by Kim Zetter
16 Reza Aghazadeh, vice president of Iran, in a letter to the IAEA on October 21, 2003, as quoted in IAEA Board of Governors, “Implementation of the NPT Safeguards Agreement in the Islamic Republic of Iran” (report, November 10, 2003), 4.
17 Ibid., 8.
18 The NCRI had exposed the site in 2003, but said at the time that it was being used for a biological weapons program. Information obtained by IAEA, ISIS, and others in 2004, however, suggested it was being used for nuclear activity, which led the IAEA to request an inspection.
19 Iran claimed the site had been razed beginning in December 2003 due to a land dispute between the Ministry of Defense and the city of Tehran. The site was razed in order to return the land to the city. See ISIS, “The Physics Research Center and Iran’s Parallel Military Nuclear Program,” February 23, 2012, available at isis-online.org/uploads/isis-reports/documents/PHRC_report_23February2012.pdf.
20 Information about the meeting and the documents comes from an author interview with Heinonen, December 2011. See also Catherine Collins and Douglas Frantz, Fallout: The True Story of the CIA’s Secret War on Nuclear Trafficking (New York: Free Press, 2011), 112; and Erich Follath and Holger Stark, “The Birth of a Bomb: A History of Iran’s Nuclear Ambitions,” Der Spiegel, June 17, 2010.
21 Nuclear weapons are created by shaping uranium metal into two hemispheres and embedding them in an explosives device outfitted with detonators. The detonators are rigged to explode uniformly and simultaneously in order to send the two spheres smashing violently into each other and produce a chain reaction.
22 Iran developed the missile, which had a 900-mile range, in 1998 and conducted successful tests in May 2002. Iran was also developing a missile with a 1,200-mile range.
23 Follath and Stark, “The Birth of a Bomb.”
24 ElBaradei opposed releasing the documents publicly since the IAEA was unable to verify their authenticity, and memories of the United States’ use of discredited documents to support the invasion of Iraq were still fresh in his mind. The IAEA, however, pressed Iran repeatedly over subsequent years to provide information about the programs described in the documents, but no answers were forthcoming in some cases or incomplete information was provided in others. Some of the information in the documents later found its way to ISIS. See David Albright, Jacqueline Shire, and Paul Brannan, “May 26, 2008 IAEA Safeguards Report on Iran: Centrifuge Operation Improving and Cooperation Lacking on Weaponization Issues,” May 29, 2008, available at isis-online.org/uploads/isis-reports/documents/ISIS_Iran_IAEA_Report_29May2008.pdf.
25 Mohamed ElBaradei provides a good behind-the-scenes description of the negotiations in his memoir and explains why Iran felt cheated by them and justified in rejecting them. The Age of Deception: Nuclear Diplomacy in Treacherous Times (New York: Metropolitan Books, 2011), 141–47.
26 Karl Vick, “Iran’s President Calls Holocaust ‘Myth’ in Latest Assault on Jews,” Washington Post, Foreign Service, December 15, 2005.
27 “06Kuwait71, Kuwait’s Country Wide Radiation Monitoring System,” US State Department cable from the US embassy in Kuwait to the State Department in Washington, DC, January 2006. Published by WikiLeaks at wikileaks.org/cable/2006/01/06KUWAIT71.html.
28 The assessment comes from Ariel (Eli) Levite, deputy director general of the Israel Atomic Energy Commission, in a September 2005 US State Department cable from the Tel Aviv embassy, published by WikiLeaks at wikileaks.org/cable/2005/09/05TELAVIV5705.html.
29 “06TelAviv293, Iran: Congressman Ackerman’s January 5 Meeting at,” US State Department cable from the US embassy in Tel Aviv, January 2006. Published by WikiLeaks at wikileaks.org/cable/2006/01/06TELAVIV293.html. See this page in this book for an explanation of the problems.
30 Privately, Israel and Russia both told the United States they believed Iran could actually master its enrichment difficulties within six months. See “06Cairo601, Iran; Centrifuge Briefing to Egyptian MFA,” US State Department cable, February 2006, published by WikiLeaks at wikileaks.org/cable/2006/02/06CAIRO601.html.
31 “06TelAviv688, Iran-IAEA: Israeli Atomic Energy Commission,” US State Department cable, February 2006, published by WikiLeaks at wikileaks.org/cable/2006/02/06TELAVIV688.html.
32 Ibid.
33 “Iran Defiant on Nuclear Deadline,” BBC News, August 1, 2006, available at news.bbc.co.uk/2/hi/5236010.stm.
34 “07Berlins1450, Treasury Under Secretary Levey Discusses Next,” US State Department cable from the embassy in Berlin, July 2007, published by WikiLeaks at wikileaks.org/cable/2007/07/07BERLIN1450.html. The cable mentions that at least thirty Iranian front companies had been established for procurement. Also per author interview with David Albright in January 2012.
35 Albright, Peddling Peril, 200–1.
36 The UN Security Council applied economic sanctions against Iran in December 2006, and in March 2007 it voted unanimously to freeze the financial assets of twenty-eight Iranians linked to its nuclear and military programs.
37 Just when matters with Iran were at their most tense, North Korea tested a nuclear device. The deteriorating nuclear situation on multiple fronts prompted the Bulletin of Atomic Scientists on January 17, 2007, to move the minute hand of its famous Doomsday Clock two minutes closer to midnight. Instead of seven minutes to Doomsday, it was now set to five.
38 Due to export controls and other difficulties producing the rotors from maraging steel, as the centrifuge design required, Iran had abandoned production of the IR-2s in 2002. But Iranian scientists modified the design to substitute a carbon fiber rotor instead and sometime after 2004 resumed production.
39 Collins and Frantz, Fallout, 259.
40 “Prime Minister Ehud Olmert’s Address at the 2007 Herzliya Conference,” January 24, 2007. A translation is available at pmo.gov.il/English/MediaCenter/Speeches/Pages/speechher240107.aspx.
41 “McConnell Fears Iran Nukes by 2015,” Washington Times, February 27, 2007.
42 The New York Times wrote, “Rarely, if ever, has a single intelligence report so completely, so suddenly, and so surprisingly altered a foreign policy debate.” It noted that the report “will certainly weaken international support for tougher sanctions against Iran,… and it will raise questions, again, about the integrity of America’s beleaguered intelligence agencies.” Steven Lee Myers, “An Assessment Jars a Foreign Policy Debate About Iran,” New York Times, December 4, 2007.
43 Germany’s deputy national security adviser Rolf Nikel told US officials in early 2008 that the NIE report complicated efforts to convince the German public and German companies that sanctions against Iran had merit. US State Department cable, February 2008, published by WikiLeaks at wikileaks.org/cable/2008/02/08BERLIN180.html. See also wikileaks.org/cable/2007/12/07BERLIN2157.html. With regard to the Israeli comments, according to a US State Department cable published by WikiLeaks in May 2009, IDF intelligence chief Maj. Gen. Amos Yadlin made the comments to Congressman Robert Wexler. See wikileaks.cabledrum.net/cable/2009/05/09TELAVIV. The NIE had other repercussions. A German-Iranian trader named Mohsen Vanaki was on trial in Germany for smuggling dual-use equipment to Iran. He was charged in June 2008 under the War Weapons Control and Foreign Trade Acts. But he asserted in his defense that he couldn’t have been supplying equipment for a nuclear weapons program in Iran because the NIE had said Iran had no such program. All charges against him were dismissed, in large part because of the 2007 NIE report. Prosecutors appealed, however, and in 2009 the dismissal of charges was overturned and he was later convicted, in large part based on BND intelligence about suspicious procurements made by entities associated with Iran’s military.
44 International Institute for Strategic Studies, Iran’s Strategic Weapons Programmes: A Net Assessment (London: Routle
dge, 2005), 33.
CHAPTER 6
DIGGING FOR ZERO DAYS
It was a Friday evening in late August, and Liam O’Murchu was celebrating his thirty-third birthday at a swanky rooftop lounge in Venice, California. He’d rented out a section of the open-air, U-shaped bar on top of the Hotel Erwin overlooking the Pacific Ocean, and was tipping back beer and cocktails with his girlfriend, his sister and brother-in-law visiting from Ireland, and a dozen good friends. This being Southern California, a reality-TV crew was filming a couple sitting nearby, going through the awkward motions of a “private” date.
O’Murchu’s group had already been at the bar for three hours when Eric Chien showed up around nine p.m. His mind wasn’t on partying, though. He was itching to show his friend and colleague an e-mail that had popped up on a security list earlier that day. But he was reluctant to bring it up because he knew once O’Murchu saw it, he wouldn’t be able to put it out of his mind. “I’ll show you this one thing,” Chien told O’Murchu. “But then we’re not going to talk about it the rest of the night, OK?” O’Murchu agreed.
Chien pulled out his BlackBerry and brought up the e-mail—a note from a researcher at another antivirus firm hinting that there might be additional zero-day exploits hidden in Stuxnet. O’Murchu looked at Chien. They’d been working on Stuxnet for weeks trying to reverse-engineer its components and had seen a few clues that suggested there might be another zero-day embedded in it, but they hadn’t had time to pursue them. The clues were in the missile portion of the code responsible for spreading Stuxnet, but they had been focused on the payload, the part of the code that affected the Siemens software and PLCs.
The e-mail was vague on details, and it wasn’t clear from the message whether the other researcher had actually found more zero-days in Stuxnet or had simply seen the same clues they had seen. Either way, O’Murchu’s competitive spirit was sparked. “That’s it,” he told Chien. “I’m not drinking any more tonight.” The next morning, a Saturday, O’Murchu was back in the office digging through Stuxnet.
The office was deserted, so O’Murchu was left to work without distraction. The Symantec team had already mapped out most of Stuxnet’s missile portion before moving to the payload, so now it was just a matter of combing through the code carefully for signs of an exploit. This wasn’t as simple as it sounded. Zero-day exploits weren’t the sort of thing you found just by opening a malicious file and peering at the code. You had to track each reference the code made to the operating system or to other software applications on the machine to spot any suspicious ways it interacted with them. Was it forcing an application to do something it shouldn’t? Jumping security barriers or bypassing system privileges? The missile portion, when reverse-engineered, consisted of thousands of lines of code, each of which had to be examined for suspicious behavior.
Stuxnet’s structure wasn’t linear, so trying to track what it was doing was doubly difficult. The commands skipped and jumped around, and O’Murchu had to follow their movement at every step.
After about an hour, however, he was pretty sure he’d nailed a second exploit. He searched the archive for any sign that the vulnerability it attacked had been exploited before, but found none. Then he tested the exploit on a machine with the latest Windows software installed, to be certain he wasn’t making a mistake. Sure enough, Stuxnet was using a zero-day vulnerability in a Windows keyboard file to gain escalated privileges on the machine.
Zero-day vulnerabilities were valuable commodities and to use two of them at once in a single attack, and risk having them both discovered, seemed an odd waste of resources, O’Murchu thought. But he didn’t stop to ponder it. He simply documented his findings and turned back to the code.
Hours later, he thought he spotted yet another exploit—signs that Stuxnet was using a vulnerability in the Windows print-spooler function to spread between machines that shared a printer. Once again, he tested it on a machine and searched the archive for any evidence that it had been exploited before, but found none. The feeling that had made his hair stand on end weeks earlier was beginning to return. He documented his findings and turned back to the code to continue foraging.
By midafternoon, when Chien came into the office to check on him, O’Murchu was bleary-eyed and needed a break. He handed his findings off to Chien, who continued working on the code until evening. They worked on it some more on Sunday and by the end of the weekend, they’d uncovered an astonishing three zero-day exploits. These, plus the .LNK exploit already discovered, made four zero-day exploits in a single attack.1
This was crazy, they thought. One zero day was bad enough. Two was overkill. But four? Who did that? And why? You were just burning through valuable zero days at that point. A top-notch zero-day bug and exploit could sell for $50,000 or more on the criminal black market, even twice that amount on the closed-door gray market that sold zero-day exploits to government cyber armies and spies. Either the attackers had an unlimited supply of zero days at their disposal and didn’t care if they lost a handful or more, or they were really desperate and had a really good reason to topload their malware with spreading power to make certain it reached its target. Chien and O’Murchu suspected that both might be true.
Chien contacted Microsoft to report the new zero-day exploits they’d found, but discovered that Kaspersky Lab in Russia had already beat them to it. Right after news of Stuxnet had broken, Kaspersky assembled a team of ten analysts to examine the missile portion of the code and within days they had found a second zero-day exploit, followed a week later by the third and fourth. At the time, they had reported the vulnerabilities to Microsoft, which was now working on patches to fix them, but couldn’t go public with the news, under the rules of responsible disclosure, until Microsoft patched the software holes.2
The four zero-day exploits in Stuxnet were remarkable, but this wasn’t the end of the story. During Chien and O’Murchu’s weekend marathon with the code, they also discovered four additional ways that Stuxnet spread, without the use of zero-day vulnerabilities, for a total of eight different propagation methods. The attack code had a virtual Swiss Army knife of tools to pry its way into a system and propagate.
The most important of these involved infecting the Step 7 project files that programmers used to program PLCs, and hijacking a username (winccconnect) and password (2WSXcder) that Siemens had hard-coded into its Step 7 software.3 The Step 7 system used the name and password to gain automatic access to a backend database where they injected code to infect the machine on which the database was stored. The database is a shared system that all the programmers working on a Step 7 project can use. Stuxnet would then infect the machine of any programmer who accessed the database. Both of these infection methods increased the likelihood that Stuxnet would reach a PLC the next time the programmer connected his laptop or a USB flash drive to one to program it. The attackers used a vulnerability in an obscure feature of the Step 7 system to infect the Step 7 project files, indicating they had deep knowledge of the system that few others possessed—another sign of the extensive skill that went into the attack.4
In addition to these spreading mechanisms, Stuxnet had a peer-to-peer component that let it update old versions of itself when new ones were released. This let them update Stuxnet remotely on machines that weren’t directly connected to the internet but were connected to other machines on a local network. To spread an update, Stuxnet installed a file-sharing server and client on each infected machine, and machines that were on the same local network could then contact one another to compare notes about the version of Stuxnet they carried; if one machine had a newer version, it would update the others. To update all the machines on a local network, the attackers would have only had to introduce an update to one of them, and the others would grab it.
It was clear from all the methods Stuxnet used to propagate that the attackers were ruthlessly intent on getting their malware to spread. Yet unlike most malware that used e-mail or malicious websites to spread to thousa
nds of machines at a time, none of Stuxnet’s exploits leveraged the internet.5 Instead, they relied on someone carrying the infection from one machine to another via a USB flash drive or, once on a machine, via local network connections. Based on this, it appeared the attackers were targeting systems they knew were not connected to the internet and, given the unprecedented number of zero-day exploits they used to do it, they must have been aiming for a high-value, high-security target.
But this roundabout way of reaching their goal was a messy and imprecise method of attack. It was a bit like infecting one of Osama bin Laden’s wives with a deadly virus in the hope that she would have passed it on to the former al-Qaeda leader. The virus was bound to infect others along the way and thereby increase the likelihood of exposing the plot. And, in the end, this is exactly what occurred with Stuxnet. It spread to so many collateral machines that it was only a matter of time before something went wrong and it was caught.
As Chien reviewed the long list of methods and exploits the attackers had used, he realized the collection was far from arbitrary. Each accomplished a different task and overcame different obstacles the attackers needed to achieve their goal. It was as if someone had drafted a shopping list of exploits needed for the attack—something to escalate privileges, something to spread inside a victim’s network, something to get the payload to a PLC—then gave someone the task of buying or building them. It was another indication of how much planning and organization had gone into the attack.
Of all the methods and exploits the hackers used, however, the most crucial to the attack were the .LNK exploit and the infection of the Step 7 project files, because these were the ones that were most likely to get Stuxnet to its final target—the Siemens PLCs. PLC programmers often crafted their commands on workstations that were connected to the internet but not connected to the production network or to PLCs on a plant floor. To transfer commands to a PLC, someone had to transfer them via a laptop connected directly to a PLC with a cable or to carry them on a USB flash drive to a programming machine, called a Field PG—a Windows laptop used in industrial-control settings. The Field PG is not connected to the internet but is connected to the production network and the PLCs. By infecting Step 7 project files and investing Stuxnet with the power to jump the air gap as a USB stowaway, the attackers had essentially turned every engineer into a potential carrier for their weapon.
