Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (47 page)

It might have taken months to obtain the data the attackers needed. But some of the reconnaissance work could have been done as early as 2005, when the domains for the command-and-control servers used with Stuxnet 0.5 were registered. Although Stuxnet wasn’t released until later, the domains could initially have been used to communicate with spy tools.
The reconnaissance also might have been done around May 2006, when researchers found that code for the command-and-control servers used with later versions of Stuxnet was created.

Once information about the systems was gathered, final work on the attack code could have occurred. Symantec estimated that two separate teams created the 315 and 417 attack codes based on the distinct ways they were written. Whether the United States and Israel worked on both of them together or the Israelis only worked on the missile portion while the Americans handled the payloads is unknown. A third team may have worked on the code that hijacked the Step 7 system to swap out the legitimate .DLL for Stuxnet’s rogue one and inject the malicious commands into the PLCs. Symantec estimated that it took about six months to write this Step 7 portion of the code and a little less time to write the malicious PLC code blocks. The testing, however, would have also taken time.

Whoever was responsible for the actual code, this part of the operation had to be precise. There were so many ways for the attack to go wrong, but there was no room for error, and it would be difficult to gauge the effects of the code in the field or tweak it once it was unleashed. This meant the attackers had to do extensive testing—not only on a Siemens test-bed to make sure their code didn’t brick the Step 7 system or the PLCs, but also, in the case of the variants unleashed in 2009 and 2010, on all versions of the Windows operating system to make sure the malware spread and installed seamlessly without detection.
¹²

Most of all, the attackers needed precise knowledge of how each
change of the code would affect the centrifuges, particularly because what they were aiming for was not a brute-force attack but a finessed one. The tiniest mistake and they could destroy the centrifuges too quickly or destroy too many at once and expose the sabotage, blowing the operation.

To pull this off, they would have needed a team of material scientists and centrifuge experts who understood the density and strength of the aluminum rotors and centrifuge casings, and who understood how the bearings at the bottom of each centrifuge, which kept them spinning in balance, would respond to increased vibration. They also needed to calculate the normal wall pressure inside the centrifuges and determine how much it would increase as the gas pressure inside the centrifuges grew.
¹³

To do all of this, they needed actual centrifuges against which to test the attacks. Luckily, as noted previously, the Department of Energy’s Oak Ridge National Laboratory in Tennessee possessed a number of P-1 centrifuges, upon which the IR-1s at Natanz were based.

The story behind Oak Ridge’s acquisition of the centrifuges began in August 2003, three years after the CIA infiltrated A. Q. Khan’s illicit nuclear supply network and six months after the IAEA made its first visit to Natanz. The spy agency intercepted a shipment of black-market uranium enrichment components—including 25,000 centrifuge casings as well as pumps, tubes, and other components—headed from Malaysia to a secret enrichment plant in Libya. The seized crates were used by the West to confront Libyan dictator Muammar Gaddafi with evidence of his secret nuclear program and to pressure him into abandoning it. On December 19, Libya’s foreign minister announced on national television that the country was renouncing its nuclear weapons and chemical weapons programs—programs it hadn’t until then acknowledged possessing.

The IAEA learned there was more enrichment equipment already in
Libya that US authorities planned to dismantle and ship back to the Oak Ridge lab. So over the Christmas holiday, Olli Heinonen; his boss, Mohamed ElBaradei; and other IAEA colleagues raced to Tripoli to inventory the equipment before it disappeared. There they found more than one hundred tons of equipment worth about $80 million—including UPS regulators from Turkey (similar to the ones that would later be sabotaged in Iran in 2006), two hundred P-1 centrifuges from Pakistan that the Libyans had already assembled into a small cascade, as well as components for building about four thousand other centrifuges.
¹⁴
By March 2004, the seized equipment had been packed up and sent to the Y-12 National Security Complex at Oak Ridge, where it was protected by guards armed with assault rifles while put on display for journalists to see.

“By any objective measure,” US Secretary of Energy Spencer Abraham told the assembled reporters at the time, “the United States and the nations of the civilized world are safer as a result of these efforts to secure and remove Libya’s nuclear materials.”
¹⁵
This may have been so, but what the captured booty really meant was that the United States now had the chance to assemble a secret plant to study the centrifuges and test an attack against them.
¹⁶

THE OAK RIDGE
National Laboratory, established in 1943 and located outside of Knoxville, is managed by UT-Battelle—a nonprofit company founded in 2000 by Battelle Memorial Institute and the University of Tennessee—and touts itself as a science facility focused on advanced materials research, nuclear science, clean energy, and supercomputing. But it’s the lucrative classified national security work the lab does for the Defense
Department, Department of Energy, and intelligence agencies—focused on nuclear nonproliferation, intelligence data mining, encryption cracking, and other areas—that really keeps it in business.

The secret centrifuge plant, part of a now decade-long classified program to research the destruction of centrifuges, was constructed sometime after 2005 on a backwoods lot on the 35,000-acre Oak Ridge Reservation, invisible and inaccessible to the majority of lab workers who held security clearances. Dubbed “the Hill” or sometimes “the chicken ranch” according to one person who knew about it, the covert facility was reached via an unmarked road that meandered for ten miles, blanketed on either side by a thick forest of trees, before delivering cars to first one security gate and then another.
¹⁷

The Hill actually consisted of two facilities—one aboveground, the other beneath. The underground hall, a preexisting structure built long before for another purpose, was requisitioned for the first stage of the centrifuge program, which initially focused just on figuring out how the centrifuges obtained from Libya worked. The lab had obtained both P-1 and P-2 centrifuges from Libya to study, but the devices arrived for the most part as unassembled components without a manual. The researchers had drawers and drawers filled with the parts, but had no prior experience working with the designs and therefore spent a lot of their time initially just trying to figure out how to piece the components together and get them to work.

The researchers at Oak Ridge experienced some of the same problems the Iranians experienced in operating the temperamental and fragile devices. The scoops and ball bearings proved to be particularly problematic for them and delayed their progress for a while.

In the beginning, the program wasn’t about building a virus to attack the centrifuges; it was simply about learning how the centrifuges and cascades worked in order to understand their capabilities and gauge how
far along the Iranians were in their enrichment program and to determine how close they might be to having enough enriched uranium to make a nuclear bomb. When the Oak Ridge scientists completed their initial research and testing, they estimated it would take Iran about twelve to eighteen months to produce enough fissile material for a bomb.

The study of centrifuges wasn’t foreign to Oak Ridge. The lab has a long history of centrifuge research and development, having produced some of the first rotor centrifuges in the 1960s. But in 1985, its centrifuge program was terminated after lasers replaced centrifuges as the primary method of enriching uranium in the United States. The closure displaced thousands of skilled workers and researchers whose specialized knowledge was no longer needed.

Then in 2002, around the time the world was learning about Iran’s secret enrichment facility at Natanz, centrifuge enrichment made a comeback, and Oak Ridge resurrected its program to design a new generation of centrifuges for the United States Enrichment Corporation, now a producer of enriched uranium for commercial nuclear power plants in the United States. To staff that operation, the lab pulled many of its former centrifuge experts out of retirement—some of them now in their seventies and eighties—to work alongside younger scientists.

After the cache of valuable centrifuges was seized from Libya, many of these scientists were reassigned to study the devices. According to someone familiar with the program, he believed the work was conducted under the auspices of the National Nuclear Security Administration (NNSA), a division of the Department of Energy that manages the security of the nation’s nuclear weapons but also operates a nuclear nonproliferation research and development program known as NA-22.
¹⁸
The latter collects human intelligence about illicit nuclear operations and does remote sensing and environmental
testing to collect evidence of covert enrichment activity and nuclear detonations by rogue regimes and actors.
¹⁹

The NNSA had been trying to get its hands on Iranian centrifuges for a while, so the shipment of P-1s and P-2s obtained from Libya in 2004, on which the Iranian centrifuges were based, was a huge boon.

Eventually, they also obtained parts directly from the Iranian program, via intelligence sources. These parts were highly valuable—North Korea was believed to be using centrifuges of the same general design—and workers were told to be very careful and expeditious in using the components because in some cases intelligence sources had given their lives to obtain them. In other words, there was no easy way to replace them and therefore every test on the equipment had to count.

Research on the devices was already under way in 2006, when Iran announced it would begin enriching uranium at Natanz, but the research was slow-moving, according to someone familiar with the program. But in 2007, the operation came together in earnest as Iran began installing its first centrifuges in the underground hall at Natanz.

In the meantime, the aboveground hall was constructed for the sole purpose of testing—and destroying—centrifuges. It’s believed that some of this research may have initially focused on determining the possible destructive effects from a kinetic attack, such as an aerial bombardment on centrifuges buried deep underground, and that a cyberattack became part of the equation only later. Then when a digital operation
was
proposed, initially the goal wasn’t to destroy the centrifuges at Natanz with a virus but simply to plant surveillance code in equipment at the plant to collect data that would help scientists determine where Iran was in its enrichment process. But at some point, the centrifuge destruction program and the reconnaissance operation merged to produce a plan for a digital kinetic attack.
Likely, most of the scientists testing the centrifuges never knew about the plan for such an attack but were simply focused on assessing the effects of various conditions on the centrifuges—such as increased and decreased speed or increased wall pressure inside the centrifuge—in a manner that was divorced from the causes of those conditions.

Inside the large testing hall, tall racks of control systems from Siemens and other vendors were arranged like stacks in a library at the front of the cavernous space, while more than a dozen man-sized centrifuges were spaced throughout the hall across from them. Jury-rigged cables attached to sensors snaked out from some of the centrifuges to record diagnostics and measure such things as the heat of the casing or the wobbling and vibration of the pin and ball bearing that kept the centrifuge balanced.

Some of the centrifuges spun for months, while data on them was collected. These were the research specimens, however. There were others whose fate was more dire. Just inside the entrance to the hall was a large reinforced cage made of acrylic and metal mesh—what a hospital baby-viewing room might look like if it were designed by the team from
MythBusters
—where condemned centrifuges went to die. Workers at the plant always knew when a centrifuge was being destroyed in the protective cage because it made a horrific explosive sound, accompanied by a rumbling in the ground.

The operation was in full swing by 2008, with centrifuges being destroyed sometimes on a daily basis. “You could tell the budget had jumped significantly,” the source says. President Bush, perhaps not coincidentally, had just managed to obtain $400 million from Congress for covert operations against Iran’s nuclear program.

While tests were being conducted at Oak Ridge, other tests were reportedly done on centrifuges at Israel’s nuclear facility in Dimona. It’s unclear how long all of these tests took or when officials decided they had enough conclusive data to conduct a successful attack.

During the 2006 testing, the development of the attack code was already under way. The exact timeline for that development is unclear, but the Symantec researchers found that a key function used in the attack code
appeared to have been modified in May 2006. It was the code that Stuxnet used to initiate communication with the frequency converters in the attack on the 315 PLCs. And as noted, code used for the two command servers that were used with that version of Stuxnet—mypremierfutbol.com and todaysfutbol.com—was also compiled in May 2006. Other key functions in the attack code were modified in September 2007. Just two months after that, in November 2007, Stuxnet version 0.5 popped up on the VirusTotal website after it was submitted by either the testers or an infected victim.

At some point, some of the centrifuges at Oak Ridge or another lab were taken off for another kind of test—to directly measure the efficacy of the digital weapon against the centrifuges. When the proof-of-concept tests were done, officials reportedly presented Bush with the results of their labor—the detritus of a destroyed centrifuge that proved the outrageous plan might actually succeed.
²⁰
Like the Aurora Generator Test, conducted by the Oak Ridge Lab’s sister facility in Idaho in early 2007, the centrifuge test showed that heavy machinery was no match for a piece of well-crafted code.