens all the time.
We don't know what wars are averted because governments have engaged in other things
to achieve ends that otherwise might be achieved by war.
The fact that it was done during a time of peace and it was done to avoid an all-out war.
And I think that there are people that would condemn the U.S. for doing this. But I think that ultimately, if Iran's program was indeed an illicit weapons production program, the viewpoint of the U.S. was that they actually saved lives by doing this, by not engaging in all-out warfare, they were able to do this in a
peaceful way that didn't harm anyone, and then ultimately prevented Iran from obtaining weapons
that would have caused, of course, more bloodshed. So from that point of view,
when you talk about the outrage of this being an act of force being done during a time of peace,
from the U.S. perspective,
it was done to actually keep peace. But Iran didn't see it that way,
especially because Iran claimed this was only a civilian nuclear program. And the truth is,
there wasn't much evidence to say this was a weapons program. So if this wasn't intended to
make weapons, imagine how Iran must see Israel and the U.S. now. They were already really angry
with Israel, but now here's evidence of Israel attacking their innovation. But if this cyber
attack didn't work, a bombing run might have been next. So while this looks ugly, dropping bombs
looks a lot uglier. It would almost certainly result in bigger clashes. The discovery of Stuxnet
was such a major revelation in the history of cyberattacks.
We could almost divide the timeline up of a pre-Stuxnet and post-Stuxnet world.
Before, we weren't exactly sure what the U.S. government was capable of doing,
but now we see that not only is the U.S. government using hacking to destroy and sabotage physical equipment within other nations,
but they're doing it with an extreme sophistication and precision.
The number of zero days found in this means the U.S. government hoards zero days,
and they keep them to use as a weapon to make us safer,
instead of telling the vendor to patch them, which would make us all safer too.
This was a military-grade weapon, which had the input of extremely knowledgeable scientists, engineers, and hackers.
After this sabotage caused major setbacks to the Iranian nuclear program,
Iran reinforced their efforts in building a cyber army of their own, and they weren't going to take
this lying down. A hackback plan was in the works. And in the next episode, we'll see what
Iran's response was. And that hack caused even more damage than what Stuxnet did.
You've been listening to Darknet Diaries. A very special thanks to Kim Zetter for sharing the story
with us. And there's so much more to Stuxnet than what we just covered. If this interests you at all,
you should definitely check out her book Countdown to Zero Day. You can even get it as an audiobook. It's
so much more detailed and wonderfully written. I read it twice, and each time I learned so much
more than I previously knew and went down all kinds of rabbit holes. It's eye-opening and fascinating. So check out Countdown to Zero Day.
Hey, if you liked this episode, do me a huge favor and tell someone else to try the show.
Word of mouth is my best method for spreading. Maybe you could text someone you know right now
and tell them, hey, I think you'd like the podcast Darknet Diaries. Okay, thanks. This episode is
made by me, the root-seeking missile, Jack Rhysider. The theme music was created by the piano tickler