Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (35 page)

Chien was stunned by how beautifully everything now fell into place.

They had struggled for months to decipher the code, achieving their progress in increments of inches rather than miles, worried that they would
never reach the end of the road. Now in hindsight, it all seemed so elegant and complete. With the final details resolved, Falliere laid out a step-by-step description of the attack from start to finish.

Once Stuxnet found a Step 7 machine, it unpacked its Step 7 .DLL doppelgänger and kidnapped the Siemens .DLL to take its place. Then it waited patiently for a programmer to launch the Step 7 program to read or create code blocks for an S7-315 PLC. Stuxnet then injected its malicious code into the blocks and waited until the programmer connected his laptop to a PLC or copied the commands to a USB flash drive to transfer them to a PLC. It could take days or weeks for the malicious commands to land on a PLC, but once they did, the attack unfolded without resistance.

After the initial reconnaissance stage recording data for thirteen days, Stuxnet first increased the frequency of the converters to 1,410 Hz for fifteen minutes, then reduced it to 1,064 Hz, presumably the normal operating frequency, for about twenty-six days. Once Stuxnet recorded all of the data it needed to record during these three weeks, it dropped the frequency drastically to 2 Hz for fifty minutes, before restoring it to 1,064 Hz again. After another twenty-six days, the attack began again. Each time the sabotage commenced, the man-in-the-middle attack fed false frequency readings back to the operators and safety system to keep them blind to what was happening.

SYMANTEC AT LAST
knew exactly what Stuxnet was doing to the S7-315 PLC. But the attack targeting the S7-417 PLC remained a mystery. The two digital weapons arrived with the same missile but operated completely independent of each other.

The S7-417 was Siemens’s high-end PLC, which came with 30 megabytes of RAM and a price tag of more than $10,000 compared to about $500 for the S7-315. As if to match its higher status, the attack targeting this PLC was also much larger, with many more blocks of code—40 blocks of code compared to 15 blocks for the 315 attack—some of which
got generated on the fly based on conditions Stuxnet found on the system it was attacking.

The 417 attack code was also far more complex, both in terms of the steps that got executed and the conditions under which the attack was unleashed. In addition, it had bizarre constructs that made it a huge pain to reverse-engineer. There were pointers leading to pointers leading to pointers, which made it difficult to follow the sequence of events in the code. The difference in structure between the two attacks made it appear as if the codes had been created by completely different teams using different tools.

The attackers had obviously put a lot of thought and effort into the 417 code, so Falliere was perplexed when he discovered that it didn’t work—that in fact the attackers had intentionally disabled it. In part of the code responsible for fingerprinting the 417 PLC to see if its configuration matched the target configuration Stuxnet was seeking, the attackers had inserted an exception—a programming trick that involved introducing an intentional error into the code to abort a mission before it began. What’s more, there was no sign the attack had ever been active. Stuxnet needed to generate a crucial block of code on the fly to make the attack work, but the code that was supposed to create that block was incomplete.

It wasn’t clear if the attackers had disabled the code because it was still a work in progress or if it had been completed at one point and later disabled for a different reason. Falliere recalled the recent news story quoting an Iranian official saying that
five
versions of Stuxnet were found in Iran.
⁵
Symantec and other researchers had seen only three versions of Stuxnet so far. But was there, perhaps, another version of Stuxnet in the wild that contained a complete version of the 417 attack?

Based on clues Falliere and his colleagues had found in the three versions of Stuxnet discovered so far, it seemed there might in fact be another version out in the wild. The version numbers of the three variants, for example, were out of sequence. The attackers themselves had numbered
them—the June 2009 variant was version 1.001, while the March and April 2010 variants were 1.100 and 1.101. Gaps in the numbers suggested that other variants had at least been developed—including a 1.00 version that pre-dated all three of the ones already identified—even if they were never released in the wild.

Whatever the 417 code was attacking, it was different from the 315 attack. Unlike the 315 attack, the 417 code targeted a system that consisted of 984 devices configured into six groups of 164. And during the attack, only 110 of the 164 devices in each group got sabotaged. Unfortunately, the 417 code contained no magic values to help the Symantec team identify what it attacked—like the ones that helped identify the frequency converters. Langner and his team, who analyzed the 417 code at the same time Symantec did, surmised that the 417 code might be targeting the cascade itself, not the individual centrifuges, perhaps the pipes and valves that controlled the flow of gas in and out of the cascades. But without more details in the code to offer definitive proof, neither Langner nor Symantec could say for sure what the 417 attack was doing. After months of work and extensive progress in other regards, they all had to resign themselves to the fact that they had reached another dead end—it seemed that Stuxnet was determined to hold on to at least one of its mysteries.

In the absence of a clear understanding of the 417 attack code, the Symantec researchers decided to publish what they
did
know—which were the final details of the 315 assault.

So on November 12, 2010, exactly four months after VirusBlokAda had first announced its discovery of the Stuxnet code, Symantec published a blog post announcing that Stuxnet was attacking a very unique configuration of specific frequency converters. “Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities,” Chien wrote in the Symantec team’s typically cryptic and cautious style.
⁶
He never mentioned the Iranian nuclear program by name, or even centrifuges, but the message behind his words was clear.

Four days after Symantec published its post, technicians at Natanz brought all of the spinning centrifuges at the plant to a complete halt. For six days, until November 22, all enrichment activity at the facility stopped. Iranian officials offered no explanation for the sudden freeze, but the Symantec researchers suspected administrators at the plant were tearing apart the computers for any lingering traces of Stuxnet. Although information about the worm had been in the public domain for months, the revelations until now hadn’t been specific about what devices Stuxnet attacked or how it conducted its operation, and Stuxnet had been meticulously crafted to make it hard for anyone to find its malicious code on the PLCs or to trace the sabotage to its source. Symantec’s latest report, however, provided all the evidence operators needed to connect the problems they were having at Natanz to the digital weapon. Although antivirus firms had long ago released signatures to detect Stuxnet’s files, they could only detect the ones on Windows machines—not the rogue code that Stuxnet injected into the PLCs. And since Stuxnet was like an octopus with many tentacles to help it spread, technicians at Natanz would have had to wipe and restore every machine at the plant to completely disinfect the stubborn code from their systems.

It was clear now that Stuxnet’s days were finally over. Not only would it no longer be able to mess with the centrifuges at Natanz, but any future problems with systems at the plant would immediately spark suspicion that malicious code was the cause. It would be much more difficult to pull off a similar stealth attack in the future without scrutiny quickly focusing on the control systems.

With nearly all the mysteries of Stuxnet now resolved, the Symantec researchers focused on tidying up some loose ends and finalizing their lengthy dossier about the code before turning their attention to other things.

But a week after the halted centrifuges at Natanz resumed their operation, the story of Stuxnet took a darker and more sinister turn, suggesting
that efforts to thwart the enrichment program weren’t yet done. If the use of malicious code was no longer a viable option, other means to halt the program were still at the attackers’ disposal.

THE RUSH-HOUR TRAFFIC
on Artesh Boulevard in northern Tehran was particularly congested the morning of November 29, 2010, when Majid Shahriari, a slim forty-year-old professor of nuclear physics maneuvered his Peugeot sedan through the bumper-to-bumper gridlock on his way to work. It was only seven forty-five on that Monday morning, but a layer of smog already hovered in the air as Shahriari inched his way toward Shahid Beheshti University, where he was a lecturer. With him in the car were his wife, also a nuclear physics professor and mother of two, and a bodyguard.

As the sedan approached a busy intersection, assailants on a motorcycle suddenly pulled alongside Shahriari’s vehicle and brazenly slapped a “sticky” bomb to the driver’s-side door. Seconds after they zipped away, the bomb exploded, shattering the car’s rear window and leaving the driver’s-side door a twisted mess of molten metal. Shahriari was instantly killed; his wife and bodyguard were injured, though spared. A small pit in the asphalt next to the car testified to the force of the blast.
⁷

Not long after, in another part of the city, Fereydoon Abbasi, a fifty-two-year-old expert in nuclear isotope separation, was also making his way through traffic toward the same destination, when, out of the corner of his eye, he spotted a motorcycle approaching. A second later he heard the distinctive sound of something being attached to his door. Abbasi was a member of Iran’s Revolutionary Guard, so his defensive instincts were more honed than Shahriari’s. He quickly leapt from the car and pulled his wife from her seat. Although the two were injured when the bomb exploded, both of them survived the attack.

News reports indicated the two scientists were targeted for their prominent roles in Iran’s nuclear program. “They’re bad people,” an unnamed US official said afterward, “and the work they do is exactly what you need to design a bomb.”
⁸

Shahriari was an expert in neutron transport—essential to creating nuclear chain reactions for reactors and bombs—and Western news reports claimed that only political appointees ranked higher than Shahriari in Iran’s nuclear program. Iran’s nuclear chief, Ali Akbar Salehi, told reporters that he had been working on a “major project” for Iran’s Atomic Energy Organization (AEOI), but didn’t elaborate.
⁹

Abbasi was even more important to the program. He was one of only a few specialists in Iran who had expertise in separating uranium isotopes, a core part of the uranium enrichment process. He was also on the UN Security Council’s sanctions list for his role as a senior scientific adviser to Iran’s Ministry of Defense and for his close working relationship with Mohsen Fakhrizadeh-Mahabadi, an officer in the Iranian Revolutionary Guard. If Iran did indeed have a nuclear weapons program, Fakhrizadeh-Mahabadi was believed to be its architect.

President Ahmadinejad wasted no time laying blame for the attacks on “the Zionist regime and Western governments.”
¹⁰
Saeed Jalili, general secretary of Iran’s Supreme National Security Council, called the attacks an act of desperation by powerless enemies.
¹¹
“When the enemy sees no other option, he resorts to the methods of terror,” he said. “This is not a sign of strength, but of weakness.”
¹²
After his recovery, Abbasi was appointed head of the AEOI, as if to assert Iran’s determination to achieve
its nuclear goals despite enemy plots against it. Abbasi was said to keep a photo of Shahriari in his office to remind him of that resolve.
¹³

But the two attacks on busy streets in broad daylight had their desired effect and sent a message to anyone involved in Iran’s nuclear program that no one was safe or beyond the reach of assassins. Other Iranian scientists reportedly called in sick to work for several days after the bombings to avoid the fate of their colleagues.
¹⁴

In response to the accusations from Ahmadinejad, the US State Department offered only a brief statement. “All I can say is we decry acts of terrorism wherever they occur and beyond that, we do not have any information on what happened,” spokesman Philip J. Crowley said.
¹⁵
Israel declined to respond, at least directly. Instead, on the day of the attacks, Israeli prime minister Benjamin Netanyahu announced the retirement of Mossad chief Meir Dagan after eight years of service as the spy agency’s leader. The timing of the announcement seemed to suggest that the attacks on the scientists and on the centrifuges at Natanz were part of Dagan’s
swan song. Dagan was known to favor assassination as a political weapon.
¹⁶
Upon his appointment as head of Mossad in 2002, then–Prime Minister Ariel Sharon crudely praised him for his skill at separating Arabs from their heads.

The day of the assaults on the scientists, President Ahmadinejad seemed to tie the attacks to Stuxnet and provide what appeared to be the first official confirmation that the digital weapon had struck Natanz. As he condemned Israel and the West for the bombing attacks, he also blamed them for a virus attack that he said had been unleashed on Iran’s nuclear program a year earlier. The virus had been embedded in software “installed in electronic parts,” he said, and had damaged some of Iran’s centrifuges. But he downplayed the effects of the attack, saying the worm had created problems for only “a limited number of our centrifuges,” before workers discovered and immobilized it.
¹⁷
Though he didn’t identify the digital attack by name or the facility where the centrifuges were damaged, it seemed clear to everyone that he was referring to Stuxnet and Natanz.