The Stuxnet Story: What REALLY happened at Natanz

OTbase
The story of Stuxnet, the first cyber weapon in history. Focus is on the manipulation of machinery a...
Video Transcript:
In 2007, an unidentified person submitted a code sample to the collaborative antivirus platform VirusTotal. Not recognized by any antivirus company at the time, that code was the first true cyber weapon in history, designed to physically attack a military target. This is the story of the malware that became the icon of cyber warfare.

Every story has a backstory. Ours goes back to 1975. In that year, a Pakistani metallurgist named Abdul Qadeer Khan, or A.Q. Khan for short, working at the European uranium enrichment consortium Urenco in the Netherlands, steals design plans for the gas centrifuges that are the backbone of the enrichment process. Pretending to go on holiday leave, Khan will never come back. Instead, he becomes the head of the Pakistani nuclear program that ultimately leads to their atomic bomb. In addition to this achievement, Khan turns out to be a businessman of sorts. Understanding that other nations are eager to develop nuclear weapons as well, he seizes the business opportunity and starts a lucrative side business. Unknown to the Pakistani government, his Khan Research Labs sells uranium enrichment technology to the highest bidder, including North Korea, Libya and Iran.

In the case of Iran, these dealings first happened in 1987, at the height of the war with Iraq, when Iraq had massively increased their use of chemical weapons. But after the war ended in 1988, it still takes Iran over a decade before getting serious about their little Manhattan Project. In 2000, they secretly start building the Natanz fuel enrichment plant. The giant construction site and its illicit purpose make headlines two years later, when a domestic opposition group reveals the existence of undeclared nuclear facilities. Unable to hide the obvious anymore, Iran comes clean about Natanz in 2003 and enters into negotiations with the European Union in a format known as the EU3, meaning France, Germany and the United Kingdom. Hassan Rouhani becomes Iran's chief negotiator. Yes, it's the same person who will later become Iran's president. The EU3 ultimately negotiates that Iran halts their enrichment activities for the time being. Remember the phrasing here: for the time being.

In the meantime, the United States takes a more hands-on approach to the problem. The CIA gets actively involved in taking down the Khan network, and US and British operatives start to sabotage Iran's program by compromising the supply chain with bogus parts. Khan's nuclear trafficking operation is shut down by the Pakistani government, and Khan customer Libya is forced to dismantle its enrichment program. Things didn't go as well with Iran. In 2005, hardliner Mahmoud Ahmadinejad becomes elected president of Iran and publicly announces that he will restart the nuclear program. And for good measure, he also announces his intention to wipe Israel off the map. In Iran's interpretation, the relaunch is not even a violation of the EU3 agreement. As Iran's chief negotiator Rouhani reminds the media, the EU3 conditions were only accepted for those parts of the plant where Iran didn't face technical difficulties. And technical difficulties they had. In other words, Rouhani had negotiated a way for Iran to push their technological development forward while they couldn't start production anyway. He had simply outsmarted the EU.

It is quite obvious what those technical difficulties were, and they get us right to Stuxnet. Due to trouble purchasing equipment under embargo conditions and due to sheer technical incompetence, Iran lacked the technology for precision manufacturing of the centrifuge rotors that are supposed to spin at a constant 63,000 rpm for months, if not for years. The lifetime of a Pakistani P1 centrifuge is about 10 years. Iranian centrifuge rotors, on the other hand, kept cracking constantly. So starting up a uranium enrichment production for real was simply out of the question. That is, until somebody figured out a clever workaround. What if one could invent a centrifuge cascade design that would tolerate individual centrifuges to fail? And that's exactly what Iran did. They, or their international contractors, invented a fault-tolerant design for their cascades using modern digital automation technology. They equipped centrifuges with vibration sensors and valves, allowing for a defective centrifuge to be isolated from the flow of gas. The isolation is achieved by three valves that, when closed, cut off a vibrating centrifuge from the cascade. The faulty centrifuge can then be stopped and replaced while the cascade keeps operating.

Down centrifuges within an operational cascade are an everyday effect of normal operation at the Natanz plant. We can even see them in official press photos, just as if Iran was proud to show off their accomplishment. In this photo from the 2008 press tour, the noteworthy item is not President Ahmadinejad looking at a computer screen, but the grey dots indicating inoperative centrifuges. There was one problem left, though. Isolating centrifuges via shutoff valves impacts the overall gas pressure in the respective cascade stage, something that needed to be compensated for. In order to do this, Iran invented a clever hack for their cascade dump system, which is normally used to evacuate a centrifuge cascade during an emergency. They extended the dump system to compensate for the overpressure that results from cutting individual centrifuges off. In every cascade stage they installed an overpressure valve that is controlled by a dedicated pressure controller. The controller monitors pressure via a local pressure sensor, in an arrangement that control engineers call a closed loop, and when overpressure is detected, it is simply released into the dump system. The end result is a plant full of technically obsolete and ill-manufactured centrifuges, stuffed with digital automation technology that allows Iran to enrich uranium with minimal efficiency. Compare the centrifuges at Natanz with these at Urenco, where A.Q. Khan stole the design. While the Iranian cascades are packed with valves, sensors and cables, one only sees clean pipes at Urenco: no valves, no sensors, no cables. And so, with the truckload of digital automation technology, Iran solved their technical difficulties, while making themselves vulnerable for cyber attacks.

With the new cascade protection system in place, Iran starts to commission the Pilot Fuel Enrichment Plant in 2006. Located in the above-ground part at Natanz, it is kind of a lab environment for testing centrifuge operations and cascade designs, a mini fuel enrichment plant with a total of six cascades that are not meant for actual production. The next year, the underground part goes operational as well, and with it, so does Stuxnet. Now if that isn't some coincidence. Given that the development of the malware must have taken well over a year, one cannot but acknowledge that the attackers were well prepared.

The destructive code sequences did not target computers, a fact that caused antivirus companies to completely miss the topic when looking at the code samples submitted to VirusTotal, and also to stay baffled three years later when Stuxnet had become the most publicized malware of all time. Stuxnet didn't delete, steal or manipulate data on Windows PCs. It didn't even get to these PCs by self-propagation, as we see it in the later version. It got there by physical transmission, either by compromised laptops that traveled in and out of the plant, or by infected USB sticks. And it did not communicate with command and control servers on the internet, a feature of the later version that made it easy to detect. It operated autonomously and in perfect silence.

The intermediate target for the attack code is what we call engineering systems in automation technology. These systems are used to configure industrial controllers that directly control a physical process in real time. Since these controllers don't have a keyboard, screen and a configuration user interface, regular Windows computers equipped with engineering software of the respective automation vendor are used to do the job. When connected to a controller that is part of the cascade protection system, the real destructive parts of the code, also called the payload in infosec terminology, jump over to the small grey boxes and merge with the legitimate control logic. And then it sits there and does little more than analyze process conditions for weeks. When conditions are right, the malware takes control, while allowing legitimate control logic to continue execution in the background, but disconnected from physical reality. In a much publicized stunt that I discovered in 2010, the legitimate control is fed fake sensor values that are recorded by the malware just before taking over control. While everything appears to be normal for the original code, the malware operates completely under cover and manipulates valves at will.

The goal of the attack is to damage centrifuge rotors by overpressure. And here we are not talking about multiples of atmospheric pressure, as you use it for the tyres of your car. We are talking about fractions of atmospheric pressure. How so, you may wonder? Well, because the centrifuges operate near absolute vacuum, and there is a reason for it. Uranium hexafluoride solidifies at around 100 millibar, or one-tenth of atmospheric pressure. It turns into solid material, just like water turns into ice below freezing level. If the pressure level goes beyond what is called the triple point, the gas solidifies and destroys the centrifuges instantly. Now wouldn't that be a great idea, you may think? Good point, and I'll get back to this. For now, just consider that this was not the goal of the attackers. How do I know? Because they could have easily done so; it would have made the attack much simpler. So in reality it was about creating temporary rotor stress by increasing gas pressure, thereby getting more uranium hexafluoride into the centrifuge, which means more rotor pressure, but just to the point where the aluminum tubes were slightly damaged, resulting in a shorter operational lifetime.

The attackers went to great lengths in order to cover this up. They closely monitored cascade operation until a certain set of process conditions was met. Then they cut off both ends of the cascade by closing valves, which inevitably leads to pressure in the cascade rising constantly. This would have done nothing to the cascade if the attackers hadn't also manipulated the overpressure valves. It is clear from the attack code that the attackers went out of their way to avoid catastrophic damage. When, based on sensor readings, the attack code decides that enough is enough, things are restored back to normal. Contrary to common belief, the recording and replay of sensor values on the controller was not primarily used, or even necessary, to fool human operators. It was used to fool the legitimate control logic, which was still executing in parallel. In case you are wondering, in order to pull this off the attackers used a legitimate product feature of the controllers which is still functional today. Intended for simulation purposes, the ill-documented feature allows software to override actual sensor inputs with fake values. But the attackers did need to fear detection by human operators. However, these operators would not sit in the control room. They walk around in the cascade hall. Remember the inline pressure controllers for overpressure relief? They are sitting right in the cascade and display gas pressure for the cascade stage using a small liquid crystal display. By decalibrating these controllers, the attack code made sure that only normal values were shown.

It is crystal clear that the attackers must have had a realistic test bed available. And I'm not talking about a couple of centrifuges with automation equipment, I am talking about an operational cascade filled with actual uranium hexafluoride. Putting all these characteristics together, one cannot fail to acknowledge the unprecedented absolute cyber power on display. A bunch of bits and bytes was capable of compromising the operation of a nuclear facility that was a designated military target. It did so in absolute silence and complete autonomy. Different from the later version, this code did not call out to command and control servers on the internet. It did not use fancy zero-day exploits. It was the first true cyber weapon, a software artifact designed to cause physical harm.

We don't know exactly what results the first campaign achieved. IAEA inspectors noticed an above-usual amount of hexafluoride in the cascade dump system at Natanz, which would be an indicator of Stuxnet at work, but apparently no dramatic effects were caused, which might just be due to the fact that the attackers feared detection more than causing instant destruction, even by accident. The sophistication of the campaign has more of a nerdy engineering project than of a military operation. It impresses by the demonstrated total and undetected control over adversary infrastructure, but certainly not by audacity. All this would change soon.

In 2008, President Ahmadinejad invites the international press to a tour of the fuel enrichment plant. Photos of their tour go around the globe and find proliferation experts shocked by realizing how far developed the Iranian program has become. Two months later, Israel starts an extensive military exercise to practice an air strike against the facility. They also make it clear to the US government that they want a piece of the cyber action. Later that year, Barack Obama becomes elected president of the United States. Not only is he eager to continue the cyber war project he had inherited from the Bush administration, it also gets a complete overhaul. The new Stuxnet variant that emerges in 2009 uses different tactics, and it is clear that it was developed by a different team, or multiple teams, to be precise. The infosec cavalry gets a green light from Washington and Tel Aviv and uses the opportunity to show off. The best taxpayer-funded hackers put their offensive cyber arsenal to work. The result is Tailored Access Operations on steroids. Multiple zero-day exploits and stolen digital certificates are assembled to infiltrate one target, a target for which the option of physical infiltration apparently was no longer available. As much as the effort on the infiltration routines is extended, as much is it reduced for the cyber-physical part that goes on to the controllers.

The new payload is much smaller, much less sophisticated, and targets a different automation system: the centrifuge drive system. It controls the exact speed at which the rotors spin. The cascade protection system is left alone in the second campaign. There is a reason why Iran operates their centrifuges 4,000 rpm below design speed, which is 63,000 rpm. Higher rotor speed means more mechanical pressure on the ill-manufactured rotors. In the second campaign, a whole cascade group of up to 984 centrifuges is accelerated 21,000 rpm above design speed, or 40 percent above normal operating speed. After several minutes at overspeed, normal speeds are restored. In the next run, which executes about a month later, the malware brings the centrifuges almost to a halt before spinning them up again. This way the rotors are taken through their critical frequencies, which is guaranteed to cause vibration that has a chance to break the rotor. The whole deceleration and acceleration run takes 50 minutes.

Different from the silent first campaign, there is no way that the Iranian operators could not have realized what was going on, that is, unless they were deaf. Any rotating or oscillating physical object emits airwaves that humans can hear, given that they are in the frequency range between 20 and 16,000 hertz. Wavelength is proportional to rotation speed, hence fast rotation means high pitch and slow rotation means low pitch. Everybody has experienced this when driving a car, for example: the more you accelerate, the higher the pitch of the engine sound. In the following clip, listen to the background noise. What you hear is IR-1 centrifuges at Natanz spinning at their normal operating speed at 59,000 rpm. Now listen to what the same centrifuges sound like when accelerated to 84,000 rpm. The pitch change is impossible to miss. Even more so for the deceleration run every other month, where the rotors are spun down to 120 rpm, or 2 hertz. Since 2 hertz is below the range of audible frequencies for the human ear, the affected cascades went silent.

The stealthy cyber weapon had been turned into a prank. Iranian operators could not mistake what they heard. It was all too obvious that their sophisticated control technology was not working as intended, and so Iranian engineers begin to search for causes. In August 2009, Iran shuts down over 600 centrifuges. In November the same year, another 300-plus centrifuges, and two months later, yet another cascade of 164 tubes. Due to the new self-propagation mechanism, Stuxnet spreads well beyond Natanz. No damage is done to other control systems, because the attackers made sure that the real attack routines can only affect controllers with a matching configuration, of which they apparently had a copy beforehand. However, infections occur quickly throughout the world, and it is predictable that rather soon the virus would catch the attention of antivirus experts. With its wealth of zero-day exploits and noisy network traffic that not even a junior cyber security specialist on his first day on the job could miss, it was only a question of time when Stuxnet would be detected. That time comes in June 2010, when antivirus experts receive a code sample, spot the zero-day exploits used in the dropper, and sound the alarm. Stuxnet is now all over the news. However, even the world's best antivirus talent still has no clue what the purpose of the mysterious malware is: an uber virus with nation-state-level exploits and a mysterious payload for an unidentified target. It takes another couple of months, until September 2010, when I determine, based on our forensic analysis, that Stuxnet's target is the Iranian nuclear program, something that neither the media nor Iranian experts wanted to believe for weeks, some four months. It just seemed too far-fetched at the time. In November 2010, Iran halts operation at Natanz completely in an effort to get rid of the malware. Their Stuxnet story had ended.

The most common misconception about Stuxnet is that its mission objective was to destroy the centrifuges at Natanz in a more or less catastrophic event, and that the attackers failed miserably. But this is just nonsense. The attackers could have achieved that easily, but chose not to. In the first campaign, they could simply have kept the outflow valves closed until the operating pressure in the centrifuges had reached the level where the uranium hexafluoride solidifies. At that moment, the whole cascade unit with roundabout a thousand centrifuges would have pretty much exploded due to excessive vibration. In the second campaign, the attackers could have left the centrifuges spinning at overspeed until even the last centrifuge was shut off by the still functioning cascade protection system, or by Iranian operators executing an emergency shutdown. But again, the attackers chose not to. After their little concert in the cascade hall, they carefully decelerated back to normal operating speed, as if nothing had happened. The reason for not attempting catastrophic destruction is obvious. Iran was long capable of producing low-grade centrifuge rotors at industrial scale and had a substantial stockpile which could be deployed instantly. The obvious mission objective was to slow Iran down on their way to the production of weapons-grade uranium, making it more costly and ideally having Iran lose confidence in their capability to get there with given resources.

Along these lines, we see a significant shift of mission focus that was missed by most observers. Started as yet another attempt to sabotage the Iranian centrifuges (the US had provided Iran with compromised parts in the past), they just took existing efforts to the digital realm, and pretty much by coincidence, along the way, the concept of cyber warfare materialized. The attackers realized that they had pretty much accidentally created something bigger than just another means to mess up Iran's centrifuges. The much different second campaign can be viewed as aggressive experimentation with the new concept. All the good and expensive stuff from offensive cyber operations was brought in: zero-day exploits, stolen digital certificates, remote updates via rogue command and control servers operated by government entities, the works. Staying covert was no longer a priority. Natanz had been turned into a test range for cyber weaponry where digital live rounds were fired. But while the second campaign was a show of force, it was much more show than actual use of force. Knowing that the malware was bound to be discovered, the attackers even left the much more terrifying payload from the first campaign in the code, even though deactivated. They wanted to make sure that the world would see it. Anything but disappointed about the outcome of this experiment, the United States formed US Cyber Command in 2011, arguably the best funded and most capable military cyber organization on the globe. But whatever Cyber Command is doing, they did not launch further cyber-physical attacks that anybody would know of. The Obama administration shifted their Iran policy towards a more friendly stance, which resulted in the so-called nuclear deal in 2015.
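The talk describes sensor values being recorded and then replayed to the legitimate control logic, which kept executing against a stale copy of the process. From the defender's side that technique has a signature a plant historian can look for: a live physical measurement almost never reproduces an earlier run of samples bit for bit, and almost never stays perfectly constant. The following monitor is an added example written for this page; it is not code from the talk, from OTbase, or from any Stuxnet analysis. The tag values, the sample period and the window length are constructed for illustration and stand in for whatever a real historian would export.

```python
"""Replay and frozen-signal detection over a process-value time series.

Added example, not code from the talk or from any Stuxnet analysis.
A recorded-and-replayed sensor signal repeats an earlier window of
samples exactly; a sensor that has stopped updating (the degenerate
form of replay) stays constant. Both are flagged here for review.
All tag values below are constructed for illustration.
"""
from typing import List, Optional, Tuple

Alert = Tuple[int, str]  # (index of the sample that raised it, reason)


def find_exact_repeat(samples: List[float], window: int) -> Optional[Tuple[int, int]]:
    """If the last `window` samples exactly match an earlier, non-overlapping
    run of `window` samples, return (earlier_start, later_start); else None."""
    if window < 1 or len(samples) < 2 * window:
        return None
    tail_start = len(samples) - window
    tail = samples[tail_start:]
    # Only windows that end before the tail begins are candidates, so a
    # slowly drifting live signal cannot match itself through partial overlap.
    for start in range(0, tail_start - window + 1):
        if samples[start:start + window] == tail:
            return (start, tail_start)
    return None


def is_frozen(samples: List[float], window: int) -> bool:
    """True when the last `window` samples are all identical."""
    if window < 1 or len(samples) < window:
        return False
    tail = samples[-window:]
    return all(v == tail[0] for v in tail)


def scan(samples: List[float], window: int) -> List[Alert]:
    """Walk the series as a historian would receive it, one sample at a time,
    and report the first index at which each condition becomes true."""
    alerts: List[Alert] = []
    seen_repeat = seen_frozen = False
    for n in range(1, len(samples) + 1):
        prefix = samples[:n]
        if not seen_repeat:
            hit = find_exact_repeat(prefix, window)
            if hit is not None:
                alerts.append((n - 1, f"exact replay of samples {hit[0]}..{hit[0] + window - 1}"))
                seen_repeat = True
        if not seen_frozen and is_frozen(prefix, window):
            alerts.append((n - 1, f"value frozen for {window} samples"))
            seen_frozen = True
    return alerts


# Constructed stage-pressure trace (millibar, arbitrary sample period):
# twelve live readings, then six samples that are an exact copy of
# readings 2..7, standing in for a replayed recording.
LIVE = [98.1, 98.4, 98.2, 97.9, 98.3, 98.6, 98.0, 98.2, 98.5, 98.1, 97.8, 98.3]
REPLAYED = LIVE + LIVE[2:8]

# Constructed trace where the reported value simply stops changing.
FROZEN = LIVE[:6] + [98.2] * 6

WINDOW = 6


def demo() -> dict:
    """Run the three constructed traces through the monitor."""
    return {
        "live_only": scan(LIVE, WINDOW),
        "replayed": scan(REPLAYED, WINDOW),
        "frozen": scan(FROZEN, WINDOW),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name}: {alerts or 'no alerts'}")
```

The window length is the tuning knob: coarsely quantized sensors do repeat short runs of values legitimately, so the window must be long relative to the sensor's resolution and sample rate, and an alert is a reason to compare the controller's reported value against an independent measurement path rather than a verdict on its own.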