Computer Science Book Club: April

This month we will recount the events surrounding the world’s first and largest digital weapon: The STUXNET virus.

CS Book Club Banner
CS Book Club Banner

Countdown to Zero Day:

STUXNET and the Launch of the World’s First Digital Weapon

By Kim Zetter


Countdown to Zero Day introduces us to the world of cyber warfare and the use of the world’s first digital weapon. This story takes place in the early 2000’s and is about the discovery of the STUXNET virus. CTZD is a look at the earliest days of cyber warfare and digital attacks, and the uncovering of the world’s first digital weapon.

While nobody really knows with absolute certainty that STUXNET was a state-sponsored operation; it’s purpose was discovered and its inextricable link to the Iranian nuclear program was confirmed. STUXNET and its use are centered directly in the realm of intelligence, political tampering, and espionage.


“As Mike McConnell, the former director of national intelligence, told a US Senate committee in 2011, “If the nation went to war today, in a cyber-war, we would lose. We’re the most vulnerable. We’re the most connected. We have the most to lose.” 

Countdown to zero day

All of the unknowns and mysteries surrounding this event make CTZD an even more fascinating read. The writing is easy to follow and intuitive, even while describing the complicated functions of the code, or the other technical aspects of this story.

Kim Zetter does an amazing job recounting the experts who discovered the attacks, and makes the entire story play out like a spy thriller worthy of its own Showtime series.

The author is an eclectic writer who has published a wide array of books and interviews. She has written a series of articles on electronic voting machines security, Lonely Planet guides, and even books about spirituality.

Look at the Code

Flaws and vulnerabilities exist in all software and networks, in order for an attacker to make use of these holes, they must catch them before the software manufacturer or anti-virus companies can fix them.

These exploits found by hackers are called zero day exploits, because the organizations responsible for stopping them have zero days to respond. When these exploits are uncovered, the anti-virus and software companies work quickly to patch them and keep their customers safe and secure.

Zero day exploits allow an attacker unrestricted access to their target system, in this digital era this can mean any number of things: financial losses, industrial espionage, or in this case, war.

Green text with skull outline malicious code

There had been several instances of cyber warfare, specifically using the internet to target industrial systems. After STUXNET, the realization that every industrial control system in the world was vulnerabities shook-up many industries.

The ties of STUXNET to major wars such as: WWII, the Iran-Iraq war, and many Middle East conflicts make this story different than the rest. STUXNET had implications into real-world incidents and exposed some security researchers to the world of nuclear geopolitics.

Realtek and JMicron Certificate Breach

The certificates used to authenticate STUXNET and help it spread were stolen from two technology companies in South Korea. The two large companies Realtek and JMicron were both holding secured certificates issued by Microsoft in offline locations.

These certificates allowed STUXNET to install itself on the host machines without asking permission, as it was masquerading as legit software. Certificates allow the consumer to check if software is legitimate and written by the correct developer. Certificates can be thought of as digital ID cards.

The two South Korean companies were located in the same office park. This has led many to speculate that the certificates were stolen physically, by breaking into the offices. The image of Navy Seals breaching an office building to steal installation .dll files makes this story even more spectacular and unbelievable.

Spread of Nuclear Technology

After the second world war, nuclear proliferation was everywhere. The haves and the have-nots were becoming worried about what the other was doing. The nuclear capable members of the U.N. formed the International Atomic Energy Agency (IAEA). In order to try and stop the dual-use of nuclear technology in both energy and weapons, the IAEA inspects the nuclear enrichment processes very carefully.

The IAEA is synonymous with U.N. inspectors in this story, which means that they are the agency responsible for monitoring the process of uranium enrichment and nuclear power construction to ensure that no uranium is being enriched for nuclear weapons.

Spy using camera around corner

One of the many nations that was seeking nuclear power in the 1950’s was Iran. The Shah of Iran was a U.S. ally, and thus Iran was given U.S. aide in order to establish a nuclear program for energy purposes. After the Iranian revolution, the newly empowered Ayatollah Khomeini declares nuclear technology un-Islamic and ceases production and development.

The upcoming Iran – Iraq war prevented Iran from seriously progressing its nuclear program in the 1980s and 1990s. This was due to the fact that the national attention was on beating Saddam’s forces. The Brashir nuclear power plant was attacked several times, marking the first attack on such a target in history. Luckily the fatwa declared by the Ayatollah had involved breaking down the nuclear plant, so the attacks did very little.

Fast forward to the early 2000’s and a man named Abdul Qadeer (A.Q.) Khan delivers stolen nuclear enrichment technology as well as plans for weapons to the Iranian government. The majority of the story revolves around centrifuges, which are used to enrich or basically concentrate uranium gas.

The Process Explained

There are different methods and uses for uranium gas. The difference between clean nuclear energy and nuclear warheads is very slim at times. Especially during the enrichment process where the gas is refined and concentrated with a series of centrifuges. There are organizations, inspections, and oversight committees ensuring that these centrifuges are spinning for peace, and not for war.

Declarations of intentions to produce nuclear weapons began international scrutiny on these centrifuges, located at the Natanz nuclear facility.

Natanz nuclear facility
Photo of the Natanz nuclear facility broadcast on Iranian TV in 2012

VirusBlokAda

A small Belorussian firm had been hired to provide tech support for the nuclear facility. They initially received a call about machines restarting randomly.

VirusBlokAda soon discovered that this incident was special. STUXNET has so many anomalies that separate it from every other known malware attack. For instance, some of the differences in STUXNET over the “average” malware are:

STUXNET used multiple zero day exploits, this had never been seen before. Zero day exploits are very difficult to come by and are very valuable on the free market. In other words using upwards of five zero day exploits ensured STUXNET would find its target no matter what, indicating a dire need for the operation to succeed..

Hiding in Plain Sight

The actions the STUXNET code took were extremely complex. It took every precaution to make sure it wasn’t found, hiding all traces of its existence by obtaining root-level access. The code even had an expiration date and update system in place; and more zero day exploits were added later to keep the worm going.

The effects of STUXNET were much less of a focus of the story, rather than the code itself. Protecting from the virus could be as simple as adding definitions to the latest anti-virus software and doing a scan.  The fact that STUXNET lay undetected for years is due to its amazing design, and a testament to how well the code was written.

Effects of the operation

Before STUXNET was discovered, the Iranian nuclear program began struggling to maintain Uranium enrichment numbers. IAEA reports showed decline and erratic numbers as an effect of the virus. This could potentially be viewed as a cause of STUXNET.

The overall success of the operation is questionable, this is because the production of Uranium rose sharply after the virus was discovered. The construction of the second secret enrichment plant at Fordow cancelled any slowing of the enrichment process.

Map of nuclear sites in Iran
The multiple present-day nuclear facilities in Iran show that stopping nuclear proliferation did not succeed.

The eventual public opening of both facilities prove that STUXNET did not stop nuclear operations all together. Opinions on the overall target and effectiveness of the operation have been varied. The U.S. intelligence community estimated that the nuclear program was slowed between 12 and 18 months. However, other sources have stated that it did not slow the program at all.

Theories / Follow ups

The United States and Israel are attributed with the attacks, part of the public Department of Defense budget was slated for the purpose of subverting Iranian nuclear proliferation. As always, when the stakes are as high as nuclear secrets, none of the parties involved are very forthcoming with information. The generally accepted theory presented by the book is that General Cartwright and U.S. Special Operations Command (USSOCOM or SOCOM) combined with Israel’s Unit 8200 to produce the code.

A lot of this speculation came from the researchers deconstructing the code. When reading the code it becomes apparent that it was written by different entities and pieced upon completion.

Interaction between code blocks in STUXNET is hurried and clunky. Similarly the code didn’t have the usual flavor or style of the usual international hacker group looking for fame or small gains.

Another hint to the origins of the code lie in the code itself. Embedded in STUXNET lay a safety switch, which prevented the virus from infecting friendly computers. This safety switch was in the form of a registry entry: 19790509 or May 9, 1979.

Mysterious Connection

May 9, 1979 is a very famous day in the relations between the Islamic and Israeli world. This is the day that Islamic revolutionaries executed Habib Elghanian on charges of Zionism and spying.

Elghanian was the symbolic head of the Jewish community and head of the Jewish Society. His very public execution sparked anti-Jewish movements in Iran that were devastating to the local community. The reference to this incident led many to believe that Israel or Israeli sponsored entities were behind the attacks.

Attackers may place clues and signatures to try and shift the attention off of themselves or even blame an adversary. Many groups would love to blame the foreign powers of the United States and Israel for such an attack. However, this Easter egg seems a bit obvious and unlike other signatures or tweaks legitimate attackers would use.

STUXNET has been referred to as the digital Pandora’s box. In other words, If it did anything it introduced the entire security community to the very real possibility of industrial espionage and state-sponsored digital warfare. Industrial controls were mostly unprotected before STUXNET, and the uncovering of the plot opened the eyes of many industrial cybersecurity experts to the very real threats that they faced.

For more on STUXNET

Original blog post by Brian Krebs on zero days used in STUXNET

https://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

Interview with main STUXNET player Sergey  Ulasen by Kaspersky

https://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/

McAfee Total STUXNET resource:

https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-stuxnet.html

Symantec total STUXNET resource:

https://www.symantec.com/security-center/writeup/2010-071400-3123-99

Please like and share:)