Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Author: Kim Zetter
29. It was even easier to see from the configuration data in this version of Stuxnet than in later versions that Stuxnet was seeking the precise setup at Natanz. The code indicated it was seeking a facility where the systems it was targeting were labeled A21 through A28. Natanz had two cascade halls, Hall A and Hall B. Only Hall A had centrifuges in it when Stuxnet struck. The hall was divided into cascade rooms, or modules, that were each labeled Unit A21, A22, and so on, up to A28.
30. Stuxnet 0.5 had an infection kill date of July 4, 2009. Once this date arrived, it would no longer infect new machines, though it would have remained active on machines it already infected unless it got replaced by another version of Stuxnet. The next version of Stuxnet was released June 22, 2009, just two weeks before Stuxnet 0.5’s kill date.
31. Like later versions of Stuxnet, this one had the ability to update itself on infected machines that weren’t connected to the internet. It did this through peer-to-peer communication. All the attackers had to do was deliver an update from one of the command servers to a machine that was connected to the internet, or deliver it via a USB flash drive, and other machines on the local network would receive the update from that machine.
32. One other note about this version is that it had a driver file that caused a forced reboot of infected Windows machines twenty days after they were infected. It’s interesting to note that Stuxnet was discovered in 2010 after machines in Iran kept crashing and rebooting. Although the version of Stuxnet found on those machines was not 0.5, it raises the possibility that this version of Stuxnet or its driver might have been lurking on those machines and caused them to reboot repeatedly. Although VirusBlokAda never found Stuxnet 0.5 on the machines, they may simply have missed it.
33. After discovering Stuxnet 0.5 in their archive, the Symantec researchers did a search for it and found a number of errant and dormant infections in Iran but also in the United States, Europe, and Brazil.
34. The servers were set up in the United States, Canada, France, and Thailand. The command servers were designed to masquerade as an internet advertising firm called Media Suffix to conceal their true intention if someone were to gain access to them. The domains for the servers—smartclick.org, best-advertising.net, internetadvertising4u.com, and ad-marketing.net—each had the same home page for the fake advertising company, which had a tagline that read “Deliver What the Mind Can Dream.” The home page read: “The internet is widely becoming the hottest advertising and marketing medium in the world. MediaSuffix focuses extremely in the internet segment of advertising. MediaSuffix is ready to show your company how to capitalize on this unbelievable growing market. Don’t be left behind.… We offer clients an unparalleled range of creative answers to the varied needs of our clients.”
35. Stuxnet 0.5 may have been unleashed earlier than November 2007, but this is the first record of its appearance. According to the compilation date found in the Stuxnet component submitted to VirusTotal, it was compiled in 2001, though Chien and O’Murchu believe the date is inaccurate.
36. Author interview conducted with Chien, April 2011.
In 2012, Chien may have been contemplating the dark and complicated future Stuxnet wrought, but four years earlier, the architects of the code were contemplating a different dark future if Iran succeeded in building a nuclear bomb.
In April 2008, President Ahmadinejad took a much-publicized tour of the enrichment facilities at Natanz, to mark the second anniversary of the plant’s operation, and in the process gave arms-control specialists their first meaningful look inside the mysterious plant. Wearing the white lab coat and blue shoe booties of plant technicians, Ahmadinejad was snapped by photographers as he peered at a bank of computer monitors inside a control room, flashed an ironic “peace” sign at the cameras, and led an entourage of stern-looking scientists and bureaucrats down two rows of gleaming, six-foot-tall centrifuges standing erect at attention like military troops in full dress trotted out for inspection.
The president’s office released nearly fifty images of the tour, thrilling nuclear analysts with their first peek at the advanced IR-2 centrifuges they had heard so much about. “This is intel to die for,” one London analyst wrote of the images.[1]
But among the retinue accompanying Ahmadinejad on his visit to Natanz was the Iranian defense minister—an odd addition to the party given Iran’s insistence that its uranium enrichment program was peaceful in nature.
Iranian technicians had spent all of 2007 installing 3,000 centrifuges in one of the underground halls at Natanz, and during his visit Ahmadinejad announced plans to begin adding 6,000 more, putting Iran in the company of only a handful of nations capable of enriching uranium at an industrial level. It was a sweet triumph over the many obstacles Iran had faced in the past decade—including technical difficulties, procurement hurdles and sanctions, and all of the political machinations and covert sabotage that had been aimed at stopping its program. The success of the enrichment program now seemed assured.
But Natanz wasn’t out of the woods just yet. Producing enriched uranium at an industrial scale required thousands of centrifuges spinning at supersonic speed for months on end with little or no interruption.[2]
And while Ahmadinejad was taking his victory lap among the devices, something buried deep within the bits and bytes of the machines that controlled them was preparing to stir up more trouble.
It was late in 2007 when President Bush reportedly requested and received from Congress $400 million to fund a major escalation in covert operations aimed at undermining Iran’s nuclear ambitions. The money was earmarked for intelligence-gathering operations, political operations to destabilize the government and stimulate regime change, and black-ops efforts to sabotage equipment and facilities used in the nuclear program.[3] The latter included the experimental efforts to manipulate computer control systems at Natanz.
Although Bush’s advisers had reportedly proposed the digital sabotage sometime in 2006, preparations for it had begun long before this, possibly even years before, if timestamps in the attack files are to be believed—the malicious code blocks that Stuxnet injected into the 315 and 417 PLCs had timestamps that indicated they had been compiled in 2000 and 2001, and the rogue Step 7 .DLL that Stuxnet used to hijack the legitimate Siemens Step 7 .DLL had a 2003 timestamp.[4]
It’s likely, however, that the clock on the computer used to compile the files was out of date or that the coders manipulated the timestamps to throw forensic investigators off. But if the timestamps were accurate, it would mean the attackers had held the malicious code in reserve for three to six years while the United States waited to see how the diplomacy game with Iran played out, then pulled out the code only in 2006 when it was clear that negotiations and sanctions had failed.
Some of the attack code was generic to a lot of Siemens systems, and not specifically tailored to the ones at Natanz, so it was possible that parts of the attack code grew out of a general research project aimed at uncovering vulnerabilities in all Siemens PLCs, not just the ones at Natanz. Siemens control systems were used extensively throughout Iran in various industries—the oil and gas industries, as well as the petrochemical and mineral industries—not just in its nuclear program. They were also used extensively in other regions of the Middle East. With cyberwarfare already on the horizon in the late ’90s, it would have made sense for the United States and Israel to invest in early research to uncover vulnerabilities in the Step 7 system and related Siemens PLCs—which came on the market in the mid ’90s—in anticipation that the knowledge would come in handy later.
Not all of the code was so generically applicable to Siemens systems, however: the blocks targeting the frequency converters and valves were specific to the configuration at Natanz and would have required foreknowledge of the exact components Iran planned to install at the plant, as well as intelligence about their precise configuration and operation. For the timestamps in these code blocks to be reliable, the programmers would have had to know in 2001 what equipment was going to be installed at a plant that wasn’t even constructed yet.
That part is not as outlandish as it seems: Iran had already tested its uranium enrichment process in small cascades of centrifuges at the Kalaye Electric factory sometime around 1999. Furthermore, in 2000 and 2002, the CIA recruited key suppliers in the Khan network who provided the agency with intelligence about some of the components the network had supplied to Iran and other Khan customers. So by the time ground broke on Natanz in 2000, the intelligence agency may already have known what equipment Iran planned to install at the plant, including the Siemens control systems.
David Albright of ISIS agrees that much of the information about Natanz could have been known in 2001.
“The cascade details, including the 164 centrifuges per cascade, number of stages [in the cascade], most valves, pressure transducers, and piping, could have been known [that early],” he says.[5]
But information about the Vacon and Fararo Paya frequency converters may not have been available then. “Frequency converters would be another matter, since Iran was acquiring them abroad back in that period from a variety of companies. So it would be hard to believe that Stuxnet’s designers in 2001 could count on them being from Finland or domestically assembled [by Fararo Paya]. Moreover, the first module [of cascades installed at Natanz in 2007] was built with a range of imported frequency converters.”[6]
In 2003, when the timestamp for the Step 7 doppelgänger indicates it was compiled, there was more information available about Natanz.
When IAEA inspectors paid their first visit to Natanz in February 2003, Iran already had a small cascade in place at the pilot plant and was preparing to install up to 1,000 centrifuges there by the end of the year. And as part of the IAEA’s inquiry into Iran’s nuclear program, Iran had to provide lists of equipment procured for Natanz and other nuclear facilities—lists that included machine tools, valves, and vacuum pumps.[7]
Intelligence agencies also had been monitoring Iran’s secret procurement activities and knew that a company named Neda Industrial Group—a leading industrial automation firm in Tehran—was involved in procurement for the nuclear program. The company worked with Kalaye Electric, the former watch factory that had been converted into a centrifuge factory, to install equipment at Natanz.[8]
Neda was also Siemens’s local partner in Iran, and in 2000 and 2001, according to the company’s website, it had installed Siemens S7 PLCs in other facilities in the country—the same model of PLCs that Stuxnet attacked. It wasn’t a stretch to think that if Neda installed these systems in other facilities, it had installed them at Natanz as well.
Siemens, in fact, did a brisk business selling automation equipment to various non-nuclear industries in Iran, but its machines found their way into nuclear ones as well. A 2003 letter from one Iranian firm to another, which Western sources later obtained, revealed that Siemens S7-300 and S7-400 controllers, along with the SIMATIC software needed to communicate with them, had been procured by a company named Kimia Maadan that was involved in uranium processing in Iran.[9]
It was believed the controllers were purchased for Iran’s Gachin mine, where Iran planned to mine natural uranium for processing in centrifuges.[10]
All of this information would have been known to the United States and Israel.
Although the initial plot might have been hatched by US Strategic Command under Gen. James Cartwright, it was up to the cyberwarriors of the NSA and US Cyber Command, working in conjunction with coders from Israel’s elite Unit 8200, to execute it.
To pull off the attack required a lot more intelligence than just knowledge of the equipment at Natanz. The attackers needed to know, for example, the exact frequency at which the converters operated and the exact configuration of the equipment. They couldn’t rely only on old blueprints and plans that might be out of date. They also needed extensive knowledge about how the Step 7 system worked and how the computers at Natanz were networked in order to reassure White House legal advisers that the code wouldn’t cause cascading effects on other systems. If they assumed there wasn’t a connection with outside computers and there was, the code would break loose and spread to other machines, possibly damaging them and exposing the operation. This is where tools like Flame and Duqu would have come in handy to gather data from the computers of systems administrators, who helped install and maintain the networks, and from contractors and others who programmed the PLCs. If Duqu was used, it could have been delivered via a phishing attack—like the one used to infect the Hungarian company. This worked for machines connected to the internet, such as a programmer’s laptop. But buried in the PLCs that weren’t connected to the internet was also configuration data about things like the number of Profibus cards connected to them and the model and number of frequency converters.
To get to that data, if it couldn’t be obtained another way, the attackers needed a flash drive to jump the air gap and get their spy tool onto a machine connected to the PLCs. Since, as previously noted, PLC programmers generally work on laptops not connected to the control network, then connect their laptop physically to a machine on the PLC network or copy their programming files to a flash drive and carry it to a machine on that network, this would have been a simple way to achieve that. The attackers could have retrieved data about the PLCs and control network in reverse—using malware that recorded data from these systems onto the flash drive, which the programmer would have brought back to his internet-connected laptop, where it could be retrieved. It’s also been reported that the intelligence agencies used special implants embedded in non-networked machines in Iran that transmitted data about infected systems via radio waves.[11]