Countdown to Zero Day

Years before the Iran nuclear negotiations the U.S. wielded Stuxnet, “the world’s first digital weapon.”

April 5, 2015—Earlier this month Iran and the United States, along with five other world powers, announced the framework of an agreement that would limit Iran’s nuclear program over the next decade-and-a-half. “The plan,” according to the New York Times, “would keep Iran’s nuclear facilities open under strict production limits … [and] holds the potential of reordering America’s relationship with a country that has been an avowed adversary for 35 years…. Under the accord, Iran [has] agreed to cut the number of operating centrifuges it has by two-thirds … and to cut its current stockpile of low-enriched uranium from around 10,000 kilograms to 300 for 15 years.”

It wasn’t that long ago that the United States pursued an entirely different approach to keeping Iran from realizing its nuclear goals—namely, unleashing a destructive digital weapon that aimed to sabotage Iran’s uranium enrichment program. Stuxnet, as the malicious program came to be known, reached beyond the computers it targeted and physically destroyed the equipment those computers controlled, causing centrifuges at an Iranian uranium enrichment plant (outside Natanz) to fail, wasting valuable uranium gas in the process.

In the following Failure Interview, Kim Zetter, author of the recent book “Countdown to Zero Day” (Crown), describes how Stuxnet worked, how it was discovered, and what it accomplished, while also addressing the implications of so-called zero-day exploits (Stuxnet utilized several), which are designed to target security holes in software that are unknown to the vendor.

In effect, Stuxnet ushered in an age of cyber warfare, in which every country’s critical infrastructure is vulnerable to digital attack, with potentially devastating results. While the U.S. is arguably the world’s leader with regard to cyberwar capabilities, “there are a lot of countries that are trying to gain parity with us,” begins Zetter, “and in the digital realm, it is a lot easier for countries that don’t necessarily have the resources to launch a conventional attack to obtain the resources for digital warfare.” But this is a story that begins with Stuxnet, which was unleashed in 2009….

Failure: What was Stuxnet and what was it designed to do?
Zetter: Stuxnet was a malicious program—what I would refer to as a digital weapon—that was designed to cause physical destruction. Most viruses and malicious programs are designed to steal data—for instance, a banking Trojan will steal passwords to bank accounts—or they are designed to somehow affect the computer; to make the computer crash or make it operate slowly or even delete information. But Stuxnet went beyond that and was designed not to affect the computers that it was infecting, but to affect other equipment that those computers were controlling; in this case, to affect them to such degree that the equipment would be destroyed. So it reached beyond the digital realm into the physical realm to alter and sabotage equipment that computers would control.

How was Stuxnet discovered?
It was discovered completely by chance. Some computers in Iran that were not the targeted computers started to crash and reboot repeatedly and the owners of the systems couldn’t figure out what was going on. They contacted an antivirus company in Belarus that sold them antivirus software [VirusBlokAda] and researchers at that company remotely examined the infected computers and found files that they thought were suspicious. They started to take them apart and noticed something unusual about the code. And that was sufficient to get other more experienced researchers to take a look. Those researchers—over a period of months—reverse engineered the code and finally figured out what it was doing.

How did Stuxnet spread?
It spread in multiple ways. Stuxnet, like conventional weapons, had two parts—the missile portion [the delivery system] and the payload part. Because the targeted systems were not connected to the Internet, they couldn’t be reached remotely via the usual methods, so the hackers had to jump the “air gap.” And they did this by designing an exploit that would carry the worm on a USB stick to any Windows computer that that USB stick was inserted into—and once it was transferred from the USB stick to an infected computer it had multiple other ways of spreading on the internal network.

How long did it take to ascertain what Stuxnet had done and how it was accomplished?
The researchers at Symantec noticed pretty quickly that it was doing something to Siemens PLCs—programmable logic controllers. Stuxnet was discovered in June 2010, it was made public in July 2010, and within two weeks—after the code had been made available to other researchers—researchers at Symantec ascertained that it was injecting some kind of code into Siemens PLCs. They assumed that if it was sending code, it was probably malicious code. But it took another four months, until November 2010, for them to really ascertain, finally, everything that the code was doing and to a certain degree, what it was targeting.

Why was Stuxnet undetectable—at least for most antivirus programs?
The missile portion had one reason why it went undetected and the payload portion had a different reason. The missile portion used what are called zero-day exploits to spread. A zero-day exploit is malicious code that is designed to target a zero-day vulnerability—a security hole in software that is unknown to the vendor, and therefore, unpatched. And because it is unknown to the vendor it is also unknown to antivirus companies, so they don’t have signatures in their scanners that will detect this code.

The payload portion that affected the PLCs didn’t get detected on the systems because Stuxnet was designed in a very clever way to avoid detection. When the equipment it was sabotaging started to break down, the technicians in Iran would have noticed, except when they tried to examine the code on the PLCs to determine if there was anything malicious, Stuxnet was prepared for that. It would watch for any attempt to [read] the code on the PLCs and would intercept that request and feed back to the requester [fake] code, so that technicians wouldn’t see any malicious code.
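The read-interception behaviour Zetter describes above has a simple defensive lesson: an integrity check of PLC logic that travels through the same, possibly compromised, host proves nothing. The following is an added illustration by the editor, not part of the interview and not Stuxnet’s code; it uses a constructed in-memory “PLC” and two hypothetical read paths rather than any real Siemens API, and shows that only a read from an independent path (or a comparison of two paths) exposes the modified logic.

```python
"""Toy model of PLC logic verification through two read paths.

Constructed illustration: the PLC is a dict of named logic blocks, the
"drivers" are plain classes, and the block contents are made-up bytes.
Nothing here talks to real hardware or a vendor API.
"""
import hashlib


def digest(blocks):
    """Hash all logic blocks in a fixed order so the result is deterministic."""
    h = hashlib.sha256()
    for name in sorted(blocks):
        h.update(name.encode())
        h.update(b"\x00")
        h.update(blocks[name])
    return h.hexdigest()


class Plc:
    """Holds the logic actually running on the (simulated) controller."""
    def __init__(self, blocks):
        self.blocks = dict(blocks)

    def read_all(self):
        return dict(self.blocks)


class IndependentDriver:
    """Read path that genuinely queries the device (e.g. a separate, trusted host)."""
    def __init__(self, plc):
        self.plc = plc

    def read_blocks(self):
        return self.plc.read_all()


class InterceptingDriver:
    """Models the behaviour described in the interview: every read request is
    answered from a saved copy of the original logic instead of the device."""
    def __init__(self, plc, saved_copy):
        self.plc = plc
        self.saved_copy = dict(saved_copy)

    def read_blocks(self):
        return dict(self.saved_copy)


def verify_against_baseline(driver, baseline_digest):
    """True if what this read path returns matches the commissioning baseline."""
    return digest(driver.read_blocks()) == baseline_digest


def cross_check(driver_a, driver_b):
    """True if two read paths agree; a mismatch flags a compromised path."""
    return digest(driver_a.read_blocks()) == digest(driver_b.read_blocks())


def demo():
    """Run the scenario and return which checks caught the modification."""
    # Constructed logic blocks recorded at commissioning time.
    original = {"OB1": b"network-1: call FC1", "FC1": b"setpoint := 1000"}
    baseline = digest(original)
    plc = Plc(original)

    # Logic on the device is later modified (the event a defender wants to catch).
    plc.blocks["FC1"] = b"setpoint := 1410"

    independent = IndependentDriver(plc)
    intercepting = InterceptingDriver(plc, original)

    return {
        "independent_read_matches_baseline": verify_against_baseline(independent, baseline),
        "intercepted_read_matches_baseline": verify_against_baseline(intercepting, baseline),
        "two_paths_agree": cross_check(independent, intercepting),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The intercepted path reports a clean match against the baseline even though the running logic has changed; only the independent read, or the disagreement between the two paths, reveals the modification. This is why a baseline recorded at commissioning and a verification channel that does not depend on the engineering workstation belong in any PLC integrity-monitoring plan.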

How successful was Stuxnet in terms of accomplishing its goal?
That is unclear. Stuxnet had some effect on the uranium enrichment program because we know that the Iranians had to replace somewhere between a thousand and two-thousand centrifuges. And the Iranians had certain expectations about how much uranium they would be able to enrich, and the actual numbers fell short of expectations.

But Stuxnet was caught early—prematurely. The facility it was targeting wasn’t up to full speed yet, so it was doing its sabotage in the early stages of the Iranian program. If it had been allowed to continue—or had it been unleashed in later stages—it probably would have had a greater effect. The end result is that it set back the Iranian enrichment program to a certain degree—there are estimates between one and three years—but for the most part the Iranians recovered fairly quickly.

It might be difficult for some people to get their heads around the idea that a computer virus can be used to destroy physical equipment and infrastructure—and you don’t even need remote access.
There have been scenarios like this posited by Hollywood for a while, and there have been small proof-of-concepts done by researchers but nothing at this scale. Theoretically people imagined that this might be possible, but we hadn’t seen it in action. Stuxnet was the proof that it could be done this way.

How vulnerable is our critical infrastructure—like power plants, water plants, gas facilities, emergency phone systems, etc.?
It’s all pretty vulnerable. They are all vulnerable in different ways, though, because they use different equipment and are configured differently and have different software. So it’s not like you can design one attack to hit everything. But the systems used to control [critical infrastructure] were designed years ago and not really designed for security. And in the intervening years they have also been connected to the Internet in a number of cases. So when you combine a vulnerable system and Internet access then you create the ability for hackers to remotely attack them. So, yes, they are vulnerable.
