The Stuxnet Story
The secret project was called “Olympic Games”. Its aim was to cripple the Iranian nuclear program “without setting off a regional war”, writes David Sanger in his super-interesting book on cyber warfare titled Perfect Weapon. The US and Israel settled on creating malware (a computer virus) that would speed up/slow down the Iranian nuclear centrifuges, leading them to “ultimately destroy themselves”.
Being a covert operation, the US (and Israel) couldn’t claim they’d done it. So how then did this story, the malware now known as Stuxnet, break out? Well, it was rooted in the fact that Stuxnet couldn’t simply be loaded onto an Iranian centrifuge (obviously). It had to be spread all over the world, in the hope that it would eventually enter the centrifuge facility via malice (an Iranian traitor) or by usual stupidity (someone carrying an infected USB stick into work). As with any scatter-and-pray operation, the malware thus reached all over the world (we’ll come to why it didn’t do any damage anywhere else in a while).
And when it reached everywhere, inevitably security researchers started analysing it. It seemed to be very sophisticated. For one, it was exploiting security vulnerabilities that weren’t public knowledge. Such vulnerabilities are “hoarded by hackers” since they are so rare, and “sold for hundreds of thousands of dollars on the black market”. All this made it clear this could only have been created by someone with deep pockets and lots of time, not your hacker sitting at home.
Next, security researchers noticed it seemed to be probing for something. It turned out that “something” was a programmable logic controller made by Siemens. It can be used to control air conditioning systems, water pumps, parts of chemical plants and, yes, the spinning speed of giant centrifuges. (Those centrifuges are super-sensitive to tiny variations in speed, which is why the malware, by toying with their speed, was able to destroy them.)
At this point, the researchers still didn’t know what the malware was targeting in particular. Then they found code that was looking for a particular configuration (a specific cluster of 164 machines). That was a very weird detail, a very non-rounded number, which got everyone very curious. Then somebody remembered that the Iranian reactors that had been inspected by the International Atomic Energy Agency were organized in groups of… yes, 164.
It was too much of a coincidence. Malware looking for a particular configuration used in Iran’s nuclear centrifuges. One that looked to speed up/slow down the spinning rates of centrifuges. And an Iranian nuclear weapons program that had suddenly halted when their centrifuges ruined themselves all of a sudden, without any apparent rhyme or reason.
And thus the story broke out: Stuxnet (the malware) was designed to take out Iran’s nuclear reactors. The Americans and Israelis had been (privately) ecstatic until then:
“(They had designed and used) a cyberweapon to mount the kind of attack that, previously, could have been executed only by bombing or sending in saboteurs.”
Now that the story had broken out, they were suddenly wary.
General Michael Hayden, for example, worried that Stuxnet had “the whiff of August 1945”. A new era had dawned, in his opinion. Just as Hiroshima led to everyone trying to get a nuclear weapon, would Stuxnet set off a similar scramble into the Age of Cyberweapons?
He was right, but I’ll end this blog with only what the Iranians did next (we’ll see what other countries have done in other blogs). They created their own cyber army. Sure, they weren’t very great at first, but they focused on getting the job done, unworried whether the technique was low-tech. Like the time they brought down the servers of four dozen American financial institutions:
“Banks were paralyzed. Customers were frozen out of online banking.”
Another time they got into the control system of a minor American dam. They didn’t activate it or do any damage; they just got their malware in. Was it a signal to the US that they could get into the control system of any American dam? And that they might pull the trigger? When a Las Vegas casino owner advocated dropping a nuclear weapon on Iran, the Iranians took out his casino’s servers, in effect shutting down the casino!
And most famously, Iranian hackers got into the world’s largest oil company, Saudi Aramco. They wiped out 30,000 computers and 10,000 servers. While oil production itself wasn’t affected, everything else (supplies, coordination, shipping) was impacted. Were the Iranians signalling that if the US were ever to attack Iran, who knew what other malware they’d installed, and whether that would impact the world’s oil supply?
General Hayden was proving to be prophetic: Stuxnet had indeed ushered in the age of the next type of weapon that could inflict disproportionately massive damage, à la the nuclear weapon.