Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Author: Kim Zetter
The Farewell operation was never discovered, according to Weiss, but Vetrov was not so lucky. He was imprisoned in 1982 after stabbing his mistress, a married KGB colleague, and was exposed as a double agent—though the CIA’s sabotage efforts remained a secret. [19]
In 1986, the CIA shuttered the operation.
Weiss, who is now dead, never specified the effects of the contrived computer chips and other defective parts that were slipped into the Soviet supply chain, but in 2004, Thomas C. Reed, who worked with Weiss on the National Security Council, wrote a book that briefly mentioned the Farewell Dossier and attributed a 1982 Siberian pipeline explosion to the CIA scheme—the same pipeline explosion that Symantec referenced in its blog post about Stuxnet. According to Reed, one of the items on the Line X shopping list was software for controlling the pumps, valves, and turbines on the Trans-Siberian Pipeline, which was being built to carry natural gas from the Urengoi gas fields in Siberia to countries in Europe. When the CIA learned the Soviets were trying to obtain the software from a company in Canada, the agency, in cooperation with the firm, embedded a logic bomb in the code. The code was designed to reset pump speeds and valve settings on the pipeline to “produce pressures far beyond those acceptable to the pipeline joints and welds,” Reed wrote. [20]
The software “ran the pipeline beautifully—for a while,” he noted. But then at some predetermined point it caused the pumps and valves to go haywire, creating a gas-pressure buildup so immense it set off a three-kiloton explosion—the “most monumental non-nuclear explosion and fire ever seen from space,” according to Reed.
There are many who believe the story of the exploding pipeline is apocryphal; a former KGB official has denied the tale and believes Reed and Weiss confused their facts. [21]
Regardless, the Farewell Dossier operation did exist and served as inspiration for later sabotage schemes focused on Iran’s nuclear program.
One such operation occurred after the CIA infiltrated A. Q. Khan’s nuclear supply network around 2000 and began inserting doctored parts into components headed to Iran and Libya—where Khan had also begun peddling his illicit nuclear services. A weapons expert at Los Alamos National Laboratory worked with the CIA to alter a series of vacuum pumps so that they would malfunction at random intervals. As with the operation against the Soviets, the plan was to sabotage the parts so subtly that they would work fine for a little while before breaking down in such a way that it would be difficult to spot a pattern or pinpoint the problem.
Of seven pumps the CIA compromised, six of them went to Libya; but the seventh one ended up in Iran. IAEA inspectors later stumbled across it by chance when they visited Natanz. [22]
The Iranians apparently didn’t know the pump had been altered.
They did, however, discover another sabotage operation that occurred in 2006. This one involved UPSes—uninterruptible power supplies—obtained from Turkey. UPSes help regulate the flow of electricity and are important to the operation of centrifuges, which require reliable and consistent energy to spin for long periods of time at uniform speeds. If the electrical current wavers, the centrifuges will speed up and slow down, sabotaging the enrichment process and even throwing the centrifuges themselves off balance.
The Khan network evidently purchased the devices from two businessmen in Turkey and secretly shipped them to Iran and Libya. [23]
But in early 2006, when Iran attempted to enrich its first batch of uranium in a small cascade at the pilot plant at Natanz, things went terribly wrong. The cascade ran fine for about ten days, but then the sabotage kicked in and all of the centrifuges had to be replaced. No one said anything about it at the time. But a year later, during a televised interview, the head of Iran’s Atomic Energy Organization described what had occurred. Technicians had installed 50 centrifuges in the cascade, he explained, but one night “all 50 had exploded.” The UPS controlling the electricity “had not acted properly,” he said, and created a surge. “Later we found out that the UPS we had imported through Turkey had been manipulated.” He also said that after the incident occurred they began checking all imported instruments before using them. [24]
There have been other known plans to alter parts and components for Iran’s nuclear program, but at least one was aborted, while others failed to work as planned. [25]
What Bush’s advisers were proposing in 2006, however, promised to take the black art of sabotage to a whole new level.
What they proposed was a stand-alone surgical strike involving code that could operate independently once unleashed, that had the intelligence to know when it had found its target and would only release its payload when conditions were right, that also disguised its existence by carefully monitoring attempts to detect it, and that had the ability to destroy physical equipment not through bold, explosive strokes but through subtle, prolonged ones.
Some officials in the Bush administration were skeptical that such an attack could work, likening it to an untried science experiment. [26]
But the planners weren’t expecting miracles from the operation. They didn’t expect to destroy Iran’s uranium enrichment program altogether, just to set it back and buy some time. And even if the operation were discovered and the Iranians learned that their computers had been infiltrated, it would still be a win-win situation, as Weiss had pointed out with the Farewell Dossier, since it would succeed in sowing doubt and paranoia among the Iranians.
Even if technicians wiped their machines clean and reprogrammed them, they could never be certain that the systems wouldn’t be infected again or that their enemies wouldn’t try a different tack. They would always be on guard for any signs of trouble, and if something did go wrong, they would never know for certain if the cause had been a material defect or enemy sabotage. They’d also be much more wary of any equipment procured outside of Iran for fear that it might have already been compromised.
The daring and sophisticated scheme, which combined both covert and clandestine activities, was reportedly conceived by US Strategic Command—the Defense Department division that operates and oversees the country’s nuclear weapons—with Gen. James Cartwright as one of its architects. [27]
A former senior U.S. official described General Cartwright as the concept man, while former NSA Director Keith Alexander was responsible for executing the plan. “Cartwright’s role was describing the art of the possible, having a view or a vision,” the official told the Washington Post. But Alexander had the “technical know-how and carried out the actual activity.” [28]
The code was then developed by an elite team of programmers at the NSA, at least initially. Later versions reportedly combined code from the NSA with code from the Israeli Defense Force’s Unit 8200—Israel’s version of the NSA. Once the code was designed, however, it would have been handed off to the CIA to oversee delivery to its destination, since only the CIA has legal authority to conduct covert operations.
The technical challenges of the operation were daunting, but there were legal issues to work out as well, since they were proposing to attack another country’s infrastructure outside of a declaration of war. Covert action requires a legal document known as a Presidential Finding to authorize it, as well as notification to Congress. And before Bush signed off on the operation, there would have been extensive review to consider the risks involved. [29]
Luckily, sabotaging the centrifuges in a cascade carried no risk of a nuclear accident. Uranium hexafluoride gas was destructive to lungs and kidneys if inhaled in sufficient quantities, but an entire cascade contained only tens of grams of gas, which would dissipate quickly once released into the air.
But if there was no risk of a nuclear incident to consider, there were still other consequences to weigh, including the risk of bricking the computers at Natanz if the code contained an error or a bug that was incompatible with the systems, thereby tipping off the Iranians to the attack and ruining the operation. There was also the risk of retaliation if Iran discovered that the United States was behind the attack, as well as the risk of blowback if someone altered the code and used it against American critical infrastructure.
Perhaps the biggest consideration of all was the risk of tipping off Iran and other enemies to US cyber capabilities. The problem with using a cyberweapon, says one former CIA agent, is that “once it’s out there, it’s like using your stealth fighter for the first time—you’ve rung that bell and you can’t pretend that the stealth fighter doesn’t exist anymore. So the question is, which air battle do you really want to use that stealth fighter for?” [30]
Was the operation against Iran worth exposing this new capability? And what about losing the moral high ground if it became known that the United States was behind the attack? A digital assault that destroyed another country’s critical infrastructure—and Iran would no doubt claim that the centrifuges were critical infrastructure—was essentially an act of war. It would be very hard for the United States to point an accusing finger at any nation that used digital attacks thereafter.
It’s unclear how much advance research and work had already been done by the time Bush’s advisers proposed their plan in 2006. But once he gave the go-ahead for the covert operation to advance, it reportedly took just eight months to finalize the scheme. [31]
It was an ingenious plot that proceeded exactly as planned.
Until suddenly it didn’t.
Notes
1. Spiegel staff, “Cables Show Arab Leaders Fear a Nuclear Iran,” Der Spiegel, December 1, 2010.
2. US State Department cable, from CDA Michael Gfoeller, April 20, 2008, available at nytimes.com/interactive/2010/11/28/world/20101128-cables-viewer.html#report/iran-08RIYADH649.
3. “Cables Show Arab Leaders Fear a Nuclear Iran,” Der Spiegel.
4. Jeffrey Goldberg, “The Point of No Return,” The Atlantic Monthly, September 2010.
5. Catherine Collins and Douglas Frantz, Fallout: The True Story of the CIA’s Secret War on Nuclear Trafficking (New York: Free Press, 2011), 212.
6. In June 1991 when then–Defense Secretary Cheney visited Israel, he reportedly gave Israeli Maj. Gen. David Ivry a satellite image of the Osirak reactor taken after it was obliterated. Cheney annotated the image: “For General Ivry, with thanks and appreciation for the outstanding job he did on the Iraqi Nuclear Program in 1981, which made our job much easier in Desert Storm.” See Douglas Frantz and Catherine Collins, The Nuclear Jihadist: The True Story of the Man Who Sold the World’s Most Dangerous Secrets (New York: Free Press, 2007), 190.
7. Erich Follath and Holger Stark, “The Story of ‘Operation Orchard’: How Israel Destroyed Syria’s Al Kibar Nuclear Reactor,” Der Spiegel, November 2, 2009. For information about the electronic warfare used to take out the radar station, see David A. Fulghum, “U.S. Watches Israeli Raid, Provides Advice,” Aviation Week, November 21, 2007.
8. Julian Borger, “Israeli Airstrike Hit Military Site, Syria Confirms,” Guardian, October 1, 2007.
9. David Albright notes that when fully operational, the reactor could have produced enough plutonium for a nuclear weapon every one to two years. David Albright, Peddling Peril: How the Secret Nuclear Trade Arms America’s Enemies (New York: Free Press, 2010), 3.
10. Tim Shipman, “U.S. Pentagon Doubts Israeli Intelligence Over Iran’s Nuclear Program,” Telegraph, July 5, 2008.
11. US State Department cable, “Israeli NSA Eiland on Iranian Nuclear Threat,” April 26, 2006, published by WikiLeaks at http://wikileaks.org/cable/2006/04/06TELAVIV1643.html.
12. Erich Follath and Holger Stark, “The Birth of a Bomb: A History of Iran’s Nuclear Ambitions,” Der Spiegel, June 17, 2010.
13. David E. Sanger, “U.S. Rejected Aid for Israeli Raid on Iranian Nuclear Site,” New York Times, January 10, 2009.
14. David E. Sanger, “Iran Moves to Shelter Its Nuclear Fuel Program,” New York Times, September 1, 2011.
15. See chapter 12 for more on the history of the US government’s cyberwarfare capabilities.
16. In mid-2007, Western satellites spotted evidence of a possible tunnel being built into a mountain adjacent to Natanz, possibly to sequester materials and equipment from an anticipated attack on the plant. The NCRI reported that Iran was in fact constructing secret tunnels in more than a dozen locations around the country to protect missile and nuclear installations from potential attack. Israel had secured an agreement to obtain a new generation of bunker-busting bombs from the United States—said to be ten times more powerful than the previous generation and capable of breaking through cement and penetrating deep underground. But the new bombs weren’t expected to be ready until 2009 or 2010 and there was no guarantee they would work against Natanz. See David Albright and Paul Brannan, “New Tunnel Construction at Mountain Adjacent to the Natanz Enrichment Complex,” ISIS, July 9, 2007, available at isis-online.org/uploads/isis-reports/documents/IranNatanzTunnels.pdf. See also William Broad, “Iran Shielding Its Nuclear Efforts in Maze of Tunnels,” New York Times, January 5, 2010.
17. The newsletter was later declassified. See Gus Weiss, “The Farewell Dossier: Strategic Deception and Economic Warfare in the Cold War,” in Studies in Intelligence, 1996, available at https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/96unclass/farewell.htm.
18. According to Weiss, the CIA also launched a misinformation campaign around a laser weapons technology to convince the Soviets that the unproven technology was something they should pursue. When the CIA found Soviet documents discussing the technology, the agency arranged for renowned physicists to plant stories about it in Nature and another reputable publication to create buzz about it as if it were a promising discovery. Then they abruptly halted publication of information on the matter, to make the Soviets think the technology had strategic importance and that conversations about it had been stifled. Weiss said the Soviets must have taken the bait because years later, when the Soviet Union collapsed, evidence was found that the Soviets had been pursuing research on the laser technology.
19. The complete story of Vetrov’s life and the Farewell Dossier is recounted in Sergei Kostin and Eric Raynaud, Farewell: The Greatest Spy Story of the Twentieth Century. The book, published in French in 2009, was translated into English by Catherine Cauvin-Higgins and published in 2011 by Amazon Crossing. The book was made into a French film released in 2009 titled L’affaire Farewell.
20. Thomas C. Reed, At the Abyss: An Insider’s History of the Cold War (New York: Presidio Press, 2004), 268–69.
21. Reed’s account of the pipeline explosion, the first to be published, has taken on a life of its own and been re-reported many times as fact, though no reporters have been able to substantiate it. There are reasons to doubt the story. According to Reed, the explosion was captured by US infrared satellites and caused a stir among members of the National Security Council at the time, who were trying to determine whether the Soviets had detonated an atomic device in Siberia when Weiss told them not to worry about it. Weiss never explained why they shouldn’t worry about it, but twenty years later when Reed was writing his book, Weiss told him the cause of the explosion they had been concerned about was CIA sabotage. But Vasily Pchelintsev, the former head of the KGB in the region where Reed said the explosion occurred, has said it never happened, and that Weiss may have conflated his memory of the Farewell Dossier incident with an explosion that occurred in April 1982 in a different region. But that explosion, Pchelintsev said, was caused by shifting pipes that moved when snow melted, not by CIA sabotage. See Anatoly Medetsky, “KGB Veteran Denies CIA Caused ’82 Blast,” Moscow Times, March 18, 2004.
Asked if he believed Weiss’s account of the pipeline, Reed told me in a phone interview in October 2010, “I don’t really know if it happened.… Clearly the whole Dossier episode happened. The agency had a very major campaign to adjust the tech of stuff that was being sent off to the Russians.” He said he does recall that an explosion occurred at the time he was on the NSC. “I remembered there was a great event that puzzled the intelligence community.” But whether that was in fact a pipeline explosion, “that was thirty years ago,” he said, acknowledging that both his and Weiss’s memories may have been altered in the ensuing years. “I have respect for Russian historians who say there was no explosion in connection with Dossier.… So it could be there was an explosion, but it was not a result of a Trojan horse.… Whether it was true or not I do not know.” It may be too much to hope, however, that any future retellings of the pipeline tale will be done with the appropriate caveats.
22. When IAEA inspectors saw the pump at Natanz, it stood out for them because a sticker was affixed to it identifying it as property of the Los Alamos National Lab, which they thought was odd. When the IAEA investigated, the agency found that the serial number on the pump was consecutive with the serial numbers of pumps they had seen in Libya, indicating the pumps had all come from the same batch. The inspectors traced the order for the pumps to the US lab. No one was ever able to figure out how the Los Alamos sticker got onto the pump at Natanz, or why the Iranians weren’t suspicious of it. See Collins and Frantz, Fallout, 138.
23. Frantz and Collins, Nuclear Jihadist, 238.
24. Gholam Reza Aghazadeh interview, January 2007, with Ayande-ye (New Future). The interview itself is not online, but it’s referenced in Sheila MacVicar and Farhan Bokhari, “Assessing Iran’s Nuclear Program,” CBS News, April 4, 2007, available at cbsnews.com/news/assessing-irans-nuclear-program.
25. One ill-conceived plan conjured by the Mossad and the CIA, as described in James Risen’s State of War, involved using an electromagnetic pulse to fry computers used in Iran’s nuclear facilities. Spies planned to smuggle equipment into Iran that would deliver the electromagnetic pulse to power transmission lines outside the facilities. The CIA dropped the plan, however, after realizing that the equipment was far too big to truck into Iran and position stealthily. Risen, State of War: The Secret History of the CIA and the Bush Administration (New York: Free Press), 208–9.
26. Sanger, “U.S. Rejected Aid for Israeli Raid.”
27. Clandestine operations involve secret activity that isn’t meant to be detected or noticed, such as surveillance and intelligence collection activities to uncover information about a target that might be later attacked. Covert activity, however, is meant to be noticed, since it’s intended to influence conditions—political, economic, or military—although the party responsible for the activity is hidden, such as the CIA. The Stuxnet operation involved both clandestine and covert activity. The clandestine activity involved the initial reconnaissance to gather intelligence about the plant. But the planting of malicious code in a control system to send centrifuges spinning off their axis was covert since it was meant to be noticed while hiding the hand behind it.
28. Ellen Nakashima and Joby Warrick, “Stuxnet Was Work of U.S. and Israeli Experts, Officials Say,” Washington Post, June 2, 2012.
29. Sanger, “U.S. Rejected Aid for Israeli Raid.”
30. Author interview, 2012.
31. David E. Sanger, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power (New York: Crown, 2012), 193.