by Kim Zetter
Although the three of them seemed in many ways mismatched, there was probably no better team suited to the task of examining Stuxnet. Timm had worked for Langner as a control-system expert for at least a decade, and Rosen for three years longer than that. During that time, they’d amassed extensive knowledge about industrial control systems in general, and Siemens controllers in particular. Siemens, in fact, was a longtime customer. The company bought software products from Langner’s firm, and he and his engineers sometimes trained Siemens employees on their own systems. There were probably only a handful of Siemens employees who knew the Siemens systems better than they did.
Langner’s path to ICS security had been a circuitous one, however. He was a certified psychologist by training, something seemingly far removed from the world of control systems. But it was his psychology background that actually led to his present career. In the 1970s, while studying psychology and artificial intelligence at the Free University of Berlin, he began writing software to do statistical analysis of data collected from experiments. He also wrote a program that modeled human decision-making patterns to arrive at psychiatric diagnoses.
But it was a driver program he wrote to connect his home computer to the university’s mainframe that ended up launching his ICS career. In college, Langner owned an early-generation PC that lacked the computational power needed to conduct statistical analysis. Whenever he wanted to crunch data collected from one of his experiments, he had to travel to the campus and plug his computer into the college mainframes. Langner hated the commute to campus, so he studied the protocols needed to communicate with the servers remotely and wrote a driver program that let him dial in via modem from home.
It wasn’t much of a stretch when, after graduating college, he launched a software-consulting firm, using his driver program as the basis for the business. It was considered a breakthrough product at the time, and it wasn’t long before control-system engineers began seeking it out to communicate with their sensors and controllers in the field. The methods they had been using at the time often dropped data during transmission, and Langner’s driver proved to be very reliable.
In 1997, Rosen joined the firm to design custom systems for clients who wanted to connect desktop computers to their Siemens PLCs. As he and Langner studied the Siemens protocols and PLCs to make the connections work, they were surprised to find a host of security problems with the systems—the same flaws other researchers would find more than a decade later. They were also surprised to learn that owners and operators of industrial control systems were completely oblivious to these gaps in security and had therefore done nothing to protect their systems from attack. Instead of layered or segmented networks where critical systems were gated off from everyday business computers, they had flat network architectures that provided access to PLCs from any machine on the network. They also had systems that were directly connected to the internet, with no firewalls or passwords in place to keep intruders out, or they used default and hardcoded passwords that never got changed.
Langner and his team launched a consulting business to help clients rebuild their networks more securely. But the concept of control-system security turned out to be a hard sell. For years, the ICS community had been largely immune to the deluge of malware and hacker attacks that had pummeled the general IT community, and as a result, most in the community didn’t think they were at risk. Langner warned customers that eventually they would pay for their complacency and often demonstrated for them how an attacker with little skill could knock their operations offline. But few did anything to address the problem. “Nobody wanted to listen,” Langner says, “except for some very few companies who invested in control-system security.”
Now, a decade later, Stuxnet was the bellwether Langner had warned about. But even he was surprised by the strength and furor of the attack when it finally arrived. He had imagined a number of scenarios over the years for how hackers would attack PLCs once the security vulnerabilities in them became publicly known; but none of them involved rogue ladder logic injected into the PLC. Computer attacks typically evolved over time and developed incrementally. Hackers first pulled off simple attacks that required the least amount of effort and skill to succeed, and security firms and software makers responded with fixes to stop them. The attackers then found alternative paths into systems, until the defenders defeated these as well. Each round of attack got progressively more sophisticated, as defenses to defeat them did too. Similarly, in the case of control systems, Langner had expected hackers would start out with simple denial-of-service attacks—sending a stop command to a PLC to halt whatever process it controlled—then escalate to logic bombs and other simple techniques to alter settings. But Stuxnet bypassed the rudimentary stages of development and jumped straight into one of the most sophisticated attacks someone could devise against a PLC.
Of everything that Langner saw in the code, it was the man-in-the-middle attack against the safety system and operator monitoring stations that really blew his mind. The way Stuxnet smoothly disabled the former and deviously recorded the normal operations of the PLC to play them back to operators during the attack was astounding to him—the digital equivalent of a six-ton circus elephant performing a one-legged handstand. It was a level of grace and finesse he’d never seen or even considered possible.
It was also the most aggressive scenario he could imagine, because once an attacker disabled the logic responsible for feeding important data to a safety system, it was only a matter of time before someone got seriously injured or killed. Disable the safety system and sensors at a chemical plant or gas refinery, and you could release poisonous gas or flammable liquids without anyone knowing until it was too late. Stuxnet’s authors might not have intended to injure or kill anyone with their attack, but copycat hackers who learned from Stuxnet’s techniques might not be so careful.
Langner estimated there were maybe a few dozen people in the world who had the level of Siemens control-system knowledge needed to design this kind of attack, and three of them were sitting in his office. But even they could not have pulled it off with the sophistication the attackers did.
THREE WEEKS INTO their examination of Stuxnet, Langner walked into the conference room where he and his colleagues had been gathering each morning to discuss their progress on the code. Rosen and Timm looked him over, amused. Ordinarily he was crisply dressed and alert. But today he looked scruffy and haggard after a sleepless night bent over a computer doing research online. He’d been following one trail after another, chasing lead after lead down a rabbit hole trying to figure out what Stuxnet was attacking until finally he grasped hold of a tail and pulled. When he retrieved his hand he was surprised at what he’d found. “I know what this is about,” he blurted to his colleagues. “This is about taking down Iran’s nuclear program. This is about taking out Bushehr.”
Bushehr, as noted previously, was the nuclear power plant in southwest Iran that had been under construction on and off for several decades. It had gone through many delays and cancellations over the years and had finally been scheduled to begin operation that month. But shortly before it was about to launch, officials announced another delay. Since the delay coincided with the discovery of Stuxnet, it seemed logical to Langner that a cyberattack might be at play.6
Rosen and Timm stared at him in disbelief. No one was dumb enough to take out a nuclear power plant, Rosen thought. Wouldn’t they risk releasing radioactive material? And why use an unreliable worm to do the job when they could more reliably damage it with a bomb? But as Langner connected the dots, his crazy theory actually began to make sense to them.
For nearly a month now, since they had first observed the malicious code Stuxnet injected into their PLC, Langner and his team had been searching Stuxnet’s blocks of code for clues about the facilities they might be attacking. The configuration of the systems Stuxnet targeted could reveal as much if not more about the code’s intentions than the code itself. If they could learn what kinds of devices the PLCs controlled, and whether they were configured in any distinct ways, they could narrow the range of possible targets.
They labored for several weeks to decipher the blocks, working out of the small office suite they occupied on the upper floor of a two-story building. The quiet, residential street where they worked was dense with trees and was a sharp contrast to Symantec’s modern glass complex. Instead of multiple stories lined with cubicles, they had one open room where Timm and Rosen worked, a meeting room for clients, and office space for Langner and his assistant.
Each morning they gathered to review the progress they had made, then worked on the code the rest of the day, hashing out theories during lunch in the conference room and over dinner at nearby restaurants. In between, they responded to customer-support calls. But when clients called to offer them new work, Langner turned them all down, so intent were they on cracking Stuxnet. It’s not as though they could afford to reject the paid work. They didn’t have anything near the corporate resources Symantec had, and no outside client was bankrolling their research. Instead, Langner had to pay for their time and labor out of the company’s profits. But none of them were complaining. They all knew that Stuxnet was the job of a lifetime. “We understood this is the biggest story in malware ever,” Langner recalls. “It was absolutely fantastic work. It was the best work that I have ever done and I’m sure I can’t do any better.”
After weeks of painstaking analysis, they reached a startling conclusion. Stuxnet wasn’t just attacking two specific models of Siemens PLCs, it was attacking a specific facility where the PLCs were used. Stuxnet was a military-grade precision weapon aimed at a single target. It wasn’t searching for just any S7-315 and S7-417 PLC it could find: the PLCs had to be configured in a very precise way. Embedded in the attack code was a detailed dossier describing the precise technical configuration of the PLCs it sought. Every plant that used industrial control systems had custom configurations to varying degrees; even companies within the same industry used configurations that were specific to their needs. But the configuration Stuxnet was looking for was so precise that it was likely to be found in only a single facility in Iran or, if more than one, then facilities configured exactly the same, to control an identical process. Any system that didn’t have this exact configuration would remain unharmed; Stuxnet would simply shut itself down and move on to the next system in search of its target.
The idea that someone had put so much money and effort into a weapon attacking a single target left Langner dumbfounded. It could mean only one thing—the target had to be extraordinarily important. Now they just had to figure out what it was.
Most of the steps involved in analyzing code are systematic and highly technical—isolate the components, decrypt the code, reverse-engineer it. But mapping digital code to a real-world environment is more art than science. The three of them tossed around a number of hypotheses about what they thought the target might be, then sifted through the code for evidence to support them. Meanwhile, Langner reached out to colleagues in various industries to quiz them about the configuration of their PLCs to see if he could find a match. But after a number of days, they still had little success isolating Stuxnet’s target. Finally Langner decided to step back from the technical details and approach the problem from a different angle, searching news articles and other sources for clues. After several late nights spent surfing the web he finally arrived at his theory of Bushehr.
Langner’s suspicions about the plant were first roused when he recalled a photo he had seen online the previous year, purportedly taken during a press tour at Bushehr. The image showed a computer screen with a pop-up message indicating that a license for the Siemens WinCC software on the machine had expired. It seemed proof to Langner that Siemens software was being used at the plant.7 Contacts in the control-system community confirmed for Langner that Siemens S7-417 PLCs were installed at Bushehr. Further research revealed that the Russian firm responsible for installing equipment at the plant also used Siemens PLCs in other facilities it equipped—including a plant in Bulgaria supposedly modeled after Bushehr. The Bulgarian plant had a steam turbine operated by Siemens controllers, Langner learned, which reminded him of the Aurora Generator Test conducted by the Idaho National Lab three years earlier. That test had provided proof that malicious code could destroy a turbine.
As the three of them sat in the conference room with Langner making his case, Rosen and Timm found themselves nodding reluctantly in agreement with his theory. They knew there were very few targets in the world that justified the amount of work that had gone into Stuxnet. But if Langner was right and Bushehr was the target, and physical sabotage was its goal, then Stuxnet was essentially an act of war.
And if Stuxnet was an act of war, then what kind of response would its discovery elicit from Iran once news of this got out? Whoever had launched Stuxnet might have done so to avert an all-out war with Iran—but its exposure now could very well lead to one.
After speaking with Rosen and Timm, Langner was certain he was on the right track, but just to be sure that Iran’s nuclear program was indeed the target, he called up a client who had extensive knowledge of nuclear plants. The client worked for Enrichment Technology Company, a top European maker of uranium enrichment equipment, formerly known as Urenco—the company whose early generation centrifuge designs Pakistan’s A. Q. Khan had stolen and sold to Iran. If it wasn’t a turbine that Stuxnet was targeting, Langner thought, perhaps it was the centrifuges being used to enrich uranium for Bushehr. (Langner believed, mistakenly, that centrifuges for enriching uranium were housed at Bushehr.)
“I have one question for you,” Langner said to his friend over the phone. “Is it possible to destroy a centrifuge just by manipulating the controller code?”
There was a pause on the other end before his friend replied.
“I can’t tell you that, Ralph. It’s classified information,” he said. But then he added, “You know, centrifuges for uranium enrichment are not just used by us in Germany and the Netherlands. They’re also used in other countries.”
“Yes, I know,” Langner replied. “For example, in Iran. That’s exactly why I’ve called you. Because we’re analyzing Stuxnet.”
“I’m sorry,” the man responded firmly. “I can’t tell you anything about centrifuges; it’s all classified.”
That was enough for Langner. He told Rosen and Timm that they had to go public with the news immediately. If Bushehr was the target, then someone should be able to confirm it once they did. Stuxnet and its target were like a key and lock. There was just one lock in the world that the key would open, and once they published details about the key’s design, anyone with a lock should be able to see if their facility matched.
On September 13, 2010, nearly a month after Symantec’s revelation that Stuxnet was sabotaging PLCs, Langner published a brief blog post under the title “Hack of the Century.” In it, he asserted that Stuxnet was a directed attack “against a specific control-system installation,” and left it at that. But three days later he followed up with additional information. “With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge,” he wrote. “Here is what everybody needs to know right now.”8
What followed was a technical roadmap detailing the precise steps Stuxnet took to intercept and inject its commands into the Siemens PLC to sabotage it. “This is not some hacker sitting in the basement of his parents’ house,” Langner wrote. These were sophisticated nation-state actors with very specific knowledge of the system they were attacking. He described in broad terms how the malware injected its rogue code into the PLC to hijack some unknown critical process, then laid out his thoughts about Bushehr, carefully labeling them as speculation. There were still a lot of unknowns, but the forensic evidence in the code, he asserted, would ultimately point them not only to the exact system Stuxnet attacked but also possibly to the attackers themselves.
With these few words, the jig was finally up for Stuxnet’s creators. A cyberweapon that had taken years and perhaps millions of dollars to plan and develop had been completely exposed and undone in a matter of weeks by an obscure antivirus firm in Belarus, a handful of researchers in California who knew nothing about centrifuges and PLCs, and a brash-talking German and his band of engineers.
But now that Stuxnet’s secret was out, Langner began to have the same concerns that Chien had had about how the attackers might respond. Stuxnet was near useless to the attackers once its true purpose was exposed. They must have anticipated that their code would eventually be caught and that once it was they would have a narrow window of opportunity to complete their mission. Would they now, in a last-ditch effort to achieve their aim, take one final and drastic step? Langner believed they would. “We can expect that something will blow up soon,” he wrote in his post. “Something big.” He signed off with a singular warning: “Welcome to cyberwar.”
Accompanying the post was a picture of the three “Stuxnet busters” snapped in front of a whiteboard in their office, Langner dressed in a crisp, white shirt and unbuttoned suit vest, and Rosen and Timm behind him, the latter, in a cheeky nod to the covert nature of Stuxnet, sporting a pair of black shades.
Once he’d written his post Langner sent a press release to several top media outlets and waited for an explosion of headlines to hit. But to his dismay, nothing happened. Like Symantec’s disclosure before, the revelation was met with deafening silence. “Everyone must think I’m nuts,” he remembers thinking.