Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (37 page)

As spring arrived in 2011, the story of Stuxnet seemed to be winding down. Symantec had resolved the mystery of the devices the digital weapon attacked, Albright had made the final connection between Stuxnet and the centrifuges at Natanz, and although the US government still hadn’t made a formal admission of responsibility for the attack, the
New York Times
had confirmed what everyone suspected—that the United States and Israel were behind it.

Symantec, for its part, was ready to move on. The researchers had spent half a year tearing apart the code and had produced a seventy-page dossier of all their findings. They were relieved to finally be done with it. But they hadn’t put the project aside for long when startling new evidence emerged in Europe—evidence suggesting that Stuxnet was just one in an arsenal of tools the attackers had used against Iran and other targets.

BOLDIZSÁR BENCSÁTH TOOK
a bite from his sandwich and stared at his computer screen. The software he was trying to install on his machine was taking forever to load, and he still had a dozen things to do before the Fall 2011 semester began at the Budapest University of Technology and
Economics, where he taught computer science. Despite the long to-do list, however, he was feeling happy and relaxed. It was the first day of September and was one of those perfect, late-summer afternoons when the warm air and clear skies made you forget that cold autumn weather was lurking around the corner.

Bencsáth, known to his friends as Boldi, was sitting at his desk in the university’s Laboratory of Cryptography and System Security, aka CrySyS Lab, when the telephone interrupted his lunch. It was Jóska Bartos, CEO of a company for which the lab sometimes did consulting work.
¹

“Boldi, do you have time to do something for us?” Bartos asked.

“Is this related to what we talked about before?” Bencsáth said, referring to a previous discussion they’d had about testing new services the company planned to offer customers.

“No, something else,” Bartos said. “Can you come now? It’s important. But don’t tell anyone where you’re going.”

Bencsáth wolfed down the rest of his lunch and told his colleagues in the lab that he had a “red alert” and had to go. “Don’t ask,” he said as he ran out the door.

A while later, he was at Bartos’s office, where a triage team had been assembled to address the problem they wanted to discuss. “We think we’ve been hacked,” Bartos said.

They’d found a suspicious file on a developer’s machine that had been created late at night when no one was working. The file was encrypted and compressed so they had no idea what was inside, but they suspected it was data the attackers had copied from the machine and planned to retrieve later. A search of the company’s network found a few more machines that had been infected as well. The triage team felt confident they had contained the attack but wanted Bencsáth’s help determining how the intruders had broken in and what they were after. The company had
all the right protections in place—firewalls, antivirus, intrusion-detection and -prevention systems—and still the attackers got in.

Bencsáth was a teacher, not a malware hunter, and had never done such forensic work before. At the CrySyS Lab, where he was one of four advisers working with a handful of grad students, he did academic research for the European Union and occasional hands-on consulting work for other clients, but the latter was mostly run-of-the-mill cleanup work—mopping up and restoring systems after random virus infections. He’d never investigated a targeted hack before, let alone one that was still live, and was thrilled to have the chance. The only catch was, he couldn’t tell anyone what he was doing. Bartos’s company depended on the trust of customers, and if word got out that the company had been hacked, they could lose clients.

The triage team had taken mirror images of the infected hard drives, so they and Bencsáth spent the rest of the afternoon poring over the images in search of anything suspicious. By the end of the day, they’d found what they were looking for—a combination keystroke logger/infostealer that was designed to record passwords and other keystrokes on infected machines, as well as steal documents and take screenshots. It also catalogued any devices or systems that were connected to the machines so the attackers could build a blueprint of the company’s network architecture. The malware didn’t immediately siphon the stolen data from infected machines but instead stored it on the machines in a temporary file, like the one the triage team had found. The file grew fatter each time the infostealer sucked up data, until at some point the attackers would reach out to the machine to retrieve it from a command-and-control server in India.
²

By now it was the end of the day, so Bencsáth took the mirror images and the company’s system logs with him, after they had been scrubbed of any sensitive customer data, and over the next few days scoured them for more malicious files, all the while being coy to his colleagues back at the lab about what he was doing. The triage team worked in parallel, and after several more days they had uncovered three additional suspicious files—including a kernel-mode driver, and another driver that was found on some infected systems but not others.

When Bencsáth examined the kernel driver, his heart quickened—it was signed with a valid digital certificate from a company in Taiwan. Wait a minute, he thought. Stuxnet used a driver that was signed with a certificate from a company in Taiwan. That one came from RealTek Semiconductor, but this certificate belonged to a different company, C-Media Electronics. The driver had been signed with the certificate in August 2009, around the same time Stuxnet had been unleashed on machines in Iran.

Could the two attacks be related? he wondered. He mulled it over for a minute, but then dismissed it. Anyone could have stolen C-Media’s signing key and certificate, he reasoned, not just the attackers behind Stuxnet.

Then a member of the triage team noticed something else about the driver that seemed familiar—the way it injected code into a certain process on infected machines. “I know only one other attack that does this,” he told Bencsáth. He didn’t have to say the name; Bencsáth knew he was talking about Stuxnet. But Bencsáth dismissed this connection too, since he was pretty sure the technique wasn’t unique to Stuxnet.

Twice more over the next few days, Bencsáth and the triage team found something in the attack code that reminded them of Stuxnet. But each time they convinced themselves it was just a coincidence. There was just no way lightning would strike twice, they reasoned. Besides, there was no sign that this new attack was targeting PLCs.

After working on the project for a week, Bencsáth began wondering if anyone else had been infected with the files, so he decided to see if he could smoke out other victims, or the attackers themselves, with a sly test. On September 8, he posted hashes for the malicious files on his personal website, boldi.phishing.hu, along with a cryptic note: “Looking for friends [or] foes of 9749d38ae9b9ddd8ab50aad679ee87ec to speak about. You know what I mean. You know why.” His site, an odd compendium of fish recipes and culinary reviews of canned fish (the domain name, phishing, was a pun on the computer security term for malicious e-mail), was the perfect cover for posting the covert message, since the only way someone would find the hashes was if they specifically did a Google search looking for them—either another victim who found the same files on their machine and was searching the internet for information about them, or the attackers themselves, who might want to see if any victims had found the files and were discussing them online. If someone did visit his site in search of the hashes, Bencsáth would be able to see their IP address.

Unfortunately, he got no nibbles on his bait, so he deleted the hashes after a few days.

By now the fall semester had begun, and Bencsáth got busy with other things. He had classes to teach and office hours with students to keep. He also had a research paper to deliver at a conference in Dubrovnik. But through it all, the attack nagged at him in the back of his mind. When he returned to Budapest after the conference, he and the triage team decided to compare the code of one of the drivers they had found on their machines with one of the drivers that had been used with Stuxnet—just to settle once and for all that the two attacks weren’t related. When they put the codes into a hexadecimal (hex) editor to examine them side-by-side, however, they got a big surprise. The only difference between them was the digital certificates used to sign them.

Bencsáth immediately called Bartos, the company’s CEO, and told him he needed to bring the other members of the CrySyS Lab onto the investigation. This wasn’t a simple hack anymore; it looked like it might be a nation-state attack with national-security implications. Bartos agreed, but
only on condition that Bencsáth not reveal the company’s name to any of his colleagues. The only people aside from Bencsáth who knew the company had been hacked was the local government Computer Emergency Response Team, and they had been notified only because of the nature of the company’s business.
³

Bencsáth made plans to tell his colleagues the following Monday. Over the weekend, he collected all the technical literature he could find on Stuxnet—including the lengthy dossier Symantec had prepared—and reread it to refresh his memory. When he reached the part discussing the encryption routines that Stuxnet used to conceal its code, he pulled up the encryption routines for the new attack and got another surprise. They were nearly identical. The new attack code even used one of the same decryption keys that Stuxnet used.
⁴

Then he examined the six kernel hooks the new code used—specific functions on the machine that the malware hooked or hijacked to pull off its attack—and compared them to the functions hooked by other known malicious attacks. He found some that hooked two or three of the same functions, but none that hooked all six. He sifted through the Stuxnet literature to examine what Stuxnet hooked, and there it was—the digital weapon hooked all six of the same functions. There was no doubt in his mind now that the two attacks were related.

It didn’t mean the codes were written by the same people, but it was clear the creators of the new code had developed their attack from the same source code and framework that had been used to develop Stuxnet. Stuxnet had sabotaged Iran’s uranium enrichment program but who knew what this new attack was doing and how many systems it had infected?

Bencsáth dashed off an e-mail to Bartos telling him what he’d found. Until now they’d been working at a leisurely pace, looking at the code
whenever they had time. But now he realized they needed to determine what the attack was doing quickly and get the information out to the public before anyone could stop them. After Symantec had published its research on Stuxnet, there were some who wondered why the US government had never tried to thwart them. Bencsáth worried that this time someone would try to intervene.

The next day he told his colleagues, Levente Buttyán and Gábor Pék, about the attack. The three of them knew they weren’t equipped to do a thorough analysis of the files on their own—none of them had ever done malware analysis like this before and had little experience using the debugging tools needed to reverse-engineer it. But they knew they had to do enough analysis to convince other, more experienced, researchers to look at it. The CrySyS Lab, like VirusBlokAda, was hardly a familiar name in the computer security world, and they needed solid evidence to connect the attack to Stuxnet or no one else would agree to examine it.

They set a deadline ten days away and decided to focus only on the parts of the attack that were similar to Stuxnet. But to their surprise, there were more similarities than they expected. At the end of the ten days, they had a sixty-page report. Bartos gave Bencsáth permission to share it with Symantec, but only on condition that if they went public with the report, the CrySyS Lab would not be named in it. Bartos worried that if anyone knew the lab was in Hungary, it wouldn’t take long to identify the victim.

They sent the report to the government CERT, to Chien and his team at Symantec, and to a few others—Péter Szor, a Hungarian researcher at McAfee; someone at VeriSign, because VeriSign would need to revoke the digital certificate the malware used; and to a researcher at Microsoft.
⁵
Bencsáth’s heart was pounding as he clicked Send to e-mail the report. “I was really excited,” he says. “You throw down something from the hill, and you don’t know what type of avalanche there will be [as a result].”

WHEN CHIEN AWOKE
on October 14, a Friday, he immediately reached for his BlackBerry to check his e-mail. The subject line of one message caught his eye. It read simply, “important malware,” and came with an attachment. It had been sent by two computer scientists at an obscure university lab in Hungary, who wrote in stilted English that they’d discovered a new attack that bore “strong similarities” to Stuxnet. They dubbed it “Duqu” (dew queue)—because temporary files the malware created on infected machines all had names that began with ~DQ—and were certain it would “open a new chapter in the story of Stuxnet.”