Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Page 22
At least one person didn’t think so, however. Frank Rieger, chief technology officer for a German security firm called GSMK, read Langner’s speculation about Bushehr and agreed that Stuxnet was likely built for sabotaging Iran’s nuclear program. But he suspected Natanz, several hundred miles north of Bushehr, was the more likely target.9 The Natanz plant, unlike Bushehr, was already operational and had been since 2007. Also unlike Bushehr, it was actually filled with thousands of rapidly spinning centrifuges, making it a rich target for anyone wanting to cripple Iran’s nuclear program with a digital attack. Rieger detailed his thoughts in a blog post and in an article for a German newspaper.10 In both, he referenced an earlier Reuters piece, published right around the time Stuxnet was unleashed in 2009, describing a “decade-old cyberwarfare project” launched by Israel against Iran’s nuclear program. The article quoted a US source speculating that “malicious software” could be used to commandeer or crash controls at an enrichment plant.11
But there was another reason to suspect that Natanz was Stuxnet’s target. On July 16, 2009, three weeks after the 2009 version of Stuxnet was released, WikiLeaks founder Julian Assange posted a cryptic note to his website about a possible accident at Natanz. An anonymous source claiming to be associated with Iran’s nuclear program had told Assange that a “serious” nuclear accident had recently occurred at the plant.12 WikiLeaks usually published only documents on its site, not tips from anonymous sources, but Assange broke protocol, he said, because he had reason to believe the source was credible. He linked to a BBC story published that day, which announced the resignation of Gholam Reza Aghazadeh, the head of Iran’s Atomic Energy Organization, who had relinquished his position twenty days earlier for unknown reasons.13 The time frame seemed to align with when the 2009 version of Stuxnet was released.
Whether or not Aghazadeh’s resignation was related to an accident at Natanz, Rieger’s “Natanz theory” got attention and at last catapulted Stuxnet into the limelight. The mainstream US media, which had largely ignored Stuxnet until this point, picked up on his speculations and began reporting on the story themselves. For nearly a decade, Natanz had been the focus of mounting political tension over repeated efforts to halt the enrichment program there. Now it seemed a sophisticated digital weapon, the likes of which had never been seen before, had been part of those plans. Suddenly the story of Stuxnet was sexy and full of intrigue. Where previously it was just a dry technical tale of interest only to the technology press, now it had the aura of mystery and underworld spy games, all played out against the backdrop of a high-stakes nuclear showdown.
Shortly after Langner published his first post about Stuxnet, he contacted Joe Weiss in the United States to discuss what he and his team had found. Langner and Weiss shared the same confrontational style that didn’t always endear them to peers in the control-system community. They’d both been on the same side of the battle for years, trying to convince ICS owners that their systems were vulnerable to attack. People in the community tended to sigh at the mention of either man’s name, but no one doubted their commitment. Langner was scheduled to speak at Weiss’s upcoming ICS conference in Maryland on another topic and asked if he could talk about Stuxnet instead. “I don’t know whether to tell you yes or hell yes,” Weiss replied.
Langner was on a flight to the conference the next week. Advance buzz about his talk guaranteed that the conference room would be full. Langner had teased on his blog that he would reveal full details of his team’s research at the gathering, so the audience was primed and eager for what he had to say, especially after two presentations about Stuxnet given by Siemens and someone from DHS, respectively, turned out to be devoid of any substance.
Weiss had allotted forty-five minutes for Langner’s talk, but it took up an hour and a half instead. No one complained, though. More than 100 attendees from the water, chemical, and electric industries hung on Langner’s words. “All of us were sitting with our mouths open while he was talking,” Weiss recalls.14 Langner was among that rare breed of tech guys—a skilled and charismatic orator who was adept at delivering dry technical details with humor and flair. But what he said that day was more than entertaining, it shocked everyone in the room. Slowly, it dawned on the owners of industrial control systems that if another more widely targeted attack were unleashed on PLCs tomorrow, the control-system community would have no way to stop or even detect it. There were ways to tell if a Windows desktop PC or laptop was compromised, but with the stealth techniques that Stuxnet used, there would be no way to tell if a PLC was infected. There was no such thing as antivirus software for PLCs and no easy way to know if a controller had rogue code installed if it used the same kind of subterfuge that Stuxnet had used. The only way to detect an attack was at the Windows stage before it reached the PLC. But Stuxnet had shown the folly of even that defense, since no antivirus scanner had caught it before it reached the PLCs. Operators would never be able to detect a warhead until it was too late.
Langner suspected it would take just six months for the first copycat attacks to appear. They wouldn’t be exact replicas of Stuxnet, or as sophisticated in design, he told attendees, but then they wouldn’t need to be. It wasn’t just high-value targets like Natanz that were at risk of attack; Stuxnet had put every vulnerable facility potentially in the crosshairs. And while Stuxnet’s authors had skillfully designed their attack to avoid collateral damage on machines that weren’t its target, subsequent attacks might not be as carefully crafted or controlled. A criminal group bent on extorting a power plant by seizing control of its PLCs wouldn’t care if their malicious code damaged the plant or spread to other control systems as well.
Following the conference, Langner spent the weekend in Washington, DC, to meet with Melissa Hathaway, the former national cybersecurity coordinator for the White House, to brief her on what his team had found. Hathaway immediately understood the potential for blowback against US critical infrastructure as well as the problem of digital weapons proliferation the world would now face—a problem, she later told the New York Times, no country was prepared to deal with. “We have about 90 days to fix this,” she told the paper, “before some [copycat] hacker begins using it.”15
That weekend while Langner was still in DC, Iranian officials revealed for the first time that computers at Bushehr had indeed been hit by Stuxnet. They made no mention of Natanz, however, and the details about the attack on Bushehr made it doubtful that Stuxnet’s payload had even deployed there. Mahmoud Jafari, a project manager for the plant, told reporters that only the personal computers of some of the plant’s workers got hit by the attack, not the plant’s production systems. “All computer programs in the plant are working normally and have not crashed due to Stuxnet,” he said.16 Reza Taghipour, an official with the Ministry of Communications and Information Technology, also insisted that damage from the worm was minor and that the malware had been “more or less” contained.17 The reports of limited damage weren’t surprising, given Stuxnet’s selectiveness in unleashing its destructive payload. It had likely spread to Bushehr’s Windows machines, then simply shut itself down after failing to find the PLCs it was seeking.18
Amidst the comments from Iran, however, there was one odd detail that stood out. Mahmoud Jafari said in one of his interviews that five versions of Stuxnet had been found in Iran.19 Symantec and other antivirus researchers had uncovered only three.
Although it was possible Jafari was mistaken, the revelation raised the intriguing possibility that at least two other versions of Stuxnet had been unleashed in the wild. And if two other versions of the code existed, they might contain additional clues about Stuxnet and its authors. Unfortunately, however, there was little chance that Western researchers would ever see them, since Iranian officials were unlikely to provide copies of the code to anyone outside of Iran.20
Following his presentation at Weiss’s conference and his meeting with Hathaway, Langner needed downtime to make sense of all that had occurred over the previous
weeks. That weekend he walked to the National Mall and sat for hours on the steps of the Lincoln Memorial staring at the reflecting pool while tourists around him snapped photos. He thought about the reports from ICS-CERT and Siemens and their silence about the ladder-logic injections in Stuxnet and the risks to critical infrastructure posed by copycat attacks. Then there was the mind-boggling silence from the public and Congress, who seemed to have little concern about the Pandora’s box Stuxnet had opened in legitimizing the use of cyberweapons to resolve political disputes. Neither did they seem alarmed about the digital arms race Stuxnet had launched that would be impossible to curb. It was as if, Langner thought, no one wanted to discuss these things for fear that it would raise questions about who was behind the attack.
Langner decided that if everyone else was going to be silent, then he should go public with more information about the code. So once he returned to Germany, he published additional blog posts laying out the technical details that he had previously disclosed only behind the closed doors of Weiss’s conference room. As soon as the posts were up, the blog was besieged with traffic from around the world, including, noticeably, from US government and military domains. Langner hoped that, with Stuxnet’s importance now clearly established, other security firms would pick up the baton where he and his team had left off. Despite everything they had learned so far, there was still a lot more work to be done. They had only discovered that Stuxnet was bent on sabotaging a single facility, a facility that was likely Natanz—but they still didn’t know what it was doing to the plant. That information was still buried in the code.
Over the next three weeks, he and his colleagues worked on a couple of projects from paying clients to make up for the income they had lost while analyzing Stuxnet. But when no new information came out about the code from Symantec or anyone else, Langner decided they should pick up where they had left off.
“Guys,” he said to Rosen and Timm, “I think we need to reopen the case.”
CONTRARY TO LANGNER’S belief that the US government was ignoring Stuxnet or missing important details about it, there were elements of the government that were paying attention—albeit behind a veil of secrecy. In fact, a group of DHS analysts had completed most of their own examination of Stuxnet within a couple of days after it was exposed in July and knew even before Symantec and Langner did that Stuxnet was sabotaging PLCs.
Stuxnet first made its way to the watch floor of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, or NCCIC, in Arlington, Virginia, on the morning of July 15, 2010, at the same time that security researchers around the globe were getting their first look at the code. The files came in from CERT-Bund, after Siemens had contacted the Computer Emergency Response Team, to report a malicious attack that was targeting its PLCs.
NCCIC, or N-Kick as it’s commonly pronounced, was just nine months old and was part of the government’s new mission control for monitoring and coordinating responses to cyber threats against critical infrastructure and civilian government systems. When the files arrived, Sean McGurk, director of the center, was ironically in the midst of planning for the government’s upcoming Cyber Storm III exercise, a biennial three-day drill that would simulate digital attacks against US critical infrastructure. It was to be the twenty-four-hour watch center’s first real test of its coordinating abilities since the facility had opened. But the real threat of Stuxnet quickly took priority over plans for the faux attack.
The windowless watch floor was an alphabet soup of three-letter agencies, with intelligence analysts from the CIA and NSA sitting next to law enforcement agents from the FBI and Secret Service and computer security experts from US-CERT and ICS-CERT. Liaisons from all the top telecoms and other critical-infrastructure industries were there as well.
McGurk sent a copy of Stuxnet to ICS-CERT’s lab in Idaho Falls, where analysts determined that the attack code unleashed its payload only on specific models of Siemens PLCs. Two years earlier, the lab’s test-bed program had conducted a vulnerability assessment of the same Step 7 software that Stuxnet was attacking, but the PLC they had used for the tests had been returned to Siemens. Now they had to request that Siemens send another one before they could watch Stuxnet deliver its payload. It took about three weeks for the PLC to arrive, and when it did, a group of Siemens engineers accompanied it.
In the meantime, the researchers in Idaho reverse-engineered the payload code while analysts on the watch floor back in Virginia pored over the missile portion, documenting each of its functions in an extensive flow chart. Within two days, McGurk says, they had catalogued some 4,000 functions in the code—more than most commercial software packages contained—and had also uncovered the four zero-day exploits that Symantec and Kaspersky would later find.
ICS-CERT released an advisory on July 20 announcing to control-system owners that malware targeting the Siemens Step 7 system had been found. But the advisory provided very few details about its operation, saying only that the “full capabilities of the malware and intent … are not yet known.” A subsequent advisory provided a few more details about the zero-day exploits Stuxnet used, plus information about how to detect and remove the malicious code, but said little about what the attack was designed to do and made no mention at all of sabotage.21 McGurk says it was the government’s job to help critical-infrastructure owners detect and remove Stuxnet, not to provide extensive analysis of the malware.22
A few days after the group’s analysis was complete, McGurk had a conference call with several government agencies and private-industry representatives to review what they had found. In most discussions about malware and vulnerabilities, there were always a few critics in the group who downplayed the vulnerability’s importance or claimed that a piece of malicious code was nothing new. Sometimes other federal agencies were the naysayers; sometimes it was the owners and operators of critical infrastructure or the vendor that made the control system that was being discussed. But as McGurk laid out the details of Stuxnet there was only silence on the phone. “Everyone had that ‘oh shit’ moment all at the same time,” he says.23
Oddly, the source of Stuxnet never came up, either during the call or on the NCCIC watch floor. McGurk says that when the code first arrived, intelligence analysts from various agencies on the floor searched their classified data sources for any information or reports related to the worm, but came up with nothing. He also says no one on the watch floor wondered out loud if the worm had been spawned by the United States. An outsider might question why no one on the watch floor turned to the CIA or NSA analysts sitting in the room to ask with a wink, “Is this one of yours?” But McGurk insists this never occurred to them because attribution wasn’t the watch floor’s concern. Their mission was to uncover an attack code’s capabilities and determine the best way for US networks to defend against it.
“At first when you look at [malware]… your assumption is that it’s not friendly fire. You don’t think the sniper on the roof is one of your guys shooting at you,” he says. “It could turn out to be … But in the heat of it, at the very beginning, you’re not overly concerned, nor do you naturally default to [that.]”
But very quickly, Stuxnet became “an item of high interest” in Washington. Over the next few weeks and months, McGurk gave briefings to a number of high-level groups—to DHS secretary Janet Napolitano, to John Brennan and other members of the White House National Security staff, to the Senate and House intelligence committees, the DoD, and the Defense Intelligence Agency. He even went to Fort Meade to brief Gen. Keith Alexander, director of US Cyber Command and the NSA—the very entities that many in the security community suspected were behind the attack.
At Fort Meade, a dozen senior military, government, and intelligence leaders sat listening to McGurk as he described what his team had found, but the question of whether the United States was behind the attack never came up. They asked McGurk if Stuxnet was directed against US control systems and how many US systems
were vulnerable to the malicious code.24 They were also curious to know if McGurk’s team could tell who the intended target was. And finally they asked if there was anything in the code that gave away its source. McGurk told them no, there were no clues revealing who was behind the attack. There weren’t even any familiar “footprints” in the code that matched the modus operandi of known hacker groups or nation-state spies.
McGurk maintains that never, either in classified briefings or in open testimony with lawmakers, did anyone ask him the question that was on everyone else’s mind. “I don’t think, even jokingly, did someone say in a formal briefing, ‘Hey did we do this?’ Because that’s just not the way those interactions occur. I’m sure there was speculation elsewhere, but it wasn’t done at our level.”
McGurk says he also never got the impression from anyone he briefed that Stuxnet was a homemade job. “When I was in a room, regardless of who the audience was, whether it was senior intelligence folks—and I mean senior intelligence folks—I never got the impression that this was all smoke-and-mirrors for them,” he says. “The same thing inside the Department of Homeland Security, when I was briefing up to the secretariat level. Never did I get the impression that, you know, they already knew this … and they were just hoping that I would go away.”
Nor did anyone suggest to McGurk that he should pull his team off of Stuxnet either. “No one said hey, cease and desist, leave it alone, don’t go there,” he says. “We were actually getting a lot of cooperation from all of those organizations … assisting with the analysis and assisting with the understanding of what type of threat this actually posed.”
But even if officials in Washington weren’t openly asking the obvious question, there was little doubt among experts and observers that the United States was behind the attack—either alone or with Israel—and it seemed only a matter of time before the details behind the attack got out.