Countdown to Zero Day

Years before the Iran nuclear negotiations the U.S. wielded Stuxnet, “the world’s first digital weapon.”

Earlier this month Iran and the United States, along with five other world powers, announced the framework of an agreement that would limit Iran’s nuclear program over the next decade-and-a-half. “The plan,” according to the New York Times, “would keep Iran’s nuclear facilities open under strict production limits … [and] holds the potential of reordering America’s relationship with a country that has been an avowed adversary for 35 years…. Under the accord, Iran [has] agreed to cut the number of operating centrifuges it has by two-thirds … and to cut its current stockpile of low-enriched uranium from around 10,000 kilograms to 300 for 15 years.”

It wasn’t that long ago that the United States pursued an entirely different approach to keeping Iran from realizing its nuclear goals—namely, unleashing a destructive digital weapon that aimed to sabotage Iran’s uranium enrichment program. Stuxnet, as the malicious program came to be known, reached beyond the computers it targeted and physically destroyed the equipment those computers controlled, causing centrifuges at an Iranian uranium enrichment plant (outside Natanz) to fail, wasting valuable uranium gas in the process.

In the following Failure Interview, Kim Zetter, author of the recent book “Countdown to Zero Day” (Crown), describes how Stuxnet worked, how it was discovered, and what it accomplished, while also addressing the implications of so-called zero-day exploits (Stuxnet utilized several), which are designed to target security holes in software that are unknown to the vendor.

In effect, Stuxnet ushered in an age of cyber warfare, in which every country’s critical infrastructure is vulnerable to digital attack, with potentially devastating results. While the U.S. is arguably the world’s leader with regard to cyberwar capabilities, “there are a lot of countries that are trying to gain parity with us,” begins Zetter, “and in the digital realm, it is a lot easier for countries that don’t necessarily have the resources to launch a conventional attack to obtain the resources for digital warfare.” But this is a story that begins with Stuxnet, which was unleashed in 2009….

Failure: What was Stuxnet and what was it designed to do?

Zetter: Stuxnet was a malicious program—what I would refer to as a digital weapon—that was designed to cause physical destruction. Most viruses and malicious programs are designed to steal data—for instance, a banking Trojan will steal passwords to bank accounts—or they are designed to somehow affect the computer; to make the computer crash or make it operate slowly or even delete information. But Stuxnet went beyond that and was designed not to affect the computers that it was infecting, but to affect other equipment that those computers were controlling; in this case, to affect them to such degree that the equipment would be destroyed. So it reached beyond the digital realm into the physical realm to alter and sabotage equipment that computers would control.

How was Stuxnet discovered?

It was discovered completely by chance. Some computers in Iran that were not the targeted computers started to crash and reboot repeatedly and the owners of the systems couldn’t figure out what was going on. They contacted an antivirus company in Belarus that sold them antivirus software [VirusBlokAda] and researchers at that company remotely examined the infected computers and found files that they thought were suspicious. They started to take them apart and noticed something unusual about the code. And that was sufficient to get other more experienced researchers to take a look. Those researchers—over a period of months—reverse engineered the code and finally figured out what it was doing.

How did Stuxnet spread?

It spread in multiple ways. Stuxnet, like conventional weapons, had two parts—the missile portion [the delivery system] and the payload part. Because the targeted systems were not connected to the Internet, they couldn’t be reached remotely via the usual methods, so the hackers had to jump the “air gap.” And they did this by designing an exploit that would carry the worm on a USB stick to any Windows computer that that USB stick was inserted into—and once it was transferred from the USB stick to an infected computer it had multiple other ways of spreading on the internal network.

How long did it take to ascertain what Stuxnet had done and how it was accomplished?

The researchers at Symantec noticed pretty quickly that it was doing something to Siemens PLCs—programmable logic controllers. Stuxnet was discovered in June 2010 and made public in July 2010, and within two weeks—after the code had been made available to other researchers—researchers at Symantec ascertained that it was injecting some kind of code into Siemens PLCs. They assumed that if it was sending code, it was probably malicious code. But it took another four months, until November 2010, for them to really ascertain, finally, everything that the code was doing and, to a certain degree, what it was targeting.

Why was Stuxnet undetectable—at least for most antivirus programs?

The missile portion had one reason why it went undetected and the payload portion had a different reason. The missile portion used what are called zero-day exploits to spread. A zero-day exploit is malicious code that is designed to target a zero-day vulnerability—a security hole in software that is unknown to the vendor, and therefore, unpatched. And because it is unknown to the vendor it is also unknown to antivirus companies, so they don’t have signatures in their scanners that will detect this code.

The payload portion that affected the PLCs didn’t get detected on the systems because Stuxnet was designed in a very clever way to avoid detection. When the equipment it was sabotaging started to break down, the technicians in Iran would have noticed, except when they tried to examine the code on the PLCs to determine if there was anything malicious, Stuxnet was prepared for that. It would watch for any attempt to [read] the code on the PLCs and would intercept that request and feed back to the requester [fake] code, so that technicians wouldn’t see any malicious code.

How successful was Stuxnet in terms of accomplishing its goal?

That is unclear. Stuxnet had some effect on the uranium enrichment program because we know that the Iranians had to replace somewhere between a thousand and two-thousand centrifuges. And the Iranians had certain expectations about how much uranium they would be able to enrich, and the actual numbers fell far short of expectations.

But Stuxnet was caught early—prematurely. The facility it was targeting wasn’t up to full speed yet, so it was doing its sabotage in the early stages of the Iranian program. If it had been allowed to continue—or had it been unleashed in later stages—it probably would have had a greater effect. The end result is that it set back the Iranian enrichment program to a certain degree—there are estimates between one and three years—but for the most part the Iranians recovered fairly quickly.

It might be difficult for some people to get their heads around the idea that a computer virus can be used to destroy physical equipment and infrastructure—and you don’t even need remote access.

There have been scenarios like this posited by Hollywood for a while, and there have been small proof-of-concepts done by researchers but nothing at this scale. Theoretically people imagined that this might be possible, but we hadn’t seen it in action. Stuxnet was the proof that it could be done this way.

How vulnerable is our critical infrastructure—like power plants, water plants, gas facilities, emergency phone systems, etc.?

It’s all pretty vulnerable. They are all vulnerable in different ways, though, because they use different equipment and are configured differently and have different software. So it’s not like you can design one attack to hit everything. But the systems used to control [critical infrastructure] were designed years ago and not really designed for security. And in the intervening years they have also been connected to the Internet in a number of cases. So when you combine a vulnerable system and Internet access then you create the ability for hackers to remotely attack them. So, yes, they are vulnerable.

Who is buying zero-day exploits, and what are the implications?

Zero-day exploits are bought for both good reasons and malicious reasons. Vendors will buy zero-day exploits that are discovered in their software. Researchers will uncover these vulnerabilities and then sell the information to vendors, with the aim that the vendor will then patch it and make it more secure. But there are criminals that trade in zero-day exploits; you can find them on the underground market. And hackers will sell valuable zero-days. But the primary market for zero-days—and it’s a fairly recent development, in the past few years—is government, law enforcement, and intelligence agencies. They use these exploits to spy on people and to do surveillance.

Are we now in an age of cyberwar?

We are, but I think we have to be very careful about the use of that term because it can be used for a lot of scenarios where it doesn’t apply. An act of war under international law is very carefully defined.

Are we going to need rules of war for cyberwar?

We do have rules of war. There was a group of legal experts who came out with a report called the Tallinn Manual. These experts looked at the precise question: Do we need new rules of war to govern cyber warfare? Or do the existing rules of war govern cyber activity? Their conclusion was mixed. They concluded that, for the most part, the current rules of war do apply for cyber, and can be successfully applied under the same circumstances. But there were scenarios that they encountered in digital warfare that don’t exist in the physical realm, and therefore the legal questions around them are unresolved. So we either need new rules of war for cyber warfare or we need new interpretations to understand how these existing laws and rules would apply in the digital realm.

I’ll give you one example: In the physical realm we have a clear distinction between espionage and acts of force. Espionage is not considered an act of war. It’s something that all nation-states do against one another and it’s not something that you go to war over. In the digital realm, espionage activities and acts of force are a little harder to distinguish. The same tools that are used for digital espionage are also used for digital sabotage. When someone is physically breaking into an office to steal secrets it’s pretty clear what that is. When someone is breaking into a computer system and planting malware on the system it may be to steal secrets, but it may also be to implant tools that can cause sabotage. So it’s difficult to interpret the intentions and motives in digital attacks. You can’t do it the same way as you can in the physical realm.

So there are a lot of questions left unanswered. There are other questions, for instance, about the intent behind an attack that doesn’t succeed. I’ll give you an example. When someone launches a missile against an enemy, a Patriot missile can intercept that missile and prevent destruction. But most people would say that is still an intended attack. Whether or not it succeeded, the intent was to cause physical destruction. In a cyberattack, however, you can spot an attack coming (if you have the tools in place) and divert it, and then it never reaches its intended target and never causes any destruction. Is that then going to be interpreted in the same way? Is that considered an attack? It never reached its targeted computers and you don’t really know what it might have done once it reached them. So there are a lot of questions left unanswered, and I think that Stuxnet was launched prematurely in some regards, without all the questions worked out.

In your opinion, do you believe our adversaries are preparing offensive weapons to use against us and waiting for the right time to use them?

They have been. For as long as the U.S. has been developing them, some of our adversaries have been developing them. I point out in the book that U.S. offensive capabilities in the digital realm started in the 1990s. China began developing offensive capabilities then as well. Russia has pretty advanced capabilities. I think the U.S. would probably be considered the leader, but there are a lot of countries that are trying to gain parity with us, and in the digital realm, it is a lot easier for countries that don’t necessarily have the resources to launch a conventional attack to obtain the resources for digital warfare. So we have to be aware that the enemies we have in the physical realm might not be the same enemies that we’ll have in the digital realm. The list of possible, capable enemies grows.