Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
But if the attack succeeded, the potential payoff was huge. If a cyberstrike could destroy some of Iran’s IR-1 centrifuges or otherwise slow the country’s rapid race to nuclear breakout, it would relieve some of the pressure on diplomatic efforts and give the IAEA and intelligence agencies more time to gather evidence about Iran’s nuclear aspirations. It would also get the Israelis off their backs for a while. Israeli officials had accused the United States of dragging its feet on Iran; a digital attack on the nuclear program would prove that the United States wasn’t just sitting idly by, waiting for sanctions and diplomacy to succeed.
More important, if centrifuges were destroyed and uranium gas was wasted in the process, it would deplete Iran’s already dwindling supply of precious materials for the nuclear program. Experts estimated that Iran had only enough materials to build 12,000 to 15,000 centrifuges; if an attack could force Iran to waste a few thousand of the devices, it would cut sharply into that supply. If luck was on their side, it could also create a political rift in the Iranian regime. There was already pressure on Ahmadinejad and his supporters to achieve progress in the nuclear program; if a covert attack thwarted their efforts and set the program back a few years, it could very well sow dissension within the regime.
The advantages of a cyberattack over other forms of attack were many. A digital bomb could achieve some of the same effects as a kinetic weapon without putting the lives of pilots at risk. It could also achieve them covertly in a way a physical bomb could never do, by silently damaging a system over weeks and months without being detected. The Iranians would eventually see the effects of the digital sabotage, but if done well, they would never know its cause, leaving them to wonder if the problem was a material defect, a programming error, or something else. Even if the Iranians discovered the malware, a digital attack done properly left no fingerprints to be traced back to its source. This plausible deniability was key, since the United States was trying to prevent a war, not start one.
There were other benefits to a digital attack. Air strikes had obvious disadvantages when it came to bombing facilities buried deep underground, as Natanz and other Iranian facilities were.16 But a digital attack could slip past air-defense systems and electrified fences to burrow effortlessly into infrastructure deep underground that was otherwise unreachable by air and other means. It could also take out centrifuges not just in known facilities but in unknown ones. You couldn’t bomb a plant you didn’t know about, but you could possibly cyberbomb it. If Iran had other secret enrichment plants distributed throughout the country that used the same equipment and configuration as Natanz, a digital weapon planted in the computers of the contractors who serviced them all could spread from known facilities to unknown ones.
Digital sabotage, albeit on a far less sophisticated level, wasn’t without precedent. In the 1980s, the CIA, the DoD, and the FBI had run a joint operation to sabotage software and hardware headed to the Soviet Union. It began after Lt. Col. Vladimir Ippolitovich Vetrov, a forty-eight-year-old official in the Line X division of the KGB’s Technology Directorate, began leaking intelligence to the French about a decade-long Soviet operation to steal technology from the West.
Vetrov leaked about three thousand documents, dubbed the “Farewell Dossier” by the French, detailing a long list of technologies the Soviets had already pilfered from the West as well as a wish list of items still to be procured. When the wish list made its way to Dr. Gus Weiss, an economics adviser to Reagan’s National Security Council, he proposed a shrewd plan to then-CIA director William Casey. The CIA would let the Soviets continue to obtain the technology they wanted—but with the spy agency slipping modified designs and blueprints into the mix to misdirect their scientific efforts toward money-wasting ventures. He also proposed modifying products and components before they reached the Iron Curtain so that they would pass any quality-assurance tests the Soviets might subject them to, then fail at a later date. The plan was a veritable win-win because even if the Soviets discovered the counterintelligence operation, they would forever be suspicious of any information or technology later acquired from the West, never certain how or if it had been altered or when it might malfunction. It would be a “rarity in the world of espionage,” Weiss later wrote in an internal CIA newsletter describing the scheme: “an operation that would succeed even if compromised.”17
Under the scheme, “contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disrupted the output of chemical plants and a tractor factory,” Weiss wrote. Additionally, the Soviets were fed misleading information about stealth and tactical aircraft as well as Western space defense programs. The Soviet Space Shuttle was also built on “a rejected NASA design” that had been slipped to the Soviets, Weiss revealed.18
The Farewell operation was never discovered, according to Weiss, but Vetrov was not so lucky. He was imprisoned in 1982 after stabbing his mistress, a married KGB colleague, and was exposed as a double agent—though the CIA’s sabotage efforts remained a secret.19 In 1986, the CIA shuttered the operation.
Weiss, who is now dead, never specified the effects of the contrived computer chips and other defective parts that were slipped into the Soviet supply chain, but in 2004, Thomas C. Reed, who worked with Weiss on the National Security Council, wrote a book that briefly mentioned the Farewell Dossier and attributed a 1982 Siberian pipeline explosion to the CIA scheme—the same pipeline explosion that Symantec referenced in its blog post about Stuxnet. According to Reed, one of the items on the Line X shopping list was software for controlling the pumps, valves, and turbines on the Trans-Siberian Pipeline, which was being built to carry natural gas from the Urengoi gas fields in Siberia to countries in Europe. When the CIA learned the Soviets were trying to obtain the software from a company in Canada, the agency, in cooperation with the firm, embedded a logic bomb in the code. The code was designed to reset pump speeds and valve settings on the pipeline to “produce pressures far beyond those acceptable to the pipeline joints and welds,” Reed wrote.20 The software “ran the pipeline beautifully—for a while,” he noted. But then at some predetermined point it caused the pumps and valves to go haywire, creating a gas-pressure buildup so immense it set off a three-kiloton explosion—the “most monumental non-nuclear explosion and fire ever seen from space,” according to Reed.
There are many who believe the story of the exploding pipeline is apocryphal; a former KGB official has denied the tale and believes Reed and Weiss confused their facts.21 Regardless, the Farewell Dossier operation did exist and served as inspiration for later sabotage schemes focused on Iran’s nuclear program.
One such operation occurred after the CIA infiltrated A. Q. Khan’s nuclear supply network around 2000 and began inserting doctored parts into components headed to Iran and Libya—where Khan had also begun peddling his illicit nuclear services. A weapons expert at Los Alamos National Laboratory worked with the CIA to alter a series of vacuum pumps so that they would malfunction at random intervals. As with the operation against the Soviets, the plan was to sabotage the parts so subtly that they would work fine for a little while before breaking down in such a way that it would be difficult to spot a pattern or pinpoint the problem.
Of seven pumps the CIA compromised, six of them went to Libya; but the seventh one ended up in Iran. IAEA inspectors later stumbled across it by chance when they visited Natanz.22 The Iranians apparently didn’t know the pump had been altered.
They did, however, discover another sabotage operation that occurred in 2006. This one involved UPSes—uninterruptible power supplies—obtained from Turkey. UPSes help regulate the flow of electricity and are important to the operation of centrifuges, which require reliable and consistent energy to spin for long periods of time at uniform speeds. If the electrical current wavers, the centrifuges will speed up and slow down, sabotaging the enrichment process and even throwing the centrifuges themselves off balance.
The Khan network evidently purchased the devices from two businessmen in Turkey and secretly shipped them to Iran and Libya.23 But in early 2006, when Iran attempted to enrich its first batch of uranium in a small cascade at the pilot plant at Natanz, things went terribly wrong. The cascade ran fine for about ten days, but then the sabotage kicked in and all of the centrifuges had to be replaced. No one said anything about it at the time. But a year later, during a televised interview, the head of Iran’s Atomic Energy Organization described what had occurred. Technicians had installed 50 centrifuges in the cascade, he explained, but one night “all 50 had exploded.” The UPS controlling the electricity “had not acted properly,” he said, and created a surge. “Later we found out that the UPS we had imported through Turkey had been manipulated.” He also said that after the incident occurred they began checking all imported instruments before using them.24
There have been other known plans to alter parts and components for Iran’s nuclear program, but at least one was aborted, while others failed to work as planned.25 What Bush’s advisers were proposing in 2006, however, promised to take the black art of sabotage to a whole new level.
What they proposed was a stand-alone surgical strike involving code that could operate independently once unleashed, that had the intelligence to know when it had found its target and would only release its payload when conditions were right, that also disguised its existence by carefully monitoring attempts to detect it, and that had the ability to destroy physical equipment not through bold, explosive strokes but through subtle, prolonged ones.
Some officials in the Bush administration were skeptical that such an attack could work, likening it to an untried science experiment.26 But the planners weren’t expecting miracles from the operation. They didn’t expect to destroy Iran’s uranium enrichment program altogether, just to set it back and buy some time. And even if the operation were discovered and the Iranians learned that their computers had been infiltrated, it would still be a win-win situation, as Weiss had pointed out with the Farewell Dossier, since it would succeed in sowing doubt and paranoia among the Iranians. Even if technicians wiped their machines clean and reprogrammed them, they could never be certain that the systems wouldn’t be infected again or that their enemies wouldn’t try a different tack. They would always be on guard for any signs of trouble, and if something did go wrong, they would never know for certain if the cause had been a material defect or enemy sabotage. They’d also be much more wary of any equipment procured outside of Iran for fear that it might have already been compromised.
The daring and sophisticated scheme, which combined both covert and clandestine activities, was reportedly conceived by US Strategic Command—the Defense Department division that operates and oversees the country’s nuclear weapons—with Gen. James Cartwright as one of its architects.27 A former senior U.S. official described General Cartwright as the concept man, while former NSA Director Keith Alexander was responsible for executing the plan. “Cartwright’s role was describing the art of the possible, having a view or a vision,” the official told the Washington Post. But Alexander had the “technical know-how and carried out the actual activity.”28 The code was then developed by an elite team of programmers at the NSA, at least initially. Later versions reportedly combined code from the NSA with code from the Israeli Defense Force’s Unit 8200—Israel’s version of the NSA. Once the code was designed, however, it would have been handed off to the CIA to oversee delivery to its destination, since only the CIA has legal authority to conduct covert operations.
The technical challenges of the operation were daunting, but there were legal issues to work out as well, since they were proposing to attack another country’s infrastructure outside of a declaration of war. Covert action requires a legal document known as a Presidential Finding to authorize it, as well as notification to Congress. And before Bush signed off on the operation, there would have been extensive review to consider the risks involved.29
Luckily, sabotaging the centrifuges in a cascade carried no risk of a nuclear accident. Uranium hexafluoride gas was destructive to lungs and kidneys if inhaled in sufficient quantities, but an entire cascade contained only tens of grams of gas, which would dissipate quickly once released into the air.
But if there was no risk of a nuclear incident to consider, there were still other consequences to weigh, including the risk of bricking the computers at Natanz if the code contained an error or a bug that was incompatible with the systems, thereby tipping off the Iranians to the attack and ruining the operation. There was also the risk of retaliation if Iran discovered that the United States was behind the attack, as well as the risk of blowback if someone altered the code and used it against American critical infrastructure.
Perhaps the biggest consideration of all was the risk of tipping off Iran and other enemies to US cyber capabilities. The problem with using a cyberweapon, says one former CIA agent, is that “once it’s out there, it’s like using your stealth fighter for the first time—you’ve rung that bell and you can’t pretend that the stealth fighter doesn’t exist anymore. So the question is, which air battle do you really want to use that stealth fighter for?”30
Was the operation against Iran worth exposing this new capability? And what about losing the moral high ground if it became known that the United States was behind the attack? A digital assault that destroyed another country’s critical infrastructure—and Iran would no doubt claim that the centrifuges were critical infrastructure—was essentially an act of war. It would be very hard for the United States to point an accusing finger at any nation that used digital attacks thereafter.
It’s unclear how much advance research and work had already been done by the time Bush’s advisers proposed their plan in 2006. But once he gave the go-ahead for the covert operation to advance, it reportedly took just eight months to finalize the scheme.31
It was an ingenious plot that proceeded exactly as planned.
Until suddenly it didn’t.
* * *
1 Spiegel staff, “Cables Show Arab Leaders Fear a Nuclear Iran,” Der Spiegel, December 1, 2010.
2 US State Department cable, from CDA Michael Gfoeller, April 20, 2008, available at nytimes.com/interactive/2010/11/28/world/20101128-cables-viewer.html#report/iran-08RIYADH649.
3 “Cables Show Arab Leaders Fear a Nuclear Iran,” Der Spiegel.
4 Jeffrey Goldberg, “The Point of No Return,” The Atlantic Monthly, September 2010.
5 Catherine Collins and Douglas Frantz, Fallout: The True Story of the CIA’s Secret War on Nuclear Trafficking (New York: Free Press, 2011), 212.
6 In June 1991 when then–Defense Secretary Cheney visited Israel, he reportedly gave Israeli Maj. Gen. David Ivry a satellite image of the Osirak reactor taken after it was obliterated. Cheney annotated the image: “For General Ivry, with thanks and appreciation for the outstanding job he did on the Iraqi Nuclear Program in 1981, which made our job much easier in Desert Storm.” See Douglas Frantz and Catherine Collins, The Nuclear Jihadist: The True Story of the Man Who Sold the World’s Most Dangerous Secrets (New York: Free Press, 2007), 190.
7 Erich Follath and Holger Stark, “The Story of ‘Operation Orchard’: How Israel Destroyed Syria’s Al Kibar Nuclear Reactor,” Der Spiegel, November 2, 2009. For information about the electronic warfare used to take out the radar station, see David A. Fulghum, “U.S. Watches Israeli Raid, Provides Advice,” Aviation Week, November 21, 2007.
8 Julian Borger, “Israeli Airstrike Hit Military Site, Syria Confirms,” Guardian, October 1, 2007.
9 David Albright notes that when fully operational, the reactor could have produced enough plutonium for a nuclear weapon every one to two years. David Albright, Peddling Peril: How the Secret Nuclear Trade Arms America’s Enemies (New York: Free Press, 2010), 3.
10 Tim Shipman, “U.S. Pentagon Doubts Israeli Intelligence Over Iran’s Nuclear Program,” Telegraph, July 5, 2008.
11 US State Department cable, “Israeli NSA Eiland on Iranian Nuclear Threat,” April 26, 2006, published by WikiLeaks at http://wikileaks.org/cable/2006/04/06TELAVIV1643.html.
12 Erich Follath and Holger Stark, “The Birth of a Bomb: A History of Iran’s Nuclear Ambitions,” Der Spiegel, June 17, 2010.
13 David E. Sanger, “U.S. Rejected Aid for Israeli Raid on Iranian Nuclear Site,” New York Times, January 10, 2009.
14 David E. Sanger, “Iran Moves to Shelter Its Nuclear Fuel Program,” New York Times, September 1, 2011.
15 See chapter 12 for more on the history of the US government’s cyberwarfare capabilities.
16 In mid-2007, Western satellites spotted evidence of a possible tunnel being built into a mountain adjacent to Natanz, possibly to sequester materials and equipment from an anticipated attack on the plant. The NCRI reported that Iran was in fact constructing secret tunnels in more than a dozen locations around the country to protect missile and nuclear installations from potential attack. Israel had secured an agreement to obtain a new generation of bunker-busting bombs from the United States—said to be ten times more powerful than the previous generation and capable of breaking through cement and penetrating deep underground. But the new bombs weren’t expected to be ready until 2009 or 2010 and there was no guarantee they would work against Natanz. See David Albright and Paul Brannan, “New Tunnel Construction at Mountain Adjacent to the Natanz Enrichment Complex,” ISIS, July 9, 2007, available at isis-online.org/uploads/isis-reports/documents/IranNatanzTunnels.pdf. See also William Broad, “Iran Shielding Its Nuclear Efforts in Maze of Tunnels,” New York Times, January 5, 2010.
17 The newsletter was later declassified. See Gus Weiss, “The Farewell Dossier: Strategic Deception and Economic Warfare in the Cold War,” in Studies in Intelligence, 1996, available at https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/96unclass/farewell.htm.