Zero Days: Nuclear Cyber Sabotage Storyville

This programme contains some strong language.

-DISTORTED MALE VOICE:

-Through the darkness

of the pathways that we march,

evil and good live side by side,

and this is the nature of life.

We are in an unbalanced and un-equivalent confrontation

between democracies who are obliged to play by the rules

and entities who thinks democracy is a joke.

You can't convince fanatics by saying,

"Hey, hatred paralyses you, love releases you."

There are different rules that we have to play by.

-NEWS REPORT:

-'Today, two of Iran's top nuclear scientists

'were targeted by hit squads...'

'Bomb attacks in the capital, Tehran...'

'The latest in a string of attacks...'

'Today's attack has all the hallmarks

'of major strategic sabotage...'

'Iran immediately accused the US and Israel

'of trying to damage its nuclear programme...'

I want to categorically deny any United States involvement

in any kind of active violence inside Iran.

Covert actions can help, can assist.

They are needed. They are not all the time essentials.

And they in no way can replace political wisdom.

INTERVIEWER: Were the assassinations in Iran

related to the Stuxnet computer attacks?

Er, next question, please.

-NEWS REPORT:

-'Iran's infrastructure is being targeted

'by a new and dangerously powerful cyber worm.

'The so-called Stuxnet worm is specifically designed, it seems,

'to infiltrate and sabotage real world power plants

'and factories and refineries...'

'It's not trying to steal information

'or grab your credit card,

'it's trying to get into some sort of industrial plant and wreck havoc,

'try to blow up an engine...'

'No-one knows who's behind the worm

'and the exact nature of its mission,

'but there are fears Iran will hold Israel or America responsible

'and seek retaliation.'

'It's not impossible that some group of hackers did it,

'but the security experts that are studying this

'really think this required the resources of a nation state.'

-OK? And speaking.

-OK, ready.

-OK, good. Here we go.

INTERVIEWER: What impact, ultimately,

did the Stuxnet attack have? Can you say?

Er, I don't want to get into the details.

Since the event has already happened,

why can't we talk more openly and publically about Stuxnet?

Yeah. I mean, my answer's "Because it's classified."

I won't acknowledge...

Knowingly offer up anything I consider classified.

I know that you can't talk much about Stuxnet,

because Stuxnet is officially classified.

You're right on both those counts.

People might find it frustrating not to be able to talk about it

when it's in the public domain, but...

-I find it frustrating.

-Yeah, I'm sure you do.

-I don't answer that question.

-Unfortunately, I can't comment.

I do not know how to answer that.

Two answers before you even get started, I don't know and if I did,

-we wouldn't talk about it anyway.

-How can you have a debate

-if everything's secret?

-I think, right now, that's just where we are.

No-one wants to...

Countries aren't happy about confessing or owning up

to what they did, because they're not quite sure

where they want the system to go.

And so, whoever was behind Stuxnet hasn't admitted they were behind it.

Asking officials about Stuxnet was frustrating and surreal.

Like asking the Emperor about his new clothes.

Even after the cyber weapon had penetrated computers

all over the world, no-one was willing to admit that it was loose

or talk about the dangers it posed.

What was it about the Stuxnet operation

that was hiding in plain sight?

Maybe there was a way the computer code could speak for itself.

Stuxnet first surfaced in Belarus.

I started with a call to the man who discovered it

when his clients in Iran began to panic

over an epidemic of computer shutdowns.

Had you ever seen anything quite so sophisticated before?

On a daily basis, basically,

we are sifting through a massive haystack,

looking for that proverbial needle.

We get millions of pieces of new malicious threats

and there are millions of attacks going on every single day.

And not only are we trying to protect people and their computers,

and their systems, and countries' infrastructure

from being taken down by those attacks,

but, more importantly, we have to find attacks that matter.

When you're talking about that many, impact is extremely important.

20 years ago, the antivirus companies,

they were hunting for computer viruses

because there were not so many.

So, we had, like, tens or dozens a month

and they were just in little numbers.

Now, we collect millions of unique attacks every month.

This room we call a woodpeckers' room, or a virus lab,

and this is where virus analysts sit.

We call them "woodpeckers" because they are pecking the worms,

network worms and viruses.

We see, like, three different groups of actors

behind cyber attacks. They are traditional cybercriminals.

Those guys are interested only in illegal profit -

quick and dirty money.

Activists or hacktivists, they are hacking for fun,

or hacking to push some political message.

And the third group is nation states.

They're interested in high-quality intelligence or sabotage activity.

Security companies not only share information,

but we also share binary samples.

So, when this threat was found by a Belarusian security company

on one of their customer's machines in Iran,

the sample was shared amongst the security community.

When we try to name threats, we just try to pick some sort of string,

some sort of words, that are inside of the binary.

In this case, there was a couple of words in there.

We took pieces of each and that forms "Stuxnet".

I got the news about Stuxnet from one of my engineers.

He came to my office, opened the door,

and he said, "So, Eugene,

"of course, you know what we're waiting for? Something really bad?

"It happened."

Give me some sense of what it was like in the lab at that time.

Was there a palpable sense of amazement

that you had something really different there?

Well, I wouldn't call it amazement.

It was kind of a shock.

It went beyond our worst fears, our worst nightmares.

And this continued the more we analysed,

the more we researched,

the more bizarre the whole story got.

We look at so much malware every day

that we can just look at the code and say,

"OK, there's something bad going on here

"and I need to investigate that."

That's the way it was when we looked at Stuxnet for the first time.

We opened it up, and there was just bad things everywhere.

Like, "OK, this is bad and that's bad, and, you know,

"we need to investigate this."

Suddenly, we had, like, 100 questions straightaway.

The most interesting thing that we do is the detective work

where we try to track down who's behind a threat.

What are they doing? What's their motivation?

And try to really stop it at the root.

It is kind of all-consuming.

You get this new puzzle and it's very difficult to put it down.

You know, work until, like, 4:00am in the morning

and figure these things out.

I was in that zone where I was very consumed by this,

very excited about it,

very interested to know what was happening.

And Eric was also in that same sort of zone.

So, the two of us were, like, back and forth all the time.

Liam and I continued to grind at the code.

Sharing pieces, comparing notes,

bouncing ideas off of each other.

We realised that we needed to do what we call "deep analysis" -

pick apart the threat, every single byte, every single zero-one,

and understand everything that was inside of it.

I'll just give you some context.

We can go through and understand every line of code

for the average threat in minutes.

And here we are one month into this threat

and we're just starting to discover

what we call the "payload", or its whole purpose.

When looking at the Stuxnet code,

it's 20 times the size of the average piece of code

but contains almost no bugs inside of it and that's extremely rare.

Malicious code always has bugs inside of it.

This wasn't the case with Stuxnet.

It's dense and every piece of code does something

and does something right in order to conduct its attack.

One of the things that surprised us was that Stuxnet utilised

what's called a "zero-day exploit".

Or, basically, a piece of code

that allows it to spread without you having to do anything.

You don't have to, for example, download a file and run it.

A zero-day exploit is an exploit

that nobody knows about except the attacker.

So there's no protection against it, there's been no patch released.

There's been zero days' protection, you know, against it.

That's what attackers value

because they know 100%, if they have this zero-day exploit,

they can get in wherever they want.

They're actually very valuable. You can sell these on the underground

for hundreds of thousands of dollars.

Then we became more worried because we discovered more zero-days.

And, again, these zero-days are extremely rare.

Inside Stuxnet we had, you know, four zero-days,

and for the entire rest of the year

we only saw 12 zero-days used.

It blows everything else out of the water.

We've never seen this before. We've never seen it since, either.

We've seen one in a malware you could understand,

because the malware authors are making money,

they're stealing people's credit cards.

They're making money, so it's worth their while to use it.

But seeing four zero-days could be worth 500,000 right there,

used in one piece of malware.

This is not your ordinary criminal gang who's doing this.

This is someone bigger.

It's definitely not traditional crime, not hacktivists.

Who else?

It was evident at a very early stage that,

just given the sophistication of this malware,

it suggested that there must have been a nation state involved -

at least one nation state involved in the development.

When we look at code that's coming from

what appears to be a state attacker, or state-sponsored attacker,

usually they're scrubbed clean.

They don't leave little bits behind.

They don't leave little hints behind.

But in Stuxnet there were actually a few hints left behind.

One was that in order to get lower level access to Microsoft Windows,

Stuxnet needed to use a digital certificate

which certifies that this piece of code came from a particular company.

Now, those attackers obviously couldn't go to Microsoft and say,

"Hey, test our code out for us and give us a digital certificate."

So they essentially stole them...

..from two companies in Taiwan.

And these two companies have nothing to do with each other except

for their close proximity in the exact same business park.

Digital certificates are guarded very, very closely,

behind multiple doors,

and they require multiple people to unlock.

And they need to provide both biometrics,

and, as well, pass phrases.

It wasn't like those certificates were just sitting on some machine

connected to the internet. Some human assets had to be involved.

-O'MURCHU:

-Spies, like a cleaner who comes in at night

and has stolen these certificates from these companies.

It did feel like walking onto the set of this James Bond movie

and you've been embroiled in this thing that,

you know, you'd never expected.

We continued to search, and we continued to search in the code,

and, eventually, we found some other breadcrumbs left

that we were able to follow.

It was doing something with Siemens.

Siemens software, possibly Siemens hardware.

We'd never, ever seen that in any malware before,

something targeting Siemens.

We didn't even know why they would be doing that.

But after googling, very quickly we understood

it was targeting Siemens PLCs.

Stuxnet was targeting a very specific hardware device,

something called a PLC, or a programmable logic controller.

-LANGNER:

-The PLC is kind of a very small computer

attached to physical equipment,

like pumps, like valves, like motors.

So, this little box is running a digital program

and the actions of this program

turns that motor on, off or sets a specific speed.

Those programmable logic controller

control things like power plants, power grids.

This is used in factories, it's used in critical infrastructure.

Critical infrastructure, it's everywhere around us.

Transportation, telecommunication, financial services, health care...

So, the payload of Stuxnet

was designed to attack some very important part of our world.

The payload is going to be important.

What happens there could be very dangerous.

-LANGNER:

-The next very big surprise came

when we infected our lab system.

We figured out that the malware was probing the controls.

It was quite picky on its target.

It didn't try to manipulate any given control

in a network that it would see.

It went through several checks

and when those checks failed, it would not implement the attack.

It was obviously probing for a specific target.

You've got to put this in context that, at the time,

we already knew, "Well, this was the most sophisticated piece of malware

"that we have ever seen."

So, it's kind of strange.

Somebody takes that huge effort

to hit that one specific target?

Well, that must be quite a significant target.

-CHIEN:

-At Symantec, we have probes on networks all over the world

watching for malicious activity.

-O'MURCHU:

-We'd seen infections of Stuxnet all over the world.

In the US, in Australia, in the UK,

France, Germany, all over Europe.

It spread to any Windows machine in the entire world.

You know, we had these organisations inside the United States.

They were in charge of industrial control facilities saying,

"We're infected, what's going to happen?"

We didn't know if there was a deadline coming up

where this threat would trigger and suddenly would, like,

turn off all electricity plants around the world

or it would start shutting things down or launching some attack.

We knew that Stuxnet could have very dire consequences.

And we were very worried about what the payload contained

and there was an imperative speed

that we had to race and try and beat this ticking bomb.

Eventually, we were able to refine this a little bit

and we saw that Iran was the number one infected country in the world.

That immediately raised our eyebrows.

We have never seen a threat before

where it was predominantly in Iran.

And so we began to follow what was going on in the geopolitical world.

What was happening in the general news. And, at that time,

there were actually multiple explosions of gas pipelines

going in and out of Iran.

Unexplained explosions.

And, of course, we did notice that, at the time,

there have been assassinations of nuclear scientists,

so that was worrying.

We knew there was something bad happening.

Did you get concerned for yourself?

Did you begin start looking over your shoulder from time to time?

Yeah, definitely looking over my shoulder

and being careful about what I spoke about on the phone.

Um... I was...

pretty confident my conversations on the phone were being listened to.

We were only half joking,

when we would look at each other and tell each other things like,

"Look, I'm not suicidal.

"If I drop dead on Monday, it wasn't me."

We'd been publishing information about Stuxnet

all through that summer.

And then, in November,

the industrial control systems expert in Holland contacted us.

And he said, "All of these devices

"that would be inside of an industrial control system

"hold a unique identifier number

"that identified the make and model of that device."

And we actually had a couple of these numbers in the code,

except we didn't know what they were.

And so we realised maybe what he was referring to

was the magic numbers we had.

And when we searched for those magic numbers in that context,

we saw that what had to be connected to this industrial control system

that was being targeted

were something called "frequency converters"

from two specific manufacturers. One of which was in Iran.

And so, at this time, we absolutely knew

that the facility that was being targeted had to be in Iran,

and it had equipment made from Iranian manufacturers.

When we looked up those frequency converters,

we immediately found out that they were actually export controlled

by the Nuclear Regulatory Commission.

And that immediately led us, then, to some nuclear facility.

This was more than a computer story,

so I left the world of the antivirus detectives

and sought out journalist David Sanger,

who specialised in the strange intersection of cyber,

nuclear weapons and espionage.

The emergence of the code is what put me on alert

that an attack was underway.

And because of the covert nature of the operation,

not only were official government spokesmen unable to talk about it,

they didn't even KNOW about it.

Eventually, the more I dug into it,

the more I began to find individuals

who had been involved in some piece of it

or who had witnessed some piece of it.

And that meant talking to Americans,

talking to Israelis, talking to Europeans,

because this was, obviously, the first, biggest

and most sophisticated example

of a state or two states using a cyber weapon for offensive purposes.

I came to this with a fair bit of history -

understanding the Iranian nuclear programme.

How did Iran get its first nuclear reactor?

We gave it to them under the Shah,

because the Shah was considered an American ally.

APPLAUSE

-SAMORE:

-But the revolution which overthrew the Shah in '79

really curtailed the programme

before it ever got any head of steam going.

Part of our policy against Iran after the revolution

was to deny them nuclear technology,

so most of the period, when I was involved, in the '80s and the '90s,

was the US running around the world

and persuading potential nuclear suppliers

not to provide even peaceful nuclear technology to Iran.

And what we missed was the clandestine transfer

in the mid-1980s from Pakistan to Iran.

-MOWATT-LARSSEN:

-Abdul Qadeer Khan is what we would call

the father of the Pakistan nuclear programme.

He had the full authority and confidence

of the Pakistan Government from its inception

to the production of nuclear weapons.

The AQ Khan network is so notable

because, aside from

building the Pakistani programme

for decades,

it also was the means by which other countries

were able to develop nuclear weapons - including Iran.

-SAMORE:

-By 2006, the Iranians had started producing

low-enriched uranium, producing more centrifuges, installing them

at the large-scale underground enrichment facility at Natanz.

How many times have you visited Natanz?

Not that many, because I left a few years ago already, IAEA,

but I was there quite a few times.

Natanz is in the middle of the desert.

When they were building it in secret,

they were calling it a "desert irrigation facility".

There is a lot of artillery and air force.

It's better protected against attack from the air

than any other nuclear installation I have seen.

And so, all the monitoring activities of the IAEA,

they are basic principle - you want to see what goes in, what goes out,

and then, on top of that,

you make sure that it produces low-enriched uranium.

Is that anything to do with the higher enrichments

and nuclear-weapon-grade uranium?

Iran's nuclear facilities are under 24-hour watch

of the United Nations nuclear watchdog, the IAEA,

the International Atomic Energy Agency.

Every single gram of Iranian fissile material...

..is accounted for.

-HEINONEN:

-When you look at the uranium which was there in Natanz,

it was a very special uranium.

This was called isotope 236.

And that was a puzzle to us,

because you only see this sort of uranium

in states which have nuclear weapons.

We realised that they had cheated us.

This sort of equipment has been bought from

what they call a black market.

They never point it out to...

They were caught at that point in time.

What I was surprised was the sophistication

and the quality control.

The way they have the manufacturing, it was really professional.

It was not something, you know,

you just create in a few months' time.

This was the result of a long process.

The centrifuge. You feed uranium gas

in and you have a cascade, thousands of centrifuges,

and from the other end, you get enriched uranium out.

It separates uranium based on spinning the rotor,

it spins so fast.

300 metres per second.

The same as the velocity of sound.

These are tremendous forces and, as a result,

the rotor, it twists and looks like a banana at one point of time.

So, it has to be in balance,

because any small vibration, it would blow up.

This is what makes them very difficult to manufacture.

You can model it, you can calculate it, but at the very end,

it's actually based on practice and experience,

so it's a piece of art, so to say.

'Ahmadinejad came into his presidency saying that,'

"If international community wants to derail us,

"we will stand up to it.

"If they want us to sign more inspections

"and more additional protocols and other measures, no, we will not.

"We will fight for our right.

"Iran is a signatory to the nuclear Non-Proliferation Treaty.

"And under that treaty, Iran has the right to nuclear programme.

"We can have enrichment.

"Who are you, world powers,

"to come and tell us that we cannot have enrichment?"

This was his mantra.

And it galvanised the public.

By 2007, 2008,

the US Government was in a very bad place with the Iranian programme.

President Bush recognised

that he could not even come out in public and declare

that the Iranians were building a nuclear weapon

because, by this time,

he had gone through the entire WMD fiasco in Iraq.

He could not really take military action.

Condoleezza Rice said to him at one point,

"You know, Mr President,

"I think you've invaded your last Muslim country,

"even for the best of reasons."

He didn't want to let the Israelis conduct the military operation.

'It's 1938,'

and Iran is Germany and it's racing

to arm itself with atomic bombs.

Iran's nuclear ambitions must be stopped and have to be stopped.

We all have to stop it now.

That's the one message I have for you today.

-Thank you.

-APPLAUSE

Israel was saying they were going to bomb Iran.

And the government here in Washington

did all sorts of scenarios about what would happen

if that Israeli attack occurred.

They were all very ugly scenarios.

Our belief was that, if they went on their own,

knowing their limitations...

They have a very good air force, all right,

but it's small and the distances are great

and the targets dispersed and hardened.

If they would have attempted a raid on a military plane,

we would have been assuming that they were assuming

we would finish that which they started.

In other words, there would be many of us in government

thinking that the purpose of the raid

wasn't to destroy the Iranian nuclear system,

but the purpose of the raid was to put us at war with Iran.

The two countries agreed on the goal.

There is no... A page between us

that Iran should not have a nuclear military capability.

There are some differences on how to achieve it

and when action is needed.

We are taking very seriously leaders of countries

who call to the destruction and annihilation of our people.

-SAMORE:

-The Israelis believe that the Iranian leadership

has already made the decision to build nuclear weapons

when they think they can get away with it. The view in the US

is that the Iranians haven't made that final decision yet.

To me, that doesn't make any difference.

I mean, it really doesn't make any difference,

and it's probably unknowable.

Unless you can put Supreme Leader Khomeini on the couch

and interview him, I think, from our standpoint,

stopping Iran from getting the threshold capacity

is the primary policy objective.

Once they had the fissile material,

once they had the capacity to produce nuclear weapons,

then the game is lost.

-HAYDEN:

-President Bush once said to me, he said,

"Mike, I don't want any president ever to be faced

"with only two options - bombing or the bomb." Right?

He wanted options that...

made it...

made it far less likely he or his successor, or successors,

would ever get to that point where that's all you've got.

The intelligence cooperation between Israel and the United States

is very, very good.

And, therefore, the Israelis went to the Americans and said,

"OK, guys, you don't want us to bomb Iran.

"OK, let's do it differently."

One day a group of intelligence and military officials showed up

in President Bush's office and said, "Sir, we have an idea.

"It's a big risk, it might not work, but here it is."

-LANGNER:

-Moving forward in my analysis of the code,

I took a closer look at the photographs

that have been published by the Iranians themselves

in a press tour from 2008

of Ahmadinejad and the shiny centrifuges.

The photographs of Ahmadinejad going through the centrifuges at Natanz

provided some very important clues.

There was a huge amount to be learned.

First of all, those photographs

showed many of the individuals

who were guiding Ahmadinejad through the programme.

And there's one very famous photograph

that shows Ahmadinejad being shown something.

You see his face, you can't see what's on the computer.

And one of the scientists who was behind him

was assassinated a few months later.

In one of those photographs,

you could see parts of a computer screen.

We refer to that as a "stata screen".

The stata system is basically a piece of software

running on a computer.

It enables the operators to monitor the process.

What you could see...

when you look close enough

was a more detailed view of the configuration.

There were these six groups of centrifuges

and each group had 164 entries.

And guess what?

That was a perfect match to what we saw in the attack code.

It was absolutely clear that this piece of code

was attacking an array of six different groups of,

let's just say "thingies", physical objects,

and in those six groups,

there were 164 elements.

Were you able to do any actual physical tests?

Or was it all just code analysis?

So, we couldn't set up our own nuclear enrichment facility.

So, what we did was we did obtain some PLCs, the exact models.

We then ordered an air pump.

And that's what we used sort of as our proof of concept.

-O'MURCHU:

-We needed a visual demonstration

to show people what we discovered.

So, we thought of different things that we could do

and we settled on blowing up a balloon.

We were able to write a program that would inflate a balloon

and it was set to stop after five seconds.

So, we would inflate the balloon to a certain size,

but we wouldn't burst the balloon, and it was all safe.

And we showed everybody, "This is the code that's on the PLC."

And the timer says, "Stop after five seconds".

We know that's what's going to happen.

And then we would infect the computer with Stuxnet

and we would run the test again.

Here is a piece of software that should only exist in the cyber realm

and it is able to infect physical equipment in a plant or factory

and cause physical damage.

Real-world physical destruction.

At that time, things became very scary to us.

Here you had malware potentially killing people

and that was something that was always Hollywood-esque to us,

that we would always laugh at, when people make that kind of assertion.

At this point, you had to have started developing theories

as to who had built Stuxnet.

It wasn't lost on us

that there were probably only a few countries in the world

that would want and have the motivation

to sabotage the Iranians' nuclear enrichment facility.

The US Government would be up there.

The Israeli government, certainly, would be up there.

You know, maybe UK, France, Germany, those sorts of countries,

but we never found any information

that would tie it back 100% to those countries.

There are no telltale signs.

The attackers don't leave a message inside saying,

you know, "It was me!"

And even if they did,

all of that stuff can be faked.

So, it's very, very difficult

to do attribution when looking at computer code.

Subsequent work that's been done

leads us to believe that this was the work of a collaboration

between Israel and the United States.

Did you have any evidence

in terms of your analysis that would lead you

to believe that that's correct, also?

Nothing that I could talk about on camera.

-INTERVIEWER CHUCKLES Can I ask why?

-No.

Well, you can, but I won't answer.

BOTH LAUGH

But even in the case of nation states, one of the concerns...

'This was beginning to really piss me off.

'Even civilians with an interest in telling the Stuxnet story

'were refusing to address the role of Tel Aviv and Washington.

'But, luckily for me,

'whilst DC is a city of secrets,

'it is also a city of leaks.

'They're as regular as a heartbeat and just as hard to stop.

'That's what I was counting on.'

'Finally, after speaking to a number of people on background,

'I did find a way of confirming, on the record,

'the American role in Stuxnet.

'In exchange for details of the operation,

'I had to agree to find a way

'to disguise the source of the information.'

-We're good?

-We're on.

So, the first question I have to ask you is about secrecy.

I mean, at this point, everyone knows about Stuxnet.

Why can't we talk about it?

-DISTORTED WOMAN'S VOICE:

-It's a covert operation.

Not any more. We know what happened, we know who did it.

Well, maybe you don't know as much as we think you know.

I'm talking to you because I want to get the story right.

That's the same reason I'm talking to you.

Even though it's a covert operation?

Well, this is not a Snowden kind of thing.

OK? I think what he did was wrong. He went too far.

He gave away too much.

Unlike Snowden, who was a contractor, I was in the NSA.

I believe in the agency, so what I'm willing to give you will be limited,

but we're talking because everyone's getting the story wrong

and we have to get it right. We have to understand these new weapons.

-The stakes are too high.

-What do you mean?

We did Stuxnet.

It's a fact.

You know, we came so fucking close to disaster,

and we're still on the edge.

It was a huge multinational inter-agency operation.

In the US, it was CIA,

NSA, and the military, Cyber Command.

From Britain, we used Iran intel out of GCHQ.

But the main partner was Israel.

Over there, Mossad ran the show

and the technical work was done by Unit 8200.

Israel is really the key to the story.

Our traffic in Israel is so unpredictable...

Yossi, how did you get into this Stuxnet story?

I have been covering the Israeli intelligence, in general,

and the Mossad in particular

for nearly 30 years.

I knew that Israel is trying to slow down Iran's nuclear programme

and, therefore, I came to the conclusion

that if there was a virus affecting Iran's computers,

it's one more element in this larger picture.

Amos Yadlin, General Yadlin,

he was the head of the military intelligence.

The biggest unit within that organisation is Unit 8200.

They bug telephones, they bug faxes, they break into computers.

A decade ago, when Yadlin became the Chief Of Military Intelligence,

there was no cyber warfare unit in 8200.

So, they started recruiting very talented people, hackers,

either from the military or outside the military

that can contribute to the project of building a cyber warfare unit.

It's another kind of weapon and it's for unlimited range,

in a very high speed and in a very low signature.

So this gives you a huge opportunity,

and the superpowers have to change the way we think about warfare.

Finally, we are transforming our military for a new kind of war

that we're fighting now...

..and for wars of tomorrow.

-SANGER:

-Back in the end of the Bush administration,

people in the US Government

were just beginning to convince President Bush to pour money

into offensive cyber weapons.

Stuxnet started off in the Defense Department.

Then Robert Gates, the Secretary of Defense,

reviewed this program and he said,

"This program shouldn't be in the Defense Department.

"This should be under the covert authorities

"over in the intelligence world."

So, the CIA was very deeply involved in this operation,

while much of the coding work

was done by the National Security Agency and Unit 8200 -

its Israeli equivalent - working together

with a newly created military position called US Cyber Command.

And, interestingly, the Director of the National Security Agency

would also have a second role

as the Commander of US Cyber Command.

And US Cyber Command is located at Fort Meade,

in the same building as the NSA.

-HAYDEN:

-NSA has no legal authority to attack.

It's never had it, I doubt that it ever will.

It might explain why US Cyber Command is sitting out of Fort Meade

on top of the National Security Agency.

Because NSA has the abilities to do these things.

Cyber Command has the AUTHORITY to do these things,

and "these things" here refer to the cyber attack.

This is a huge change for the nature of the intelligence agencies.

The NSA is supposed to be a code-making

and code-breaking operation,

to monitor the communications of foreign powers

and American adversaries

in the defence of the United States.

But creating a Cyber Command

meant using the same technology to do offensive work.

Once you get inside an adversary's computer networks,

you put an implant in that network,

and we have tens of thousands of foreign computers and networks

that the United States has put implants in.

You can use it to monitor what's going across that network

and you can use it to insert cyber weapons, malware.

If you can spy on a network, you can manipulate it.

It's already included. The only thing you need is an act of will.

-DISTORTED FEMALE VOICE:

-I played a role in Iraq.

I can't tell you whether it was military or not,

but I can tell you NSA had combat support teams in the country

and, for the first time,

units in the field had direct access to NSA intel.

Over time, we thought more about offence than defence.

More about attacking than intelligence.

In the old days, units would try to track radios,

but through NSA in Iraq,

we had access to all the networks going in and out of the country.

We hoovered up every text message, e-mail and phone call.

The complete surveillance state.

We could find the bad guys.

Say, a gang making IEDs -

map their networks and follow them in real-time.

We could lock into cellphones,

even when they were off, send a fake text message from a friend,

suggest a meeting place and then capture...

-SOLDIER:

-'You're clear to fire.'

..or kill.

I was in TAOS 321, the ROC.

OK, the TAO? The ROC?

Right, sorry, TAO is Tailored Access Operations.

It's where NSA's hackers work. Of course, we didn't call them that.

What did you call them?

On-net operators. They're the only people at NSA

allowed to break in or attack on the internet.

Inside TAO headquarters is the ROC - "Remote Operations Center".

If the US Government wants to get in somewhere,

it goes to the ROC.

I mean, we were flooded with requests.

So many that we could only do about 30% of the missions

that were requested of us at the one time.

Through the web, but also by hijacking shipments of parts.

You know, sometimes the CIA

would assist in putting implants in machines.

So, once inside a target network,

we could just...watch...

..or we could attack.

Inside NSA was a strange kind of culture -

like two parts macho military

and two parts cyber geek.

I mean, I came from Iraq, so I was used to, "Yes, sir!" "No, sir!"

but for the weapons programmers,

we needed more "think outside the box" types.

Were they all working on Stuxnet?

We never called it Stuxnet.

That was the name invented by the anti-virus guys.

When it hit the papers - we're not allowed

to read about classified operations even if it's in the New York Times -

we went out our way to avoid the term.

I mean, saying "Stuxnet" out loud

was like saying "Voldemort" in Harry Potter -

the Name That Shall Not Be Spoken.

What did you call it, then?

The Natanz attack, and this is out there already,

was called Olympic Games or OG.

There was a huge operation to test the code

on PLCs here at Fort Meade,

and in Sandia, New Mexico.

Remember during the Bush era,

when Libya turned over all of its centrifuges?

Those were the same models the Iranians got from AQ Khan, P1s.

We took them to Oak Ridge and used them to test the code,

which demolished the insides.

At Dimona, the Israelis also tested on the P1s.

Then, probably by using our intel on Iran,

we got the plans for the newer models, the IR2s.

We tried out different attack vectors.

We ended up focusing on ways to destroy the rotor tubes.

In the tests we ran, we blew them apart.

They swept up the pieces, they put it on an aeroplane,

they flew to Washington, they stuck it in a truck,

they drove it through the gates of the White House,

and dumped the shards out

on the conference room table in the Situation Room,

and then they invited President Bush to come down and take a look.

And when he could pick up the shard of a piece of centrifuge,

he was convinced this might be worth it,

and he said, "Go ahead and try."

Was there a legal concern inside the Bush administration

that this might be an act of undeclared war?

If there were concerns, I haven't found them.

That doesn't mean that they didn't exist

and that some lawyers somewhere were concerned about it,

but this was an entirely new territory.

At the time, there were only very few people who had expertise

specifically on the law of war and cyber.

And what we did was, looking at,

"OK, here's our broad direction.

"Now let's look, technically,

"what can we do to facilitate this broad direction?"

After that, maybe the...

I would come in, or one of my lawyers would come in and say,

"OK, this is what we may do."

OK? There are many things we CAN do but we are not ALLOWED to do them.

And then, after that, there's still a final level that we look at,

and that's, what should we do?

Because there are many things that would be technically possible

and technically legal, but a bad idea.

For Natanz, it was a CIA-led operation,

so we had to have agency sign-off.

Really?

Someone from the agency...

stood behind the operator and the analyst,

and gave the order to launch every attack.

Before they even started this attack,

they put inside of the code the kill date,

a date at which it would stop operating.

Cut-off dates, we don't normally see that in other threats,

and you have to think, "Well, why is there a cut-off date in there?"

When you realise that a section of it

was probably written by Government,

and that there are laws regarding

how you can use this sort of software,

that there may have been a legal team who said,

"No, you need to have a cut-off date in there,

"you can only do this and you can only go that far,

"and we need to check if this is legal or not."

That date is a few days before Obama's inauguration.

So, the theory is that

this was an operation that needed to be stopped at a certain time,

because there was going to be a handover

and that more approval was needed.

-Are you prepared to take the oath, Senator?

-I am.

I, Barack Hussein Obama...

-I, Barack...

-..do solemnly swear.

I, Barack Hussein Obama, do solemnly swear...

-SANGER:

-Olympic Games was reauthorised by President Obama

in his first year in office, 2009.

It was fascinating because it was the first year

of the Obama administration

and they would talk to you ENDLESSLY about cyber defence.

-OBAMA:

-We count on computer networks to deliver our oil and gas,

our power and our water.

We rely on them for public transportation

and air-traffic control.

But just as we failed in the past to invest

in our physical infrastructure, our roads,

our bridges and rails, we've failed to invest

in the security of our digital infrastructure.

But when you asked questions

about the use of offensive cyber weapons,

everything went dead.

No cooperation. White House wouldn't help. Pentagon wouldn't help.

NSA wouldn't help. Nobody would talk to you about it.

But when you dug into the budget for cyber spending

during the Obama administration,

what you discovered was

much of it was being spent on offensive cyber weapons.

You'd see phrases like "Title 10 CNO".

"Title 10" means "operations for the US Military",

and "CNO" means "computer network operations".

This is considerable evidence that Stuxnet was just the opening wedge

of what is a much broader US Government effort now

to develop an entire new class of weapons.

-CHIEN:

-Stuxnet wasn't just an evolution -

it was really a revolution in the threat landscape.

In the past, the vast majority of threats that we saw were always

controlled by an operator somewhere.

They wouldn't infect your machines,

but they would have what's called a "call-back"

or "command and control channel".

The threats would actually contact the operator and say,

"What do you want me to do next?" The operator would send commands

and say, maybe, "Search through this directory, find these folders,

"find these files, upload these files to me.

"Spread to this other machine."

Things of that nature.

But Stuxnet couldn't have a command and control channel,

because once it got inside of Natanz,

it would not have been able to reach back out to the attackers.

The Natanz network is completely air-gapped

from the rest of the internet. It's not connected to the internet.

It's its own isolated network.

Getting across an air gap is one of the more difficult challenges

that attackers will face,

just because of the fact that

everything is in place to prevent that.

You know, everything... You know, the policies and procedures

and the physical network that's in place is specifically designed

to prevent you crossing the air gap.

But there is no truly air-gapped network

in these real-world production environments.

People have got to get new code into Natanz.

People have to get log files off of this network in Natanz.

People have to upgrade equipment. People have to upgrade computers.

This highlights one of the major security issues

that we have in the field.

If you think, "Well, nobody can attack this power plant

"or this chemical plant because it's not connected to the internet,"

that's a bizarre illusion.

-DISTORTED FEMALE VOICE:

-And the first time we introduced the code

into Natanz, we used human assets.

Maybe CIA - more likely, Mossad - but...

our team was kept in the dark about the tradecraft.

We heard rumours in Moscow,

an Iranian laptop infected by a phoney Siemens technician

with a flash drive.

A double agent in Iran with access to Natanz.

But I don't really know.

What we had to focus on was to write the code

so that, once inside, the worm acted on its own.

They built in all the code and all the logic into the threat

to be able to operate all by itself.

It had the ability to spread by itself.

It had the ability to figure out, "Do I have the right PLCs?

"Have I arrived in Natanz?

"Am I at the target?"

-LANGNER:

-And when it's on target, it executes autonomously.

That also means you... you cannot call off the attack.

It was definitely the type of attack where someone had decided that this

is what they wanted to do. There was no turning back

once Stuxnet was released.

When it began to actually execute its payload,

you would have a whole bunch of centrifuges

in a huge array of cascades,

sitting in a big hall, and then, just off that hall,

you would have an operators' room, the control panels in front of them,

a big window where they could see into the hall.

Computers monitor the activities of all these centrifuges.

So, a centrifuge,

it's driven by an electrical motor,

and the speed of this electrical motor

is controlled by another PLC,

by another programmable logic controller.

Stuxnet would wait for 13 days before doing anything.

These 13 days is about the time it takes to actually fill

an entire cascade of centrifuges with uranium.

They didn't want to attack when the centrifuges were empty

or at the beginning of the enrichment process.

What Stuxnet did

was it actually would sit there during the 13 days

and basically record all of the normal activities

that were happening, and save it.

And once they saw them spinning for 13 days, then the attack occurred.

Centrifuges spin at incredible speeds, at about 1,000 hertz.

They have a safe operating speed -

63,000 revolutions per minute.

Stuxnet caused the uranium enrichment centrifuges

to spin up to 1,400 hertz.

Up to 80,000 revolutions per minute.

What would happen was those centrifuges would go through

what's called a "resonance frequency".

It would go through a frequency

at which the metal would basically vibrate uncontrollably,

and essentially shatter. There'd be uranium gas everywhere.

And then the second attack they attempted

was they actually tried to lower it to two hertz.

They were slowed down...

to almost standstill.

And at two hertz, an opposite effect occurs.

You can imagine a toy top that you spin,

and as the top begins to slow down, it begins to wobble.

That's what happened to these centrifuges -

they would begin to wobble and essentially shatter and fall apart.

And instead of sending back to the computer what was really happening,

it would send back that old data that it had recorded.

So, the computer's sitting there thinking,

"Yup, running at 1,000 hertz, everything's fine.

"Running at 1,000 hertz, everything's fine."

But those centrifuges are spinning up wildly.

A huge noise would occur. It'd be like, you know, a jet engine.

JETS POWERING UP

The operators would know, "Whoa, something is going wrong here."

They might look at their monitors and say, "It says it's 1,000 hertz."

But they would hear that, in the room,

something gravely bad was happening.

Not only are the operators fooled into thinking everything's normal,

but also any kind of automated protective logic is fooled.

You can't just turn these centrifuges off.

They have to be brought down in a very controlled manner.

And so they would hit, literally,

the big red button to initiate a graceful shutdown.

And Stuxnet intercepts that code, so you would have these operators

slamming on that button over and over again,

and nothing would happen.

-YADLIN:

-If your cyber weapon is good enough,

if your enemy is not aware of it,

it is an ideal weapon,

because the enemy don't understand what is happening to them.

Maybe, even better, the enemy begins to doubt their own capability?

Absolutely.

Certainly,

one must conclude that what happened at Natanz

must have driven the engineers crazy.

Because the worst thing that can happen to a maintenance engineer

is not being able to figure out

what the cause of the specific trouble is,

so they must have been analysing themselves to death.

-SANGER:

-Through 2009, it was going pretty smoothly.

Centrifuges were blowing up. The International Atomic Energy Agency

inspectors would go into Natanz and they would see

that whole sections of the centrifuges had been removed.

The United States knew from its intelligence channels

that some Iranian scientists and engineers were being fired,

because the centrifuges were blowing up,

and the Iranians had assumed that this was because

they would have been making errors,

there were manufacturing mistakes,

clearly this was somebody's fault.

So, the program was doing exactly what it was supposed to be doing,

which was, it was blowing up centrifuges

and it was leaving no trace,

and leaving the Iranians to wonder what they got hit by.

This was the brilliance of Olympic Games.

You know, as a former director

of a couple of big three-letter agencies,

slowing down 1,000 centrifuges in Natanz?

An unalloyed good.

There was a need for, for buying time.

There was a need for slowing them down.

There was a need to try and push them to the negotiating table.

I mean, there were a lot of variables at play here.

-SANGER:

-President Obama would go down into the Situation Room

and he would have laid out in front of him

what they call the horse blanket,

which was a giant schematic

of the Natanz nuclear enrichment plant.

And the designers of Olympic Games

would describe to him what kind of progress they made,

and look for him for the authorisation

to move on ahead to the next attack.

And at one point during those discussions,

he said to a number of his aides,

"You know, I have some concerns,

"because once word of this gets out..."

And he knew it would get out.

"..the Chinese may use it as an excuse for their attacks on us,

"the Russians might, or others."

So, he clearly had some misgivings,

but they weren't big enough to stop him

from going ahead with the programme.

And then, in 2010,

a decision was made to change the code.

Our human assets weren't always able to get code updates into Natanz,

and we weren't told exactly why, but...

we were told we had to have a cyber solution

for delivering the code.

But the delivery systems were tricky.

If they weren't aggressive enough, they wouldn't get in.

If they were too aggressive,

it could spread and be discovered.

-CHIEN:

-When we got the first sample,

there was some configuration information inside of it,

and one of the pieces in there was a version number, 1.1.

And that made us realise,

"Well, look, this likely isn't the only copy."

We went back to our databases,

looking for anything that looked similar to Stuxnet.

As we began to collect more samples,

we found a few earlier versions of Stuxnet.

And when we analysed that code,

we saw that versions previous to 1.1

were a lot less aggressive.

The earlier version of Stuxnet,

it, basically, required humans to do a little bit of double-clicking

in order for it to spread from one computer to another.

And so, what we believe, after looking at that code, is two things.

One, either they didn't get into Natanz with that earlier version

because it simply wasn't aggressive enough,

wasn't able to jump over that air gap.

And/or two, that payload, as well, didn't work properly.

It didn't work to their satisfaction.

Maybe it was not explosive enough.

There were slightly different versions

which were aimed at different parts of the centrifuge cascade.

But the guys at Symantec figured you changed the code because

the first variations couldn't get in and didn't work right.

Bullshit. We always found a way to get across the air gap.

At TAO, we laughed when people

thought they were protected by an air gap.

And for OG, the early versions of the payload did work.

But what NSA did...

..was always low-key

and subtle.

The problem was that Unit 8200, the Israelis,

kept pushing us to be more aggressive.

The later version of Stuxnet, 1.1 -

that version had multiple ways of spreading.

It had the four zero-days inside of it, for example,

that allowed it to spread all by itself, without you doing anything.

It could spread via network shares. It could spread via USB keys.

It was able to spread via network exploits.

That's the sample that introduces the stolen digital certificates.

That is the sample that, all of a sudden,

became so noisy

and caught the attention of the antivirus guys.

In the first sample, we don't find that.

And this is very strange

because it tells us that,

in the process of this development,

the attackers were less concerned with operational security.

Stuxnet actually kept a log inside of itself

of all the machines that had been infected along the way,

as it jumped from one machine to another to another to another.

And we were able to gather up

all of the samples that we could acquire,

tens of thousands of samples, and we extracted all of those logs.

We can see the exact path that Stuxnet took.

Eventually we were able to trace back this version of Stuxnet

to ground zero - to the first five infections in the world.

The first five infections were all outside of Natanz plant,

all inside of organisations inside of Iran.

All organisations that are involved in industrial control systems,

and construction of industrial control facilities.

Clearly contractors who were working on the Natanz facility,

and the attackers knew that.

They're electrical companies. They're piping companies.

They're, you know, these sorts of companies.

And they knew that technicians from those companies would visit Natanz.

So, they would infect these companies and then technicians

would take their computer or their laptop on their USB...

That operator then goes down to Natanz and he plugs in his USB key

which has some code that he needs to update into Natanz,

into the Natanz network, and now Stuxnet is able

to get inside Natanz and conduct its attack.

These five companies were specifically targeted

to spread Stuxnet into Natanz,

and it wasn't that Stuxnet escaped out of Natanz

and then spread all over the world, and it was this big mistake and,

"Oh, it wasn't meant to spread that far but it really did."

No, that's not the way we see it. The way we see it is that

they wanted it to spread far so that they could get it into Natanz.

Someone decided that we're going to create something new,

something evolved, that's going to be far, far, far more aggressive.

And we're OK, frankly,

with it spreading all over the world to innocent machines,

in order to go after our target.

The Mossad had the role,

had the assignment,

to deliver the virus,

to make sure that Stuxnet

would be put in place in Natanz to affect the centrifuges.

Meir Dagan, the head of Mossad,

was under growing pressure from the Prime Minister, Benjamin Netanyahu,

to produce results.

Inside the ROC, we were furious.

The Israelis took our code for the delivery system and changed it.

Then, on their own, without our agreement,

they just fucking launched it.

2010, around the same time they started killing Iranian scientists.

And they fucked up the code.

Instead of hiding, the code started shutting down computers.

So, naturally, people noticed.

Because they were in a hurry, they opened Pandora's Box,

they let it out, and it spread...

all over the world.

The worm spread quickly,

but somehow it remained unseen until it was identified in Belarus.

Soon after, Israeli intelligence confirmed

that it had made its way into the hands

of the Russian Federal Security Service, the successor to the KGB.

And so it happened that the formula for a secret cyber weapon

designed by the US and Israel

fell into the hands of Russia

and the very country it was meant to attack.

ANGRY CHANTING

-KIYAEI:

-In international law,

when some country, or a coalition of countries,

targets a nuclear facility,

it's an act of war.

Please, let's be frank here.

If it wasn't Iran,

let's say a nuclear facility in the United States

was targeted in the same way...

..the American Government would not sit by and let this go.

Stuxnet is an attack in peacetime on critical infrastructure.

Yes, it is. Look, when I read about it,

all right, I go,

"Whoa, this is a big deal!" Yeah.

-SANGER:

-The people who were running this program,

including Leon Panetta, the director of the CIA at the time,

had to go down into the Situation Room and face President Obama

and Vice President Biden

and explain that this program was suddenly on the loose.

Vice President Biden at one point during this discussion, sort of,

exploded in Biden-esque fashion

and blamed the Israelis. He said, "It must have been the Israelis

"who made a change in the code that enabled it to get out."

President Obama said to the senior leadership,

"You told me it wouldn't get out of the network. It did.

"You told me Iranians would never figure out

"it was the United States. They did.

"You told me it would have a huge effect on their nuclear programme,

"and it didn't."

The Natanz plant is inspected every couple of weeks

by the International Atomic Energy Agency inspectors,

and if you line up what you know about the attacks

with the inspection reports, you can see the effects.

-HEINONEN:

-If you go to the IAEA reports,

we really saw that a lot of centrifuges were switched off,

and they were removed.

As much as almost a couple of thousand got compromised.

When you put this all together,

I wouldn't be surprised if their programme

got delayed by the one year.

But go, then, to year 2012-13, and look, you know,

how the centrifuges started to come up again.

-KIYAEI:

-So, ironically, cyber warfare,

assassination of its nuclear scientists,

economic sanctions,

political isolation...

Iran has gone through A-X of every coercive policy that the US,

Israel and those who ally with them

have placed on Iran,

and they have actually made Iran's nuclear programme

more advanced today than it was ever before.

CHANTING IN ARABIC

-DISTORTED MALE VOICE:

-This is a very, very dangerous minefield

that we are walking, and the nations who decide

to take these covert actions should be

taking into consideration all the effects,

including the moral effects.

I would say that this is the price that we have to pay in this...

in this world, and our blade of righteousness shouldn't be so sharp.

In Israel and in the United States,

the blade of righteousness cut both ways,

wounding the targets and the attackers.

Once Stuxnet infected American computers,

the Department of Homeland Security,

unaware of the cyber weapons launched by the NSA,

devoted enormous resources trying to protect Americans

from their own government.

We had met the enemy and it was us.

Yep, absolutely.

We'll be more than happy to discuss that.

Early July of 2010, I received a call

that said that this piece of malware was discovered,

and could we take a look at it?

When we first started the analysis, there was that, "Oh, crap" moment.

You know, where we sat there and said, "This is something

"that's significant. It's impacting industrial control.

"It can disrupt it to the point where it could cause harm,

"and not only damage to the equipment,

"but potentially harm or loss of life."

We were very concerned,

because Stuxnet was something that we had not seen before,

so there wasn't a lot of sleep at night.

Basically, light up the phones, call everybody we know,

inform the Secretary, inform the White House

inform the other departments and agencies,

wake up the world and figure out what's going on

with this particular malware.

Did anybody ever give you an indication

that it was something that they already knew about?

No, at no time did I get the impression from someone that,

"That's OK," you know,

get a little pat on the head and scooted out the door.

I never received a stand down order.

I never... No-one ever asked, "Stop looking at this."

Sean McGurk, the Director of Cyber

for the Department of Homeland Security,

testified before the Senate

about how he thought Stuxnet was a terrifying threat

-to the United States. Is that not a problem?

-No, no...

How do you mean? That, that, that the Stuxnet thing was a bad idea?

No, no, just that before he knew what it was and what it attacks...

Oh, I get it. That, that...

Yeah, that he was responding to something that...

He thought was a threat to critical infrastructure in the United States.

Yeah. "The worm is loose!"

The worm is loose, I understand.

But there's a...