This week’s True Lies contribution draws from Vanity Fair, the NYT, Wikipedia, and Foreign Policy. These articles in turn mostly reference the same primary sources (see the Kaspersky Labs and F-Secure Weblog press release URLs in the Sources section at the end). Much of what I’ve written below is either a complete or partial copy of these primary and secondary sources. It’s not original research; just reassembled by topic, and put in chronological order to make it more easily understood.
In summary, the computer worm Stuxnet gained a foothold in fourteen different Iranian industrial sites and probably reduced the amount of uranium enriched by 30% over two years (2009-2010), thereby setting back Iran’s nuclear aspirations by about three years. As a consequence, 2015 is now the most recent estimate as to when Iran will have enough enriched uranium to make an atom bomb. With negotiations between the US, Germany, allies and Iran ongoing, it’s topical to refresh everyone’s memory. In Sea of Lies, anti-hero Bob Nolan was the gray eminence behind the CIA’s and NSA’s commitment to the Stuxnet program. Bob won a medal, a promotion and a relocation to Singapore in the fictitious aftermath of Stuxnet’s wreaking havoc on Iran’s nuclear weapons program. So that’s a second reason Stuxnet is a topic close to my heart.
Stuxnet broke new ground by being the first large-scale state-sponsored cyber weapon. Stuxnet was much more complicated than its predecessors. It also was much more focused in its target. The implications are frightening. The world now has a template for creating other highly targeted worms. In addition, the Stuxnet attacks signal new acceptable limits for cyber espionage and undeclared cyber warfare. Some observers believe that these two developments are more troubling than the actual damage caused by Stuxnet. Pandora’s Box is open, and we will all be seeing what the law of unintended consequences holds in store.
I’m still in North Woods mode, so once again there aren’t any photographs or footnotes. There is, however, a short bibliography at the end of the piece.
Bradley West, British Columbia, 12 July 2015
Iran’s Nuclear Weapons Program: Too Dangerous to be Allowed to Succeed
Iran has been trying since the 1980s to build a nuclear weapon, both for reasons of defense (against Israel first and foremost), and as a matter of national pride and regional prestige. Israel is determined that Iran shall not obtain or build nukes, viewing this as an existential threat.
One of the major stumbling blocks in making a nuclear bomb lies in obtaining weapons grade uranium. States that have it don’t sell it. To make it you need to enrich (concentrate) lower purity uranium via a Uranium Enrichment Program (“UEP”) to produce U-235. So Iran started a nuclear electricity industry in order to cloak its UEP. Their peaceful power generation facility is at Bushehr, but the main facility that produces Weapon-Grade Uranium (“WGU”) is at Natanz.
Iran purchased centrifuge designs (the six-foot high “P-1” machine) sold on the black market by Pakistani nuclear scientist A. Q. Khan. Others describe the P-1s as “balky, badly designed” machines. Inside the P-1, an aluminum rotor spins uranium hexafluoride gas at 68,000 RPM, slowly concentrating WGU.
Iran manufactured over 9000 of their own version of the P-1, calling them “IR-1s”. 4000 eventually ended up in Natanz while 5000 more were spares. The IR-1s were all-metal designs and, if the parts were manufactured with precision, the centrifuges would work reliably. But Iran couldn’t achieve the milling tolerances required, and thus had a hard time keeping its IR-1s functioning. One stopgap measure was to lower the operating pressure to put less mechanical stress on the delicate rotors. But less pressure means less WGU. The average IR-1 was operating at only half the efficiency of the original Dutch design that A. Q. Khan stole.
Iran’s centrifuges often broke down. As there were plenty of spares on hand, when machines died they were replaced and the new IR-1s swiftly went in line. The Iranians built a cascade protection system that allowed the enrichment process to keep going even when centrifuges in the same network were failing and going off line.
It so happened that Siemens software ran the Programmable Logic Controllers (“PLCs”, computers contained in gray plastic boxes the size of a pack of crayons) which managed the uranium enrichment cascades conducted by these networked centrifuges. Variable-frequency (frequency converter) drives comprise a key ancillary piece of equipment that works in conjunction with the Siemens S7-300 software system and the IR-1 centrifuges. Iran sourced frequency converter drives from Vacon (Finland) and Fararo Paya (Iran).
The enrichment process operates painfully slowly. Despite hundreds of IR-1s running round the clock, Iran was going to need 2-3 years to amass enough U-235 of sufficiently high (>25%) purity to produce a fissionable core for a bomb.
Israel had publicly stated that it wasn’t going to let Iran have the atom bomb. Israel’s options were to bomb various aspects of Iran’s nuclear program (as had been done in Iraq and Syria in the past), assassinate key members of the development team, or pursue another course of action.
The US feared an Israeli strike against Iran’s nuclear infrastructure would unite the normally divided Muslim nations in the region into attacking Israel as one. This in turn could spark a regional war in the Middle East that could blossom into WWIII. The second concern was that Iran’s nuclear weapons labs and factories were so deeply dug into hardened shelters and scattered around the country that any strike using even bunker-busting bombs wouldn’t necessarily work.
The leader of Iran’s weapons development program, Mohsen Fakhrizadeh, is in hiding as he sits atop a targeted assassination list that has seen at least four victims in the last four years. The Mossad is suspected.
Tracing Stuxnet v.1.0’s and v.2.0’s origins
Stuxnet’s two versions shared a key trait, namely that they were designed with a single target in mind, the IR-1 centrifuge. Stuxnet sits idle and is harmless within a network unless it finds a specific combination of software connected to particular hardware. This was the genius conceptual breakthrough of Stuxnet, and with hackers and nations alike appreciating the infinite possible variations, the lid is off Pandora’s Box in the cyber warfare arena.
Stuxnet acts only on industrial Programmable Logic Controllers (“PLCs”) manufactured by Siemens. Furthermore, Stuxnet targeted only the IR-1 centrifuges used by Iran’s UEP to create WGU. (Iran bought its Siemens PLCs on the black market: these were an embargoed item.)
One insight of Stuxnet’s developers was that it was going to be easier to insert Stuxnet into computer maintenance contractors’ laptops and thumb drives, than it was to launch a direct assault on the many firewalls and intrusion detection systems protecting Iran’s nuclear weapons program.
The two Stuxnet worms were released in sequence with great effort made in each version to disguise the origins, function and specialist software bundled within:
Version 1.0 (Summer 2009 release): The original incarnation was a large worm for the time at 500k, and was written mostly in C and C++ languages. To the eye of the casual IT security expert, Stuxnet 1.0 looked like legit software for Siemens PLCs, missing only a copyright notice and (false) license terms. It even came with a digital authentication, something akin to the Good Housekeeping Seal of Approval and thought to be very hard to either fake or steal. Stuxnet version 1.0 needed to be manually installed on a victim’s machine, most likely via USB drive or infected maintenance contractor laptop.
Version 1.0 of Stuxnet over-pressurized centrifuges by sabotaging the system meant to keep the cascades of centrifuges safe. The ultimate target was Siemens S7-417 controllers that acted on centrifuge isolation and exhaust valves. Stuxnet’s program attacked each controller about once a month. Stuxnet hid the attack by recording an ordinary operating sequence for 21 seconds, then replaying that recording in a loop during the attack. In the control room, all appeared normal.
Then Stuxnet closed the isolation valves for the first and last two enrichment stages, blocking the outflow of gas from each array (“cascade”) of IR-1s, and thereby raising the internal pressure. Too much pressure can cause gaseous uranium hexafluoride to solidify, thereby destroying the IR-1. The attackers were getting feedback in real time on the effects of their attacks. They pulled back their attacks before there were large enough failures that the Iranians would realize something was amiss, shut everything down and then start over with uninfected hardware and software.
Version 2.0 (Spring 2010 release): The second Stuxnet payload started in 2009 but came to full fruition in March 2010. It was much easier to detect than its predecessor. Version 2.0 self-propagated within networks once downloaded via USB memory stick. The newer version incorporated four zero-day flaws in Microsoft Windows software (see below). The device drivers were digitally authenticated by stolen private keys sourced first from Taiwan’s Realtek and then JMicron of the Netherlands (but with an office in the same Hsinchu Science Park in Taiwan that Realtek operated out of). One expert believes that only the NSA could have engineered Stuxnet v.2.0. The downside was that anyone who saw it would immediately know that this was an elaborate worm that warranted a close look.
Version 2.0 worked in a three-step process:
- Targeted only Windows networks and machines, copying itself. Neither the machines nor the network had to be connected to the internet for this module to work.
- It only sought out Siemens Step7 software.
- It corrupted Siemens PLCs which in turn caused the IR-1 centrifuges to underperform.
Stuxnet’s masters set up websites in Denmark and Malaysia configured as command and control servers for the intelligence gathering aspect of the project. These sites allowed the programmers to update the software (“like repairing a drone while in-flight”), as well as upload information from the infected computers and networks. Stuxnet reported all IP addresses and hostnames of infected systems back to home base via these two sites (subsequently shut down without a trace).
Stuxnet exploited four zero-day (i.e., previously unknown and unpatched) flaws to do its work. Stuxnet started with Windows, it then sought out the Siemens Step7 software, and then finally Siemens S7 PLCs. The four zero-day flaws included:
- LNK vulnerability was used to spread the worm via USB drives
- The shared print-spooler flaw was used to spread in networks with shared printers
- The third and fourth flaws had to do with privilege escalation, allowing the worm to gain system-level privileges even when computers were locked down
Once Stuxnet was discovered (or revealed to the world) in June 2010, the press then erroneously reported two extreme versions of the story:
- Stuxnet caused the centrifuges to spin out of control and self-destruct or
- The Iranians found and disabled Stuxnet before much damage occurred.
In truth, Stuxnet was far more subtle (and long-term effective) than either scenario above envisaged. Stuxnet periodically changed the connected motors’ speeds, increasing them to 1410 Hz and dropping them down to 2 Hz before allowing them to revert to their designed 1064 Hz. While these speed changes can lead to centrifuge destruction, more often they result in greatly slowing down the IR-1s’ operating efficiencies.
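Two of the behaviours described above (the 21-second recording replayed to the control room, and the drive speeds being pushed far from their 1064 Hz design value) are the kind of thing an operator-side monitor can catch. The following is an added example, not code from the original post or from any of its sources: a small Python checker that flags a telemetry feed that repeats verbatim in fixed windows, and cross-checks it against independently logged drive frequency commands. The tolerance band around the nominal speed and all sample readings are constructed assumptions for illustration.

```python
"""Defender-side checks for two Stuxnet-style telltales in ICS telemetry:
1. an HMI sensor feed that loops a recorded window verbatim, and
2. drive frequency commands far outside the centrifuges' design band.
All sample data below is constructed for illustration (not real plant data).
"""
import random
from typing import Dict, List, Optional, Tuple

NOMINAL_HZ = 1064.0   # design speed quoted in the post
TOLERANCE_HZ = 50.0   # assumed acceptable band around nominal (hypothetical)
REPLAY_WINDOW = 21    # length of the recorded sequence described in the post


def find_replay_loop(samples: List[float], window: int = REPLAY_WINDOW,
                     min_repeats: int = 3) -> Optional[int]:
    """Return the index at which a block of `window` samples starts repeating
    verbatim at least `min_repeats` times in a row, or None if no loop exists.
    Genuine sensor streams carry measurement noise, so an exact repetition of
    an entire window is a strong sign that the feed is being replayed."""
    for start in range(0, len(samples) - window * min_repeats + 1):
        block = samples[start:start + window]
        repeats = 1
        while samples[start + repeats * window:start + (repeats + 1) * window] == block:
            repeats += 1
        if repeats >= min_repeats:
            return start
    return None


def frequency_excursions(commands: List[Tuple[int, float]],
                         nominal: float = NOMINAL_HZ,
                         tol: float = TOLERANCE_HZ) -> List[Tuple[int, float]]:
    """Return (timestamp, hz) entries whose commanded frequency lies outside
    nominal +/- tol. Drive logs are read from the drive side, independently of
    the HMI feed, so a replayed feed cannot mask them."""
    return [(t, hz) for t, hz in commands if abs(hz - nominal) > tol]


def assess(sensor_feed: List[float],
           drive_commands: List[Tuple[int, float]]) -> Dict[str, object]:
    """Combine both checks. A looping HMI feed that coincides with out-of-band
    drive commands is the discrepancy an operator should alarm on: the screen
    says 'normal' while the drives are being driven to 1410 Hz or 2 Hz."""
    loop_at = find_replay_loop(sensor_feed)
    excursions = frequency_excursions(drive_commands)
    return {
        "replay_detected": loop_at is not None,
        "replay_start": loop_at,
        "excursions": excursions,
        "feed_contradicts_drives": loop_at is not None and len(excursions) > 0,
    }


# Constructed telemetry: 40 noisy, genuine readings followed by one 21-sample
# recording replayed four times (the behaviour the post attributes to Stuxnet).
_rng = random.Random(7)
_genuine = [round(_rng.gauss(NOMINAL_HZ, 0.8), 3) for _ in range(40)]
_recorded = [round(_rng.gauss(NOMINAL_HZ, 0.8), 3) for _ in range(REPLAY_WINDOW)]
SENSOR_FEED = _genuine + _recorded * 4

# Constructed drive-side command log (timestamp in seconds, commanded Hz).
DRIVE_COMMANDS = [
    (0, 1064.0), (60, 1065.2), (120, 1410.0),
    (180, 1063.5), (240, 2.0), (300, 1064.0),
]

if __name__ == "__main__":
    print(assess(SENSOR_FEED, DRIVE_COMMANDS))
```

The replay check relies on exact repetition, which real noise makes vanishingly unlikely; a production monitor would also compare the HMI feed against a second, independently wired sensor, since that is precisely the trust boundary the 21-second loop exploited.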
The Iranians incurred much expense and frustration in trying to get their IR-1s running properly. The political overseers of the UEP thought that their engineers and managers were incompetent given how long the WGU purification step was taking. The head of the program lost his job in July, 2009 when an “accident” occurred at Natanz.
But eventually the Natanz managers figured out something was terribly wrong and took 984 linked centrifuges offline simultaneously. Note that there was one line of Stuxnet code aimed at sending commands to exactly 984 machines linked together: this was a laser-guided worm.
The centrifuge count reported by the Federation of American Scientists shows that the number of enrichment centrifuges operational in Iran dropped from 4700 to 3900 in early 2010.
Stuxnet v.2.0 had three modules:
- A worm that executed all routines related to uploading the two “warheads” (attack modules)
- A link file that automatically ran the propagated copies of the worm
- A rootkit component responsible for hiding all malicious files and processes, preventing detection of Stuxnet using a “man in the middle” attack that faked control sensor signals (via that 21 second loop) so that the infected system did not shut down.
New versions of Stuxnet apparently were embedded in seemingly authentic updates of Windows programs. Anyone running a Windows Update routine on the second Tuesday of the month could well be injecting Stuxnet into their computer.
The propagators gave (or infected) flash drives to contractors (perhaps from Russia) performing computer maintenance on Iran’s nuclear weapons program’s computers. The worm spread through the network looking for Siemens Step7 software on computers controlling a PLC. When Stuxnet found what it was looking for, it went to work while shielding its activities from the human and software monitors active in the network.
Stuxnet was unique in the number of self-inhibitors built into it. Not only was it supposed to self-erase on 24 Jun 2012, but also it prevented a single USB drive from infecting more than three devices. Richard Clarke, former head of counter-terrorism under Clinton and Bush, took this to be proof of US involvement, saying he could see the lawyers’ fingerprints all over the code.
Iran and cyber warfare
If nothing else, Stuxnet and its predecessors Flame and Duqu forced Iran to create its own cyber capability to defend its interests and start hitting back. Over the last five years, Iran has played catch-up and as of 2013 claimed to have the world’s fourth largest cyber army. Their budget could be US$1bn p.a. Russia, Hezbollah and China assist Iran in cyber espionage activities. Notable events:
- Revolutionary Guard sets up own unit in March, 2011
- Theft of hundreds of digital certificates in June, 2011 from DigiNotar of the Netherlands. Iranian hacker “Comodohacker” takes responsibility but most see it as state-sponsored.
- Ayatollah Ali Khamenei founds the High Council of Cyberspace with a $1 billion budget.
- In February, 2012 US officials privately dismissed Iran’s cyber warfare efforts as “trifling”. In short order, Iran (or a proxy) did the following:
- Apr, 2012: Hacks AP’s Twitter feed to report Obama injured in two White House bombs. Stock markets plummeted until a corrected version came out
- Aug, 2012: Saudi Aramco saw the hard drives wiped out on 30,000 employee PCs, with only a burning US flag left on the screen
- Sep, 2012: US banks attacked in DDOS campaigns that were massive, hard to stop, and eventually may have cost 20-30 banks US$10m each
- Dec, 2012: Iran conducted an anti-cyber warfare drill in Hormuz
A hacker in Iran going by “Mormoroth” claimed to be a Sunni (!) in charge of “Qassam”, the organization asserting it was behind the attacks on US banks.
Israel and the US: Stuxnet’s Parents
Most observers believe that the US and Israel cooperated in producing Stuxnet. Experts believe that as many as 30 programmers worked six months to create the first version. Several programming styles are in evidence. In July 2013, Edward Snowden confirmed that the US and Israel co-developed Stuxnet.
Israel
There are at least two embedded clues pointing to Israel:
- “Myrtus” (the Latin word denoting the genus of the myrtle tree) appears in one line of Stuxnet’s code. In Hebrew the name of the myrtle tree is Hadassah, which in turn was the birth name of Esther, the Jewish queen of Persia. In the Old Testament, Esther foils a Persian plot.
- The date 24 Sep 2007 is the day that Iran’s president Ahmadinejad questioned the authenticity of the Holocaust in an address at Columbia University. This date appears several times as a hand-coded date stamp within the program.
There’s no incontrovertible proof, but it seems likely – perhaps even beyond a reasonable doubt – that the Israelis played a leading role. They had the greatest motive, too.
Israel’s Unit 8200 is deemed by some to be the principal agency behind Stuxnet, assisted by the US alphabet organizations: CIA, NSA, DOE (Dept. of Energy).
Israel’s own nuclear program requires centrifuges. Informed speculation suggests that Israel (perhaps aided by the US) built IR-1s and installed them in the same cascade configuration used in Natanz in Israel’s secret nuclear weapons base at the Dimona complex in the Negev desert. Dimona became the testing ground for Stuxnet prototypes, using real uranium hexafluoride. This would have been hugely expensive.
Meir Dagan, the head of Mossad, extended his term in 2009 due to important work underway. (Iran also accused Dagan of being behind the subsequent car bombing attacks on Iranian nuclear scientists.) Israel Defense Force Chief of Staff Gabi Ashkenazi showed a career highlights reel at his retirement party that allegedly mentioned Stuxnet.
United States
Libya gave up its P-1 centrifuges in 2003 when it abandoned its nuclear weapons program [in return for aid and lifted sanctions]. The US shipped the P-1s to the Oak Ridge National Laboratory in Tennessee where the Dept of Energy (DOE) ran experiments. The US (and later the UK) couldn’t get the P-1s to work properly. Only the Israelis could do so.
Before George W. Bush left office in Jan 2009, he authorized Operation Olympic Games, a multi-year online espionage and sabotage campaign against the Iranian nuclear program. Stuxnet was one aspect of that campaign.
US presidential adviser on combatting weapons of mass destruction Gary Samore smiled broadly when Stuxnet was mentioned at a news conference. “I’m glad to hear they are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to make it more complicated.”
John Bumgarner, former intelligence officer and member of the US Cyber-Consequences Unit (US-CCU) published an article prior to Stuxnet being discovered or deciphered that outlined a strategic cyber strike on centrifuges. He wrote that nations operating uranium enrichment programs that violate international treaties justify cyberattacks.
* * * * *
The US government now recruits actively at hacker conventions (Def Con), and pays hackers for bugs and “exploits” (programs that perform espionage or theft). A large effort goes into finding holes in Google, Apple, Microsoft and other US companies’ security so that the NSA can use it to spy on (or sabotage) enemies. The problem is that every other country and terrorist group in the world is doing the same thing. “What hath God wrought?” (Numbers 23:23) seems an apt question to pose.
Appendix: Timeline for Key Developments in History of Cyber Warfare and the Iran Nuclear Weapons Program
Date | Description | Sea of Lies implications |
1976 | Pakistan’s “Father of the Atomic Bomb” A. Q. Khan steals the design of a uranium enrichment machine from Holland, and then returns to Pakistan to build the P-1 centrifuge | Khan later went rogue and sold the P-1 to Iran, Libya and North Korea |
1981 | Israel bombs Iraq’s nuclear development center | Iran is a target |
2003 | Libya agrees to give up nuclear bomb research, and hands its P-1s over to the US | US installs these in Oak Ridge, TN |
2004 | Israel demands aerial transmission codes for Iraq so that its jets can overfly country when bombing Iran’s nuclear infrastructure | US agrees to help w/ cyberattacks in return for a postponement |
2005 | Mosquito prototype worm shown at Def Con 2005, a hackers’ convention | Apparently becomes the inspiration for Flame |
2007 | Israel bombs Syria’s nuclear arms development center | Iran is the next target |
2007 Nov | Flame worm debuts, followed by Duqu and possibly Stuxnet | Flame and Duqu contribute code and means to Stuxnet: must have a common creator |
2007 | First version of Stuxnet antecedent submitted to a computer security site: deemed benign | Deep cover objective achieved |
2008 | Siemens helps Idaho National Laboratory (INL) identify flaws in PCS 7 software, esp. Step7 which is vulnerable to cyberattack | Siemens may have been duped, or could be a willing participant in the Stuxnet v.2.0 efforts |
2008 4Q | George Bush authorizes Operation Olympic Games to thwart Iran’s nukes. Obama expands | The US hates Iran and fears its nukes |
2009 Apr | US stops 111 boxes of Siemens controllers going from Dubai to Iran | |
2009, Jun | Stuxnet (unnamed) begins showing up in malware system scans but wasn’t seen to be doing any harm. | Stealth preserved |
2009 Jul | “Nuclear accident” reported at Natanz | Stuxnet emerges! |
2009 Jul 16 | Director of Iran’s nuclear program resigns | |
2009 Sep | Hamburg blogger reports “Myrtus” finding and points finger at Israel. Later in month, Natanz first mentioned as the likely target facility | |
2009 Nov | Stuxnet revealed on-line to target frequency converter drives | |
2010 Jan 12 | Masoud Ali Mohammadi, physics professor at Tehran U, killed by a remote control motorcycle bomb | |
2010 Feb | IAEA report confirms that Iran wants to produce an atom bomb | Always the last to know |
2010 Mar | Stuxnet v.2.0 variant introduced that spreads via USB drives | The NSA’s bells & whistles upgrade |
2010 Apr | v.2.1 of Stuxnet released with minor improvements | |
2010 Apr | Iran announces it will build a 3rd uranium enrichment plant | An expensive do-over to stay bug-free |
2010 Jun-Jul | US and Europe impose additional economic sanctions on Iran | |
2010 Jun | Stuxnet (unnamed) identified by a small Belarus security company, VirusBlokAda | Some suspect that Stuxnet was leaked to world on purpose |
2010 Jul 14 | On first day of wide announcement, two leading PLC industry websites subjected to DDOS attacks | Likely that the Stuxnet propagators were trying to delay the spread of the news to targets. |
2010 Jul 14 | Stuxnet re-released with JMicron updated digital signature to replace cancelled Realtek | |
2010 Aug | Symantec notes that 60% of infected computers worldwide are in Iran | India and Indonesia also hard hit: probably inadvertently spread by the same contractors |
2010 Nov | Sky News UK reports that Stuxnet, or a variant, had traded on the black market | CIA/ NSA begin working on doctored versions |
2010 Nov 27 | President Ahmadinejad says that a virus harmed centrifuges at Natanz | |
2010 Nov 29 | Near simultaneous car bomb attacks in Tehran kill Majid Shahriari and wound Fereydoon Abbasi, a 2nd Iran nuclear weapons scientist | |
2011 Mar | Iran’s Revolutionary Guards set up own cyber warfare unit | Presumably more than Keystone Cops |
2011 Jun | Iran probably behind the theft of 100s of digital certificates from DigiNotar | |
2011 Jul 27 | Darioush Rezaeinejad, nuclear physicist, assassinated in Tehran by two motorcycle gunmen | |
2011 Sep | Hungary researchers uncover Duqu, designed to steal info on industrial control systems | Related to Stuxnet v.1.0 |
2011 Dec | Mahdi malware seen: click on an attachment and have email, SMSs and data stolen. (Likely source: Iran as US and Israel targeted.) | |
2012 Jan 11 | Mostafa Ahmadi Roshan, Director of the Natanz plant, killed by a car bomb | |
2012 Mar | Iran sets up High Council of Cyberspace with a $1bn budget | Foreign hacker feeding frenzy results |
2012 Mar | 60 Minutes interviews former US intelligence officers re Stuxnet. Told that Stuxnet’s code can now be downloaded from the internet. | |
2012 Apr | Iran (?) hacks AP Twitter account and puts out false story of two bombs in White House and Obama injured | Iran flexes more muscle |
2012 Apr | WIPER worm wipes out PC memories in Iran’s oil & gas ministry | |
2012 May | UN agency the Int’l Telecoms Union asks Kaspersky to look into malware deleting files in Iranian oil sector (WIPER) | Starts Kaspersky on path of discovery |
2012 May | Flame malware discovered. Kaspersky sees an early version of Stuxnet code inside Flame, and both propagate via USB drives | Connecting the dots |
2012 Jul | Kaspersky discovers Gauss | Lebanon connection |
2012 Jun | NYT runs an article saying that “Operation Olympic Games” started in late 2008 under Bush, and Obama expanded it | The Stuxnet operation appealed to both Republicans and Democrats |
2012 Jun 24 | Date for self-erasure built into Stuxnet code. | Seen as proof of nation-state sponsorship: “lawyers all over this” |
2012 Aug | Saudi Aramco has hard drives erased on 30k employee PCs by claimed Islamists (Iran) | Iran bites back . . . but getting help? |
2012 Sep | US banks attacked via DDOS starting with BOA and NYSE. Later 10 and then 30 under attack. US$10m per bank avg spend to combat this: Iran | Iran again: how are they able to do this after being nowhere? |
2012 Sep | Power lines to Fordow nuclear facility in Iran damaged via cyber attack | |
2012 Dec | Iran claimed that Stuxnet had attacked a power plant and other industries in Hormozgan province | Hard to say if this is fact or fiction. |
2013 Jan | Iran claims to have 4th largest cyber army in the world | |
2013 Jul | Edward Snowden confirms that the US and Israel co-developed Stuxnet | |
Sources
A Declaration of Cyber War by Michael Joseph Gross in Vanity Fair, April 2011 as provided online by http://www.vanityfair.com/news/2011/04/stuxnet-201104
Obama Order Sped Up Wave of Cyberattacks Against Iran by David E. Sanger in The New York Times, 1 June, 2012 as provided online by http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=0
Stuxnet’s Secret Twin by Ralph Langner in Foreign Policy Magazine, 29 November 2013 as provided online by http://foreignpolicy.com/2013/11/19/stuxnets-secret-twin/
“Kaspersky Lab provides its insights on Stuxnet worm”. Kaspersky (Russia). 24 September 2010.
“Stuxnet Questions and Answers – F-Secure Weblog”. F-Secure (Finland). 1 October 2010.
If only I had stayed in the computer industry….. If it’s not too late for plot purposes, I am semi-reliably informed that by the time you have cleared immigration and walked out of Beijing airport arrivals, your smart phone has already been infected with several bits of spyware. Presumably this is why some countries (and possibly a few corporations) do not permit their employees to carry their own laptops or smartphones into the PRC. If all this is true, and it’s not too late, this could be an interesting subtext to your novel.
Regarding Iran, it seems that a developing divide is growing between the middle classes (particularly those born after the 1979 revolution) – read any account of private interaction and you’ll see a consistency of comments along the lines of “these mad mullahs have taken us back 1,000 years”. Who knows what (or if) the tipping point will be to oust rule by religious mania, but all the westerners I know who have visited comment on the warmth of their welcome from the man in the street. Which I daresay is not the case in most Middle Eastern nations these days.