On the Trail of Stuxnet


Friday, March 11, 2011

BROOKE GLADSTONE: The story of the back-story of the so-called Stuxnet computer virus reads like the plot of a high-tech espionage thriller. Last year, somebody somewhere – possibly a government, possibly several governments – unleashed one of the most sophisticated pieces of malware ever created, specially designed, apparently, to target Iran’s uranium enrichment program. In a gripping tick-tock in the April issue of Vanity Fair, author Michael Joseph Gross follows the trail of Stuxnet from June 2010, when it was discovered, until the present day. And although much remains unknown, or rather, unconfirmed about the virus, one thing, says Gross, is certain. It marks a turning point, the Hiroshima of cyber warfare, and there’s no going back. Michael, welcome to OTM.

MICHAEL JOSEPH GROSS: Thank you, Brooke.

BROOKE GLADSTONE: So Act One – and let's assume this is a scenario – starts with Sergey Ulasen, who is the antivirus expert in Belarus.

MICHAEL JOSEPH GROSS: Last June, Sergey was sitting in his office and he got a report of unusual behavior on a client’s computer in Iran. This person’s computer just kept booting over and over and over again. He realized that this worm was exploiting a flaw in Windows that had never been seen. It was like a Trojan horse. It used USB keys to go into a computer and drop two things. The first was called a rootkit, which is essentially a way that a worm has of saying, I'm in charge here. “Root” means “you’re God,” one hacker told me. The other was an injector for a payload of malicious code that would then do something, but Ulasen couldn't tell what.

BROOKE GLADSTONE: Okay, so the next scene: Somebody discovers that the worm is invading little gray plastic boxes called “programmable-logic controllers” or “P.L.C.'s.” This is really scary.

MICHAEL JOSEPH GROSS: P.L.C.'s make everything happen in industrial society. They open and close all the valves that make our sewage system work. They control the factories that make our cookies that we eat for lunch. They control the turning of the traffic lights from red to yellow to green. So if you found a way to make these things go haywire, you'd set civilization on its ear.

[BROOKE LAUGHS] There was a moment last summer when western governments all thought that Stuxnet might be a general attack on P.L.C.'s, and it took them a while to figure out that, in fact, Stuxnet was just going for a particular kind of P.L.C.

BROOKE GLADSTONE: And now, let's cut to crazed genius Ralph Langner. He makes the Israel connection, right?

MICHAEL JOSEPH GROSS: That's right. Ralph Langner is an industrial control systems security specialist in Hamburg. He’s a pilot. He is a dandy. He loves his ostrich shoes and his [BROOKE LAUGHS] Dolce & Gabbana suits. Langner, as soon as he heard about Stuxnet, started reverse engineering the virus. At the same time though he was drawn to speculation about who made it. He focused in on two words that were in lines of the code. One was “myrtus,” the other “guava.” These are botanical terms, one of which Ralph tied, via some ingenious googling, to the Book of Esther, which is a book about a Persian plot to destroy Israel, which is then foiled by the Jews. And he started googling again. He found out that Bushehr Nuclear Reactor was having some technical difficulties.

BROOKE GLADSTONE: Bushehr Nuclear Reactor in Iran.

MICHAEL JOSEPH GROSS: That's right. And he put two and two together, and he got five! [LAUGHS]

BROOKE GLADSTONE: So now, let's cut to the polar opposite kind of character from Langner, a guy named Frank Rieger. He’s the one who put two and two together, and got four.

MICHAEL JOSEPH GROSS: That’s right. A few hundred miles away in Berlin, Frank Rieger, the spokesman for the Chaos Computer Club, was also looking really closely at this. Rieger walked into the room when I first met him wearing a dark jumpsuit that was caked with ice, because he had ridden his great big tricycle in to work [BROOKE LAUGHS] that morning, and it was snowing. So Rieger, at the same time Langner was pushing his Bushehr theory, said, no, in fact, Stuxnet was going after Natanz uranium-enrichment facility, which is really at the core of their weapons development program.

BROOKE GLADSTONE: So what did you learn that hadn't been reported before about Stuxnet, after you did this pretty detailed investigation?

MICHAEL JOSEPH GROSS: I think the main thing is that the story we've been telling about how Stuxnet came into the world has Israel as the main character and the United States as best supporting actor. In fact, there’s more evidence to suggest it may have been the other way around. Stuxnet is not only the boldest piece of malware yet publicly known, it is also in some ways the most cautious. For instance, Stuxnet can spread via USB key, but for each USB key that Stuxnet infects, it can only hop to three machines. Now, that’s enough to create a moderate chain reaction but not a full-blown epidemic. That is a level of caution that is much more suggestive of a diplomatically-minded power than not.

BROOKE GLADSTONE: Has any government agency weighed in on Stuxnet?

MICHAEL JOSEPH GROSS: I got a “no comment” from the CIA. I got odd elliptical answers that meant nothing from both U.S. Cyber Command and the NSA. And then one day in my email showed up a note from the Idaho National Laboratory. Now, INL and Siemens, the German company that made the controllers that Stuxnet was after, collaborated on a study of the vulnerabilities of those controllers a couple of years ago. Some have pointed to that as possible evidence that the U.S. then used the results of that study to create Stuxnet. INL took it upon themselves to send me a statement that denied, categorically, any involvement in the creation of Stuxnet.

BROOKE GLADSTONE: How well did Stuxnet work? Do we know?

MICHAEL JOSEPH GROSS: By putting together the information we have from the International Atomic Energy Association and other sources, some physicists have been able to show, with near certainty, that about 1,000 of the 9,000 or so centrifuges at Natanz were – didn’t –

BROOKE GLADSTONE: Taken offline, at some point.

BROOKE GLADSTONE: But also, returned to line after a while.

MICHAEL JOSEPH GROSS: That's right. I mean, the truth is that if Stuxnet set them back by some measure, they have certainly recovered, and they are moving on. So we need to do a cost benefit analysis of this. Was it really worth it to set them back just a little bit, for just a little while, if we were at the same time changing the nature of war forever?

BROOKE GLADSTONE: “Stuxnet is the Hiroshima of cyber-war,” you wrote. “That is its true significance, and all the speculation about its target and its source should not blind us to that larger reality. We have crossed a threshold, and there is no turning back.”

MICHAEL JOSEPH GROSS: The essence of [SIGHS] cyber-war is that you can never know for sure who shot the gun. You can never know for sure who dropped the bomb. There’s no way to look up in the sky and see the marks on the bottom of the plane. There’s no way ever to be sure who to blame. We have no international treaties governing the use of cyber-weapons. The Chinese and the Russians have both articulated explicitly their policies on what cyber-warfare will look like, but the United States has yet to do that. So we're still in kind of a Wild West situation here. And whoever let Stuxnet loose into the wild, before the terms of this conversation have been defined, has done something really quite, quite reckless.

BROOKE GLADSTONE: Thank you very much.

MICHAEL JOSEPH GROSS: Thank you, Brooke.

BROOKE GLADSTONE: Michael Joseph Gross is an author and journalist whose article, A Declaration of Cyber-War, appears in the April issue of Vanity Fair.