Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
It’s likely, however, that the clock on the computer used to compile the files was out of date or that the coders manipulated the timestamps to throw forensic investigators off. But if the timestamps were accurate, it would mean the attackers had held the malicious code in reserve for three to six years while the United States waited to see how the diplomacy game with Iran played out, then pulled out the code only in 2006 when it was clear that negotiations and sanctions had failed.
Some of the attack code was generic to a lot of Siemens systems, and not specifically tailored to the ones at Natanz, so it was possible that parts of the attack code grew out of a general research project aimed at uncovering vulnerabilities in all Siemens PLCs, not just the ones at Natanz. Siemens control systems were used extensively throughout Iran in various industries—the oil and gas industries, as well as the petrochemical and mineral industries—not just in its nuclear program. They were also used extensively in other regions of the Middle East. With cyberwarfare already on the horizon in the late ’90s, it would have made sense for the United States and Israel to invest in early research to uncover vulnerabilities in the Step 7 system and related Siemens PLCs—which came on the market in the mid ’90s—in anticipation that the knowledge would come in handy later.
Not all of the code was so generically applicable to Siemens systems, however: the blocks targeting the frequency converters and valves were specific to the configuration at Natanz and would have required foreknowledge of the exact components Iran planned to install at the plant, as well as intelligence about their precise configuration and operation. For the timestamps in these code blocks to be reliable, the programmers would have had to know in 2001 what equipment was going to be installed at a plant that wasn’t even constructed yet.
That part is not as outlandish as it seems: Iran had already tested its uranium enrichment process in small cascades of centrifuges at the Kalaye Electric factory sometime around 1999. Furthermore, in 2000 and 2002, the CIA recruited key suppliers in the Khan network who provided the agency with intelligence about some of the components the network had supplied to Iran and other Khan customers. So by the time ground broke on Natanz in 2000, the intelligence agency may already have known what equipment Iran planned to install at the plant, including the Siemens control systems.
David Albright of ISIS agrees that much of the information about Natanz could have been known in 2001.
“The cascade details, including the 164 centrifuges per cascade, number of stages [in the cascade], most valves, pressure transducers, and piping, could have been known [that early],” he says.5 But information about the Vacon and Fararo Paya frequency converters may not have been available then. “Frequency converters would be another matter, since Iran was acquiring them abroad back in that period from a variety of companies. So it would be hard to believe that Stuxnet’s designers in 2001 could count on them being from Finland or domestically assembled [by Fararo Paya]. Moreover, the first module [of cascades installed at Natanz in 2007] was built with a range of imported frequency converters.”6
In 2003, when the timestamp for the Step 7 doppelgänger indicates it was compiled, there was more information available about Natanz.
When IAEA inspectors paid their first visit to Natanz in February 2003, Iran already had a small cascade in place at the pilot plant and was preparing to install up to 1,000 centrifuges there by the end of the year. And as part of the IAEA’s inquiry into Iran’s nuclear program, Iran had to provide lists of equipment procured for Natanz and other nuclear facilities—lists that included machine tools, valves, and vacuum pumps.7 Intelligence agencies also had been monitoring Iran’s secret procurement activities and knew that a company named Neda Industrial Group—a leading industrial automation firm in Tehran—was involved in procurement for the nuclear program. The company worked with Kalaye Electric, the former watch factory that had been converted into a centrifuge factory, to install equipment at Natanz.8 Neda was also Siemens’s local partner in Iran, and in 2000 and 2001, according to the company’s website, it had installed Siemens S7 PLCs in other facilities in the country—the same model of PLCs that Stuxnet attacked. It wasn’t a stretch to think that if Neda installed these systems in other facilities, it had installed them at Natanz as well.
Siemens, in fact, did a brisk business selling automation equipment to various non-nuclear industries in Iran, but its machines found their way into nuclear ones as well. A 2003 letter from one Iranian firm to another, which Western sources later obtained, revealed that Siemens S7-300 and S7-400 controllers, along with the SIMATIC software needed to communicate with them, had been procured by a company named Kimia Maadan that was involved in uranium processing in Iran.9 It was believed the controllers were purchased for Iran’s Gachin mine, where Iran planned to mine natural uranium for processing in centrifuges.10 All of this information would have been known to the United States and Israel.
Although the initial plot might have been hatched by US Strategic Command under Gen. James Cartwright, it was up to the cyberwarriors of the NSA and US Cyber Command, working in conjunction with coders from Israel’s elite Unit 8200, to execute it.
To pull off the attack required a lot more intelligence than just knowledge of the equipment at Natanz. The attackers needed to know, for example, the exact frequency at which the converters operated and the exact configuration of the equipment. They couldn’t rely only on old blueprints and plans that might be out of date. They also needed extensive knowledge about how the Step 7 system worked and how the computers at Natanz were networked in order to reassure White House legal advisers that the code wouldn’t cause cascading effects on other systems. If they assumed there wasn’t a connection with outside computers and there was, the code would break loose and spread to other machines, possibly damaging them and exposing the operation. This is where tools like Flame and Duqu would have come in handy to gather data from the computers of systems administrators, who helped install and maintain the networks, and from contractors and others who programmed the PLCs. If Duqu was used, it could have been delivered via a phishing attack—like the one used to infect the Hungarian company. This worked for machines connected to the internet, such as a programmer’s laptop. But buried in the PLCs that weren’t connected to the internet was also configuration data about things like the number of Profibus cards connected to them and the model and number of frequency converters.
To get to that data, if it couldn’t be obtained another way, the attackers needed a flash drive to jump the air gap and get their spy tool onto a machine connected to the PLCs. Since, as previously noted, PLC programmers generally work on laptops not connected to the control network, then connect their laptop physically to a machine on the PLC network or copy their programming files to a flash drive and carry it to a machine on that network, this would have been a simple way to achieve that. The attackers could have retrieved data about the PLCs and control network in reverse—using malware that recorded data from these systems onto the flash drive, which the programmer would have brought back to his internet-connected laptop, where it could be retrieved. It’s also been reported that the intelligence agencies used special implants embedded in non-networked machines in Iran that transmitted data about infected systems via radio waves.11
It might have taken months to obtain the data the attackers needed. But some of the reconnaissance work could have been done as early as 2005, when the domains for the command-and-control servers used with Stuxnet 0.5 were registered. Although Stuxnet wasn’t released until later, the domains could initially have been used to communicate with spy tools. The reconnaissance also might have been done around May 2006, when researchers found that code for the command-and-control servers used with later versions of Stuxnet was created.
Once information about the systems was gathered, final work on the attack code could have occurred. Symantec estimated that two separate teams created the 315 and 417 attack codes based on the distinct ways they were written. Whether the United States and Israel worked on both of them together or the Israelis only worked on the missile portion while the Americans handled the payloads is unknown. A third team may have worked on the code that hijacked the Step 7 system to swap out the legitimate .DLL for Stuxnet’s rogue one and inject the malicious commands into the PLCs. Symantec estimated that it took about six months to write this Step 7 portion of the code and a little less time to write the malicious PLC code blocks. The testing, however, would have also taken time.
Whoever was responsible for the actual code, this part of the operation had to be precise. There were so many ways for the attack to go wrong, but there was no room for error, and it would be difficult to gauge the effects of the code in the field or tweak it once it was unleashed. This meant the attackers had to do extensive testing—not only on a Siemens test-bed to make sure their code didn’t brick the Step 7 system or the PLCs, but also, in the case of the variants unleashed in 2009 and 2010, on all versions of the Windows operating system to make sure the malware spread and installed seamlessly without detection.12
Most of all, the attackers needed precise knowledge of how each change of the code would affect the centrifuges, particularly because what they were aiming for was not a brute-force attack but a finessed one. The tiniest mistake and they could destroy the centrifuges too quickly or destroy too many at once and expose the sabotage, blowing the operation.
To pull this off, they would have needed a team of material scientists and centrifuge experts who understood the density and strength of the aluminum rotors and centrifuge casings, and who understood how the bearings at the bottom of each centrifuge, which kept them spinning in balance, would respond to increased vibration. They also needed to calculate the normal wall pressure inside the centrifuges and determine how much it would increase as the gas pressure inside the centrifuges grew.13
To do all of this, they needed actual centrifuges against which to test the attacks. Luckily, as noted previously, the Department of Energy’s Oak Ridge National Laboratory in Tennessee possessed a number of P-1 centrifuges, upon which the IR-1s at Natanz were based.
The story behind Oak Ridge’s acquisition of the centrifuges began in August 2003, three years after the CIA infiltrated A. Q. Khan’s illicit nuclear supply network and six months after the IAEA made its first visit to Natanz. The spy agency intercepted a shipment of black-market uranium enrichment components—including 25,000 centrifuge casings as well as pumps, tubes, and other components—headed from Malaysia to a secret enrichment plant in Libya. The seized crates were used by the West to confront Libyan dictator Muammar Gaddafi with evidence of his secret nuclear program and to pressure him into abandoning it. On December 19, Libya’s foreign minister announced on national television that the country was renouncing its nuclear weapons and chemical weapons programs—programs it hadn’t until then acknowledged possessing.
The IAEA learned there was more enrichment equipment already in Libya that US authorities planned to dismantle and ship back to the Oak Ridge lab. So over the Christmas holiday, Olli Heinonen; his boss, Mohamed ElBaradei; and other IAEA colleagues raced to Tripoli to inventory the equipment before it disappeared. There they found more than one hundred tons of equipment worth about $80 million—including UPS regulators from Turkey (similar to the ones that would later be sabotaged in Iran in 2006), two hundred P-1 centrifuges from Pakistan that the Libyans had already assembled into a small cascade, as well as components for building about four thousand other centrifuges.14 By March 2004, the seized equipment had been packed up and sent to the Y-12 National Security Complex at Oak Ridge, where it was protected by guards armed with assault rifles while put on display for journalists to see.
“By any objective measure,” US Secretary of Energy Spencer Abraham told the assembled reporters at the time, “the United States and the nations of the civilized world are safer as a result of these efforts to secure and remove Libya’s nuclear materials.”15 This may have been so, but what the captured booty really meant was that the United States now had the chance to assemble a secret plant to study the centrifuges and test an attack against them.16
THE OAK RIDGE National Laboratory, established in 1943 and located outside of Knoxville, is managed by UT-Battelle—a nonprofit company founded in 2000 by Battelle Memorial Institute and the University of Tennessee—and touts itself as a science facility focused on advanced materials research, nuclear science, clean energy, and supercomputing. But it’s the lucrative classified national security work the lab does for the Defense Department, Department of Energy, and intelligence agencies—focused on nuclear nonproliferation, intelligence data mining, encryption cracking, and other areas—that really keeps it in business.
The secret centrifuge plant, part of a now decade-long classified program to research the destruction of centrifuges, was constructed sometime after 2005 on a backwoods lot on the 35,000-acre Oak Ridge Reservation, invisible and inaccessible to the majority of lab workers who held security clearances. Dubbed “the Hill” or sometimes “the chicken ranch” according to one person who knew about it, the covert facility was reached via an unmarked road that meandered for ten miles, blanketed on either side by a thick forest of trees, before delivering cars to first one security gate and then another.17
The Hill actually consisted of two facilities—one aboveground, the other beneath. The underground hall, a preexisting structure built long before for another purpose, was requisitioned for the first stage of the centrifuge program, which initially focused just on figuring out how the centrifuges obtained from Libya worked. The lab had obtained both P-1 and P-2 centrifuges from Libya to study, but the devices arrived for the most part as unassembled components without a manual. The researchers had drawers and drawers filled with the parts, but had no prior experience working with the designs and therefore spent a lot of their time initially just trying to figure out how to piece the components together and get them to work.
The researchers at Oak Ridge experienced some of the same problems the Iranians experienced in operating the temperamental and fragile devices. The scoops and ball bearings proved to be particularly problematic for them and delayed their progress for a while.
In the beginning, the program wasn’t about building a virus to attack the centrifuges; it was simply about learning how the centrifuges and cascades worked in order to understand their capabilities and gauge how far along the Iranians were in their enrichment program and to determine how close they might be to having enough enriched uranium to make a nuclear bomb. When the Oak Ridge scientists completed their initial research and testing, they estimated it would take Iran about twelve to eighteen months to produce enough fissile material for a bomb.
The study of centrifuges wasn’t foreign to Oak Ridge. The lab has a long history of centrifuge research and development, having produced some of the first rotor centrifuges in the 1960s. But in 1985, its centrifuge program was terminated after lasers replaced centrifuges as the primary method of enriching uranium in the United States. The closure displaced thousands of skilled workers and researchers whose specialized knowledge was no longer needed.
Then in 2002, around the time the world was learning about Iran’s secret enrichment facility at Natanz, centrifuge enrichment made a comeback, and Oak Ridge resurrected its program to design a new generation of centrifuges for the United States Enrichment Corporation, now a producer of enriched uranium for commercial nuclear power plants in the United States. To staff that operation, the lab pulled many of its former centrifuge experts out of retirement—some of them now in their seventies and eighties—to work alongside younger scientists.
After the cache of valuable centrifuges was seized from Libya, many of these scientists were reassigned to study the devices. Someone familiar with the program believed the work was conducted under the auspices of the National Nuclear Security Administration (NNSA), a division of the Department of Energy that manages the security of the nation’s nuclear weapons but also operates a nuclear nonproliferation research and development program known as NA-22.18 The latter collects human intelligence about illicit nuclear operations and does remote sensing and environmental testing to collect evidence of covert enrichment activity and nuclear detonations by rogue regimes and actors.19
The NNSA had been trying to get its hands on Iranian centrifuges for a while, so the shipment of P-1s and P-2s obtained from Libya in 2004, on which the Iranian centrifuges were based, was a huge boon.
Eventually, they also obtained parts directly from the Iranian program, via intelligence sources. These parts were highly valuable—North Korea was believed to be using centrifuges of the same general design—and workers were told to be very careful and expeditious in using the components because in some cases intelligence sources had given their lives to obtain them. In other words, there was no easy way to replace them and therefore every test on the equipment had to count.
Research on the devices was already under way in 2006, when Iran announced it would begin enriching uranium at Natanz, but the research was slow-moving, according to someone familiar with the program. But in 2007, the operation came together in earnest as Iran began installing its first centrifuges in the underground hall at Natanz.
In the meantime, the aboveground hall was constructed for the sole purpose of testing—and destroying—centrifuges. It’s believed that some of this research may have initially focused on determining the possible destructive effects from a kinetic attack, such as an aerial bombardment on centrifuges buried deep underground, and that a cyberattack became part of the equation only later. Then when a digital operation was proposed, initially the goal wasn’t to destroy the centrifuges at Natanz with a virus but simply to plant surveillance code in equipment at the plant to collect data that would help scientists determine where Iran was in its enrichment process. But at some point, the centrifuge destruction program and the reconnaissance operation merged to produce a plan for a digital kinetic attack. Likely, most of the scientists testing the centrifuges never knew about the plan for such an attack but were simply focused on assessing the effects of various conditions on the centrifuges—such as increased and decreased speed or increased wall pressure inside the centrifuge—in a manner that was divorced from the causes of those conditions.