In 2006, then-President George W. Bush was increasingly worried about Iranian efforts at enriching uranium, and ultimately, its hopes to build an atomic bomb.
But he was mired in the Iraq war, and had few options beyond air strikes or another full-scale war in the Middle East, which Israel was pushing for. So, his military leaders gave him a third option: a weapon that could potentially set back Iran’s nuclear ambitions, while leaving no trace of the attacker.
It was the world’s first cyber weapon, code-named “Olympic Games” and later called “Stuxnet” by computer security researchers.
A fascinating new documentary film by Alex Gibney called “Zero Days” that premieres on Friday tells the story of Stuxnet, along with the frightening takeaway that, while this was the first cyber weapon, it will certainly not be the last.
‘We’ve never seen this before’
Bits and pieces of the Stuxnet story are well-known by now.
First authorised by President Bush and then re-authorised by President Obama, the top-secret computer worm was designed by the US and Israel to infect an Iranian nuclear enrichment facility at Natanz.
And it did. Too well.
The code made its way into the facility and infected the specific industrial control systems the Iranians were using. Once it turned itself on about 13 days after infection, it sped up or slowed down the centrifuges until they destroyed themselves — all while the operators’ computer screens showed everything was working as normal.
But at some point, the powerful computer code escaped and made its way out. It carried an unheard-of number of zero-day exploits (four, to be precise), which target software vulnerabilities unknown to the vendor or victim, who therefore has “zero days” to protect against them. Making matters worse, its self-replicating behaviour ended up infecting computers around the world.
Iran initially had no idea it had been attacked by a cyber weapon, blaming the failures on incompetent scientists and engineers. But once the code escaped and infections spread worldwide, computer researchers began studying it, and the idea of leaving “no trace” of the attacker was gone.
“We’ve never seen this before,” Liam O’Murchu, a director at Symantec, says in the film. “We’ve actually never seen this since, either.”
“Real world physical destruction,” says his colleague at Symantec, engineer Eric Chien.
‘I don’t know, and if I did, we wouldn’t talk about it anyway’
Just the fact that director Alex Gibney could get people to give on-camera interviews providing minimal insight into Stuxnet is an achievement in itself.
But even these interviews always end up at a wall, colorfully demonstrated by former CIA and NSA Director Michael Hayden, who tells him: “I don’t know, and if I did, we wouldn’t talk about it anyway.”
That’s because even today, despite Stuxnet’s well-known legacy in the computer security community and in-depth reporting on the subject, it remains highly classified.
Though Gibney is stonewalled by just about every Israeli and US official he encounters, he is able to score a major source from the NSA*. And that’s where the story of “Zero Days” really takes off.
Gibney’s NSA source talks about the NSA’s Tailored Access Operations (TAO) unit, explaining how the secretive elite hacker unit and its counterpart in Israel coded a massive piece of malware designed for this one specific task. She goes on to explain how it was tested, saying, “in the tests we ran, we blew [the centrifuges] apart.”
Those tests proved accurate, with some estimates saying Stuxnet malware destroyed roughly one-fifth of Iran’s centrifuges in 2009.
It’s not just interviews with cyber security experts and government officials, however. Gibney weaves together documentary footage of the Iranian president touring Natanz — which US intelligence used to figure out the exact computers and equipment there — along with compelling graphics of the actual Stuxnet code as Symantec researchers explain its use.
“There wasn’t any code in there that served no purpose,” Chien told Tech Insider in a phone interview. “Every piece of code in there served to get inside Iran’s nuclear facility.”
Stuxnet was only the beginning
There are some spoilers for the film below.
The most incredible revelation from the film comes from Gibney’s NSA source, who talks about a much larger operation than Stuxnet. It’s a news-breaking claim that The New York Times has since corroborated: The US had an in-depth cyber attack plan that was much larger than Natanz.
“We were inside, waiting, watching,” the source says. “Ready to disrupt, degrade, and destroy those systems with cyber attacks. In comparison, Stuxnet was a back alley operation. NZ was the plan for a full scale cyber war with no attribution.”
NZ is the acronym for a separate operation called Nitro Zeus, which gave the US access to Iran’s air defence systems so they could not shoot down planes, to its command-and-control systems so communications would go dead, and to infrastructure like the power grid, transportation, and financial systems.
“The science fiction cyber war scenario is here. That’s Nitro Zeus,” the source says.
What happened after the world’s first cyber weapon launched?
A large portion of Iran’s centrifuges were taken offline, but the damage was only temporary. Iran quickly recovered and secured its systems. The country also launched its own “cyber army” — no doubt inspired by its hacker counterparts in the US and Israel.
But for the US and Israel, the cyber weapon’s launch is likened to August 1945, when the first atomic bomb was dropped. Though the physical destruction of Stuxnet pales in comparison to bombs dropped on Hiroshima and Nagasaki, its first use by the West has given others licence to look into it for themselves.
“So whoever initiated this — and was very proud of themselves to see that little dip in Iran’s centrifuge numbers — should look back now and acknowledge it was a major mistake,” Emad Kiyaei, executive director of the American Iranian Council, says in the film.
Perhaps that may be the most frightening revelation of all to come from “Zero Days.”
Now there is a new weapon that can do a better job at destruction than bombs. But the difference between highly controlled nuclear materials and computer code is that anyone — and any state — can develop it.
“It seems pretty reasonable to think that there are things out there today that we haven’t seen that are much more advanced [than Stuxnet],” O’Murchu told TI in a phone interview.
We’ll just have to wait and see who uses it next.
*The NSA source is later revealed to be an actor reciting lines based on testimony from CIA and NSA officials who spoke with Gibney and his team.