by Kim Zetter
Ralph Langner’s assertion that Stuxnet was a precision weapon aimed at Iran’s nuclear program must have caused a lot of consternation and panic in the halls of the White House and the Pentagon, as a plot that had been meticulously planned and executed over a number of years was slowly unraveling before their eyes.
* * *
1 All quotes from Langner come from interviews conducted with him in 2010, 2011, and 2012.
2 “Ladder logic” is a generic term to describe the structure of commands used to code a control system. The name comes from the ladderlike structure of the programming, which lays out each process in a step-by-step, sequential fashion.
3 In its initial announcement, Siemens said it had assembled a team of experts to evaluate Stuxnet and would begin alerting customers to their potential risk of infection from it. The company later said that less than two dozen of its customers were infected with Stuxnet. The company’s second announcement had to do with the hard-coded database password in the Siemens software that Stuxnet used to spread. Siemens warned customers against changing the password at the risk of disrupting critical functions in their systems. “We will be publishing customer guidance shortly, but it won’t include advice to change default settings as that could impact plant operations,” a spokesman said a week after Stuxnet was exposed. See Robert McMillan, “After Worm, Siemens Says Don’t Change Passwords,” PCWorld.com, July 19, 2010.
4 The vulnerability is partly due to the fact that the Siemens system lacked authentication, which allowed rogue ladder logic to be sent to the PLC. If the system had required the code to be digitally signed, the PLC would not have accepted it.
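The point made in note 4 (a controller that loads whatever program block an engineering station sends has no way to tell legitimate ladder logic from rogue logic, while one that checks a signature before loading does) can be modelled in a few lines. The following is an added illustration, not code from the book or from Siemens: it contrasts a controller that accepts any block with one that verifies an authentication tag first. Because the Python standard library has no asymmetric signature primitive, it uses HMAC-SHA256 under a pre-provisioned key as a stand-in for the digital signature the note describes; the "program blocks", class names and the shared key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample "program blocks" standing in for compiled ladder logic.
LEGIT_BLOCK = b"OB35: read pressure; compare to setpoint; open relief valve if high"
ROGUE_BLOCK = b"OB35: read pressure; ignore setpoint; never open relief valve"

# Constructed key shared between the authorised engineering station and the PLC.
# A real deployment would use an asymmetric key pair (private key on the station,
# public key burned into the controller); HMAC is used here only so this runs offline.
PROVISIONED_KEY = bytes(range(32))


def sign_block(key: bytes, block: bytes) -> bytes:
    """Authorised engineering station: produce the tag that accompanies a block."""
    return hmac.new(key, block, hashlib.sha256).digest()


class UnauthenticatedPLC:
    """Models the behaviour note 4 describes: any block that arrives is loaded."""

    def __init__(self) -> None:
        self.loaded = None

    def load(self, block: bytes) -> bool:
        self.loaded = block
        return True


class AuthenticatingPLC:
    """Loads a block only if its tag verifies under the provisioned key."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.loaded = None

    def load(self, block: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._key, block, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak via timing.
        if not hmac.compare_digest(expected, tag):
            return False  # rogue or modified logic is refused, nothing is loaded
        self.loaded = block
        return True


def run_scenario() -> dict:
    """Replay the same upload attempts against both controller models."""
    results = {}

    # 1. Controller without authentication: rogue logic is loaded as readily as real logic.
    plain = UnauthenticatedPLC()
    results["unauthenticated_plc_loaded_rogue"] = plain.load(ROGUE_BLOCK)

    # 2. Controller with verification: the genuine block carries a valid tag and loads.
    checked = AuthenticatingPLC(PROVISIONED_KEY)
    legit_tag = sign_block(PROVISIONED_KEY, LEGIT_BLOCK)
    results["authenticating_plc_loaded_legit"] = checked.load(LEGIT_BLOCK, legit_tag)

    # 3. Rogue logic from a station without the key: a forged tag fails verification.
    forged_tag = bytes(32)
    results["authenticating_plc_loaded_rogue"] = checked.load(ROGUE_BLOCK, forged_tag)

    # 4. Rogue logic sent with the genuine block's tag replayed: the tag no longer matches.
    results["authenticating_plc_loaded_tampered"] = checked.load(ROGUE_BLOCK, legit_tag)

    # The verifying controller still holds only the legitimate program.
    results["authenticating_plc_final_program"] = checked.loaded
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value!r}")
```

The detection side follows from the same check: every rejected upload in the verifying controller is an event worth logging and alerting on, since in a correctly provisioned plant it should never happen.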
5 See ICS-CERT Advisory ICSA-10-201-01C, “USB Malware Targeting Siemens Control Software,” August 2, 2010, with subsequent updates available at ics-cert.us-cert.gov/advisories/ICSA-10-201-01C; and ICS-CERT Advisory ICSA-10-238-01B, “Stuxnet Malware Mitigation,” September 15, 2010, available at ics-cert.us-cert.gov/advisories/ICSA-10-238-01B.
6 A couple of weeks later, Iranian officials denied that Stuxnet was the cause and instead attributed the delay to a leak in a pool near the reactor.
7 The screenshot, taken by a UPI photographer, includes a caption identifying it as a computer screen at Bushehr and says the image was snapped in February 2009. Some critics have disputed the accuracy of the caption, saying the image appears to show a water-treatment facility and not Bushehr, but water-treatment facilities are generally part of nuclear plant operations, which would explain how both could be true. The image can be seen at upi.com/News_Photos/Features?The-Nuclear-Issue-in-Iran/1581/2/.
8 “Stuxnet logbook, Sept 16, 2010, 1200 hours MESZ,” available at langner.com/en/2010/09/16/stuxnet-logbook-sep-16-2010-1200-hours-mesz.
9 The article appeared in the German newspaper Frankfurter Allgemeine Zeitung on September 22, 2010. The article is in German, but he describes its content in English in the blog post published on his website, available at frank.geekheim.de/?p=1189.
10 At the time he speculated about Bushehr, Langner wasn’t aware that the nuclear reactor plant didn’t have centrifuges. Once that became clear, he continued to think that Bushehr was the target, but thought the equipment Stuxnet was attacking was a turbine or generator at the plant. It was only later when more information came out about the exact devices Stuxnet was targeting that he concluded that Natanz was in fact a match for Stuxnet, not Bushehr.
11 Dan Williams, “Wary of Naked Force, Israelis Eye Cyberwar on Iran,” July 7, 2009, available at reuters.com/article/2009/07/07/us-israel-iran-cyberwar-analysis-idUSTRES663EC20090707.
12 The WikiLeaks post can be seen at mirror.wikileaks.info/wiki/Serious_nuclear_accident_may_lay_behind_Iranian_nuke_chief%27s_mystery_resignation/.
13 The story was published at: news.bbc.co.uk/2/hi/8153775.dtm. Although it’s possible Aghazadeh’s resignation was related to something that occurred at Natanz in late June 2009, it was just as likely related to politics. In addition to being head of Iran’s Atomic Energy Organization, Aghazadeh was Iran’s vice president. He resigned both positions simultaneously, two weeks after Iran’s hotly contested presidential elections on June 12, 2009. Aghazadeh had aligned himself with President Ahmadinejad’s political challenger, Mir-Hossein Mousavi, and there was speculation that vehement protests over the legitimacy of the election results made it impossible for Aghazadeh to retain his government positions once Ahmadinejad’s victory was sanctioned. There’s also a problem of timing, which doesn’t quite align with the June 2009 version of Stuxnet. According to the BBC report, Aghazadeh resigned sometime around June 26. But the June 2009 version of Stuxnet was unleashed June 22, and once it found itself on the right PLC, it took thirteen days for the sabotage to begin. So unless an earlier version of Stuxnet or something else caused an accident at Natanz, the timing didn’t match Aghazadeh’s resignation.
14 Author interview, September 2010.
15 John Markoff, “A Silent Attack, but Not a Subtle One,” New York Times, September 26, 2010.
16 Laurent Maillard, “Iran Denies Nuclear Plant Computers Hit by Worm,” Agence France-Presse, September 26, 2010, available at iranfocus.com/en/index.php?option=com_content&view=article&id=21820.
17 David E. Sanger, “Iran Fights Malware Attacking Computers,” New York Times, September 25, 2010.
18 Six months later, a report from the Iranian Passive Defense Organization, a military organization chaired by Revolutionary Guard General Gholam-Reza Jalali, which is responsible for defending Iran’s nuclear facilities, contradicted these statements. It stated that Stuxnet had so thoroughly infected computers at Bushehr that work at the plant had to be halted indefinitely. The report claimed that if Bushehr went online, the worm would “bring the generators and electrical power grid of the country to a sudden halt.” There were plenty of reasons to doubt the report’s conclusions, however, since it contained a number of exaggerations about Stuxnet’s known capabilities—such as the claim that the worm could “destroy system hardware step-by-step”—and the fact that the configuration Stuxnet was seeking didn’t match what one would find at the nuclear power plant. All of this suggested that Iran might be using Stuxnet as an excuse to explain delays at Bushehr. But there was also the possibility that a different digital attack—a modified version of Stuxnet—might have been released separately against Bushehr. See Ken Timmerman, “Computer Worm Wreaking Havoc on Iran’s Nuclear Capabilities,” Newsmax, April 27, 2011, available at newsmax.com/KenTimmerman/iran-natanz-nuclear-stuxnet/2011/04/27/id/394327.
19 Maillard, “Iran Denies Nuclear Plant Computers Hit by Worm.”
20 There were other statements made by officials that, if true, suggested that other versions of Stuxnet existed. Mahmoud Liayi, head of the information technology council at the Ministry of Industries, told reporters that when Stuxnet got activated, “the industrial automation systems start[ed] transmitting data about production lines” to an outside destination. Gen. Gholam-Reza Jalali had stated at a press conference in 2011 that the worm was discovered communicating with systems in Israel and Texas. There, data about infected machines was processed by the worm’s architects, who then engineered plots to attack the nuclear program. (See “Iran Military Official: Israel, US Behind Stuxnet Computer Worm,” Associated Press, April 16, 2011, available at haaretz.com/news/world/iran-military-official-israel-u-s-behind-stuxnet-computer-worm-1.356287.) But the three versions of Stuxnet that were discovered communicated with command servers in Denmark and Malaysia. This doesn’t discount that another version was somehow traced to Texas or that a spy tool that preceded Stuxnet might have been traced to Texas. But although the NSA does in fact have an elite hacking team based in the Lone Star state, it seems unlikely that they would have made a mistake that allowed the worm or a spy tool to be traced to them.
21 ICS-CERT Advisory ICSA-10-201-01, “USB Malware Targeting Siemens Control Software” and ICS-CERT Advisory ICSA-10-238-01B, “Stuxnet Malware Mitigation.”
22 The ICS-CERT advisories did provide a link to Symantec’s website for additional information about the code, but didn’t specify what readers would find there.
23 All quotes from McGurk from author interview, September 2012.
24 The Siemens Step 7 system, it turned out, made up less than 10 percent of the US control-system market. Analysts at NCCIC determined this by consulting a database used by research firms that provides statistics on the market penetration of various products—including the number of industrial control systems made by specific vendors that had been sold in the United States. They determined that most of the US Step 7 systems were being used in manufacturing facilities, though there were also some Step 7 systems used in agriculture and water treatment and power plants.
CHAPTER 11
A DIGITAL PLOT IS HATCHED
The halls of the White House may have been troubled over Stuxnet in 2010 after it was discovered, but in May 2008, optimism reigned among those who knew about the covert program, as the plot behind the digital weapon was unfolding exactly as planned.
At the time, the US presidential campaign was in full swing as candidates Barack Obama and John McCain were battling it out for the lead in the polls. President Bush was just beginning the final lap of his presidency when, during a visit to Israel to mark that country’s sixtieth anniversary, he was confronted with a bold request. The Israelis wanted US support and endorsement for an air strike to take out the uranium enrichment plant at Natanz.
The Israelis had been gunning for an air strike since at least 2003, when IAEA inspectors got their first look at Natanz and found highly enriched uranium particles in environmental samples taken from the plant. Talk of an air strike died down for a while after Iranian officials agreed to suspend their enrichment activities in 2003 and 2004, but returned in 2006 when Iran withdrew from the suspension agreement and proceeded to install the first centrifuges in one of the underground halls at the plant. Now, with 3,000 centrifuges already in place and spinning, and the number expected to double soon, talk of a strike was growing louder than ever before.
Israel wasn’t the only one urging an attack. Behind closed doors, its Arab neighbors were just as adamant about halting Iran’s nuclear program, according to secret government cables released by WikiLeaks. “We are all terrified,” Egyptian President Hosni Mubarak told US diplomats at one point.1 Saudi Arabia’s King Abdullah privately urged the United States to do them all a favor where Iran and Ahmadinejad were concerned and “cut off the head of the snake.”2 A nuclear-armed Iran threatened the peace of the entire region, not just Israel, Mohammad bin Zayed, crown prince of Abu Dhabi, said. If Iran got the bomb, “all hell will break loose,” he said, warning that Egypt, Saudi Arabia, Syria, and Turkey would all seek nuclear weapons to maintain parity.3 There were hawks within the Bush administration who supported an air strike as well—the “bomber boys,” as Bush called them. Vice President Dick Cheney, who had supported Israel’s attack on Syria the previous year, was among them.4
But Bush opposed an air strike. “I think it’s absolutely absurd that people suspect I am trying to find a pretext to attack Iran,” he said in 2007.5 Even if he did support a strike, he would have had difficulty drumming up widespread backing for one. A November 2007 Gallup poll showed that 73 percent of Americans preferred sanctions and diplomacy to an air strike against Iran, and the National Intelligence Estimate, released that year, asserted that Iran was not actively developing nuclear weapons, which also undermined support for an air strike.
Israel had, of course, been in this position before, seeking US support for a strike—in 1981 when it took out Iraq’s Osirak reactor, and again in 2007 when it bombed the suspected nuclear reactor in Syria.6 Israeli intelligence agents had obtained crucial information about the latter facility in 2006 when they tailed a senior Syrian official to London and installed a Trojan horse on his laptop after he unwisely left it behind in his hotel room one day. The malware siphoned dozens of documents from the computer, including blueprints and photos showing construction of the Al Kibar complex, which the Israelis believed was a nuclear reactor the Syrians were building to develop weapons. They won US support to attack the site after providing evidence that North Korea was helping Syria build it.7
Late in the evening on September 5, 2007, Operation Orchard commenced when Israeli military jets departed from a base in Northern Israel and headed west toward the sea before suddenly banking east. They flew low as they crossed the border into Syria and took out a radar station near the Turkish border using electronic attacks and precision bombs. About twenty minutes later, they unloaded their cargo onto the Al Kibar complex before safely returning home without incident. Syrian president Bashar al-Assad downplayed the strike, saying the Israelis hit nothing but an empty military building. “There’s no people in it, there’s no army, there’s nothing in it,” he said.8 But US intelligence determined that the reactor had been just weeks away from being operational before the Israelis took it out.9
Now the Israelis wanted to do the same in Iran. They believed an air strike would set Iran’s nuclear program back at least three years. But an attack on Iran carried many more complications and risks than the attacks on Syria and Iraq. In both of those cases, the Israelis had targeted a single, aboveground facility that was not heavily fortified, and in the case of Syria, the target was close enough to home that pilots could make their strike quickly and return before the Syrians had time to respond. A strike against Iran, however, would require refueling and a flight through large swaths of Arab airspace. And, instead of a single target, the planes would have to strike at least half a dozen sites dispersed throughout the country—the enrichment plant at Natanz and the uranium conversion plant at Esfahan being just two of them—some of which were underground. Iran had learned from the Israeli attack on Iraq decades earlier that the key to preserving its nuclear program was to disperse facilities around the country, and US officials had “little confidence” that Israel even knew the location of all the facilities it needed to strike to cripple the program.10 Israel’s national security adviser Giora Eiland even admitted as much when he told a US congressional delegation in 2006, “We don’t know all the sites and we don’t know what we don’t know.”11
In his State of the Union address in January 2002, President Bush had identified Iran as part of the “axis of evil,” along with Iraq and North Korea, that threatened the peace of the world. The United States, he said, would not permit “the world’s most dangerous regimes” to “threaten us with the world’s most destructive weapons.”12 They were strong words. But in the intervening years—years filled with the difficulties of prosecuting a war in Iraq—Bush had softened his stance. US Defense Secretary Robert M. Gates was convinced an attack on Iran would not only fail but would have wide-ranging repercussions on US troops in Iraq and Afghanistan. It might also trigger terrorist retaliation against Israel from pro-Iran groups in Lebanon and the Gaza Strip and disrupt oil prices, sending economic shockwaves around the world. Most important, instead of curbing Iran’s nuclear ambitions, it could set Iran on an even more determined course to nuclear weapons and cause officials to kick IAEA inspectors out of the country, taking their nuclear activities even further underground and out of sight.
For all of these reasons and more, Bush rejected Israel’s push for an air strike, but not without an alternative strategy to take its place.13
Two years earlier, Bush’s advisers had offered him what seemed like an even better solution to the problem with Iran, possibly even a brilliant one. And in the spring of 2008, while he was touring Israel for the last time as president, it looked like they might actually pull it off.
IT’S NOT CLEAR exactly when the first planning and development on Stuxnet began, but sometime in 2006, after Iran withdrew from its suspension agreement, US military and intelligence officials reportedly brought the proposal for the cyber operation, later dubbed “Olympic Games,” to the president. Bush had been weighing his options for a while. With two protracted and complex wars already being fought in Iraq and Afghanistan, he had already decided he wanted no part in a third battle in the Middle East. On-the-ground covert attacks that physically sabotaged Iran’s nuclear sites also were ruled out, since they, too, would likely spark a war.14
So his advisers proffered a third option—a digital bunker buster that, if designed and executed carefully, could achieve some of the same results as its kinetic counterparts, without all of the risks and consequences of those other attacks.
The military and intelligence communities had been preparing for an attack like this for nearly a decade and had engaged in smaller cyber operations before, but nothing at the scale they were proposing now. Most previous operations were simply spy missions carried out with digital tools or digital operations conducted as adjuncts to conventional warfare—cyber activities meant to simply assist troops on the battlefield, not take their place.15
This innovative new plan, however, called for a digital attack against the centrifuges and computer systems at Natanz to physically sabotage Iran’s uranium enrichment efforts. The requirements and restrictions for such an operation were extensive. It had to be a surgical strike capable of homing in on the specific machines the United States wanted to attack while leaving other systems unharmed. The code had to bypass internal security systems so that it could do its dirty deed undetected for months. And it had to cause enough damage for the results to have meaningful effects, without drawing attention to itself.