The Why Files: Operation Podcast - 19: Stuxnet | The Computer Virus that prevented and started the next world war

Episode Date: June 26, 2022

STUXNET.  The virus that prevented; then started the next world war. Cyberwar is being waged right now in your name. No matter what country you call home, your government is engaged in highly dangerous combat on the Internet. Infrastructure around the world is under siege and everyone is at risk. Even you.  In 2010, the Stuxnet virus was discovered in Natanz, Iran and thousands of control systems that operate factories, power plants and nuclear reactors around the world. It was 20 times more sophisticated than any malware ever recorded. It could halt oil pipelines, destroy water treatment plants and bring down entire power grids.   Stuxnet is back, stronger than ever.   And we should *all* be concerned.   Cyber-security experts knew Stuxnet wasn't ordinary malware thrown together by some basement hacker. This was something different.   Let's find out why. --- Support this podcast: https://podcasters.spotify.com/pod/show/thewhyfiles/support

Transcript
Starting point is 00:00:00 You searched for your informant, who disappeared without a trace. You knew there were witnesses, but lips were sealed. You swept the city, driving closer to the truth. While curled up on the couch with your cat. There's more to imagine when you listen. Discover heart-pounding thrillers on Audible. In 2010, a computer virus was discovered in thousands of the control systems that operate factories, power plants, and nuclear reactors around the world. This virus was 20 times more sophisticated than any malware ever recorded.
Starting point is 00:00:47 It could halt oil pipelines, destroy water treatment plants, and bring down entire power grids. This virus was called Stuxnet, and we should all be concerned. Let's find out why. In January 2010, inspectors from the International Atomic Energy Agency were visiting the Natanz uranium enrichment plant in Iran. They noticed that the centrifuges, which are used to enrich uranium gas, were tearing themselves apart, one after another.
Starting point is 00:01:20 Hundreds of them. Nobody could figure out why. Not the inspectors, not the Iranian technicians who worked on site, not even the engineers who built the system. Meanwhile, a computer security firm in Belarus got a strange request from a client in Iran. Their machines were rebooting over and over again. Even completely wiping the hard drives and reinstalling the operating systems didn't help. Again, the problem was a mystery. But when the technicians pulled apart the operating systems,
Starting point is 00:01:47 they found a new and very unusual virus. They called it Stuxnet. And Stuxnet was infecting computers all over the world and spreading fast. Now, these events seemed unrelated at the time, but they were very much connected. Cybersecurity experts knew Stuxnet wasn't ordinary malware thrown together by some
Starting point is 00:02:05 basement hacker. The first clue was the size of the code base. Most viruses are 10, maybe 20 kilobytes. Stuxnet was 500 kilobytes. And uncompressed, it was 1.2 megabytes. That's a pretty large piece of code to go undetected. Then analysts transferred Stuxnet to a new computer just to see what would happen. Now, the test computer was not your grandma's old Compaq laptop from 1997. The machine was a state-of-the-art, highly protected workstation designed for cybersecurity threat detection. All the bells and whistles. But as soon as the Stuxnet files were copied over, the new computer was immediately infected without anybody doing anything.
Starting point is 00:02:44 And without triggering a single alert. And that's very unusual. When you install software on your computer, it needs to be digitally signed with a trusted certificate, and the developer supplies a certificate that your computer checks against trusted manufacturers: Apple, Logitech, whatever. A lot of viruses tamper with the signature of the certificate to try to trick your operating system into allowing it to install.
Starting point is 00:03:06 Now, luckily, virus protection usually catches this. And you've probably seen that warning when you're trying to install software that's not from a trusted source. This catches a lot of nasties. But Stuxnet didn't have altered certificates. It had valid certificates stolen from two trusted sources, JMicron and Realtek. Now, these companies make all kinds of drivers for hard drives, USB sticks, sound cards, tons of stuff. You probably have their software on your computer right now.
Starting point is 00:03:35 I definitely do. And when the creators of the Stuxnet worm signed their files with a stolen cert, they wanted to make sure that Windows would install it very quietly without any warning. And if anyone bothered to look at the cert, they wouldn't care because it was valid. Now, stealing a valid digital signature is like trying to rob a bank vault that's locked inside another bank vault. The security around them is sci-fi, spy movie level stuff. They had to physically steal the certificate from inside these companies. That really doesn't happen, but it happened. So more digging around, the code showed that as soon as Stuxnet infected a computer, it started probing the system, looking for flash drives,
Starting point is 00:04:17 USB sticks, and other storage devices. And because of the signing certificates, Windows happily allowed it to do so. What security experts had discovered is one of the rarest and most dangerous kinds of software vulnerabilities. And it was at this time that they went from curious and amazed to fearing for their lives. Look, I'm not suicidal. If I show up dead on Monday, you know, it wasn't me. What security experts had discovered is called a zero-day exploit. And it's called this because when a vulnerability is unknown to the software developer and Microsoft and the antivirus community and the rest of the world,
Starting point is 00:04:56 that means there are zero days of protection against it. Nobody knows about a zero-day vulnerability except the attacker exploiting it. A zero-day is so rare and valuable that you can actually sell it on the dark net for hundreds of thousands of dollars. Not a good idea. It's not. Think about this. Cybersecurity companies research over 12 million viruses a year, and in that time they might find maybe 10 or 12 zero-day exploits. It's a once in a million occurrence. But Stuxnet contained four zero-day exploits. This is unheard of. It never happened before, and it hasn't happened
Starting point is 00:05:31 since. Eventually, it was discovered that Stuxnet wasn't trying to steal passwords or data. It was actually targeting the software on Siemens programmable logic controllers called PLCs. Now, PLCs are small computers used in factories and industry that control pretty much everything. Assembly lines, water pumps, power plants, and nuclear refining. Critical infrastructure runs on PLCs. If you can hack a PLC, you can take down an entire country without firing a single shot. Now, this had people very nervous because industries all over the world were reporting their PLCs were infected with Stuxnet, but it was just sitting there. Nobody knew what it was going to do or when. Was the power grid just going to turn off? Was water or gas going
Starting point is 00:06:15 to stop flowing? Nobody knew. It felt like a ticking time bomb because it was. Even though the virus was spreading all over the world to thousands of computers per day, it was primarily targeting one country, Iran. More specifically, it was targeting the Iranian nuclear facility in Natanz. That doesn't sound like an accident. It wasn't. A virus this complex and this dangerous requires millions of dollars to create. It takes time, the best programming talent in the world, and absolute secrecy. Experts at first suspected, and then they were positive, that Stuxnet could only have been designed by a country looking to cripple or wage war against another
Starting point is 00:06:56 country. This was a state-sponsored attack. To design and deploy a cyber weapon like Stuxnet, you need immense financial resources, a military intelligence infrastructure, and a motive to wreak havoc on an enemy nation. Do we know what country created it? We do, but they won't admit it. So who made this thing? You're not going to like it. Oh, sh... An intelligence agency, probably.
Starting point is 00:07:23 Probably. Who has an interest in setting back the Iranian nuclear program. Yes. Stuxnet was aggressive, but very quiet. If Stuxnet is on your computer and you plug in a USB thumb drive, boom. The USB drive is immediately and quietly infected. You don't have to run a program, open a web page, or click anything. You then plug that USB drive into a different computer on a different network. Boom. Every machine on that network is infected. And this is exactly what happened in Iran. The nuclear
Starting point is 00:07:55 centrifuges at Natanz were air-gapped, meaning they weren't connected to any outside network. And this is usually a good way to keep a network secure. The only way to infect a clean air-gapped network is... User error. Yep. User error. Outside contractors who were brought in to work on the Iranian nuclear facility in Natanz had also brought Stuxnet in through infected USB drives. And once Stuxnet was in, it deliberately targeted the Siemens PLCs, which operated uranium enrichment equipment.
Starting point is 00:08:24 So these PLCs controlled the rate of spin in a nuclear centrifuge. Spin too fast or too slow, the entire thing tears itself apart. So Stuxnet got into the centrifuges, and then... Yeah, and then what? And then it did nothing. It just looked around and kept logs of everything happening in the equipment. But after 13 days, Stuxnet started changing the speed of the centrifuges every 15 minutes, sometimes faster, sometimes slower. Normally,
Starting point is 00:08:51 this is something a technician would spot immediately, but Stuxnet was using the data it collected earlier to report back that everything was fine. But everything wasn't fine, was it? It was not. Because Stuxnet changes the rate of spin every 15 minutes, the equipment weakens and eventually tears itself apart. Stuxnet was also disrupting power feeds, causing centrifuges to explode. And once the equipment started to fail, there was no way to stop it. Even those big red buttons you see on machines that you hit in case of emergency, those were disabled too.
Starting point is 00:09:22 Somehow Stuxnet thought of everything. Not only was this virus created by highly talented programmers, there was obviously input from experts in nuclear enrichment technology, reactor operations, safety protocols. That is a dangerous virus. Over a thousand uranium centrifuges were destroyed by Stuxnet. This set Iran's nuclear enrichment program back months, maybe years. Why? Well.
Starting point is 00:09:47 Iran's nuclear ambitions must be stopped. They have to be stopped. We all have to stop it. Now, that's the one message I have for you today. Thank you. In the early 2000s, Iran was ramping up its nuclear energy and enrichment program. This was in violation of international agreements, so a lot of the work was done in secret. Also a violation.
Starting point is 00:10:11 Now, Iran argued that it had a right to pursue nuclear energy. But U.S. and Israeli intelligence agencies suspected Iran of using its civilian nuclear program as cover for weapons development. So the U.S. imposed sanctions and all sorts of other things to try to pressure Iran to slow down its nuclear program and deal. But even with Stuxnet and other setbacks, Iran kept enriching uranium. They said that they needed nuclear power to provide energy to the population. Energy? Don't they make oil over there? Look, I'm just telling you what happened. I'm not taking sides. This isn't a political channel. Fine, fine, fine. Go ahead.
Starting point is 00:10:46 So every time Iran agreed to suspend its enrichment program, diplomatic talks would break down and they would go back to work. Then they would stop again and start again. And it went on like this for a while. But then the CIA received thousands of pages of documents indicating that Iran was modifying the nose cone of a missile to carry a nuclear warhead. Oh no. Oh yes. Then it was discovered that Iran had acquired and hidden from inspectors
Starting point is 00:11:14 blueprints for more advanced centrifuge tech. Iran claimed that these documents were forged but later admitted that they had secretly imported equipment from a foreign source. Now, by this time, Israel was getting fed up and threatening military action. Now, bombing Iranian nuclear facilities might have been a short-term solution, but almost certainly would have led to war in the region and perhaps globally. Oy vey, not another war. Yep, another war.
Starting point is 00:11:50 So the U.S.'s intelligence community, including NSA, CIA, and the newly formed U.S. Cyber Command, got to work on what they called Operation Olympic Games. Olympic Games was a campaign of cyber intrusion, disruption, and sabotage of Iranian... Wait, wait, wait, wait. The U.S. government created Stuxnet? What, I haven't given you enough clues? Well, I was just so enthralled with the stories. I appreciate that. Now, officially, no country has acknowledged developing Stuxnet.
Starting point is 00:12:17 But through leaks at NSA and CIA and using common sense, it's generally believed that Stuxnet was developed by the United States with help from Israel, the U.K., and their allies. Dumb question. Go ahead. When you destroy something with a bomb or with a virus, isn't it the same thing? Well, funny you should ask that. It's an act of war.
Starting point is 00:12:37 Please, let's be frank here. Okay. Countries are constantly hacking each other and spying on each other looking for information. And most countries have agencies and protocols to protect against this. It's a game of intelligence, cat and mouse. It's been going on forever. But Stuxnet was the first time a nation state developed proactive offensive weaponized code that could do actual physical damage to another country. If a nuclear reactor could be destroyed from the inside, what other real world
Starting point is 00:13:09 damage could Stuxnet or other malicious code do? If you attack a power grid or water supply, lots of people are going to die. So Iran felt like this was not a simple covert act of espionage, but a blatant act of war committed by the US and its allies. What did they do about it? Well, what would you do? Fight back. That's exactly what they did.
Starting point is 00:13:30 Iran sent out a virtual call to arms and quickly built one of the largest state-sponsored hacker groups in the world. They got to work. They attacked Saudi Aramco, the largest oil company in the world, and destroyed every computer they had. 30,000 machines' hard drives were wiped clean. Phone lines were down. Email offline. It was a nightmare. No, no. Then they went for America's financial infrastructure
Starting point is 00:13:56 and levied attacks against Wells Fargo, PNC, and Bank of America, taking down banking systems all over the world. And there were other attacks. Now, Iran didn't officially take credit for these attacks, but then again, they didn't really have to. The message was clear. Come for us, we'll come for you. Now, PLC attacks did happen before Stuxnet.
Starting point is 00:14:15 Viruses have destroyed power generators, dumped raw sewage on cities, disrupted railways. There was even an attack in the 90s against Worcester Airport in Massachusetts that grounded flights for a day. But those attacks were done by single hackers and disgruntled employees. When you have the resources of an entire country deployed for state-sponsored attacks, the world becomes a much more dangerous place.
Starting point is 00:14:38 But now that we know about it, we're safe from Stuxnet, right? Oh, no.
Starting point is 00:15:04 For years, cyber attacks on our nation have been met with indecision and inaction. The internet has been a great equalizer. Any information available online is available to everyone, everywhere, forever. Now, you can't buy a tank or a bomb online. Hello, dark net. Okay,
Starting point is 00:15:33 the dark net is different, and we have an episode coming up on that. So while you're waiting for it, hit the like and subscribe, all the buttons, but don't try to buy a tank on the dark net. What you can find online are plans and blueprints to make all kinds of scary things. Still, if you try to put together some doomsday device in your garage, you're going to raise some eyebrows. I mean, my wife can't spray paint a flower pot in the driveway without our nosy neighbor coming over. I can only imagine what he'd do if I started welding together pieces for an EMP device. That would make a good DIY video. I'd watch that. But Stuxnet isn't a thing. It's lines of code.
Starting point is 00:16:08 But it's lines of code that can damage actual property and hurt actual people. And the Stuxnet code is just out there now. If you know what you're doing, you can take the code apart, make a few changes, and now you've got a really sophisticated weapon. You can even do this if you don't know what you're doing, which is probably more dangerous. Now, as we speak, thousands of people around the world have this Stuxnet code, and they're tinkering with it, seeing what different pieces can be used in their own attacks. There have already been a few viruses inspired by its engineering.
Starting point is 00:16:38 The Duqu virus attacked industrial facilities in 2011. Flame in 2012 also attacked facilities in Iran. And Flame could record audio, Skype calls, take screenshots, log keystrokes, all kinds of stuff. Industroyer attacked power facilities in Ukraine in 2016. And there are tons of others. Stuxnet is the best cyber weapon the United States has ever developed, and it gave it to the world for free.
Starting point is 00:17:03 Now for perspective, Natanz in Iran was a brand new nuclear facility with an air-gapped network and a team of security professionals working around the clock, and it was taken down easily. But a lot of industrial control systems are not as sophisticated. Some are connected to the internet without default passwords, and many systems crucial to a country's infrastructure are running software that's 30, even 40 years old. Not just at Iran, here in the US, in the UK, everywhere. How vulnerable are those systems to attack?
Starting point is 00:17:33 Iran has already said that cyber attacks will be answered with cyber attacks. And I think we can assume that every country in the world has this policy. I mean, it's national defense. Well, remember how I said the Internet is a great equalizer? Well, think about this for a second. Throughout world history, global powers maintain their status through wealth and military might.
Starting point is 00:17:53 But today, you don't need a trillion dollar defense budget in order to impose your political will on the world. Now, all you need is a dozen smart programmers and lots of Mountain Dew. Now that the world's richest and poorest nations all employ skilled hackers, is cyber warfare like the nuclear arms race, where mutually assured destruction means that no country would dare attack another? I mean, surely no country would risk retaliation by unleashing further chaos on the world, right? Your sarcasm is palpable.
Starting point is 00:18:32 The link between the outage in Mumbai in October last year and the suspected role of Chinese hackers. Chinese hackers, backed by the Chinese state, targeted two Indian vaccine makers. Tonight, as researchers race to develop a vaccine for the coronavirus, hackers from China and other countries are working just as furiously to steal that research to create their own. Operation Olympic Games gave us Stuxnet, the most advanced and destructive cyber weapon ever used.
Starting point is 00:18:59 When it was unleashed on Iran, it was a Hiroshima moment. And like Hiroshima, Stuxnet was only the beginning, a test case for more advanced, more devastating cyber weapons. And one of those weapons has already been deployed. That weapon is Nitro Zeus. Yeah, that sounds like the name of a Greek energy drink. You're really throwing ice water on my drama here, pal. I'm sorry. I make jokes when I'm nervous. Okay, back to Iran. After coming pretty close to war, cooler heads prevailed, and Iran, along with several world powers, signed a nuclear peace agreement.
Starting point is 00:19:34 That was the ideal outcome, but that outcome wasn't always certain. So in case diplomacy failed and war broke out, the United States had, and has, a cyber contingency plan. The plan, codenamed Nitro Zeus, is a virus far more complex than Stuxnet and was developed by thousands of people at a cost of hundreds of millions of dollars. Nitro Zeus, or NZ, was designed to infect Iranian infrastructure and await orders. In case of war, NZ would disable Iran's air defenses, disrupt military command and control, take down parts of the power grid.
Starting point is 00:20:09 It would attack domestic communications, transportation, banks, financial systems. Now, I don't have to point out that these aren't just military targets. Millions of civilians would be harmed if Nitro Zeus or a virus like that was used on anyone. Now, according to former intelligence operatives,
Starting point is 00:20:28 Nitro Zeus has already been deployed and is living in Iranian infrastructure right now, just awaiting instructions. Now, that's pretty scary. But what scares me more about Nitro Zeus is what happens when that code gets out. It's inevitable that more countries will acquire the capacity to use cyber both for espionage and for destructive activities.
Starting point is 00:20:51 You'll hear people say that the next world war will be fought in cyberspace. They're wrong about that. The United States, Iran, China, the UK, Russia, North Korea, they're not preparing for cyber war. They're already fighting it. And I'm being completely honest now.
Starting point is 00:21:08 Off script. Researching this episode was stressful. And I'm left with more questions than answers. Like, how can citizens who are threatened by cyber attacks have an honest conversation about these dangers when our own governments don't acknowledge they participate? How can one country ask another to disarm when it won't disarm itself? But the biggest question of all, how can the global community ensure that destructive cyber weapons like Stuxnet and Nitro Zeus don't fall into the wrong hands? Don't create them in the first place. That would be a good start. Until there's a global
Starting point is 00:21:43 effort to address this threat, all we can hope for is that our governments can keep us safe and hope our leaders can avoid another international crisis. That's a lot to hope for. The cyber war is here. And now I find myself longing for the days of the Cold War, when a concrete wall ran through Berlin, when proxy wars were fought on every continent, when global superpowers had thousands of nuclear weapons aimed at each other, just one decision away from Armageddon. I long for those days because back then, the world was a much safer place.
Starting point is 00:22:20 Thanks for hanging out with us today. My name is AJ. That's Hecklefish. This has been the Why Files. If you had fun or learned anything today, do me a favor. Comment, like, subscribe, share, do all that stuff. The algorithm is a she-wolf with sharp claws and teeth, but with your help, we can defeat her. Defeat the she-wolf. Until next time, be safe, be kind, and know that you are appreciated.
