The Stuxnet Story

The secret project was called “Olympic Games”. Its aim was to cripple the Iranian nuclear program “without setting off a regional war”, writes David Sanger in his super-interesting book on cyber warfare, The Perfect Weapon. The US and Israel settled on creating malware (technically a worm, though the press mostly called it a virus) that would speed up and slow down the Iranian uranium-enrichment centrifuges, leading them to “ultimately destroy themselves”.

Being a covert operation, the US (and Israel) couldn’t claim they’d done it. So how then did this story, the malware now known as Stuxnet, break out? Well, it was rooted in the fact that Stuxnet couldn’t simply be loaded onto an Iranian centrifuge (obviously): the enrichment plant’s control network wasn’t connected to the internet. It had to be carried in, either through malice (an Iranian insider) or through everyday carelessness (someone plugging an infected USB drive into a work machine). To get there it was built to spread on its own from computer to computer, and a worm that spreads on its own doesn’t stop at its target: it eventually leaked out of Iran and turned up on machines all over the world. (We’ll come to why it didn’t do any damage anywhere else in a while.)

And once it was everywhere, security researchers inevitably started analysing it. It seemed to be very sophisticated. For one, it exploited security vulnerabilities that weren’t public knowledge (so-called zero-days; Stuxnet used four of them, which is unheard of in ordinary malware), and it installed drivers signed with certificates stolen from legitimate hardware makers, so Windows trusted them. Such unpublished flaws are “hoarded by hackers” since they are so rare, and “sold for hundreds of thousands of dollars on the black market”. All this made it clear this could only have been created by someone with deep pockets and lots of time, not a lone hacker sitting at home.

Next, security researchers noticed it seemed to be probing for something. It turned out that “something” was a programmable logic controller (PLC) made by Siemens, the kind of industrial computer used to control air conditioning systems, water pumps, parts of chemical plants and, yes, the spinning speed of giant centrifuges. (Those centrifuges are super-sensitive to tiny variations in speed, which is why the malware, by toying with their speed, was able to destroy them.) Notably, on an ordinary PC that wasn’t running the Siemens software used to program those controllers, Stuxnet merely spread; the sabotage code only went to work when it found that software.

At this point, the researchers still didn’t know what the malware was targeting in particular. Then they found code that was looking for a particular configuration: a specific cluster of 164 devices attached to the controller. That was a very weird detail, a very non-round number, which got everyone very curious. Then somebody remembered that the Iranian centrifuges at the Natanz enrichment plant, which had been inspected by the International Atomic Energy Agency, were organized in cascades of… yes, 164.

It was too much of a coincidence. Malware looking for a particular configuration used in Iran’s nuclear centrifuges. Malware that looked to speed up and slow down those centrifuges. And an Iranian enrichment program whose centrifuges had been failing at an unexplained rate, without any apparent rhyme or reason.

And thus the story broke out: Stuxnet (the malware) was designed to take out Iran’s enrichment centrifuges. The Americans and Israelis had been (privately) ecstatic until then; as Sanger puts it, they had designed and used

“a cyberweapon to mount the kind of attack that, previously, could have been executed only by bombing or sending in saboteurs.”

Now that the story had broken out, they were suddenly wary.

General Michael Hayden, the former head of the NSA and the CIA, for example, said Stuxnet had “the whiff of August 1945”. A new era had dawned, in his opinion. Just as Hiroshima set off a scramble for nuclear weapons, would Stuxnet set off a similar scramble into an age of cyberweapons?

He was right, but I’ll end this blog with only what the Iranians did next (we’ll see what other countries have done in other blogs). They created their own cyber army. Sure, they weren’t very good at first, but they focused on getting the job done, unworried about whether the technique was low-tech. Like the time they flooded the websites of four dozen American financial institutions with junk traffic until they went down:

“Banks were paralyzed. Customers were frozen out of online banking.”

Another time they got into the control system of a minor American dam. They didn’t operate anything or do any damage, they just got in. Was it a signal to the US that they could get into the control system of any American dam? And that they might pull the trigger? When a Las Vegas casino owner advocated dropping a nuclear weapon on Iran, the Iranians wiped his casino company’s servers, in effect shutting down its operations!

And most famously, Iranian hackers got into the world’s largest oil company, Saudi Aramco, and wiped 30,000 computers and 10,000 servers. While oil production itself wasn’t affected, everything else (supplies, coordination, shipping) was. Were the Iranians signalling that if the US were ever to attack Iran, who knew what other malware they’d already planted, and whether that would hit the world’s oil supply?

General Hayden was proving to be prophetic: Stuxnet had indeed ushered in the age of the next type of weapon that could inflict disproportionately massive damage, à la the nuclear weapon.
