Zero Days Page #9

an opposite effect occurs.

You can imagine a toy top

that you spin

and as the top begins to

slow down, it begins to wobble.

That's what would happen

to these centrifuges.

They'd begin to wobble

and essentially shatter

and fall apart.

And instead of sending back

to the computer

what was really happening,

it would send back

that old data

that it had recorded.

So the computer's sitting

there thinking,

"yep, running at 1,000 hertz,

everything is fine.

Running at 1,000 hertz,

everything is fine."

But those centrifuges are

potentially spinning up wildly,

a huge noise would occur.

It'd be like, you know,

a jet engine.

So the operators

then would know, "whoa,

something is

going wrong here."

They might look at their

monitors and say, "hmm,

it says it's 1,000 hertz," but

they would hear that in the room

something gravely bad

was happening.

Not only are the operators

fooled into thinking

everything's normal,

but also any kind of automated

protective logic

is fooled.

Chien:
You can't just turn

these centrifuges off.

They have to be brought down

in a very controlled manner.

And so they would hit,

literally, the big red button

to initiate

a graceful shutdown,

and stuxnet intercepts

that code.

So you would have

these operators

slamming on that button

over and over again

and nothing would happen.

Yadlin:
If your cyber weapon

is good enough,

if your enemy is not

aware of it,

it is an ideal weapon,

because the enemy

even don't understand

what is happening to it.

Gibney:
Maybe even better if

the enemy begins to doubt

- their own capability.

- Absolutely.

Certainly one must conclude

that what happened

at natanz

must have driven

the engineers crazy,

because the worst thing

that can happen

to a maintenance engineer

is not being able to figure out

what the cause

of specific trouble is.

So they must have been

analyzing themselves to death.

Heinonen:
You know, you see

centrifuges blowing up.

You look the computer screens,

they go with the proper speed.

There's a proper gas pressure.

Everything looks beautiful.

Sanger:
Through 2009

it was going pretty smoothly.

Centrifuges were blowing up.

The international atomic energy

agency inspectors

would go in to natanz

and they would see that

whole sections of the

centrifuges had been removed.

The United States knew

from its intelligence channels

that some iranian scientists

and engineers

were being fired because

the centrifuges were blowing up

and the iranians had assumed

that this was because

they had been making errors

or manufacturing mistakes.

Clearly this was

somebody's fault.

So the program was doing

exactly what it was supposed

to be doing,

which was it was

blowing up centrifuges

and it was leaving no trace

and leaving the iranians

to wonder

what they got hit by.

This was the brilliance

of olympic games.

You know, as a former director

of a couple of big

3-letter agencies,

slowing down 1,000 centrifuges

in natanz...

Abnormally good.

There was a need for... for...

For buying time.

There was a need for

slowing them down.

There was the need to try

to push them

to the negotiating table.

I mean, there are a lot

of variables at play here.

Sanger:
President Obama would go

down into the situation room,

and he would have laid out

in front of him

what they called

the horse blanket,

which was a giant schematic

of the natanz

nuclear enrichment plan.

And the designers

of olympic games

would describe to him

what kind of progress they made

and look for him

for the authorization

to move on ahead

to the next attack.

And at one point

during those discussions,

he said to a number

of his aides,

"you know,

I have some concerns

because once word of this

gets out,"

and eventually he knew

it would get out,

"the Chinese may use it

as an excuse

for their attacks on us.

The Russians might or others."

So he clearly

had some misgivings,

but they weren't big enough

to stop him

from going ahead with

the program.

And then in 2010,

a decision was made

to change the code.

Our human assets

weren't always able to get

code updates into natanz

and we weren't told

exactly why,

but we were told we had to have

a cyber solution

for delivering the code.

But the delivery systems

were tricky.

If they weren't aggressive

enough, they wouldn't get in.

If they were too aggressive,

they could spread

and be discovered.

Chien:
When we got

the first sample,

there was some configuration

information inside of it.

And one of the pieces in there

was a version number, 1.1

and that made us realize,

well, look, this likely isn't

the only copy.

We went back through

our databases looking for

anything that

looks similar to stuxnet.

Chien:
As we began to collect

more samples,

we found a few earlier versions

of stuxnet.

O'murchu:
And when we

analyzed that code,

we saw that versions

previous to 1.1

were a lot less aggressive.

The earlier version

of stuxnet,

it basically required

humans to do a little bit

of double clicking

in order for it to spread

from one computer

to another.

And, so, what we believe

after looking at that code

is two things,

one, either they didn't

get in to natanz

with that earlier version,

because it simply wasn't

aggressive enough,

wasn't able to jump over

that air gap,

and/or two,

that payload as well

didn't work properly, didn't

work to their satisfaction,

maybe was not

explosive enough.

There were

slightly different versions

which were aimed

at different parts

of the centrifuge cascade.

Gibney:
But the guys at symantec

figured you changed the code

because the first variations

couldn't get in

and didn't work right.

We always found a way

to get across the air gap.

At tao, we laughed

when people thought they were

protected by an air gap.

And for og, the early versions

of the payload did work.

But what NSA did...

Was always low-key

and subtle.

The problem was that

unit 8200, the Israelis,

kept pushing us

to be more aggressive.

Chien:
The later version

of stuxnet 1.1,

that version had multiple ways

of spreading.

Had the four zero days inside

of it, for example,

that allowed it to spread

all by itself

without you doing anything.

It could spread via

network shares.

It could spread via USB keys.

It was able to spread via

network exploits.

That's the sample that

introduced us

to stolen digital certificates.

That is the sample that,

all of a sudden,

became so noisy

and caught the attention

of the antivirus guys.

In the first sample

we don't find that.

And this is very strange,

because it tells us that

in the process

of this development

the attackers

were less concerned

with operational security.

Chien:
Stuxnet actually kept

a log inside of itself

of all the machines that

it infected along the way

as it jumped from one machine

to another

to another to another.

And we were able to gather up

Rate this script:0.0 / 0 votes