Book Read Free

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

Page 25

by Kim Zetter


  18 According to Weiss, the CIA also launched a misinformation campaign around a laser weapons technology to convince the Soviets that the unproven technology was something they should pursue. When the CIA found Soviet documents discussing the technology, the agency arranged for renowned physicists to plant stories about it in Nature and another reputable publication to create buzz about it as if it were a promising discovery. Then they abruptly halted publication of information on the matter, to make the Soviets think the technology had strategic importance and that conversations about it had been stifled. Weiss said the Soviets must have taken the bait because years later, when the Soviet Union collapsed, evidence was found that the Soviets had been pursuing research on the laser technology.

  19 The complete story of Vetrov’s life and the Farewell Dossier is recounted in Sergei Kostin and Eric Raynaud, Farewell: The Greatest Spy Story of the Twentieth Century. The book, published in French in 2009, was translated into English by Catherine Cauvin-Higgins and published in 2011 by Amazon Crossing. The book was made into a French film released in 2009 titled L’affaire Farewell.

  20 Thomas C. Reed, At the Abyss: An Insider’s History of the Cold War (New York: Presidio Press, 2004), 268–69.

  21 Reed’s account of the pipeline explosion, the first to be published, has taken on a life of its own and been re-reported many times as fact, though no reporters have been able to substantiate it. There are reasons to doubt the story. According to Reed, the explosion was captured by US infrared satellites and caused a stir among members of the National Security Council at the time, who were trying to determine whether the Soviets had detonated an atomic device in Siberia when Weiss told them not to worry about it. Weiss never explained why they shouldn’t worry about it, but twenty years later when Reed was writing his book, Weiss told him the cause of the explosion they had been concerned about was CIA sabotage. But Vasily Pchelintsev, the former head of the KGB in the region where Reed said the explosion occurred has said it never happened, and that Weiss may have conflated his memory of the Farewell Dossier incident with an explosion that occurred in April 1982 in a different region. But that explosion, Pchelintsev said, was caused by shifting pipes that moved when snow melted, not by CIA sabotage. See Anatoly Medetsky, “KGB Veteran Denies CIA Caused ’82 Blast,” Moscow Times, March 18, 2004.

  Asked if he believed Weiss’s account of the pipeline, Reed told me in a phone interview in October 2010, “I don’t really know if it happened.… Clearly the whole Dossier episode happened. The agency had a very major campaign to adjust the tech of stuff that was being sent off to the Russians.” He said he does recall that an explosion occurred at the time he was on the NSC. “I remembered there was a great event that puzzled the intelligence community.” But whether that was in fact a pipeline explosion, “that was thirty years ago,” he said, acknowledging that both his and Weiss’s memories may have been altered in the ensuing years. “I have respect for Russian historians who say there was no explosion in connection with Dossier.… So it could be there was an explosion, but it was not a result of a Trojan horse.… Whether it was true or not I do not know.” It may be too much to hope, however, that any future retellings of the pipeline tale will be done with the appropriate caveats.

  22 When IAEA inspectors saw the pump at Natanz, it stood out for them because a sticker was affixed to it identifying it as property of the Los Alamos National Lab, which they thought was odd. When the IAEA investigated, the agency found that the serial number on the pump was consecutive with the serial numbers of pumps they had seen in Libya, indicating the pumps had all come from the same batch. The inspectors traced the order for the pumps to the US lab. No one was ever able to figure out how the Los Alamos sticker got onto the pump at Natanz, or why the Iranians weren’t suspicious of it. See Collins and Frantz, Fallout, 138.

  23 Frantz and Collins, Nuclear Jihadist, 238.

  24 Gholam Reza Aghazadeh interview, January 2007, with Ayande-ye (New Future). The interview itself is not online, but it’s referenced in Sheila MacVicar and Farhan Bokhari, “Assessing Iran’s Nuclear Program,” CBS News, April 4, 2007, available at cbsnews.​com/​news/​assessing-​irans-​nuclear-​program.

  25 One ill-conceived plan conjured by the Mossad and the CIA, as described in James Risen’s State of War, involved using an electromagnetic pulse to fry computers used in Iran’s nuclear facilities. Spies planned to smuggle equipment into Iran that would deliver the electromagnetic pulse to power transmission lines outside the facilities. The CIA dropped the plan, however, after realizing that the equipment was far too big to truck into Iran and position stealthily. Risen, State of War: The Secret History of the CIA and the Bush Administration (New York: Free Press), 208–9.

  26 Sanger, “U.S. Rejected Aid for Israeli Raid.”

  27 Clandestine operations involve secret activity that isn’t meant to be detected or noticed, such as surveillance and intelligence collection activities to uncover information about a target that might be later attacked. Covert activity, however, is meant to be noticed, since it’s intended to influence conditions—political, economic, or military—although the party responsible for the activity is hidden, such as the CIA. The Stuxnet operation involved both clandestine and covert activity. The clandestine activity involved the initial reconnaissance to gather intelligence about the plant. But the planting of malicious code in a control system to send centrifuges spinning off their axis was covert since it was meant to be noticed while hiding the hand behind it.

  28 Ellen Nakashima and Joby Warrick. “Stuxnet Was Work of U.S. and Israeli Experts, Officials Say,” Washington Post, June 2, 2012.

  29 Sanger, “U.S. Rejected Aid for Israeli Raid.”

  30 Author interview, 2012.

  31 David E. Sanger, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power (New York: Crown, 2012), 193.

  CHAPTER 12

  A NEW FIGHTING DOMAIN

  By the time Bush’s advisers floated the idea of a precision digital weapon aimed at sabotaging Iran’s centrifuges to him, plans for developing such capabilities had already been in the works for a decade, born out of the realization that the military’s own networks were vulnerable to enemy attack.

  Academics and military experts had been pondering the concept of cyberwarfare and the potential for digital weaponry even longer than that. As early as 1970, the Defense Science Board had examined the potential military advantages of subverting computer networks to render them unreliable or useless in what was then known as information warfare. Few operations were computerized at the time, however, and the internet didn’t exist, so the theoretical possibilities had to wait for reality to catch up.

  It finally did in the ’90s, around the same time the term “cyberwar” was coined in a seminal 1993 RAND article titled “Cyberwar Is Coming!”: “We anticipate that cyberwar may be to the 21st century what blitzkrieg was to the 20th century,” John Arquilla and his coauthor wrote at the time.1 Arquilla, now a professor at the Naval Postgraduate School in California and a military consultant, recognized the potential for digital attacks during the first Gulf War when the United States used a special radar system to spot moving targets in Iraq and realized it could easily have been thwarted if the Iraqis found a way to disrupt it. It struck Arquilla that the computerized technologies that made a modern army strong also made it potentially very weak. “What made that thought even more chilling was the notion that this power existed in the hands of a few hackers,” he later said, not just in the hands of government armies. And the disruptive power of these peripheral groups was “growing by leaps and bounds.”2

  The military already had its first taste of their capabilities in the 1980s, when a German named Markus Hess, who was reportedly recruited by the KGB, hacked into hundreds of military systems and research facilities, such as Lawrence Berkeley National Laboratory, in search of intelligence about satellites and the Star Wars defense system.3 Other scares followed. In 1990 in the run-up to th
e first Gulf War, Dutch teens broke into nearly three-dozen US military computers seeking information about Patriot missiles, nuclear weapons, and the operation against Iraq. Officials feared the teens planned to sell the intelligence to Iraq. Then in 1994, a sixteen-year-old British hacker, mentored by a twenty-one-year-old in Wales, breached US Air Force systems and used them to hack into a South Korean nuclear research institute, as well as attacking one hundred other victims. With the breach appearing to come from US military computers, it became clear that the potential consequences of such intrusions weren’t limited to intelligence theft. The United States was engaged in delicate nuclear negotiations with North Korea at the time, and the military feared that if the hackers had targeted a facility in North Korea instead, they could have brought the two nations to the brink of battle.4

  But connectivity was a double-edged sword. If US systems were vulnerable to attack, so were the systems of adversaries. Although the United States didn’t have the capabilities to pull off such attacks yet, the wheels were being set in motion.

  The Air Force was the first to take steps in this direction in 1993, when it transformed its Electronic Warfare Center into the Air Force Information Warfare Center and established, two years later, the 609 Information Warfare Squadron—the military’s first cybercombat unit.5 Located at Shaw Air Force Base in South Carolina, its job was to combine offensive and defensive cyber operations in support of combat commands.6 Offensive operations were largely still academic at this point, so the unit focused mostly on defensive tactics. But the military quickly learned that there were advantages to having defensive and offensive operations intertwined, because in defending its own networks against enemy attack it gained the intelligence and skills needed to hack back. In 1996, the squadron organized a red team/blue team exercise to test the unit’s offensive and defensive skills, and within two hours the red team had seized full control of the blue team’s Air Tasking Order System.

  In 1997 the military conducted a more organized exercise to measure its defensive capabilities against enemy network attacks. The exercise, dubbed “Eligible Receiver,” pitted a red team of NSA hackers against the networks of the US Pacific Command in Hawaii. The team was prohibited from using inside knowledge to conduct the attack or anything but off-the-shelf tools that were available to ordinary hackers. When the attack began, they launched their offensive through a commercial dial-up internet account and barreled straight into the military’s networks with little resistance. The system administrators in Hawaii, who had no advance knowledge of the exercise, spotted only two of the multiple intrusions the attackers made over the course of ninety days, but even then they thought nothing of the breaches because they resembled the kind of ordinary traffic that administrators expected to see on the network. It wasn’t unlike the attack on Pearl Harbor in 1941, when an alert operator at the Opana Radar Site on the island of Oahu spotted inbound aircraft heading toward the island but didn’t raise an alarm because his superiors believed they were friendlies.

  The red-team hackers dropped marker files onto the systems to plant a virtual flag, proving they were there, and also created a number of simulated attacks showing how they could have seized control of power and communications networks in Oahu, Los Angeles, Chicago, and Washington, DC. Had they wanted to, they could have seized control of a system used to command hundreds of thousands of troops or set up “rolling blackouts and other activities that would cause social unrest,” according to Lt. Gen. John H. Campbell, a now-retired Air Force general who headed the Pentagon’s information operations at one time. The exercise “scared the hell out of a lot of folks,” Campbell later said, “because the implications of what this team had been able to do were pretty far-reaching.”7

  Afterward, when military leaders were briefed about the exercise, they assumed the red team had used classified tools and techniques for the attack and were surprised to learn that the NSA had used the same techniques any teenage hacker would use.

  The next year, in fact, a group of teenagers broke into military networks using the same kinds of low-level techniques, in a case dubbed Operation Solar Sunrise. The intruders, who pilfered sensitive data across five hundred systems, turned out to be two California teens on a digital joyride, egged on by an Israeli hacker named Ehud Tenenbaum. At the time, the DoD was prosecuting two military campaigns, in Bosnia and Herzegovina and in Iraq. The intrusion, to military leaders, looked a lot like what enemy attackers would do if they were trying to gain a battlefield advantage. Deputy Defense Secretary John Hamre, in fact, thought the attacks “might be the first shots of a genuine cyber war, perhaps by Iraq.”8 It was a real-life War Games moment that underscored the difficulty of distinguishing a nation-state attack from teenagers testing their limits. “Everything we learned in Eligible Receiver, we relearned in Solar Sunrise,” Hamre later said of the intrusion. “There’s nothing like a real-world experience to bring the lessons home.”9

  The real lesson, though, came afterward when Hamre called a meeting to discuss the intrusion and looked around a room filled with two-dozen people to ask, “Who’s in charge? Who’s responsible for protecting us?” and learned that when it came to cyberattacks, no one apparently was in charge. The shock of this realization led to the creation of the Joint Task Force–Computer Network Defense (JTF-CND) in December 1998, the first military group charged with figuring out how to defend the military’s networks.10

  The task force, led by Campbell, was a motley group composed of a couple of Air Force and Navy fighter pilots, a Marine officer, some Airborne Rangers, a submarine pilot, intelligence staff, and a few contractors. One officer described them as “some guys in flight jackets …[and] a bunch of civilians with no ties.”11 Only a few of them were geeks who knew their way around a network. Initially they had no office and no support staff and had to work out of temporary trailers in a parking lot. But eventually the group grew to more than 150 people.

  Their mission was to develop doctrines and methods for defending DoD networks against attack, but before they got started, they had two questions for the military brass: Should they develop a NORAD-type structure to defend civilian critical infrastructure as well? And what about offense? “All of us wanted to get into the attack mode,” recalls Marcus Sachs, an Army engineer and one of the task force’s initial members. “Everyone was thinking about the potential for launching digital bullets.… We wanted to go down that road and kind of flush out what would it mean for us to be offensive.”12

  It was the era of hacker conferences like Def Con and HOPE, two confabs held in Las Vegas and New York that became popular forums for hackers and researchers to talk about security holes and hacking tools.13 The FBI and intelligence agencies were already lurking undercover at Def Con each year, so Sachs decided to attend as well and had his eyes opened to the possibilities of what the military might do. But the task force was told to slow down, that the military wasn’t ready for offensive operations yet. “The legal questions hadn’t been worked out,” Sachs explains.

  There was another reason for caution, however. A cyberweapon was the “type of weapon that you fire and it doesn’t die. Somebody can pick it up and fire it right back at you,” Sachs says. “That was a very strong motivator to not do this.”

  What Sachs didn’t know at the time was that the previous year, the secretary of defense had already given the NSA authority to begin developing computer network attack (CNA) techniques, a task the spy agency embraced as an extension of its existing electronic warfare duties, which included jamming enemy radar systems and taking out communication channels.14 The NSA believed its technical geniuses could play a critical role on the emerging digital battlefield as well.

  The advantages of digital combat over kinetic warfare were clear, the NSA wrote in an internal newsletter in 1997.15 In an age of televised warfare, when images of body bags brought the stark realities of war back to the homefront, cyberwarfare offered an antiseptic alternative that the public could more easily embrace. But there we
re other advantages too, the report noted: the low cost of entry to conduct such campaigns; a “flexible base of deployment,” where being “in range” of a target wasn’t a necessity; and a diverse and ever-expanding set of targets as more and more critical systems became computerized.

  The spy agency, in fact, was already contemplating, a decade before Stuxnet, the offensive opportunities presented by the world’s growing reliance on computerized control systems in critical infrastructure. Another article in the same newsletter proposed building a road map to track the technologies that were already on the shelves, as well as those that were still “a twinkle in some engineer’s eye,” in order to develop attack capabilities against them.16 The newsletter also suggested compiling a list of public hacking tools already available for use—viruses, worms, logic bombs, Trojan horses, and back doors. These powerful tools “if effectively executed,” the author noted, “[could be] extremely destructive to any society’s information infrastructure.”17 That included, however, US infrastructure. “So … before you get too excited about this ‘target-rich environment,’ ” the newsletter cautioned the agency’s would-be cyberwarriors, “remember, General Custer was in a target-rich environment too!”18

  Despite obvious interest in pursuing digital attacks, however, the legal issues continued to confound. In the spring of 1999, as NATO forces were raining bombs onto Yugoslavia, the Air Force Association convened a closed-door symposium in Texas to ponder the capabilities of what was still referred to as “information warfare.” Gen. John Jumper, commander of US Air Forces in Europe, told the gathering that while information warfare conjured images of seizing an enemy’s “sacred infrastructure,” the military was not there yet. Cyberweapons were still largely laboratory fare, and the only information warfare being waged at that point was between the lawyers, policymakers, and military leaders in Washington who were still arguing over the value and legality of network attacks.19 Jumper told the gathering, “I picture myself around that same targeting table where you have the fighter pilot, the bomber pilot, the special operations people and the information warriors. As you go down the target list, each one takes a turn raising his or her hand saying, ‘I can take that target.’ When you get to the info warrior, the info warrior says, ‘I can take the target, but first I have to go back to Washington and get a [presidential] finding.”20

 

‹ Prev