A new film gives a frightening look at how the US used cyberwarfare to destroy nukes – Tech Insider

http://ift.tt/29QA5pq


Image: Iran nuclear (REUTERS/Mehr News Agency/Majid Asgaripour)

In 2006, then-President George W. Bush was increasingly worried
about Iranian efforts at enriching uranium, and ultimately, its
hopes to build an atomic bomb.

But he was mired in the Iraq war, and had few options beyond air
strikes or another full-scale war in the Middle East, which
Israel was pushing for. So, his military leaders gave him a third
option: a weapon that could potentially set back Iran’s
nuclear ambitions, while leaving no trace of the attacker.

It was the world’s first cyber weapon, code-named “Olympic Games”
and later called “Stuxnet” by computer security researchers.

A fascinating new documentary film by Alex Gibney called “Zero
Days” that premieres on Friday tells the story of Stuxnet, along
with the frightening takeaway that, while this was the first cyber
weapon, it will certainly not be the last.

‘We’ve never seen this before’


Image: Stuxnet Bushehr nuclear power plant (International Iran Photo Agency/Ebrahim Norouzi/AP)

Bits and pieces of the Stuxnet story are well-known by now.

First authorized by President Bush and then re-authorized by
President Obama, the top secret computer worm was designed by the
US and Israel to infect an Iranian nuclear enrichment facility at
Natanz.

And it did. Too well.

The code made its way into the facility and infected the specific
industrial control systems the Iranians were using. Once it
turned itself on about 13 days after infection, it sped up or
slowed down the centrifuges until they destroyed themselves — all
while the operators’ computer screens showed everything was
working as normal.

But at some point, the powerful computer code escaped and made
its way out. It had an unheard-of number of zero-day exploits
(four, to be precise), which target software vulnerabilities
unknown to the target, who has “zero days” to protect themselves.
Making matters worse, its self-replicating behavior ended up
infecting computers around the world.

Iran initially had no idea it had been attacked by a cyber
weapon, believing its scientists and engineers were incompetent
due to the failures. But eventually the code escaped, worldwide
infections led computer researchers to study it, and the idea of
leaving “no trace” of the attacker was gone.

“We’ve never seen this before,” Liam O’Murchu, a director at
Symantec, says in the film. “We’ve actually never seen this
since, either.”

“Real world physical destruction,” says his colleague at
Symantec, engineer Eric Chien.

‘I don’t know, and if I did, we wouldn’t talk about it anyway’


Image: George Bush and CIA chief Michael Hayden (REUTERS/Kevin Lamarque)

Just the fact that director Alex Gibney could get people to give
on-camera interviews providing some insight
into Stuxnet is an achievement in itself.

But even these interviews always end up at a wall, colorfully
demonstrated by former CIA and NSA Director Michael Hayden, who
tells him: “I don’t know, and if I did, we wouldn’t talk about it
anyway.”

That’s because even today, despite Stuxnet’s well-known legacy in
the computer security community and in-depth reporting on the
subject, it remains highly classified.

Though Gibney is stonewalled by just about every Israeli and US
official he encounters, he is able to score a major source from
the NSA*. And that’s where the story of “Zero Days” really takes
off.

Gibney’s NSA source talks about the NSA’s Tailored Access
Operations (TAO) unit, explaining how the secretive elite hacker
unit and its counterpart in Israel coded a massive piece of
malware designed for this one specific task. She goes on to
explain how it was tested, saying, “in the tests we ran, we blew
[the centrifuges] apart.”

Those tests proved accurate, with some estimates saying Stuxnet
malware destroyed roughly one-fifth of Iran’s centrifuges in 2009.

It’s not just interviews with cyber security experts and
government officials, however. Gibney weaves together documentary
footage of the Iranian president touring Natanz — which US
intelligence used to figure out the exact computers and equipment
there — along with compelling graphics of the actual Stuxnet code
as Symantec researchers explain its use.

“There wasn’t any code in there that served no purpose,” Chien
told Tech Insider in a phone interview. “Every piece of code in
there served to get inside Iran’s nuclear facility.”

Stuxnet was only the beginning

There are some spoilers for the film below.



Image: hackers (REUTERS/Dado Ruvic)


The most incredible revelation from the film comes from Gibney’s
NSA source, who talks about a much larger operation than Stuxnet.
It’s a news-breaking claim that The New York Times has since
corroborated: The US had an in-depth cyber attack plan that was
much larger than Natanz.

“We were inside, waiting, watching,” the source says. “Ready to
disrupt, degrade, and destroy those systems with cyber attacks.
In comparison, Stuxnet was a back alley operation. NZ was
the plan for a full scale cyber war with no attribution.”

NZ is the acronym for a separate operation called Nitro Zeus,
which gave the US access into Iran’s air defense systems so it
could not shoot down planes, its command-and-control systems so
communications would go dead, and infrastructure like the power
grid, transportation, and financial systems.

“The science fiction cyber war scenario is here. That’s Nitro
Zeus,” the source says.

The aftermath

What happened after the world’s first cyber weapon launched?

A large portion of Iran’s centrifuges were taken offline, but it
was only a temporary measure. Iran quickly recovered and
secured its systems. The country also launched its own “cyber
army” — no doubt inspired by its hacker counterparts in the US
and Israel.

But for the US and Israel, the cyber weapon’s launch is
likened to August 1945, when the first atomic bomb was dropped.
Though the physical destruction of Stuxnet pales in comparison to
bombs dropped on Hiroshima and Nagasaki, its first use by the
West has given others license to look into it for themselves.

“So whoever initiated this — and was very proud of themselves to
see that little dip in Iran’s centrifuge numbers — should look
back now and acknowledge it was a major mistake,” Emad
Kiyaei, executive director of the American Iranian Council, says
in the film.

Perhaps that may be the most frightening revelation of all
to come from “Zero Days.”

Now there is a new weapon that can do a better job at
destruction than bombs. But the difference between
highly controlled nuclear materials and computer code is that
anyone — and any state — can develop it.

“It seems pretty reasonable to think that there are things out
there today that we haven’t seen that are much more advanced
[than Stuxnet],” O’Murchu told TI in a phone interview.

We’ll just have to wait and see who uses it next.

*The NSA source is later revealed to be an actor reciting lines
based on testimony from CIA and NSA officials who spoke with
Gibney and his team.

via Zero Day – Google News http://ift.tt/20ob6vU

July 18, 2016 at 07:48PM
