Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (27 page)

What followed was a technical roadmap detailing the precise steps Stuxnet took to intercept and inject its commands into the Siemens PLC to sabotage it. “This is not some hacker sitting in the basement of his parents’ house,” Langner wrote. These were sophisticated nation-state actors with very specific knowledge of the system they were attacking. He described in broad terms how the malware injected its rogue code into the PLC to hijack some unknown critical process, then laid out his thoughts about Bushehr, carefully labeling them as speculation. There were still a lot of unknowns, but the forensic evidence in the code, he asserted, would ultimately point them not only to the exact system Stuxnet attacked but also possibly to the attackers themselves.

With these few words, the jig was finally up for Stuxnet’s creators. A cyberweapon that had taken years and perhaps millions of dollars to plan and develop had been completely exposed and undone in a matter of weeks by an obscure antivirus firm in Belarus, a handful of researchers in California who knew nothing about centrifuges and PLCs, and a brash-talking German and his band of engineers.

But now that Stuxnet’s secret was out, Langner began to have the same concerns that Chien had had about how the attackers might respond. Stuxnet was near useless to the attackers once its true purpose was exposed. They must have anticipated that their code would eventually be caught and that once it was they would have a narrow window of opportunity to complete their mission. Would they now, in a last-ditch effort to achieve their aim, take one final and drastic step? Langner believed they would. “We can expect that something will blow up soon,” he wrote in his
post. “Something big.” He signed off with a singular warning: “Welcome to cyberwar.”

Accompanying the post was a picture of the three “Stuxnet busters” snapped in front of a whiteboard in their office, Langner dressed in a crisp, white shirt and unbuttoned suit vest, and Rosen and Timm behind him, the latter, in a cheeky nod to the covert nature of Stuxnet, sporting a pair of black shades.

Once he’d written his post Langner sent a press release to several top media outlets and waited for an explosion of headlines to hit. But to his dismay, nothing happened. Like Symantec’s disclosure before, the revelation was met with deafening silence. “Everyone must think I’m nuts,” he remembers thinking.

At least one person didn’t think so, however. Frank Rieger, chief technology officer for a German security firm called GSMK, read Langner’s speculation about Bushehr and agreed that Stuxnet was likely built for sabotaging Iran’s nuclear program. But he suspected Natanz, several hundred miles north of Bushehr, was the more likely target.
⁹
The Natanz plant, unlike Bushehr, was already operational and had been since 2007. Also unlike Bushehr, it was actually filled with thousands of rapidly spinning centrifuges, making it a rich target for anyone wanting to cripple Iran’s nuclear program with a digital attack. Rieger detailed his thoughts in a blog post and in an article for a German newspaper.
¹⁰
In both, he referenced an earlier Reuters piece, published right around the time Stuxnet was unleashed in 2009, describing a “decade-old cyberwarfare project” launched by Israel against Iran’s nuclear program. The article quoted a US
source speculating that “malicious software” could be used to commandeer or crash controls at an enrichment plant.
¹¹

But there was another reason to suspect that Natanz was Stuxnet’s target. On July 16, 2009, three weeks after the 2009 version of Stuxnet was released, WikiLeaks founder Julian Assange posted a cryptic note to his website about a possible accident at Natanz. An anonymous source claiming to be associated with Iran’s nuclear program had told Assange that a “serious” nuclear accident had recently occurred at the plant.
¹²
WikiLeaks usually published only documents on its site, not tips from anonymous sources, but Assange broke protocol, he said, because he had reason to believe the source was credible. He linked to a BBC story published that day, which announced the resignation of Gholam Reza Aghazadeh, the head of Iran’s Atomic Energy Organization, who had relinquished his position twenty days earlier for unknown reasons.
¹³
The time frame seemed to align with when the 2009 version of Stuxnet was released.

Whether or not Aghazadeh’s resignation was related to an accident at Natanz, Rieger’s “Natanz theory” got attention and at last catapulted Stuxnet into the limelight. The mainstream US media, which had largely ignored Stuxnet until this point, picked up on his speculations and began reporting on the story themselves. For nearly a decade, Natanz had been the focus of mounting political tension over repeated efforts to halt the
enrichment program there. Now it seemed a sophisticated digital weapon, the likes of which had never been seen before, had been part of those plans. Suddenly the story of Stuxnet was sexy and full of intrigue. Where previously it was just a dry technical tale of interest only to the technology press, now it had the aura of mystery and underworld spy games, all played out against the backdrop of a high-stakes nuclear showdown.

Shortly after Langner published his first post about Stuxnet, he contacted Joe Weiss in the United States to discuss what he and his team had found. Langner and Weiss shared the same confrontational style that didn’t always endear them to peers in the control-system community. They’d both been on the same side of the battle for years, trying to convince ICS owners that their systems were vulnerable to attack. People in the community tended to sigh at the mention of either man’s name, but no one doubted their commitment. Langner was scheduled to speak at Weiss’s upcoming ICS conference in Maryland on another topic and asked if he could talk about Stuxnet instead. “I don’t know whether to tell you yes or hell yes,” Weiss replied.

Langner was on a flight to the conference the next week. Advance buzz about his talk guaranteed that the conference room would be full. Langner had teased on his blog that he would reveal full details of his team’s research at the gathering, so the audience was primed and eager for what he had to say, especially after two presentations about Stuxnet given by Siemens and someone from DHS, respectively, turned out to be devoid of any substance.

Weiss had allotted forty-five minutes for Langner’s talk, but it took up an hour and a half instead. No one complained, though. More than 100 attendees from the water, chemical, and electric industries hung on Langner’s words. “All of us were sitting with our mouths open while he was talking,” Weiss recalls.
¹⁴
Langner was among that rare breed of tech guys—a skilled and charismatic orator who was adept at delivering dry technical details with humor and flair. But what he said that day was more
than entertaining, it shocked everyone in the room. Slowly, it dawned on the owners of industrial control systems that if another more widely targeted attack were unleashed on PLCs tomorrow, the control-system community would have no way to stop or even detect it. There were ways to tell if a Windows desktop PC or laptop was compromised, but with the stealth techniques that Stuxnet used, there would be no way to tell if a PLC was infected. There was no such thing as antivirus software for PLCs and no easy way to know if a controller had rogue code installed if it used the same kind of subterfuge that Stuxnet had used. The only way to detect an attack was at the Windows stage before it reached the PLC. But Stuxnet had shown the folly of even that defense, since no antivirus scanner had caught it before it reached the PLCs. Operators would never be able to detect a warhead until it was too late.

Langner suspected it would take just six months for the first copycat attacks to appear. They wouldn’t be exact replicas of Stuxnet, or as sophisticated in design, he told attendees, but then they wouldn’t need to be. It wasn’t just high-value targets like Natanz that were at risk of attack; Stuxnet had put every vulnerable facility potentially in the crosshairs. And while Stuxnet’s authors had skillfully designed their attack to avoid collateral damage on machines that weren’t its target, subsequent attacks might not be as carefully crafted or controlled. A criminal group bent on extorting a power plant by seizing control of its PLCs wouldn’t care if their malicious code damaged the plant or spread to other control systems as well.

Following the conference, Langner spent the weekend in Washington, DC, to meet with Melissa Hathaway, the former national cybersecurity coordinator for the White House, to brief her on what his team had found. Hathaway immediately understood the potential for blowback against US critical infrastructure as well as the problem of digital weapons proliferation the world would now face—a problem, she later told the
New York Times
, no country was prepared to deal with. “We have about 90 days to fix this,” she told the paper, “before some [copycat] hacker begins using it.”
¹⁵

That weekend while Langner was still in DC, Iranian officials revealed for the first time that computers at Bushehr had indeed been hit by Stuxnet. They made no mention of Natanz, however, and the details about the attack on Bushehr made it doubtful that Stuxnet’s payload had even deployed there. Mahmoud Jafari, a project manager for the plant, told reporters that only the personal computers of some of the plant’s workers got hit by the attack, not the plant’s production systems. “All computer programs in the plant are working normally and have not crashed due to Stuxnet,” he said.
¹⁶
Reza Taghipour, an official with the Ministry of Communications and Information Technology, also insisted that damage from the worm was minor and that the malware had been “more or less” contained.
¹⁷
The reports of limited damage weren’t surprising, given Stuxnet’s selectiveness in unleashing its destructive payload. It had likely spread to Bushehr’s Windows machines, then simply shut itself down after failing to find the PLCs it was seeking.
¹⁸

Amidst the comments from Iran, however, there was one odd detail that stood out. Mahmoud Jafari said in one of his interviews that
five
versions of Stuxnet had been found in Iran.
¹⁹
Symantec and other antivirus researchers had uncovered only three.

Although it was possible Jafari was mistaken, the revelation raised the intriguing possibility that at least two other versions of Stuxnet had been unleashed in the wild. And if two other versions of the code existed, they might contain additional clues about Stuxnet and its authors. Unfortunately, however, there was little chance that Western researchers would ever see them, since Iranian officials were unlikely to provide copies of the code to anyone outside of Iran.
²⁰

Following his presentation at Weiss’s conference and his meeting with Hathaway, Langner needed downtime to make sense of all that had occurred over the previous weeks. That weekend he walked to the National Mall and sat for hours on the steps of the Lincoln Memorial staring at the reflecting pool while tourists around him snapped photos. He thought about the reports from ICS-CERT and Siemens and their silence about the ladder-logic injections in Stuxnet and the risks to critical infrastructure posed by copycat attacks. Then there was the mind-boggling silence from the public and Congress, who seemed to have little concern about the Pandora’s box Stuxnet had opened in legitimizing the use of cyberweapons to resolve political disputes. Neither did they seem alarmed about the digital arms race Stuxnet had launched that would be impossible to curb. It was as if, Langner thought, no one wanted to discuss these things for fear that it would raise questions about who was behind the attack.

Langner decided that if everyone else was going to be silent, then he
should go public with more information about the code. So once he returned to Germany, he published additional blog posts laying out the technical details that he had previously disclosed only behind the closed doors of Weiss’s conference room. As soon as the posts were up, the blog was besieged with traffic from around the world, including, noticeably, from US government and military domains. Langner hoped that, with Stuxnet’s importance now clearly established, other security firms would pick up the baton where he and his team had left off. Despite everything they had learned so far, there was still a lot more work to be done. They had only discovered that Stuxnet was bent on sabotaging a single facility, a facility that was likely Natanz—but they still didn’t know what it was doing to the plant. That information was still buried in the code.

Over the next three weeks, he and his colleagues worked on a couple of projects from paying clients to make up for the income they had lost while analyzing Stuxnet. But when no new information came out about the code from Symantec or anyone else, Langner decided they should pick up where they had left off.

“Guys,” he said to Rosen and Timm, “I think we need to reopen the case.”

CONTRARY TO LANGNER’S
belief that the US government was ignoring Stuxnet or missing important details about it, there were elements of the government that
were
paying attention—albeit behind a veil of secrecy. In fact, a group of DHS analysts had completed most of their own examination of Stuxnet within a couple of days after it was exposed in July and knew even before Symantec and Langner did that Stuxnet was sabotaging PLCs.

Stuxnet first made its way to the watch floor of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, or NCCIC, in Arlington, Virginia, on the morning of July 15, 2010, at the same time that security researchers around the globe were
getting their first look at the code. The files came in from CERT-Bund, after Siemens had contacted the Computer Emergency Response Team, to report a malicious attack that was targeting its PLCs.

NCCIC, or N-Kick as it’s commonly pronounced, was just nine months old and was part of the government’s new mission control for monitoring and coordinating responses to cyber threats against critical infrastructure and civilian government systems. When the files arrived, Sean McGurk, director of the center, was ironically in the midst of planning for the government’s upcoming Cyber Storm III exercise, a biennial three-day drill that would simulate digital attacks against US critical infrastructure. It was to be the twenty-four-hour watch center’s first real test of its coordinating abilities since the facility had opened. But the real threat of Stuxnet quickly took priority over plans for the faux attack.