In September 2010, Eric Byres started noticing an interesting trend at work. Byres runs Byres Security from a small island near Vancouver, Canada. His flagship product Tofino is a security suite aimed at protecting Industrial Control Systems (ICSs) from digital incursions that can sabotage their installations. “We started to see a lot of people log on or attempt to log on and request access to some of the more restricted pieces of [content on our site],” he says. “They weren’t in our usual user group.” Their IP addresses revealed that many of them were in Iran.
Byres’ customers aren’t typical home users looking for the sort of anti-virus protection provided by Kaspersky or Symantec. They are large companies or nation states running large installations like public water works, traffic lights and even nuclear power plants. “These weren’t curiosity seekers,” Byres continues. The users wanted very specific details on Siemens S7-300, a large ICS which also happens to control how fast Iran’s uranium enriching turbines spin.
“It’s not proof of anything, but it’s an interesting indication because you’ll remember at the time, there were lots of claims from Iran that the [Stuxnet] worm was not affecting them,” says Byres, “And what we were really curious about was that if the worm is not affecting you, or you don’t have a problem, then why have you got so many people downloading solutions off our site or trying to download solutions off our site?”
“And that,” he adds, “was really what caught our interest. In a normal year, we’d get one or two people from Iran, maybe a dozen at most. And we were getting more people from Iran than we were from the US, and that really got me interested because there are more Siemens systems in places other than Iran. By any sort of demographic measure, the spike from Iran indicated something weird was going on…”
On 29 November 2010, Iranian President Mahmoud Ahmadinejad seemed to confirm what Byres suspected: he admitted at a news conference that enemies of Iran had sabotaged Natanz’s nuclear facilities that are used to enrich uranium. Although Ahmadinejad never mentioned it by name, the attack was engineered through the computer virus Stuxnet, sending rogue commands to the plant’s ICS, which also happened to be manufactured by the German firm Siemens. “They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts,” the president told the media. “They did a bad thing. Fortunately, our experts discovered that, and today they are not able (to do it) anymore.”
On 15 January, The New York Times reported what many experts in the field had long been saying about Stuxnet. It was, the report revealed, a sophisticated cyber weapon that only a few nation states in the world had the capability to build. And through a collection of unnamed sources, the newspaper concluded that Israel and America had cooked up Stuxnet in a joint operation. The NYT report had all the cloak-and-dagger intrigue of a spy novel; its key findings included revelations that the virus was put together by computer programmers working in Dimona, a remote lab in the Negev desert, and US researchers at the Idaho National Laboratory, which, by coincidence, is also a remote lab in a desert. A story that same day in The Jerusalem Post even reported that Dimona was the domain of Unit 8200, an elite cyber warfare unit of the Israeli Defence Forces.
The characteristics of Stuxnet, perhaps the most sharply aimed virus ever designed, only seemed to substantiate the key points of the plot. Through a configuration known as a rootkit, it sneaks so cleverly into a computer that it is virtually undetectable. Once embedded, it acts on specific targets: it sends turbines spinning out of control while projecting a façade of normalcy for the engineers monitoring the control room.
In Iran’s case, it even took pictures and transmitted them back to the saboteurs. But for all its revelations, the NYT found few government sources willing to go on record. “That’s part of the story, that cyber weapons have this amazing ability to allow the perpetrator plausible deniability,” Byres says. “If you’re North Korea and smack a torpedo into the side of a South Korean boat, unfortunately pieces get left behind. But if you launch Stuxnet, you can deny forever that you did it, and it’s really tough to prove. And that’s one of the nasty things about cyber weapons versus conventional weaponry. What’s scary about Stuxnet is that… the people who wrote it had capabilities that most other people didn’t have.”
Experts say Stuxnet is clearly a new sort of virus. “Five-seven years ago, cyber attacks were primarily motivated by fame,” explains Shantanu Ghosh, a vice-president in India with the anti-virus firm Symantec. “Mass-mailer worms and viruses were common and hit the headlines due to their reach. A couple of years ago, we witnessed the rise of more sophisticated, stealthy and targeted threats with a more insidious motivation—financial gain. Cyber criminals have been making money on the burgeoning underground economy, trading in confidential information and identities—for example, credit card data—worth millions of dollars. In fact, the value of this economy has been estimated to exceed the value of the illegal drug trade.”
Stuxnet, which has been infecting computers since July 2010, is different. “The quality of the code is military grade, it is not commercial grade,” Byres says. “The bugs-per-1,000-lines-of-code is very low compared to, say, a commercial product like Windows or something. So whoever wrote this put a lot of time and resources into it.” He’s even noted six different coding styles in the virus. This is why most experts agree that only a nation state had the ability to write this virus.
So how would a virus of this complexity worm its way into such sensitive installations? Much has been written about the use of pen drives that plug into a computer’s USB port. But Byres says this oversimplifies Stuxnet’s delivery mechanism. “That is one that got most attention ‘cause it was so stunning,” he says. “But the USB technique was just one.” Other means include infecting the Siemens files themselves and other methods that exploit the vulnerabilities of shared digital resources. “So the USB key is the one that the public can hang their hat on, but we have a little lab here full of Stuxnet. So let’s say I plugged in a home laptop and it got infected, it will infect everything around it and I don’t even need to own a USB key. So that was one of the brilliant things about Stuxnet, it wasn’t relying on one way to infect. It had seven ways to spread…”
Once inside a machine, the virus uses a ‘botnet’ that turns the user’s computer into a slave and allows it to be remotely controlled. But, Ghosh adds, “The threat also has the ability to update itself via a peer-to-peer (P2P) component. Infected machines contact each other and check which machine has the latest version of the threat installed.” This indicates forethought: “The creators of Stuxnet were aware that they might lose control of their command-and-control servers, so they built in a P2P update function to prepare for that eventuality.”
Stuxnet targets Siemens’ ICSs, which are deployed to control anything from large assembly lines to nuclear power plants. Once inside these systems, Stuxnet replaces the programmer’s code, which tells the machine what to do, with its own malicious instructions. In the case of Iran’s Natanz nuclear installation, Stuxnet is believed to have remotely controlled the speed at which the uranium enriching turbines spun. “Stuxnet then hides these code blocks, so a programmer using an infected machine… will not see the code injected by Stuxnet,” Ghosh says.
The NYT story even reported that the Israeli team had gone as far as procuring the same centrifuges used in Natanz, which would explain why the worm was written to such exacting specifications. “Stuxnet monitors the current operating frequency of these motors, which must be between 807 Hz and 1210 Hz before it modifies their behaviour,” Ghosh says. “We are not experts in industrial control systems and do not know all the possible applications at these speeds, but for example, a conveyor belt in a retail packaging facility is unlikely to be targeted. We also know frequency converter drives that produce over 600 Hz are regulated for export in the US by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”
While Stuxnet is clearly the most finely targeted and high-profile case of cyber warfare, it’s just one of many recent attacks. In May 2007, shortly after Estonia took down a Soviet war memorial in its capital Tallinn, websites of its government offices and major banks were spammed so heavily that their servers were overwhelmed. Suspicion focused on Russia, which denied any role in the attack. “The Russians could stand up and say ‘We don’t know what you’re talking about’, because it is just impossible to track,” Byres says.
The same is true for China’s GhostNet. Discovered by researchers at Canada’s Information Warfare Monitor in March 2009, the virus targeted the Dalai Lama’s resistance movement, extracting information on Tibetan exiles in India and infiltrating computers in Indian government offices. It was even able to remotely turn on webcams to monitor users of the compromised computers. There has been one link so far to a server on the Chinese island of Hainan, home to a Chinese military base. But no substantive link between GhostNet and the Chinese State has ever been established.
A December 2009 attack on Google Inc’s China operation, Operation Aurora, targeted the email addresses of Chinese political dissidents.
Even the US has been victimised; a 2008 white paper jointly authored by Siemens staffer Todd Stauffer and the Idaho lab detailed specific vulnerabilities and listed several incidents of sabotage. As further evidence of the link between Idaho National Labs and Stuxnet, the NYT pointed to this document.
What’s more frightening, however, are the sorts of installations that have almost been compromised in America. In 2006, hackers gained access to a Pennsylvania water treatment plant through an employee’s laptop, installing spyware on computers at the installation. In June 2008, a nuclear plant in Georgia went into shutdown mode; a software update had reset the system’s control data that monitors the water levels that cool the plant’s nuclear fuel rods.
But while the other attacks were just footnotes, Stuxnet has changed the game. “As soon as you introduce a new weapon to a field of war, whether it’s tanks in World War I or whether you’re a caveman who’d been using stone spears and somebody chucks a bronze spear at you, if you survive, you learn how to make a bronze spear real fast,” Byres says. “And that’s what’s going to happen with Stuxnet. Everybody is now going to be in an arms race. And we’re just beginning to see the start of the sons of Stuxnet. I mean here’s this offensive cyber weaponry for dummies. It’s a manual basically written and handed out free. And there isn’t a major military organisation that isn’t going to be building [clones].”
The exact status of that virus today, however, is a matter of some dispute. Since neither the US nor Israel has officially taken responsibility for the virus, there is no way to really mark the end of it. It’s also unclear if there is any effective way to stop it.
Recently, the Israeli defence and analysis website, Debka, citing an anonymous source reported that Stuxnet was disturbing Iran’s nuclear programme again. This time, the target was said to be its Bushehr nuclear power plant, which Iran’s head of atomic energy, Ali Akbar Salehi, promised would be hooked to the country’s energy grid by April.
There was just one problem. According to the Debka report, Sergei Kiriyenko, who was overseeing the construction for the Russian-state-owned nuclear concern Rosatom, had warned Ahmadinejad that Stuxnet was back, and “…switching the reactor on could trigger a calamitous nuclear explosion that could cost a million Iranian lives and devastate neighbouring populations”. The Debka report said the resulting meltdown could be far worse than Russia’s Chernobyl disaster in 1986.
Kiriyenko had tried to warn Iran’s nuclear team, but they were anxious to get back to business and show that Stuxnet was no bother...