I know, I know — you already know the basics about Stuxnet. No matter. So do I, yet this is the most gripping news feature I’ve read this week, to the point where I started mentally storyboarding the inevitable Hollywood spy movie that’s going to be made about it before I was halfway through. Starring Michael Cera and Jesse Eisenberg as leaders of an elite team of pasty beta-male hackers, overseeing the cyberwarfare equivalent of the Manhattan Project. Title: “The Nerds Who Saved the World.”
Kidding aside, take five minutes to read it all. Nothing else that I’ve come across better explains how fantastically ingenious Stuxnet is as a precision weapon aimed at disabling Iran’s nuclear program. For instance, tech-dummy that I am, I thought the worm was originally introduced to Iran’s enrichment facility by smuggling it into the plant via a secret agent and injecting it into the system via a flash drive. Not so: It sounds like it was first injected into computers outside the plant that were being accessed by people who worked inside, e.g., some nuclear technician’s laptop or desktop. If the technician carelessly used his own flash drive on the outside computer, he’d inadvertently transfer Stuxnet to it and then carry it into the building with him, thus avoiding the need for someone to physically infiltrate Natanz. So not only did they devise a plan to virtually bomb the facility from the inside, they likely got one of Iran’s own people to unwittingly deliver the payload.
Very clever, but that’s just the beginning:
–Once allowed entry, the worm contained four “Zero Day” elements in its first target, the Windows 7 operating system that controlled the overall operation of the plant. Zero Day elements are rare and extremely valuable vulnerabilities in a computer system that can be exploited only once. Two of the vulnerabilities were known, but the other two had never been discovered. Experts say no hacker would waste Zero Days in that manner.
–After penetrating the Windows 7 operating system, the code then targeted the “frequency converters” that ran the centrifuges. To do that it used specifications from the manufacturers of the converters. One was Vacon, a Finnish company, and the other Fararo Paya, an Iranian company. What surprises experts at this step is that the Iranian company was so secret that not even the IAEA knew about it.
–The worm also knew that the complex control system that ran the centrifuges was built by Siemens, the German manufacturer, and — remarkably — how that system worked as well and how to mask its activities from it…
“The worm was designed not to destroy the plants but to make them ineffective. By changing the rotation speeds [of the centrifuges], the bearings quickly wear out and the equipment has to be replaced and repaired. The speed changes also impact the quality of the uranium processed in the centrifuges creating technical problems that make the plant ineffective,” he explained.
Thus, not only did the coders need a mind-boggling degree of knowledge about the vulnerabilities in more than one software platform, they needed intelligence on Iran’s program so deep that not even the UN had all the details. On top of all that, the worm was programmed to disguise what it was doing so that the engineers on the premises would think the problem with the centrifuges was in the hardware, not the software. No wonder that paranoia at Iran’s nuclear facilities is now allegedly such that the regime’s counterintelligence agents are making life a “living hell” for the nuclear scientists who work there.
But whodunnit? Microsoft claims that it would have taken 10,000 days of labor to put Stuxnet together, which means a huge group — so huge, in fact, that Fox’s sources speculate it involved an international collaboration between at least the U.S., Russia(!), and Germany, which would have had detailed knowledge about the coding that runs the Siemens machinery that powers the centrifuges at Natanz. The Guardian’s report on Stuxnet claims that the group could have been much smaller, just five to 10 people working for six months. But they’ve also got a reason to think the Germans are involved:
Stuxnet works by exploiting previously unknown security holes in Microsoft’s Windows operating system. It then seeks out a component called Simatic WinCC, manufactured by Siemens, which controls critical factory operations. The malware even uses a stolen cryptographic key belonging to the Taiwanese semiconductor manufacturer Realtek to validate itself in high-security factory systems…
Cluley told the Guardian that Siemens has “astonishingly” advised power plants and manufacturing facilities not to change the default password that allows access to functions, despite it being exploited by Stuxnet and being “public knowledge on the web for years”.
I can’t imagine why they’d do that unless Siemens itself is part of this or is under heavy pressure from the German government to cooperate.
Another thing I can’t figure out is why Stuxnet, in Fox’s words, was “designed to allow the Iranian program to continue but never succeed, and never to know why.” In that regard, despite its success in slowing down Iran’s nuclear program, it’s a spectacular failure: The Iranians obviously do know now why the centrifuges are failing, and even though it’ll allegedly take another year to cleanse Stuxnet from their systems, they’ll get there and start rolling again. Which leaves three possibilities: (a) The programmers weren’t quite as brilliant in disguising the worm as they were in developing other aspects of it; (b) the programmers wanted the worm to be uncovered eventually, either for propaganda reasons or because it’s a necessary step towards unleashing some even murkier, more brilliant plot; or (c) the programmers knew the worm would be discovered in time but also knew that it would do all the damage it was capable of before then. If that’s true, then maybe the centrifuges at Natanz are in much worse shape than anyone (except the programmers) knows.
Exit question: Was it worth it? Watch this clip before answering. Smallpox is an impressive weapon too, but there are good reasons why we don’t use it. And I don’t just mean the moral ones.